In May 2025, Kenya's High Court reportedly ruled in Katiba Institute v. Tools for Humanity Corp. & Others that Worldcoin's collection of iris biometric data from thousands of Kenyans violated the Data Protection Act 2019, and ordered the company to delete the iris codes it had harvested. The judgment closed a chapter that began in August 2023, when the Office of the Data Protection Commissioner (ODPC) suspended Worldcoin's local operations after queues of Kenyans formed outside Nairobi shopping malls to exchange iris scans for roughly 7,000 Kenyan shillings' worth of WLD tokens.
The headlines write themselves: a Sam Altman-backed crypto venture told off by an African court. But the more useful story is what the ruling says about how Kenya intends to govern biometric and AI infrastructure — and why this is, on balance, good news for serious operators in identity, payments, and frontier tech across Africa.
What the Court Actually Said
The Katiba Institute's petition focused on consent. Under sections 25, 26 and 30 of the Data Protection Act 2019, processing of biometric data — explicitly categorised as "sensitive personal data" — requires an explicit lawful basis, and consent must be freely given, specific, informed, and unambiguous. The court reportedly found that the Worldcoin model failed on several of those tests: monetary inducement at the point of scan distorted the "freely given" standard; the privacy notices on the Orb devices were inadequate to make consent "informed"; and there was no clear basis for indefinite cross-border transfer and storage of the resulting iris codes.
The remedy was striking in its specificity: deletion of the iris data already collected, not merely a fine or future operating conditions. For a regulator and judiciary still building a track record, that is a deliberate signal — biometric templates, once collected unlawfully, are not laundered by subsequent disclosures or token payments.
Why This Strengthens, Rather Than Threatens, Kenyan Tech
From a pro-innovation perspective, this outcome is closer to a feature than a bug. Three reasons:
- Trust is foundational infrastructure. Kenya is building Maisha Namba, expanding mobile-money biometrics, and hosting an active stack of fintechs that rely on KYC. None of that scales without public confidence that sensitive identifiers will not be collected by the highest bidder at a mall kiosk. A regulator that draws a hard line around iris codes is doing the same work as one that polices payment-system integrity.
- Predictability beats permissiveness. The worst environment for a frontier tech company is one where rules are unclear and enforcement is arbitrary. The ODPC's Worldcoin response — suspension, investigation, litigation, court-supervised remedy — is procedurally orderly. Serious operators can read this judgment and design compliant products. Drive-by harvesters cannot, and that asymmetry is precisely what good regulation produces.
- Africa is the wrong continent on which to experiment loosely with biometrics. Iris codes are, for practical purposes, permanent. A leak in Nairobi is not undone by a software patch. Kenyan courts holding global firms to the same standards they would face under the EU's General Data Protection Regulation makes the country a more attractive base for compliance-grade fintech and identity work, not a less attractive one.
Where Proportionality Still Matters
None of this means the ODPC should treat every biometric deployment as a Worldcoin-style threat. The cautionary lessons cut both ways.
First, deletion orders should be targeted. The court's remedy worked because Worldcoin's consent was defective at source. Where a controller has a lawful basis but a procedural flaw — say, an incomplete data protection impact assessment — the proportionate response is a corrective order and registration, not destruction of operational data that millions of users rely on.
Second, sensitive-data rules should distinguish between identifier collection (iris, fingerprint, face templates used for unique identification) and incidental biometric processing (a liveness check that is not stored). Treating every camera ping as Article 30 processing would freeze obvious safety features like spoof detection.
Third, the ODPC's emerging guidance on automated decision-making and AI — drafts of which have circulated through 2025 and 2026 — should keep biometric and AI rules aligned but distinct. The Worldcoin case is about consent and unlawful collection; many AI risks are about downstream use. Conflating the two in a single rulebook would over-burden compliant builders.
The Pan-African Signal
Worldcoin has been challenged or restricted across multiple jurisdictions — including reported regulatory actions in Spain, Portugal, Argentina, Hong Kong, and Brazil — but the Kenyan case is one of the first full court rulings ordering deletion under an African data protection statute. That matters for two reasons: it gives sister regulators in Nigeria (NDPC), South Africa (Information Regulator), and Ghana (Data Protection Commission) a citable, well-reasoned precedent; and it weakens the lazy narrative that African markets are a soft-touch destination for products that have stalled in Brussels or Madrid.
The right takeaway for global tech is not that Africa is closed to biometric innovation. It is the opposite: the continent's most credible regulators are now testing global products against the same legal standards as their Northern counterparts. Firms that engineer for explicit, specific, informed consent — and for proportionate data minimisation — will find a willing market. Those that treat consent as a UX afterthought will find Nairobi's courts increasingly unforgiving.
What Comes Next
Three things to watch over the next 12 months. One: whether Tools for Humanity appeals, and how the appellate courts treat the cross-border transfer findings. Two: how the ODPC operationalises post-Worldcoin compliance — particularly whether it publishes biometric-specific guidance with clear consent templates, retention limits, and impact-assessment expectations. Three: whether the Finance Bill 2026 and related digital-economy measures preserve the policy coherence Kenya has built, rather than trading it away for short-term revenue.
Kenya's iris verdict is not a tech backlash. It is the country's data protection framework working — slowly, procedurally, and on the right side of the line between rights and innovation. The job now is to keep it there.