Coinbase Slapped With Biometric Data Lawsuit—’Face ID’ Just Got Litigious

Another day, another crypto giant in the regulatory crosshairs. This time, Coinbase stands accused of swiping users’ biometric data without consent—because who needs permission when you’re disrupting finance?

Privacy advocates are up in arms, claiming the exchange collected facial scans and fingerprints faster than a bull run on leverage. No word yet on whether the data was used to train AI or just sold to hedge funds for sentiment analysis.

The suit could cost Coinbase millions—chump change compared to their Q1 earnings, but enough to make compliance teams sweat. Remember when crypto was supposed to be about anonymity? So much for that utopian dream.

Consumer Fraud and Data Breach Charges

According to the submission, users were asked to upload a government ID and a selfie as part of the sign-up procedure. These images were then sent to third-party facial recognition tools that analyzed facial features like geometry and faceprints. However, the suit claims this was done without the consent of users, which the violates BIPA.

“At no point during the verification process are Coinbase users asked to consent to the collection of their biometric information, notified that their biometric data will be collected by an unrelated third party, nor provided with any information about the process,” the lawsuit states.

The complaint also accuses Coinbase of transmitting this data to several third-party vendors, including Jumio, Onfido, Au10tix, and Solaris, without getting permission from the parties. Further, the document reveals that over 10,000 individuals filed arbitration demands, but Coinbase’s refusal to pay the required fees led to their cases being dismissed.

As a result, the plaintiffs have charged the exchange with three claims of violating state biometric privacy laws and one for consumer fraud under the Illinois Consumer Fraud and Deceptive Business Practices Act.

They are seeking damages of $5,000 for every reckless or intentional violation, and $1,000 for each negligent one. The group has also lodged an order to stop the alleged data practices and wants Coinbase to cover its court costs.

A Privacy Time Bomb

This is not Coinbase’s first involvement in such legal troubles. In May 2023, similar action was taken over the company’s handling of facial recognition during onboarding.

Meanwhile, the exchange is also dealing with the fallout from a recent data breach in which customer support agents were allegedly bribed to leak sensitive customer information. That incident caused at least six separate class-action lawsuits between May 15 and May 16, with Coinbase being accused of negligence, poor cybersecurity measures, and a slow response.

Nanak Nihal Khalsa co-founder of Holonym, a privacy-focused identity company, said the problem is bigger than just the platform.

“The Coinbase breach proves what we’ve known all along, KYC without zero knowledge is a privacy time bomb. You can’t collect and warehouse millions of user identities without eventually becoming both a target and a liability.”

Khalsa added that users should not have to give up privacy just to access crypto services. According to the specialist, the future of identity is not in storing data but in using zero-knowledge tools that let people prove who they are without giving away personal details.