On 24 November 2025, the Office of the Personal Data Protection Committee (PDPC) issued an order for the business conducting “iris scans in exchange for crypto tokens” (unnamed, but widely understood to be Worldcoin) to suspend its services and delete all data belonging to 1.2 million users.
The PDPC’s Expert Committee No. 2 reviewed the business and found that it had collected “biometric data,” which is a sensitive category of personal information. The consent obtained from data subjects did not meet legal standards because it was incentivized with cryptocurrency rewards, making the consent not freely given as required by law.
Another issue concerns the stated purpose of consent at the time of data collection. Users were informed that their iris data would be used “to verify humanness,” yet individuals who had already scanned their irises could not rescan. The committee viewed this as “identity verification,” which exceeds the original scope for which consent was obtained.
Pol. Col. Surapong Plengkham, Secretary-General of the PDPC, stated that the Expert Committee issued the following administrative orders:
1. The service provider and all persons involved in collecting iris data must immediately suspend or cease collecting personal data through iris scanning in exchange for cryptocurrency. They must report compliance to the PDPC within 7 days.
2. The service provider and involved parties must delete and destroy all iris data and related personal data of 1.2 million individuals to prevent the unlawful transfer of such personal data abroad.