Colombia Orders Worldcoin Shutdown Over Biometric Data Violations

Colombia’s Superintendency of Industry and Commerce (Superintendencia de Industria y Comercio, SIC) has issued an “immediate and permanent” shutdown order against World Foundation and its developer, Tools for Humanity, the companies behind the digital identity project Worldcoin. The move follows an investigation that found serious breaches of Colombia’s data protection law, known as Law 1581 of 2012.

The regulator has prohibited both entities from collecting or processing any personal information belonging to Colombians and ordered them to delete all sensitive data already obtained, including biometric templates, codes, and iris scans stored on servers. The decision affects nearly two million users who had registered in Colombia by submitting their iris data through Worldcoin’s Orb scanning devices.

According to the SIC’s investigation, Worldcoin offered financial incentives to users to provide their biometric data without adequately explaining how the data would be used or stored. The regulator determined that users’ consent was not fully informed, that data was subjected to processing beyond what was disclosed, and that individuals were effectively pressured into participation through economic inducements.

SIC identified five separate violations of Colombia’s data protection framework. The ruling highlights a growing global scrutiny of biometric and AI-driven identity systems, particularly concerning the collection of highly sensitive data such as iris scans.

A growing pattern of global enforcement
This is not the first time Worldcoin has faced regulatory backlash. Earlier in October, the Philippines’ National Privacy Commission issued a cease-and-desist order against the same project, citing similar concerns about transparency and consent. The initiative is also under parliamentary investigation in Brazil.

Co-founded by OpenAI CEO Sam Altman, Worldcoin markets itself as a global digital identity system that uses iris recognition to verify ‘proof of personhood’ – distinguishing humans from AI-generated accounts. The company says it does not store biometric images and that the verification process uses cryptographic methods to confirm users’ uniqueness while maintaining anonymity.

In response to the Colombian order, Worldcoin stated that the regulator’s findings are ‘incomplete’ and based on ‘outdated policies and technologies.’ The company maintains that biometric images are processed locally and deleted within seconds and that the Worldcoin token offered after registration is optional and separate from the verification process.

‘World is an innovative technological development that helps protect Colombians from scams, identity theft, and fraud driven by artificial intelligence,’ the company said in a statement published by Forbes. It added that it intends to cooperate with the SIC to clarify how its technology works.

Civil society reaction

Colombian civil society organisations have strongly backed the regulator’s decision, describing it as an essential step to protect the constitutional right to control personal data.

Groups such as Fundación Karisma, a leading digital rights organisation, warned that Worldcoin’s model was ‘very opaque with the use of data’ and exploited vulnerable communities by offering money or tokens in exchange for highly sensitive biometric information. ‘The fact that a problem arises doesn’t mean it should be solved in any way,’ said Karisma co-director Juan Diego Castañeda, stressing that iris scans, unique and irreversible identifiers, demand the highest possible safeguards.

Civil society actors also questioned whether participants truly understood what they were consenting to. They noted that financial rewards can distort the voluntariness of consent, particularly among those facing economic hardship. Advocacy groups argue that such practices undermine the principle of human dignity at the heart of data protection law.

More broadly, privacy advocates across Latin America see the case as part of a growing need for stronger oversight of AI-driven biometric systems. ‘If people do not fully understand the risks, they cannot give meaningful consent,’ said one digital rights expert quoted by El País. Organisations in the region have called for clearer regulations, transparency in algorithmic processing, and stronger enforcement mechanisms to prevent companies from exploiting regulatory gaps in developing countries.