Colombia Orders Immediate, Definitive Closure of Worldcoin Operations

Colombia’s Superintendence of Industry and Commerce (SIC), the country’s data protection and market regulator, has ordered the “immediate and definitive closure” of all data processing operations in Colombia for World Foundation (formerly Worldcoin Foundation) and Tools for Humanity Corporation.

The sanction, detailed in Resolution 78798 of October 3, 2025, concludes a seven-month investigation into the companies’ practice of collecting sensitive biometric data from thousands of Colombians.

The companies began operations in Colombia in the first half of 2024, deploying “Orb” devices to capture biometric images of individuals’ irises. This data was used to create a “World ID” and, according to the SIC, was obtained by offering economic compensation.

President Gustavo Petro commented on the sanction via his account on the social network X: “Excellent. In Colombia, the right to habeas data exists. You own your data. Sensitive data like the iris of the eyes cannot be handed over simply for money, without knowledge of the use that will be given to it. For this practice, the operations of these companies were closed.”

The SIC investigation determined that this quid pro quo—offering money for biometric data—invalidated the legality of the consent obtained. The agency found that the economic incentive “conditioned the will” of data holders, preventing them from making a “free, spontaneous, or voluntary” decision as required by Colombian law.

The agency labeled the resulting consent an “uninformed and premature decision”.

SIC Findings and Legal Basis

The 76-page resolution details multiple, cascading violations of Colombia’s Statutory Law 1581 of 2012, which governs the constitutional right to habeas data, or the right of citizens to control their personal information.

Under Colombian law, biometric data, such as an iris scan, is classified as “sensitive data”. The processing of such data is expressly prohibited by default, with narrow exceptions, such as obtaining explicit, prior, and informed authorization from the user.

The SIC’s Directorate of Personal Data Protection Investigations found that the companies failed to meet this standard on several fronts:

• No Legal Authorization: The investigation concluded that the authorization formats used did not comply with the “principle of liberty” and other legal requirements. For example, several forms and processes presented to users were in English, not in Spanish, Colombia’s official language.
• Inadequate Policies: The companies’ data treatment policies were not adapted to Colombian law. The SIC noted that while Worldcoin’s policies included “adendas” (addendums) with specific, often stricter, rules for regions like the European Union, Japan, Argentina, and Peru, no such addendum was created for Colombia.
• Insufficient Security Measures: The resolution states that the companies failed to demonstrate “appropriate and effective” security measures for the sensitive data collected. The company’s 2021 Information Security Policy did not specifically cover the processing of biometric data.
• Lack of Transparency: The SIC found that Worldcoin failed to inform users about its Secure Multi-Party Computation (SMPC) protocol, a system where iris codes are fragmented and stored by third parties. This protocol was not disclosed in consent forms until December 2024, despite being in use since May 2024. The agency also raised concerns about the security risks and oversight of the third parties (including universities and other companies) storing these data fragments.
• Incomplete Data Deletion: The regulator found that the companies’ consent forms informed users that their “iris code” or “proof of singularity” would not be deleted, even if the user requested the deletion of their images. The SIC argued this proves the data is never fully suppressed, as it must be retained to check for duplicate registrations, a fact not clearly communicated to users.

The foundation and company were founded by tech billionaire Sam Altman, and pay people small amounts of cryptocurrency to scan their eyes and create a unique, identifiable record. Some find this extremely creepy and say it takes advantage of the poor & gullible. Altman is also the CEO of OpenAI, maker of ChatGPT.

The Sanction and Company Response

The SIC’s resolution imposes two primary actions:

Immediate and Definitive Closure: An order for the “immediate and definitive closure” of any operation in Colombia that involves the treatment of personal data.

Data Suppression: An order for World Foundation and Tools for Humanity to “suppress” all sensitive personal data, including all iris codes, from all databases, repositories, or servers where they are stored. This applies to all data collected in Colombia since the beginning of their operations.

The companies are required to submit a report from an external entity certifying the complete elimination of this data within one month of the resolution being executed.

World Foundation Response

In an official statement, World Foundation announced it would pursue legal appeals against the sanction. The company described the resolution as “preliminary and of the first instance” and asserted that its legal appeals “have a suspensive effect,” which it claims allows it to “continue operating in a normal and legal manner.”

The company contended that the SIC’s findings are “incomplete” and “based on outdated policies and technologies.”

World Foundation also clarified its position, stating that it does not store biometric data and that user consent is “confirmed at multiple stages” of the verification process. It further stated that the Worldcoin token is “additional and is completely separate from the verification process.”

The company said it hopes to establish an “open dialogue with the SIC to clarify how this important technology works.”

The SIC’s resolution also noted that the companies’ legal counsel had previously attempted to nullify the administrative proceeding, alleging “improper notification” of the initial investigation. The SIC rejected these motions, ruling that the companies had already responded to official inquiries using the same email addresses, thereby constituting “notification by conclusive conduct”.