German Regulator Orders World to Delete User Data

The Bavarian Data Protection Authority (BayLDA) has ordered World (formerly Worldcoin) to delete users’ personal data and implement a procedure allowing users to do so themselves.

BayLDA has been examining the project’s operations since late 2022 due to risks to the personal information of EU citizens. According to officials, World has been “constantly working to improve its data protection principles,” but these efforts have been insufficient so far.

“Despite the improvements already made, further changes are necessary to align the company’s data processing procedures with the law,” noted BayLDA.

According to the regulator’s statement, the project must align its personal data deletion procedure with regulations, erase previously collected information, and “explicitly” seek users’ consent for future data processing.

The World team has contested the decision and published a statement with explanations. They claim that “BayLDA’s conclusions pertain to outdated methods that were replaced during 2024.”

The developers emphasized that thanks to the Personal Data Custody system, user data is stored exclusively on their devices. Neither World nor other parties know who owns specific World ID identifiers.

They also urged European regulators to develop clear anonymity standards for the General Data Protection Regulation (GDPR). Without this, it is “extremely difficult” to create systems with anonymization and “safely use data for good purposes.”

“Without a clear definition of anonymity, we may lose our most powerful tool in the fight for privacy protection in the AI era,” stated Damian Kieran, Chief Privacy Officer at Tools for Humanity.

In September, World began testing facial recognition technology for the World App.