Revolut could face millions of dollars in damages after being hit by allegations of illegally collecting, storing and using its customers’ biometric data in a fresh lawsuit filed in the US.
The London-based fintech firm is accused of having violated privacy rules in the state of Illinois by failing to fully inform users, and seek their consent, over the use of the biometric data, the length of time it is stored before being destroyed, and whether and how it is shared with third parties, according to court documents filed in a Cook County court.
Revolut uses the data – which is obtained by requesting users to take ‘selfies’ using their mobile apps – to verify their identities, for example by comparing the photos to those used on their passports or driving licences.
The rules, which form Illinois’ Biometric Information Privacy Act or BIPA, carry damages of up to $5,000 for every violation over the past five years, meaning that several million dollars’ worth of damages could accrue in the event the lawsuit is successful.
In 2021, Facebook was forced to pay more than $650 million in damages for breaching BIPA rules, in what was described at the time as one of the largest-ever settlements for a privacy violation. However, a similar lawsuit filed against Google was ultimately dismissed.
Revolut declined to comment. The firm is understood to be challenging the lawsuit.
Revolut has more than 35 million users worldwide, of whom around one million are in the US. A successful lawsuit would mark another blow to the finances of its US operations, after it lost $20 million in a cyberattack in which hackers exploited a software vulnerability.