Thailand is grappling with a high-stakes privacy and technological dilemma as Worldcoin, a cryptocurrency project co-founded by OpenAI’s (ChatGPT) Sam Altman, rolls out its iris-scanning technology across the country. The initiative, which offers digital IDs and cryptocurrency in exchange for biometric data, has sparked alarm among Thai authorities and privacy advocates, raising critical questions about data security, legal compliance, and the ethics of such programs in economically vulnerable regions. In an apparent lack of consultation with government, Worldcoin simply rolled out iris-scanning devices at popular retail locations such as BaNANA and JIB, which are located right across Thailand.
Find out if You’re at Risk of Worldcoin Iris Scan
Search Location: Enter City or District name
Malaysia, Philippines and Singapore readers can search for Worldcoin iris scanning locations here:
A Rapid Rollout Amid Public Concern
The Thai government has issued a nationwide alert regarding the deployment of iris-scanning devices, known as Orbs, in public spaces like shopping malls. Developed by Tools for Humanity, the company behind Worldcoin, these devices scan users’ irises to create a unique digital ID called World ID. In return, participants receive cryptocurrency valued at up to 1,000 Thai baht (~US$31). The Department of Provincial Administration has instructed local officials, including village heads, to monitor and restrict these activities, citing significant concerns over privacy and data security under Thailand’s Personal Data Protection Act (PDPA). 
Worldcoin’s expansion in Thailand has been swift. As of June 2025, over 100,000 Thais have had their irises scanned at 58 locations nationwide, with the company aiming to establish 1,000 Orb sites and reach 2 million users by the end of the year. Partnerships with local entities, including online retailer COM7 (BaNANA), NT (National Telecom Public Company Limited), and digital asset exchanges like Bitazza Thailand and Bitkub, have fueled this growth. Pakapol Thangtongchin, Thailand country manager for Tools for Humanity, highlighted that the country’s user growth ranks among the top 10 globally, reflecting a strong appetite for digital innovation.
Yet, this enthusiasm is tempered by caution from authorities. Deputy government spokesman Anukool Pruksanusak has urged citizens to weigh the long-term risks of exchanging biometric data for small financial rewards. The government has also emphasized that no state agency is involved in collecting biometric data, casting doubt on the authorization of Worldcoin’s operations in public venues.
Questions too Difficult to Answer
Broadsheet Asia journalists sought a response from Worldcoin offices however no response was received to some very basic questions about data privacy, namely:
- Is consent truly voluntary? PDPA (Section 26) and GDPR (Article 9) require explicit, unpressured consent for iris scans. Are crypto rewards pushing people to agree without full understanding broader implications? Why has Worldcoin chosen to predominantly operate in 3rd world and developing countries?
- How secure is personal iris data? PDPA (Section 37) and GDPR (Article 32) demand encryption and breach alerts. If hacked, could a person’s unchangeable biometrics be misused?
- Can a person delete their data easily? PDPA (Section 33) and GDPR (Article 17) guarantee erasure rights and the right to be forgotten. If Worldcoin’s “unverify” option fails, what happens to personal data long-term? Why is the word “unverify” used instead of “delete”?
- Where does personal data go? PDPA (Sections 28-29) and GDPR (Chapter V) restrict overseas transfers. Is personal iris code data sent abroad, and are Thai citizen’s personal data protected?
- What is Worldcoin’s Thailand-specific policy? Without clear PDPA compliance, how can people trust their data handling in Thailand’s regulated market?
Privacy Risks and Legal Challenges
At the heart of the controversy is the question of whether Worldcoin’s practices comply with Thailand’s PDPA, a relatively new framework designed to safeguard personal information. The company claims its technology employs zero-knowledge proof systems to ensure anonymity, asserting that no personal data, such as names or contact details, is stored. Instead, data is purportedly kept on users’ devices under a “Personal Custody” model. However, Paiboon Amonpinyokeat, a member of Thailand’s personal data protection committee, has warned that if the system can link data to individuals, it may still be classified as personal data under PDPA. This would require explicit, pressure-free consent as mandated by Section 26 of the law.
Privacy advocates are particularly concerned about the immutable nature of iris data. Unlike passwords or credit card numbers, biometric data cannot be changed if compromised, posing risks of identity theft, financial fraud, or misuse in technologies like deepfakes. Further scrutiny surrounds Worldcoin’s “unverify” option for data deletion, which remains ambiguous and may contravene PDPA Section 33, as well as international standards like the EU’s General Data Protection Regulation (GDPR) Article 17, both of which demand clear processes for data erasure. Additionally, PDPA Sections 28–29 restrict cross-border data transfers, and it remains unclear whether Thai users’ data is processed locally or abroad.
