Hong Kong’s privacy authority has ordered Worldcoin to halt operations after uncovering serious issues with how the company handled personal and biometric data. The Office of the Privacy Commissioner for Personal Data (PCPD) found that Worldcoin’s collection of iris and face scans violated local privacy laws and posed major risks to user security.
At BTCRepublic, we looked into the report and found that the PCPD’s decision wasn’t just about data misuse; it reflects a growing global concern over how tech companies handle sensitive biometric information. Worldcoin, a project co-founded by OpenAI’s Sam Altman, has been under scrutiny for its plan to create a global digital ID system based on iris scans.
In this article, you’ll learn why Hong Kong stepped in, what the investigation revealed, and what this means for privacy protection worldwide.
- Key Takeaways
- Facts & Original Research: What the PCPD Found in the Worldcoin Case
- What Happened in Hong Kong?
- Hong Kong Says Worldcoin Violated Privacy Laws
- How This Affects Users and Operators
- Global Context: Other Regulators Watching
- Practical Steps You Can Take
- Conclusion
- Frequently Asked Questions (FAQs)
Key Takeaways
| Insight | Summary |
| 1. Hong Kong’s PCPD ordered Worldcoin to stop data collection | Regulators found the project violated local privacy laws related to biometric data handling. |
| 2. Over 8,000 residents had their irises scanned | The watchdog said this data was collected and stored without sufficient purpose transparency. |
| 3. Biometric data was retained for up to 10 years | Investigators flagged long-term storage as excessive and risky for user privacy. |
| 4. Six Worldcoin locations in Hong Kong were raided | Officials seized devices and records during their inspection for evidence. |
| 5. PCPD cited “unnecessary and excessive collection” | 7. Users are urged to request the deletion of stored data |
| 6. Similar actions in Spain and Portugal | Both countries previously halted Worldcoin’s data collection for privacy reasons, showing a broader regulatory trend. |
| 7. Users are urged to request deletion of stored data | The PCPD advised individuals who took part to exercise their right to erase personal information. |
Facts & Original Research: What the PCPD Found in the Worldcoin Case
The Hong Kong PCPD (Privacy Commissioner for Personal Data) conducted a months-long probe into Worldcoin’s iris scanning program, revealing clear breaches of privacy laws and poor data handling practices. The findings highlight why the watchdog ordered an immediate halt to all operations involving biometric collection.
Core Investigation Findings
| Key Data Point | Details / Source | Impact / Meaning |
| 8,302 Hong Kong residents scanned | PCPD investigation (2025 report) | Confirms the scale of personal data collected locally. |
| 6 premises inspected | PCPD enforcement notice | Devices and storage systems were seized for review. |
| Data is stored for up to 10 years | PCPD findings | Considered excessive and unnecessary under Hong Kong’s Personal Data (Privacy) Ordinance. |
| Consent process unclear | PCPD legal review | Users were not fully informed of storage duration or deletion rights. |
| Cross-border data transfers detected | PCPD inspection | Raised risks of data being processed or accessed overseas. |
What Happened in Hong Kong?
The Office of the Privacy Commissioner for Personal Data (PCPD) in Hong Kong launched an in-depth investigation into Worldcoin, a crypto-linked identity project founded by Sam Altman. The probe followed reports that the company was collecting and storing people’s iris and facial data through scanning devices called Orbs located across the city.
The PCPD’s investigation found that Worldcoin’s biometric data practices violated Hong Kong’s Personal Data (Privacy) Ordinance. Officials noted that users weren’t properly informed about how long their data would be kept or where it was stored.
Following the findings, the PCPD issued a cease-operations order demanding that Worldcoin immediately stop scanning and collecting biometric data from residents.
Investigators also conducted raids at six locations where Worldcoin devices were operating. The regulator later confirmed that over 8,300 individuals had already participated, marking one of the largest local data collection cases of its kind.
This enforcement sends a clear signal: Hong Kong takes biometric privacy seriously, especially when global tech projects collect sensitive personal data without transparent safeguards.
The Hong Kong ban adds to the growing number of regions where Worldcoin has been forced to stop operating. The project usually collects iris and facial images from the public through iris-scanning devices to generate a unique ID.
However, collecting sensitive biometric data has landed the company at loggerheads with privacy watchdogs. Among the issues mentioned are how the collected data is processed and used.
Hong Kong Says Worldcoin Violated Privacy Laws
Hong Kong’s privacy commissioner noted that the watchdog had visited the company’s location six times. Towards the end of January, the regulator used court warrants to raid these locations and collect evidence.
According to the privacy regulator, Worldcoin lured participants with free cryptocurrency to collect iris scans and facial data. The collection of such data was a privacy concern.
The region’s privacy chief, Ada Chung, noted that Worldcoin’s operations in Hong Kong failed to comply with data protection laws. Moreover, the company’s requirement for participants to submit facial and iris scans was “unnecessary and excessive.”
