Coinbase, one of the largest crypto exchanges in the United States, is under legal fire once again—this time over alleged breaches of Illinois’ biometric privacy law. A group of Illinois-based users has initiated a class-action lawsuit, accusing the platform of improperly handling biometric data collected during identity verification.
The lawsuit, filed on May 13 in a federal court, names plaintiffs Scott Bernstein, Gina Greeder, and James Lonergan. The trio contends that Coinbase’s identity verification process—which includes capturing facial data through selfies and government-issued IDs—violates the Illinois Biometric Information Privacy Act (BIPA). According to the complaint, users were never properly informed about the collection, storage, and sharing of their biometric data, nor were they made aware of any data retention policies.
At the core of the lawsuit is the claim that Coinbase engages in what the plaintiffs call the “wholesale collection” of faceprints as part of its Know Your Customer (KYC) procedures. Users are prompted to upload a selfie along with their photo ID, which is then analyzed using third-party facial recognition software. The plaintiffs argue that this method captures unique biometric identifiers—like facial geometry—without obtaining informed written consent, a requirement under BIPA.
In addition, the lawsuit alleges that Coinbase shared users’ biometric information with third-party vendors such as Jumio, Onfido, Au10tix, and Solaris—all without user consent. These vendors, according to the complaint, were tasked with verifying the identities of users on Coinbase’s behalf, using facial recognition tools that further processed the sensitive data.
“Coinbase obtains biometric data in violation of Illinois law,” the complaint states, “because it explicitly directed third-party verification providers to use facial recognition software that captures and processes biometric identifiers.”
The plaintiffs also pointed out a significant procedural issue. Over 10,000 users have reportedly filed arbitration demands with the American Arbitration Association over similar biometric concerns. However, Coinbase has allegedly refused to pay the necessary arbitration fees in many of these cases, resulting in mass dismissals.
The lawsuit seeks substantial damages: $5,000 for each willful or reckless violation of BIPA, $1,000 for each negligent violation, along with injunctive relief to halt further alleged misuse of biometric data and coverage of legal costs. Additionally, the lawsuit includes a claim under the Illinois Consumer Fraud and Deceptive Business Practices Act, further expanding the scope of legal challenges Coinbase is facing.
This isn’t the first time Coinbase has been in hot water over biometric privacy. Back in May 2023, a similar lawsuit was filed with nearly identical accusations. That case was paused pending arbitration and eventually dismissed without prejudice earlier this year after both parties agreed to drop it.
Coinbase is also grappling with a separate legal issue stemming from a May 15 disclosure involving internal misconduct. The company revealed that some of its customer service agents were bribed to leak sensitive user information—leading to at least six additional lawsuits.
While Coinbase has yet to publicly respond to the latest BIPA-related lawsuit, the case underscores the growing scrutiny over how major tech and crypto platforms handle sensitive biometric data. As privacy laws tighten and users become more aware of their rights, companies operating in highly regulated spaces like finance and cryptocurrency may need to reassess their data practices to avoid similar legal headaches.