Coinbase Accused Of Violating State Laws With KYC Practice


  • The plaintiff’s complaint alleges that Coinbase broke biometric privacy laws in Illinois.
  • A user named Michael Massel damages on the grounds that the crypto exchange violated state laws when carrying out know-your-customer checks and unlawfully stored sensitive user data.
  • The California District Court case is the latest battle faced by crypto exchange Coinbase on U.S. soil as the company explores offshore jurisdictions.

Coinbase crypto exchange has been sued in a California District Court for allegedly violating Illinois’ Biometric Information Privacy Act (BIPA and using sensitive customer identification data unlawfully.

The suit alleges that the crypto company’s biometric data collection through its know-your-customer (KYC) practices was unlawfully obtained and stored without implementing providing the necessary details on this verification policy.

It’s a common requirement among some crypto exchanges, especially those operating in the U.S. and other strict jurisdictions, for users to confirm their identity and upload a photo for verification. Regulators make KYC mandatory as an anti-money laundering tactic and a way to fight illicit finance.

According to BIPA rules, a company that collects biometric data must inform the user in writing of the data collection including the specific purpose and length of term for which the data will be stored.

Written consent is also required from the customer and the company has to publish publicly‐available written retention schedules and guidelines for permanently destroying biometric identifiers and biometric information.

The suit claims that the crypto company does not comply with these rules and instead “wrongfully profits” from the data by collecting biometric data to “further enhance Coinbase and its online ‘app-based’ platform.

Furthermore, the suit alleges that Coinbase “disclosed, redisclosed, or otherwise disseminated Plaintiff’s biometric information to numerous third parties including, but not limited to, Jumio Corporation, Onfido, Inc., Au10tix LTD, Solaris AG, and Liquid Co. Ltd.”

The Plaintiff, Michael Massel, a user of the exchange, is seeking $5,000 in damages for every “intentional and reckless violation” of Illinois’ Biometric Information Privacy Act (BIPA) and a further $1,000 for each other violation his legal team can find. 

Coinbase, Crypto Companies Spar With US Regulators

Coinbase, like a host of crypto businesses, is also taking heat from U.S. regulators pursuing what the industry describes as a “regulation-by-enforcement strategy,” where federal agencies like the Securities and Exchange Commission (SEC) and Commodity Futures Trading Commission (CFTC) prefer to serve up lawsuits and legal threats rather than draft new guidelines for the still-nascent industry. 

Earlier this year, the SEC alleged that the staking services offered by exchanges like Kraken and Coinbase were unregistered securities and began a crackdown against them, issuing the former with a $30mn fine and the latter with a Wells Notice. 

The hostile climate appears to be driving Coinbase further offshore. Last month the exchange announced it received a license to operate in Bermuda, and is in talks with the Financial Services Regulatory Authority (FRSA), a regulator of the Abu Dhabi Global Market (ADGM)—a crypto-friendly free economic zone in the territory of UAE—about the potential of opening a regulated exchange there.

Meanwhile, the company is locked in a legal bottleneck with U.S. regulators over securities laws and clearer crypto laws.