This article examines Thailand's enforcement action against Worldcoin, highlighting critical regulatory concerns surrounding biometric data collection and cryptocurrency incentive models. The Ministry of Digital Economy and Society ordered immediate suspension of operations and deletion of 1.2 million iris scans, citing violations of Thailand's Personal Data Protection Act. The enforcement reflects a global regulatory trend, with authorities across Kenya, Spain, Portugal, and Hong Kong implementing similar restrictions due to privacy concerns inherent to permanent biometric identifiers. The article explores technical innovations Worldcoin introduced—including Secure Multi-Party Computation and alternative verification methods—to address regulatory scrutiny. Despite operational challenges, the platform continues expanding, demonstrating the tension between privacy protection and emerging digital identity technologies in the Web3 ecosystem.
Thailand Tightens Grip on Worldcoin, Citing Illegal Biometric Data Practices
Thailand's Ministry of Digital Economy and Society has issued a comprehensive directive ordering the World project, formerly known as Worldcoin, to immediately suspend all operations within the country and permanently delete iris scan data collected from approximately 1.2 million Thai citizens. This enforcement action represents one of the most significant regulatory interventions against the controversial digital identity system founded by OpenAI CEO Sam Altman.
The decision follows an extensive investigation by the National Economic and Social Development Board, which concluded that the project's core business model—exchanging iris scans for WLD cryptocurrency tokens—fundamentally violates Thailand's Personal Data Protection Act (PDPA). The PDPA establishes strict requirements for the collection, processing, storage, and disclosure of sensitive personal information, with particularly stringent provisions governing biometric data due to its permanent and irreversible nature.
The announcement emerged from a high-level coordination meeting led by Minister of Digital Economy and Society Chaichanok Chidchob. Senior officials from the Personal Data Protection Committee (PDPC) and the Electronic Transactions Development Agency participated in the briefing, presenting detailed findings on why World's operational practices were deemed unlawful under Thai law. According to the official statement, the system's approach to collecting and processing iris biometric data in exchange for cryptocurrency tokens violated multiple provisions of the PDPA, particularly those governing informed consent, data minimization, and the protection of sensitive personal information.
This latest enforcement action builds upon previous regulatory scrutiny that began intensifying in recent months. Authorities conducted a significant raid on a World-affiliated iris scanning center in Bangkok, with the Securities and Exchange Commission and the Cyber Crime Investigation Bureau executing the operation jointly. The raid resulted in multiple arrests of individuals allegedly operating an unlicensed digital asset exchange that facilitated WLD token transactions without proper authorization under Thailand's Digital Asset Business Emergency Decree.
Investigators discovered that operators were providing cryptocurrency exchange services without obtaining the necessary regulatory approvals, thereby creating substantial risks for users including potential exposure to fraudulent schemes and money laundering activities. The authorities emphasized that this incident highlighted broader systemic concerns about unregulated cryptocurrency operations connected to World's rapidly expanding global identity verification network. The lack of proper licensing and oversight mechanisms raised serious questions about consumer protection and financial system integrity.
In response to the government's directive, World Thailand announced the immediate suspension of all verification activities and removed Thailand from its official list of active Orb locations. The Orb is the specialized hardware device used to capture and process iris biometric data from participants. Company representatives expressed surprise at the enforcement order, maintaining that they had operated in full compliance with local regulations throughout their presence in Thailand. The company issued a statement warning that millions of Thai users who had enrolled in the program—many seeking protection against online scams, identity theft, and AI-driven fraud—would be significantly affected by the suspension.
World Thailand indicated its intention to maintain ongoing dialogue with the Ministry of Digital Economy and Society and the Personal Data Protection Committee, expressing hope for reaching a resolution that would allow operations to resume under a framework acceptable to regulators. The company emphasized its commitment to data protection and privacy while arguing that its technology provides valuable safeguards in an increasingly digital economy.
Regulators Across Continents Target Worldcoin's Oversensitive Iris Data Handling
Thailand's enforcement action places the country among a growing international coalition of jurisdictions that have implemented restrictions, suspensions, or outright bans on World's operations. Since the project's initial launch under the Worldcoin brand, regulatory authorities across multiple continents have raised serious concerns about the handling of biometric data and the ethical implications of the incentive-based enrollment model.
Kenya emerged as one of the first countries to take decisive action, with authorities ordering a complete suspension of operations pending a comprehensive investigation into data protection practices. Spanish regulators similarly intervened, citing violations of the European Union's General Data Protection Regulation (GDPR), which establishes some of the world's most stringent requirements for processing personal data. Portugal followed with its own enforcement measures, while Indonesian authorities raised concerns about the project's compliance with local privacy laws and cultural sensitivities regarding biometric information collection.
Hong Kong's privacy commissioner launched an investigation into the project's operations, questioning whether the consent mechanisms met legal standards given the financial incentives offered to participants. Brazilian data protection authorities expressed similar concerns, arguing that offering cryptocurrency tokens in exchange for permanent biometric identifiers fundamentally compromises the voluntary nature of consent. Colombian regulators joined the growing list of enforcement actions, implementing operational restrictions while conducting their own assessment of the project's compliance with national data protection frameworks.
