Worldcoin Foundation – Violation Found (Portugal, 2024)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The Worldcoin Foundation collected biometric data, such as iris scans, from over 300,000 people in Portugal without following proper rules. It failed to let users erase their data or withdraw consent, which raises serious privacy concerns. This case highlights the importance of handling sensitive information responsibly.
What happened
Worldcoin Foundation processed biometric data from users without proper consent and failed to allow data erasure.
Who was affected
Over 300,000 people in Portugal whose biometric data was collected, including minors.
What the authority found
The Portuguese data protection authority found that Worldcoin lacked a valid legal basis for processing biometric data, violating GDPR requirements.
Why this matters
This case shows that companies must be transparent and responsible when handling sensitive data. It serves as a warning for businesses to ensure they have proper consent mechanisms in place.
GDPR Articles Cited
Original scraped data
Original data from scraper before AI verification against source document.
The Worldcoin Foundation (the controller) used a phone application and in-person sites to engage in large-scale processing of biometric data, particularly irises, eyes and faces. The data was subsequently processed for various purposes including the creation of a digital identity profile (World ID).
On 10 August 2023, the Portuguese DPA (CNPD) initiated an investigation. The CNPD found that the controller had collected the biometric data of over 300,000 data subjects within Portugal. It noted in particular that the controller (1) collected biometric data of minors, (2) made it impossible to exercise the right to erasure of the collected data, (3) made it impossible to revoke consent, and (4) provided deficient information to data subjects.
The controller collected data initially through a phone application through which data subjects could create a World ID in order to use Worldcoin cryptocurrency. In order to ‘verify’ the World ID, data subjects were encouraged to visit the controller’s in-person stores so that a device called an ‘Orb’ could capture high-resolution images of their irises, eyes, and faces. The controller alleged that this ‘verification process’ was necessary to establish ‘proof of personhood’ and prevent duplication of World IDs. Orb operators were taught to encourage data subjects to consent to the storage and use of the biometric data. The controller offered tokens to encourage data subjects to provide their biometric data via the Orb, and offered financial rewards for them to invite others to have their biometric data collected.
In February and March 2024, the CNPD received reports from data subjects concerning mass collection of minors’ biometric information, the impossibility of exercising rights to erasure, and inadequate disclosure concerning risks of processing at the time of collection. The CNPD observed that there were no measures in place to verify data subjects’ ages. It noted that the controller’s consent forms expressly mentioned th
Outcome
Violation Found
The DPA found a violation but did not impose a fine.
Details
Decision Date
25 March 2024
Authority
Commission Nationale pour la Protection des Données
About this data
Cite as: Cookie Fines. Worldcoin Foundation - Portugal (2024). Retrieved from cookiefines.eu