Jamie Fisher, a Singapore-based cybersecurity executive and digital privacy advocate, expressed similar concerns in a conversation on August 28, 2025, describing Worldcoin’s data collection as a continuation of the steady erosion of digital freedoms. “Regulations such as the EU’s GDPR and Thailand’s PDPA are meant to control how organizations obtain by consent, govern and secure personal data. The issue here is that Worldcoin seems to have rolled out to 170 destinations and is offering a ‘free eyeball scan’ in exchange for $35.”
The Cyber Crime Investigation Bureau is currently evaluating the risks posed by Worldcoin’s operations. Its findings could determine whether the initiative violates Thai law, particularly in areas such as data loss monitoring and international data transfers. For now, the lack of transparency about who authorized the placement of Orbs in public spaces, and whether venue operators profit from hosting them, continues to fuel public skepticism.
Global Backlash and Ethical Dilemmas
Thailand is not alone in its concerns. Worldcoin has faced significant regulatory pushback worldwide. In Spain, the national data protection agency ordered the deletion of all iris scan data by December 2024, citing GDPR violations. Hong Kong banned the project in May 2024. Kenya’s High Court ruled that all Kenyan personal data must be deleted, while investigations are ongoing in Germany, Argentina, and South Korea. Globally, over 12 million people across 160 countries have enrolled in Worldcoin, with 1,500 Orbs in circulation and plans to deploy an additional 12,000, primarily in developing nations where economic incentives often drive participation. Alarmingly there is over 170 installations in Thailand at popular retail stores like JIB and BaNANA, and elsewhere.
The ethical implications of Worldcoin’s model are particularly stark in regions like Thailand, where financial incentives can blur the lines of voluntary consent. In economically disadvantaged areas such as Isaan, where average annual salaries hover around US$7,000, the promise of 1,000 baht can be a powerful motivator. This raises questions about whether participants fully understand the risks of surrendering unchangeable biometric data for short-term gain.
International privacy advocates have been vocal in their criticism. Jake Wiener, legal counsel for the Electronic Privacy Information Center (EPIC), has described Worldcoin’s approach as creating serious privacy risks by incentivizing vulnerable populations to relinquish sensitive data. He argues that mass biometric data collection threatens privacy on a grand scale, whether through misuse by the company or potential data breaches. Wiener has called for regulatory agencies worldwide to closely scrutinize Worldcoin’s operations.
Fisher said. “There is some good work being done to protect digital rights” citing Electronic Frontiers Foundation and the Thai government’s PDPA, while highlighting the risks of centralized biometric databases, especially in third world countries where Worldcoin seems to be most active.
A Broader Erosion of Digital Freedoms?
The debate over Worldcoin also taps into broader anxieties about the erosion of digital freedoms. Cybersecurity experts point to a global trend of increasing data collection by both governments and private entities, often justified by security or innovation. In Thailand, while the PDPA offers some protections, it lacks the robust enforcement mechanisms seen in regions like the European Union, where GDPR prioritizes individual rights over corporate interests.
The risks of centralized biometric databases are particularly acute in developing economies, where regulatory oversight may be less stringent. Worldcoin’s ambition to create a global digital ID and currency, without widespread democratic consensus, has led some to question the long-term implications of such a system. If successful, it could set a precedent for private companies to wield unprecedented control over personal data, potentially reshaping identity verification and financial systems worldwide.
Thailand at a Digital Crossroads
As Worldcoin pushes forward with its vision of a global digital identity, Thailand stands at a critical juncture. The country’s response to this controversy will serve as a litmus test for how emerging economies balance the allure of technological advancement with the imperative to protect personal data. With AI and biometric technologies advancing at a breakneck pace, the stakes could not be higher.
The ongoing review by the Cyber Crime Investigation Bureau may provide clarity on whether Worldcoin’s operations breach Thai law. In the meantime, public discourse is likely to intensify, as citizens, policymakers, and privacy advocates grapple with the trade-offs between innovation and security. For now, the question remains: can Thailand harness the benefits of digital transformation without compromising the fundamental rights of its people?
As the government and society navigate these uncharted waters, the outcome of this debate could shape not only Thailand’s digital future but also set a precedent for how other nations in the region address the challenges of biometric data in an increasingly connected world.