Regulators across these diverse jurisdictions have identified several common concerns that transcend geographical and legal boundaries. The permanent and immutable nature of iris biometric data stands at the center of these concerns—unlike passwords or even fingerprints, iris patterns cannot be changed if compromised, creating lifelong privacy implications for affected individuals. The incentive-based enrollment model has drawn particular scrutiny, with authorities arguing that offering financial rewards undermines the principle of free and informed consent that forms the foundation of modern data protection law.
Courts and data protection agencies in multiple countries have issued orders requiring temporary operational suspensions, mandating the deletion of collected biometric data, or imposing complete bans pending resolution of ongoing investigations. These enforcement actions reflect a growing global consensus that biometric data collection requires exceptionally rigorous safeguards, transparent practices, and genuine user consent that is not influenced by financial inducements.
European regulators have been particularly assertive in their analysis of the project's data handling practices. Data protection authorities determined that even the anonymized iris codes—mathematical representations derived from iris scans—qualify as personal data under GDPR because they can potentially be linked back to specific individuals. This classification triggers the regulation's most stringent compliance requirements, including strict limitations on data processing purposes, mandatory data protection impact assessments, and enhanced rights for data subjects. Initial assessments suggested that World's practices did not meet these elevated standards, prompting enforcement actions and ongoing regulatory dialogue.
In response to mounting regulatory pressure and enforcement actions worldwide, World's development team has introduced a series of technical innovations and policy changes designed to address global privacy concerns. The company has begun implementing a sophisticated Secure Multi-Party Computation (SMPC) system that fundamentally changes how biometric information is processed and stored. Under this new architecture, iris data is divided into multiple encrypted fragments that are distributed across different secure locations, with no single entity possessing complete access to the original biometric information.
The company has also unveiled a redesigned version of its Orb hardware device, incorporating enhanced transparency features that provide users with more detailed information about the data collection and processing procedures. Recognizing that some users and regulators remain uncomfortable with biometric verification methods, World has launched an alternative verification pathway that utilizes passport documents and Near Field Communication (NFC) technology to establish identity without requiring iris scans.
As part of an ongoing privacy upgrade initiative, the company has begun systematically deleting older iris codes that were collected under previous data handling protocols. Company representatives emphasize that the Orb devices themselves never store raw biometric data locally—all processing occurs in real-time with immediate encryption and transmission to secure servers. These technical measures represent an attempt to address regulatory concerns while maintaining the core functionality of the global identity verification network.
Despite facing significant regulatory headwinds in multiple major markets, the project continues to demonstrate substantial global expansion. The World ID digital identity service has expanded its presence into the United States and the Philippines, representing entry into two large and economically significant markets. The World App, which serves as the primary interface for users to access their digital identity credentials and manage their WLD token holdings, has surpassed 37 million registered users worldwide. The company reports that it has completed more than 100 million identity verifications across operations in 160 countries, demonstrating the scale and reach of the network even as regulatory challenges persist in key jurisdictions.
This tension between rapid global expansion and increasing regulatory scrutiny highlights the complex challenges facing biometric identity systems in an era of heightened privacy awareness and evolving data protection frameworks. As more countries develop and enforce comprehensive privacy regulations, projects like World must navigate an increasingly complex patchwork of legal requirements while attempting to build a globally interoperable identity verification system.
FAQ
Why did Thailand require World company to delete 1.2 million iris scan records? What laws were violated?
Thailand ordered World to delete the iris scan data because it violated Thailand's Personal Data Protection Act. The massive collection and storage of biometric data without proper consent breached privacy regulations and individual data protection rights.
What is iris scanning technology? Why does Sam Altman's World company collect this biometric data?
Iris scanning is a biometric identification technology that recognizes individuals through iris images. World collects this data to verify identity and prevent fraud. The biometric data is deleted after identity verification and AI training completion.
What are the legal consequences if World company does not delete the data, and how severe are Thailand's penalties?
World company faces up to six months imprisonment or maximum 500,000 Thai Baht fine, or both, under Thailand's Personal Data Protection Act. Thailand enforces strict penalties for data protection violations.
What are the differences in biometric data privacy protection (iris scans, facial recognition, etc.) across different countries?
Biometric privacy regulations vary significantly by country. The EU enforces strict GDPR standards, the US has fragmented state-level regulations, and China implements its own data protection framework. Key differences include data storage requirements, usage permissions, and cross-border sharing restrictions.
How does this event impact the operations of other tech companies in Thailand or Southeast Asia?
This event heightens risk awareness among tech companies in Thailand and Southeast Asia, prompting them to strengthen supply chain diversification and localized operations. Many companies are reassessing their regional strategies and compliance frameworks to mitigate regulatory risks.
How does World company safely delete collected iris data? What technical guarantees are provided?
World securely deletes iris data by immediately removing original iris images after generating unique iris codes. Zero-knowledge proof technology ensures data privacy and security without storing raw biometric information.
* The information is not intended to be and does not constitute financial advice or any other recommendation of any sort offered or endorsed by Gate.
