Brazil's data protection authority, the Autoridade Nacional de Proteção de Dados (ANPD), did something in early 2025 that few regulators worldwide had been willing to do plainly: it told Tools for Humanity, the company behind the Worldcoin/World ID iris-scanning project, that it could not offer cryptocurrency or any other financial incentive to Brazilian citizens in exchange for their iris scans. The order — which has continued to shape ANPD's posture through 2025 and into 2026 — rests on a deceptively simple proposition under Brazil's Lei Geral de Proteção de Dados (LGPD): if you pay someone to surrender their biometrics, the consent you obtain is no longer 'free' in the legal sense the statute requires for sensitive personal data.
It is a narrow ruling with wide implications. Worldcoin's proposition — a globally interoperable 'proof of personhood' anchored in a one-time iris scan and rewarded with WLD tokens — is one of the more ambitious private experiments in digital identity since the smart-card era. ANPD has not banned the technology, the company, or even the Orbs. It has banned the bundle: biometric enrolment plus a financial reward. That distinction matters, and it is worth defending on its merits.
What ANPD actually said
The ANPD's enforcement order, issued through its Coordenação-Geral de Fiscalização, applied LGPD's Article 11 framework for sensitive data (which includes biometric information) together with Article 8's requirement that consent be 'free, informed and unequivocal.' The regulator's reasoning was that monetary compensation — especially in the form of speculative crypto tokens — functions as an inducement that materially undermines the voluntariness of consent, particularly among lower-income data subjects for whom the WLD payment is non-trivial. Tools for Humanity reportedly suspended the financial-incentive flow in Brazil and has continued operating Orbs only where enrolment is unpaid.
Several other regulators have taken parallel but distinct actions. Spain's AEPD issued a precautionary order in 2024 temporarily halting Worldcoin's data collection; Germany's Bavarian DPA (BayLDA) concluded a lengthy investigation with corrective measures the same year; Argentina, Kenya, Hong Kong and South Korea have each opened or sustained investigations. Brazil, however, is among the few to articulate so cleanly that the problem is not iris scanning per se, but iris scanning for sale.
The principle is sound — even from a pro-innovation perspective
It is tempting, especially for those of us who believe regulators too often reach for prohibition where disclosure or guardrails would do, to read ANPD's order as another precautionary overreach. We do not read it that way. Consent is the load-bearing wall of nearly every modern privacy regime, and consent that is purchased — particularly in contexts of meaningful income asymmetry — collapses under any honest scrutiny. The same logic that prohibits payment for organs or for participation in certain clinical trials applies, in attenuated form, to the irreversible disclosure of immutable biometric templates. You cannot grow a new iris.
None of this requires hostility to Worldcoin's underlying technology. Tools for Humanity's claim — that the Orb generates a hashed 'IrisCode' and discards the source image, and that the resulting credential can be used in zero-knowledge proofs that do not reveal identity — is genuinely interesting privacy engineering. A proof-of-personhood layer that resists Sybil attacks without requiring a government ID at every login would be a public good for the open internet. The right regulatory response is to keep that engineering legal while disallowing the commercial bundle that makes consent suspect.
How this interacts with Brazil's state ID stack
The deeper question ANPD's posture raises is about the relationship between voluntary, private identity networks and the state-run infrastructure Brazil has been building at unusual speed. The federal gov.br platform now serves the great majority of adult Brazilians as an authentication front-end to public services, and the new Carteira de Identidade Nacional (CIN) — a unified national ID anchored to the CPF — is being rolled out across states with a 2026 target for nationwide coverage. Brazil has, in effect, decided that the foundational layer of digital identity should be a public good, delivered by the state and governed by LGPD.
That choice should not crowd out private identity experiments — pluralism in identity infrastructure is healthier than monoculture, and gov.br itself is more credible because LGPD applies to it. But it does set a high floor for what private alternatives must look like. A network that asks Brazilians to monetise their irises in exchange for a token is on the wrong side of that floor. A network that offers a free, revocable, zero-knowledge credential, with clear deletion rights and independent audits, could plausibly sit alongside the CIN as a complementary tool for online services that do not need — and should not have — a citizen's national ID number.
What good regulation looks like from here
The constructive path forward is fairly obvious. ANPD should publish clear guidance distinguishing (a) payment for biometric enrolment, which it has rightly prohibited, from (b) biometric identity services offered without inducement, which LGPD already accommodates under standard consent and proportionality rules. Tools for Humanity, for its part, should treat the Brazilian decision as a feature of its global compliance story rather than a setback: a credential network that works without paying users is a stronger product, not a weaker one. And policymakers elsewhere — including in jurisdictions still drafting biometric rules — should note that 'pay-for-biometrics' is the cleanest single line they can draw without foreclosing the experimentation the next generation of identity infrastructure will require.
Brazil's regulator has, on this one, threaded the needle. The open internet does not benefit when private identity networks are pushed underground, and it does not benefit when biometric consent becomes a market transaction. ANPD found the narrow ground between those two failure modes. Other authorities should study it.