Coinbase violated biometric privacy laws in Illinois through its collection and storage of customer fingerprints and facial templates, a proposed class-action lawsuit alleges.
A May 1 filing in a California District Court by a Coinbase user claimed the exchange’s requirement that a customer uploads pictures of a valid ID and a self-portrait in order for the firm to conduct Know Your Customer (KYC) checks is violating certain provisions of Illinois’ Biometric Information Privacy Act (BIPA).
The lawsuit argues BIPA required Coinbase to gain permission from users when collecting their biometrics. Coinbase needed to also provide the purpose for collecting such data, how long it would be stored, how it would be used and how Coinbase would permanently destroy it.
“Coinbase had no written policy, made available to the public, establishing a retention schedule and guidelines for permanently destroying biometric information,” the suit argued.
Coinbase user Michael Massel filed the suit on May 1, demanding a jury trial. Source: CourtListener
In a similar process used by other exchanges, the suit says Coinbase scans the photographs and creates a biometric template of a user’s face. It uses the information to confirm a match between the self-portrait and the face on the supplied ID.
“Thousands” of “highly detailed geometric maps of the face” and fingerprints from Illinois residents are claimed to have been illegally collected and stored by the exchange.
Biometric authentication, such as a fingerprint or face scan, is also used on Coinbase’s mobile app to verify the user when logging into their account, the suit states.
Related: Coinbase execs respond to SEC’s Wells notice in person and on video
It was alleged Coinbase’s “collection, obtainment, storage, and use” of such data is “unlawful” and exposes users “to serious and irreversible privacy risks.”
“If Coinbase’s database containing facial geometry scans or other sensitive, proprietary biometric data is hacked, breached, or otherwise exposed, Coinbase users have no means by which to prevent identity theft.”
The filing asserted that Coinbase should have “permanently destroyed” biometric data after a user opened a Coinbase account, as such information was used for the sole purpose of opening the account.
The suit is seeking damages of $5,000 per intentional BIPA violation or $1,000 if the court finds the alleged violations were not wilful along with paying the attorneys fees and court costs of the class action.
Cointelegraph contacted Coinbase for comment but did not receive a response by publication.