19-5-2025 – A landmark legal challenge has emerged against Coinbase, hospedaje at the U.S. District Court for the Northern District of Illinois, where the cryptocurrency exchange faces accusations of breaching the Illinois Biometric Information Privacy Act (BIPA). The class-action lawsuit, spearheaded by plaintiffs Scott Bernstein, Gina Greeder, and James Lonergan, alleges that Coinbase illicitly harvested and disseminated users’ facial data during its Know Your Customer (KYC) verification process, without securing explicit consent.
The complaint contends that Coinbase neglected to adhere to BIPA’s stringent requirements, failing to obtain written permission or transparently disclose its policies on the collection, storage, and sharing of biometric information. During KYC procedures, users were required to submit government-issued identification and selfies, which were allegedly processed by third-party facial recognition providers—Jumio, Onfido, Au10tix, and Solaris—without proper authorisation. Further, the lawsuit accuses Coinbase of engaging in deceptive practices, violating the Illinois Consumer Fraud and Deceptive Business Practices Act, thereby misleading its user base.
This legal action arrives amid heightened scrutiny of data privacy within the cryptocurrency sector, spurred by Illinois’ rigorous biometric regulations. The plaintiffs are pursuing substantial statutory damages—$5,000 for each wilful or reckless violation and $1,000 for negligent infractions—alongside injunctive relief and coverage of legal expenses. A 2024 amendment to BIPA, potentially limiting damages to a “per person” basis rather than “per scan,” hangs in the balance, with courts yet to reach consensus on its retrospective application, casting uncertainty over Coinbase’s financial exposure.
The case also references a deluge of over 10,000 arbitration requests lodged with the American Arbitration Association in early 2024, which Coinbase is accused of thwarting by refusing to cover associated fees, resulting in dismissals that paved the way for this federal lawsuit. This is not Coinbase’s first brush with BIPA-related controversy; a similar lawsuit in May 2023 was halted for arbitration and ultimately settled, with the case dismissed without prejudice in February 2025.
Compounding Coinbase’s challenges, a data breach disclosed on 15 May 2025, involving bribed support staff and affecting a small fraction of its clientele, triggered six additional lawsuits. Coupled with an ongoing Securities and Exchange Commission (SEC) investigation into customer metrics, these events precipitated a 7% plunge in Coinbase’s share price, as reported by Ecoinimist.
The Illinois federal court rejected Coinbase’s bids to divert the case to small claims or pre-dispute resolution, allowing the lawsuit to advance. Coinbase has remained silent on the matter publicly. Should the plaintiffs prevail, the exchange could face crippling financial penalties under BIPA, particularly given the volume of users potentially implicated, as evidenced by the arbitration claims. Moreover, the case’s outcome could redefine biometric data compliance standards across the cryptocurrency industry, fostering heightened regulatory adherence and bolstering consumer trust..
