Worldcoin iris data wiped as Kenya tightens grip on biometric tech

Kenya’s data regulator has confirmed the full deletion of Worldcoin-linked biometric data, marking a decisive end to the country’s 2023 crackdown on “biometrics-for-tokens” models and setting a tougher compliance benchmark for digital identity, fintech and AI firms operating in Africa.

By Nhlanhla Muthe

Kenya’s data regulator has confirmed that all biometric data collected from Kenyan citizens by Tools for Humanity, the company behind the Worldcoin project, has been fully deleted.

The hard stance closes a major chapter in the country’s 2023 crackdown on “biometrics-for-tokens” models.

In a public notice dated January 20, the Office of the Data Protection Commissioner (ODPC) said it had verified the erasure of iris scans and related biometric identifiers gathered during Worldcoin’s short-lived operations in Kenya. The confirmation follows months of regulatory scrutiny and a compliance audit under the Data Protection Act, 2019.

“Regarding the processing of Kenyans’ personal data by Tools for Humanity, we confirm that the data controller has deleted all biometric data previously collected from Kenyan citizens,” the ODPC said in its statement. “The Office remains dedicated to enforcing the law, protecting data subjects, and ensuring that all data controllers and processors are held accountable for any non-compliance.”

Tools for Humanity had collected iris scans using specialised Orb devices, offering participants cryptocurrency tokens in exchange for biometric enrolment. While the programme was marketed as voluntary, Kenyan regulators later found that the incentive structure undermined lawful consent, a core requirement for processing sensitive personal data.

According to the ODPC, the company failed to conduct a mandatory Data Protection Impact Assessment and transferred biometric data outside Kenya without proper authorisation. It also did not fully meet registration obligations for entities involved in the data processing chain.

Biometric data is classified as sensitive personal data under Kenyan law, triggering higher standards for consent, purpose limitation and safeguards. The regulator did not disclose how many records were deleted or whether further penalties would follow.

Beyond Worldcoin, the decision has broader implications for Africa’s fast-growing digital identity, fintech and AI sectors. Kenya’s enforcement sends a clear message that experimental models built on trading biometric identifiers for financial rewards will face strict scrutiny.

For investors and technology firms, the move reinforces Kenya’s position as a “rules-forward” market. Compliance costs may rise, but regulatory clarity could also improve trust and predictability for serious operators willing to meet the standard.

As African governments grapple with digital identity and inclusion, Kenya’s Worldcoin episode is emerging as a precedent that innovation is welcome, but not at the expense of citizens’ biometric privacy.