The company Tools for Humanity, which manufactures an advanced camera called ORB, had been collecting iris, facial, and eye data from individuals in exchange for financial compensation via a crypto asset known as World Coin (WLD).
The stated purpose of iris collection, according to the company, was the development of a “unique human verification system” for digital identity verification, named World ID.
Under the Brazilian General Data Protection Law (LGPD), sensitive personal data is defined as personal data concerning racial or ethnic origin, religious belief, political opinion, trade union or religious, philosophical or political organization membership, data concerning health or sex life, genetic or biometric data, when linked to a natural person.
Since the iris is unquestionably biometric data, it is classified as sensitive personal data and is subject to stricter processing requirements under the LGPD.
The company had been relying on the legal basis of consent to process iris biometric data in exchange for financial compensation to individuals, as provided under Article 11, section I of the LGPD.
On 11 November 2024, the Brazilian Data Protection Authority (Brazilian DPA), through its General Coordination of Supervision, initiated an oversight procedure against the company to investigate the processing of users’ biometric personal data in the context of the World ID project.
The Brazilian DPA requested several clarifications from the company, such as the context of data processing activities, the legal basis justifying the processing of biometric personal data, security measures adopted by the company, among other relevant information.
The company submitted the documents and information requested by the Brazilian DPA. However, on 24 January 2025, the Brazilian DPA decided to apply a preventive measure against Tools for Humanity, suspending the offer of cryptocurrency or any other form of financial compensation in exchange for iris collection.
The Brazilian DPA concluded that the consent obtained by the company was not valid, as the LGPD requires that consent be freely given, informed, unambiguous, and specifically and prominently provided for particular purposes.
Therefore, the Brazilian DPA understood that the financial compensation offered by the company to individuals in exchange for the collection of their iris data constituted an interference with the individuals’ free expression of will—especially in cases where there is potential vulnerability and economic disadvantage.
Tools for Humanity appealed the suspension decision. However, on 11 February 2025, the Brazilian DPA upheld the suspension of iris collection in exchange for financial compensation.
Brazilian DPA Director and case rapporteur Miriam Wimmer emphasised that the financial incentive offered by the company constitutes undue interference with the data subjects’ free will.
This case highlights the importance of understanding the LGPD, especially regarding the processing of sensitive personal data. Transparency and the appropriate legal basis must always be ensured.
It is essential to implement a continuous privacy, personal data protection, and cybersecurity governance programme to prevent further consequences, enforcement actions, and sanctions in both the administrative and judicial spheres.
