A proposed class-action lawsuit claims that Coinbase violated Illinois biometric privacy regulations by collecting and storing client fingerprints and facial templates. A Coinbase user claimed in a May 1 filing in a California District Court that the exchange’s requirement that a customer upload images of a valid ID and a self-portrait in order for the firm to conduct Know Your Customer (KYC) checks violates certain provisions of Illinois’ Biometric Information 

Privacy Act (BIPA).

According to the lawsuit, BIPA compelled Coinbase to obtain consent from users before collecting their fingerprints. Coinbase also needed to explain why such data was being collected, how long it would be kept, how it would be used, and how it would be permanently destroyed.

“Coinbase had no written policy, made available to the public, establishing a retention schedule and guidelines for permanently destroying biometric information,” according to the lawsuit. According to the claim, Coinbase scans pictures and produces a biometric template of a user’s face in a technique similar to that utilized by other exchanges. It employs the data to validate a match between the self-portrait and the face on the given ID.

The exchange is accused of illegally collecting and storing “thousands” of “highly detailed geometric maps of the face” and fingerprints from Illinois residents. According to the suit, biometric authentication, such as a fingerprint or face scan, is also employed on Coinbase’s mobile app to validate the user when signing into their account.

According to the complaint, Coinbase’s “collection, acquisition, storage, and use” of such data is “illegal” and exposes users to “serious and irreversible privacy risks.”

“Coinbase users have no way to prevent identity theft if Coinbase’s database containing facial geometry scans or other sensitive, proprietary biometric data is hacked, breached, or otherwise exposed.”

According to the complaint, Coinbase should have “permanently destroyed” biometric data when a user opened a Coinbase account because such information was only utilized to open the account. The claim seeks $5,000 in damages for each willful BIPA infringement or $1,000 if the court finds the alleged violations were not wilful, as well as payment of the class action’s attorneys’ fees and court costs.