A group of Coinbase users from Illinois has filed a class-action lawsuit against the cryptocurrency exchange, alleging it violated the Illinois biometric privacy law by collecting and sharing facial recognition data without proper consent.
The lawsuit, filed on May 13 in a federal court, claims Coinbase failed to inform users about how their biometric data was collected, stored, and shared—a direct violation of the Illinois biometric privacy law, also known as the Biometric Information Privacy Act (BIPA).
Coinbase accused of secretly harvesting faceprints
Plaintiffs Scott Bernstein, Gina Greeder, and James Lonergan allege that Coinbase’s identity verification process, which requires users to upload a government ID and a selfie, illegally extracts facial geometry data without explicit consent.
“Coinbase does not publicly provide a retention schedule or guidelines for permanently destroying Plaintiffs’ biometric identifiers as specified by BIPA,” the complaint states.
The lawsuit claims that the exchange sends these selfies to third-party vendors like Jumio, Onfido, and Au10tix, which then analyze facial features to create biometric identifiers—commonly called faceprints. Under the Illinois biometric privacy law, companies must obtain written consent before collecting such data and disclose how long it will be stored.
Third-party data sharing under scrutiny
One of the key allegations is that Coinbase shared biometric data with external verification firms without user permission.
“Coinbase ‘obtains’ biometric data in violation of [BIPA] because it explicitly directed the Third Party Verification Providers to use its software to verify and authenticate users,” the lawsuit claims.
Legal experts say this could be a major sticking point. “BIPA is very clear—companies can’t share biometric data without informed consent,” said privacy attorney Alan Butler in an interview with Cointelegraph. “If Coinbase didn’t get explicit permission, they could face significant penalties.”
The plaintiffs are seeking $5,000 per willful violation and $1,000 per negligent violation of the Illinois biometric privacy law, along with injunctive relief to force Coinbase to comply with BIPA.
A growing wave of biometric privacy lawsuits
This isn’t the first time Coinbase has faced legal action over alleged Illinois biometric privacy law violations. In May 2023, another group of users sued the exchange under similar claims. That case was later sent to arbitration after Coinbase argued that users had agreed to resolve disputes outside of court.
However, the new lawsuit claims that more than 10,000 individuals have filed arbitration demands over the same issue, but Coinbase allegedly refused to pay arbitration fees, leading to dismissals.
“This suggests a pattern of ignoring BIPA requirements,” said consumer rights lawyer Rebecca Glenberg. “Companies can’t just bury arbitration clauses and then avoid accountability when violations pile up.”
Why Illinois’ law is a legal minefield for tech firms
The Illinois biometric privacy law is one of the strictest in the U.S., allowing individuals to sue companies for non-compliance. Unlike laws in other states, BIPA doesn’t require proof of actual harm, only that a company failed to follow consent and disclosure rules.
Major corporations like Facebook, Google, and TikTok have faced multimillion-dollar settlements over BIPA violations. In 2021, Facebook (now Meta) paid $650 million to settle a case over its facial recognition features.
“Illinois has set a high bar for biometric privacy,” said Butler. “Companies that operate nationally often overlook BIPA’s requirements, only to face costly litigation later.”
What’s next for Coinbase?
The lawsuit adds to Coinbase’s growing legal troubles. The exchange is already battling at least six other lawsuits over a recent data breach involving bribed customer support agents.
If the court rules against Coinbase, the penalties could be steep. Given that thousands of Illinois users may be affected, damages could reach tens of millions.
For now, Coinbase has not publicly responded to the lawsuit. Legal analysts expect the company to push for arbitration again, but if the court allows the case to proceed, it could set a precedent for how crypto exchanges handle biometric data under the Illinois biometric privacy law.
Key takeaways:
- Coinbase faces a class-action lawsuit for allegedly violating BIPA.
- Plaintiffs claim the exchange collected and shared facial data without consent.
- The Illinois biometric privacy law allows fines of up to $5,000 per violation.
- This isn’t Coinbase’s first BIPA-related legal challenge.
- The case could impact how crypto platforms handle biometric verification.
As biometric technology becomes more common in financial services, compliance with laws like BIPA will be crucial. For now, the lawsuit serves as a warning to tech firms: ignoring the Illinois biometric privacy law can be a costly mistake.