British fintech giant Revolut is being sued in Illinois under the state’s biometric identification law for allegedly failing to provide customers with crucial information on how their data is stored, and for how long.
Tina Haralampopoulos filed a proposed class action lawsuit against Revolut in December, alleging the fintech unlawfully collects and stores users’ biometric data without obtaining their written consent, as required by the Biometric Information Privacy Act.
Additionally, Haralampopoulos alleges that Revolut fails to disclose third party participation in the biometric identity verification process; and does not provide a publicly available policy with information on how long it keeps biometric data, why it keeps biometric data, and how and when that data is eventually destroyed.
Revolut has been gaining traction in the U.S. market since crossing the pond in 2020. Worldwide, the neobank claims over 35 million personal customers, and U.S. CEO Sid Jajodia told American Banker it has over 840,000 stateside users as of October. Jajodia was named to the position in 2022, cementing the neobank’s intention for U.S. growth.
Matthew Peterson of Consumer Law Advocate PLLC, who is representing plaintiffs in this case, told Banking Dive that given that Illinois is home to the country’s third-largest city, he “would not be surprised if IL accounts for at least 10K users.”
Should Revolut be found in violation of BIPA, plaintiffs are entitled to $5,000 in damages per reckless violation over the preceding five years, and $1,000 per negligent violation over the preceding five years.
The law was enacted in 2008 following the bankruptcy of Pay By Touch, a firm that provided retailers in Illinois with fingerprint scanners to facilitate consumer payments.
“That bankruptcy was alarming to the Illinois Legislature because suddenly there was a serious risk that millions of fingerprint records ... could now be sold, distributed, or otherwise shared through the bankruptcy proceedings without adequate protections for Illinois citizens,” Peterson wrote in Haralampopoulos’ case against Revolut.
“The bankruptcy also highlighted the fact that most consumers who had used that company’s biometric scanners were completely unaware that the scanners were not actually transmitting data to the retailer who deployed the scanner, but rather to the now-bankrupt company, and that their unique biometric identifiers could now be sold to unknown third parties,” he wrote.
A spokesperson for Revolut declined to comment on the lawsuit.
Last year, crypto companies Coinbase and BAM Trading, which does business as Binance.US, were separately sued under BIPA. Spokespeople for both firms didn’t return requests for comment about their respective suit’s current standing.
Several tech giants have reached BIPA settlements in recent years. Meta agreed to pay out $68.5 million last year in a class action BIPA suit for alleged violations of Instagram users; and three years ago, Meta settled a separate suit for $650 million for scanning the faces of Facebook users without their consent.
In 2022, Google’s parent company, Alphabet, settled allegations that the grouping function in Google Photos illegally collected users’ biometrics in violation of BIPA. The firm settled for $100 million.