The regulator also accused Worldcoin of failing to submit the necessary documents, such as a biometric data consent form or a privacy notice. The company should also have informed those submitting their data about the potential risks of sharing such sensitive information.
How This Affects Users and Operators
The PCPD’s enforcement order against Worldcoin has direct effects on both everyday users and companies handling sensitive data in Hong Kong.
For Users
If you participated in the iris-scanning program, your personal and biometric data may still exist in storage systems operated by Worldcoin. The PCPD has advised users to:
- Submit a data access or deletion request to confirm whether their information has been erased.
- Stay alert for phishing or fake communication attempts using the Worldcoin name.
- Avoid sharing further biometric details through unofficial or unverified scanning devices.
You can file privacy-related complaints directly with the Office of the Privacy Commissioner for Personal Data (PCPD) if you suspect misuse.
For Operators and Tech Firms
The ruling serves as a reminder that any organisation collecting biometric or sensitive data must:
- Define a clear, lawful purpose for data collection.
- Obtain informed consent from every participant.
- Avoid storing data longer than necessary and ensure deletion mechanisms are in place.
- Maintain transparency about where and how data is processed.
This case shows that biometric data projects are now under close scrutiny, and regulators expect strict compliance before allowing similar programs to continue.
Global Context: Other Regulators Watching
Hong Kong isn’t alone in its action against Worldcoin. Privacy regulators around the world have raised red flags about how the project collects, stores, and transfers biometric data. The halt in Hong Kong adds to a growing list of enforcement cases showing that global authorities are taking biometric privacy far more seriously than ever before.
Global Actions Against Worldcoin
| Country / Region | Regulatory Action | Outcome / Status |
| Spain | Issued a cease-operations order under PDPO | Temporary ban upheld while investigation continues |
| Portugal | Imposed a 90-day suspension on all biometric collection | Worldcoin operations remain paused |
| Kenya | Suspended Worldcoin activities after national data audit | Awaiting new compliance review |
| Germany (Bavaria DPA) | Opened an inquiry into biometric handling procedures | Ongoing monitoring of data transfer practices |
| Hong Kong | Issued cease-operations order under PDPO | All local scanning activities stopped |
Practical Steps You Can Take
Whether you’re a participant in Worldcoin’s scanning program or simply concerned about data protection, there are clear actions you can take to protect your privacy and stay informed.
For Individuals
- Check if your data was collected
Visit the official Worldcoin support page or contact the company through verified email channels to confirm whether your iris or face scan is stored. - Request data deletion
Under Hong Kong’s privacy laws, you have the right to ask for erasure of personal data. Submit a formal request referencing the Personal Data (Privacy) Ordinance (PDPO). - Monitor for misuse
Stay alert for messages or websites claiming to be Worldcoin representatives. Phishing attempts often follow large investigations. - Stay updated
Follow privacy news from BTCRepublic or the PCPD for verified updates on the case and new policy developments.
For Businesses and Developers
- Create transparent privacy notices and explain data use in plain language.
- Limit biometric collection to essential functions only.
Implement short retention periods and document deletion policies. - Conduct independent audits before launching any data-intensive app or service.
Conclusion
The halt of Worldcoin’s operations in Hong Kong sends a strong message to every tech and crypto project handling personal data: privacy protection is non-negotiable. The PCPD’s investigation revealed that unclear consent forms, long data retention, and limited transparency around iris scans were unacceptable under local law.
This decision adds to a series of global actions, from Spain to Portugal, proving that regulators worldwide are tightening rules around biometric collection.
For individuals, the case is a reminder to question how personal data is stored and used. For companies, it’s a signal to build trust through compliance and openness before scaling globally.
Stay informed on privacy developments, digital ID trends, and global crypto regulation with BTCRepublic, your source for accurate, human-focused reporting on technology and data ethics.
Frequently Asked Questions (FAQs)
Did Hong Kong ban Worldcoin completely?
Not entirely, but the PCPD ordered Worldcoin to stop all biometric data collection and related activities in Hong Kong. The company can only resume operations if it fully complies with local privacy laws and proves that data handling meets legal standards.
What did the investigation uncover?
The PCPD found that Worldcoin collected iris and facial scans from over 8,000 people without giving clear details on storage, retention, or deletion. Data was kept for up to 10 years — much longer than necessary — and participants weren’t fully informed about how it would be used.
How can I delete my Worldcoin data?
You can file a data deletion or access request directly with Worldcoin or contact the Office of the Privacy Commissioner for Personal Data (PCPD). Include your registration details and specify that you want your biometric data permanently removed.
Is my personal information at risk?
If your data was scanned, it could still be stored unless deleted. While Worldcoin claims to encrypt biometric data, regulators say encryption doesn’t remove privacy risks if users can’t confirm deletion. Staying cautious and filing a request is the safest option.
What does this mean for future biometric projects?
The case shows that regulators now demand transparency, necessity, and consent before allowing biometric collection. Projects like Worldcoin will need to meet stricter privacy standards to operate globally.
