South Korea Fines Worldcoin $860K for Data Collection Violations

Worldcoin and its parent company, Tools for Humanity (TFH), were fined by South Korea's Personal Information Protection Commission (PIPC) for failing to comply with data protection laws. The violations center on improper data collection practices, including the handling of sensitive biometric information.

According to a press release issued on September 25, the PIPC levied a combined fine of KRW 1.14 billion ($861,408) against Worldcoin and TFH. Specifically, Worldcoin faces a penalty of KRW 725 million ($550,000), while TFH is fined KRW 379 million ($287,000). The fines are accompanied by corrective orders and recommendations to improve data handling practices.

The companies were found to have violated multiple provisions of South Korea's Personal Information Protection Act (PIPA), including failing to properly disclose the purpose of collecting iris data and neglecting to secure separate consent from users for such sensitive information. 

An investigation, launched in February following complaints and media reports, revealed that Worldcoin and TFH were collecting biometric information—such as iris scans—without a legal basis, in exchange for virtual assets like 'Worldcoin.' The probe concluded that the companies did not inform users about the purpose of collecting their data, nor did they clarify the retention and usage period of this information as required under PIPA.

Moreover, Worldcoin and TFH transferred users' biometric data to countries such as Germany without providing transparency about the recipients or destinations of the data. Under PIPA, companies must inform users when transferring personal data overseas, specifying where it will be sent and who will receive it.

In addition to the fines, the PIPC imposed new requirements on the companies. Moving forward, Worldcoin and TFH must obtain separate, explicit consent when processing iris data and ensure that it is only used for its stated purpose. They are also required to inform users of relevant details when transferring biometric data internationally.

The investigation also uncovered that Worldcoin did not provide users with the ability to delete or suspend the processing of their iris codes, a requirement under South Korean law. In response, Worldcoin added a deletion feature in April. Further, the PIPC found that WorldApp, another platform operated by TFH, lacked proper age verification measures for users under 14. As a result, TFH has been ordered to implement stricter verification procedures as part of the corrective actions.

This decision highlights the growing scrutiny on companies handling sensitive biometric data, especially regarding transparency and user consent.