Portugal Halts Worldcoin’s Biometric Data Collection

In a recent move, Portugal’s data regulator, the National Data Protection Commission (CNPD), has taken decisive action against Worldcoin, a controversial crypto biometrics venture, ordering it to cease collecting biometric data for 90 days. This decision comes amid growing concerns over the protection of citizens’ data privacy rights, particularly in relation to minors.

Worldcoin, founded by Sam Altman, CEO of OpenAI, operates by scanning individuals’ irises through its Orb devices, offering a digital ID and its own cryptocurrency, WLD coin, in return. Despite its global reach, with over 4.5 million sign-ups in 120 countries, Portugal has reported more than 300,000 individuals providing their biometric data for the project.

The CNPD’s action follows numerous complaints, particularly regarding the unauthorized collection of data from minors, deficiencies in information provided to data subjects, and the inability to erase data or withdraw consent. This underscores the heightened risks associated with processing biometric data, especially of vulnerable populations such as minors, under GDPR standards.

This regulatory setback is not isolated, as Worldcoin has faced similar bans in other jurisdictions. Spain’s data protection authority issued a three-month ban earlier, and Kenya suspended Worldcoin’s operations last August. These actions reflect a broader trend of regulatory scrutiny over projects involving biometric data collection, highlighting concerns over privacy and data protection.

Worldcoin’s response has emphasized compliance with relevant laws and regulations governing biometric data collection and transfer. On the record comment attributable to Jannick Preiwisch, Data Protection Officer at the Worldcoin Foundation, stated,

“Worldcoin is fully compliant with all laws and regulations governing the collection and transfer of biometric data, including Europe’s General Data Protection Regulation. The Worldcoin Foundation has the utmost respect for the role and responsibilities of data protection authorities, in the CNPD in Portugal. Since offering humanness verification services in Portugal, we have been completely transparent and happy to address CNPD’s questions or concerns. The report from CNPD is the first time we are hearing from them regarding many of these matters, including reports of underage sign-ups in Portugal, for which we have zero tolerance for and are working to address in all instances, even if a matter of a few reports.”

Furthermore, the company has introduced measures like “Personal Custody,” aimed at giving users more control over their data—not just deletion, but any future use prior to being deleted. However, challenges remain as regulators continue to investigate and address concerns surrounding data privacy and protection.

Under the supervision of the BayLDA, the Worldcoin project has improved their privacy practices and shows robust compliance with GDPR requirements. To that end, on Friday, March 22, Worldcoin  open sourced its orb software and began its transition to personal custody.

While Worldcoin’s ambitious goals of building an identity and financial network have drawn attention, they also raise questions about the ethical and legal implications of biometric data usage. As technology evolves, balancing innovation with privacy rights becomes increasingly crucial.

Updated (March 27, 2028) with the comment attributable to Jannick Preiwisch, Data Protection Officer at the Worldcoin Foundation