The Bavarian State Data Protection Supervisory Agency (BayLDA) has ordered Worldcoin to implement stricter privacy measures after completing its investigation into the company’s biometric data practices.
Worldcoin (WLD) has been commissioned to provide a GDPR-compliant data deletion process within one month. The BayLDA also required the company to obtain explicit user consent for certain data processing activities and to delete previously collected data without sufficient legal basis.
Investigation completed
The investigation, launched in April 2023, examined the collection and use of biometric data acquired by Worldcoin, which the company uses to create unique digital identities through its World ID system.
The system aims to authenticate people and prevent double registrations. While Worldcoin voluntarily ceased operations in certain EU countries during the investigation, the BayLDA identified additional compliance issues.
Michael Will, President of BayLDA, said:
“With today’s decision, we are upholding European fundamental rights standards for the benefit of those involved. All users who have provided Worldcoin with their iris data now have the unrestricted right to demand the erasure of their data.”
The BayLDA ruling requires Worldcoin to introduce a GDPR-compliant data deletion process within one month of implementing the decision.
The authority also required explicit consent for specific data processing activities and ordered the deletion of data collected without sufficient legal basis. In addition, issues such as the protection of minors and possible administrative violations continue to be examined separately.
The research was conducted in collaboration with the European data protection authorities in the context of the General Data Protection Regulation (GDPR).
Regulatory challenges
Worldcoin’s operations span Europe and the rest of the world, making enforcement of uniform data protection standards complex. The project has drawn criticism worldwide over concerns about its biometric data practices and compliance with local laws. However, not all research has progressed.
In Kenya, authorities initially suspended Worldcoin’s operations due to privacy, security and financial concerns. After further investigation, the investigation was closed without further action, provided the company complies with local regulations.
Despite this, scrutiny continues in other regions, such as Hong Kong and Singapore, regarding data collection practices and possible financial misconduct, highlighting ongoing global concerns about the operation of the project.