NAIROBI, Kenya — Kenya’s Office of the Data Protection Commissioner (ODPC) has formally confirmed the complete deletion of biometric data collected from Kenyan citizens by Worldcoin’s parent company, Tools for Humanity, marking the conclusion of a prolonged legal and regulatory confrontation.
In a public notice dated January 20, 2026, the ODPC said Worldcoin had fully complied with government directives to erase iris scan and related biometric identifiers, which were central to the suspension of its operations in Kenya in 2023.
“Regarding the processing of Kenyans’ personal data by Tools for Humanity, we confirm that the data controller has deleted all biometric data previously collected from Kenyan citizens,” the commission stated.
The declaration follows an extensive compliance audit by the ODPC to verify adherence to Kenya’s Data Protection Act, 2019, a statute designed to safeguard individual privacy and regulate the processing of personal information.
Background: Legal and regulatory context
The deletion requirement stems from a May 2025 High Court ruling, which found that Worldcoin’s biometric data operations in Kenya had breached national data protection law by collecting sensitive personal identifiers without a valid Data Protection Impact Assessment and without legally sufficient consent.
The High Court ordered that:
- All biometric data collected be erased within seven days under the supervision of the ODPC;
- Worldcoin cease further processing or collection of biometric data in Kenya unless it meets legal prerequisites; and
- The company’s previous decision to collect or process such data be quashed.
At the time, civil society groups including Amnesty International Kenya welcomed the ruling, arguing that the company’s incentive model, offering cryptocurrency in return for personal data, failed to meet legal standards for informed and freely given consent.
Ongoing accountability and regulatory signals
Although the ODPC has confirmed full deletion of the data, it has not disclosed the exact volume of records involved.
The regulator reiterated its broader mandate “to enforce the law, protect data subjects, and ensure that all data controllers and processors are held accountable for any non‑compliance.”
The ODPC also emphasised that the deletion sets “an important precedent” for multinational digital firms operating in Kenya, reinforcing key provisions of the Data Protection Act, particularly Section 25 on personal data privacy.
Worldcoin has indicated an interest in potentially resuming operations in Kenya under a revised framework that fully aligns with domestic data protection laws, though specific plans remain under discussion.
Regional and global context
Kenya’s action reflects a wider pattern of regulatory scrutiny confronting Worldcoin and similar digital identity projects.
Other jurisdictions, including Indonesia and parts of Europe, have paused or restricted related services over concerns about privacy, consent and operational compliance.
What this means for data protection in Kenya
Experts say the episode underscores the growing importance of data governance frameworks in African digital markets.
As Kenya positions itself as a hub for innovation in fintech and digital identity systems, the ruling and subsequent enforcement action signal that technological experimentation must be balanced with statutory rights and protections.
The government is also preparing to implement tighter regulations on cross‑border data flows and processing standards.
These issues are expected to feature prominently at the Data Privacy Conference 2026 in Mombasa later this year.

