Jumio named in BIPA lawsuit over crypto ID verification

Biometric identity verification provider Jumio is in legal hot water again for alleged violations of Illinois’ BIPA. This time, plaintiff Jacob Czyszczon claims Jumio collected, stored, and used his biometric data without his consent, and therefore unlawfully, when he went through a KYC process in a finance app that used Jumio’s identity verification. A class action lawsuit was filed in San Francisco federal court on March 18.

The filing, spotted by Northern California Record, says Czyszczon completed the KYC process on the Phemex crypto trading app, which used Jumio’s identity verification. He was asked to upload a picture of his state ID and a selfie. Jumio then used biometrics to compare the images and confirm Czyszczon’s identity.

As a provider for Phemex, Jumio collected and retained biometric information for the plaintiff’s account. According to the plaintiff, Jumio had no written policy establishing how long the data would be retained and when it would be destroyed after the data fulfilled its purpose or, if the data’s use is ongoing, within the last three years of the plaintiff’s interaction with Jumio.

Phemex instructed the user to complete the process without stating that Jumio was collecting or storing biometric data, according to the complaint. Jumio also allegedly violated BIPA in sharing biometric information with Phemex without the user’s consent.

Once Czyszczon’s identity was verified, the face template used should have been permanently destroyed but was instead stored, the lawsuit argues.

Plaintiffs can pursue damages of $1,000-$5,000 per violation, where each time a user scans their biometrics over the last five years counts as a violation, not just the first instance.

Jumio is also involved in a similar case for providing identity verification to Binance Capital Management. In recent developments, a U.S. federal judge accepted Binance Capital‘s motion to dismiss the case against it due to lack of jurisdiction, and rejected dismissal motions from Jumio and BAM Trading Services. The case is ongoing.

The cases continue to demonstrate that BIPA affects businesses using biometrics and technology providers alike since the law’s enactment. Jumio saw a pair of BIPA lawsuits in a similar vein including one that was filed after deploying identity verification to Binance in 2022. Jumio settled a different case in 2020, which led to the dismissal of a class action case against its client, WeWork, in 2022.

At the time of the settlement, a Jumio representative told Biometric Update that it was working with customers to keep them on the right side of the regulation. Phemex announced that it had switched to Jumio for identity verification weeks later. Phemex privacy policy explicitly states that “When you set up your Account, we may collect your biometric template.”

Jumio’s cases contrast with among more egregious alleged violations such as claims Google collected biometrics from children without parents’ consent back in 2022.

Jumio declined to comment.

Article Topics

biometric data  |  Biometric Information Privacy Act (BIPA)  |  biometrics  |  data privacy  |  data storage  |  Jumio  |  lawsuits