On October 9, 2025, the Philippines' National Privacy Commission (NPC) took a decisive stand against Tools for Humanity, the company behind the World App and its much-discussed iris biometric orbs. In a move that has sent ripples through the global tech and privacy community, the NPC issued a Cease and Desist Order, demanding an immediate halt to all data processing operations in the country related to World’s biometric systems. The decision, according to the NPC’s announcement, was rooted in multiple violations of the Philippines’ Data Privacy Act of 2012, particularly concerning the handling of citizens’ sensitive biometric information.
The heart of the matter lies in how Tools for Humanity sought to collect iris biometrics from Filipino citizens. According to the NPC’s investigation, the company offered monetary incentives in exchange for consent to gather this data—a practice the commission categorized as “undue influence.” The NPC argued that such incentives undermine the principle of genuine, voluntary consent. As Deputy Privacy Commissioner Jose Amelito S. Belarmino II put it, “When consent is compromised by the lure of compensation, it ceases to be a genuine expression of choice.” He went further, emphasizing, “The integrity of a Filipino citizen’s biometric data is non-negotiable, as it is a unique and permanent identifier.”
But the problems didn’t stop at the issue of incentivized consent. The NPC’s Complaints and Investigation Division found that Tools for Humanity’s privacy notice and policy fell short of providing clear, accessible information about the purpose, scope, extent, and duration of its data processing. This lack of transparency, the commission asserted, left users in the dark about how their most personal data would be used or for how long it would be stored. Even more damning, the NPC determined that collecting iris biometrics was not necessary to achieve the company’s stated goal of providing a “proof of humanity.” In other words, the NPC concluded that Tools for Humanity was overreaching, gathering much more data than was reasonably required for its purposes.
“This Cease and Desist Order sends a clear message that the NPC will not tolerate practices that exploit socioeconomic vulnerabilities or compromise fundamental data privacy rights in pursuit of business objectives,” Belarmino declared in the commission’s official statement. The order, effective immediately, compels Tools for Humanity to discontinue all processing of biometric data linked to the World App and its associated systems within the Philippines. The commission’s findings were unequivocal: the ongoing processing of such sensitive information posed what it called a “risk of grave and irreparable injury” to Filipino citizens.
The NPC’s action comes at a time of heightened concern around data protection and biometric privacy in the Philippines. Recent months have seen allegations of government database breaches and controversy over the use of facial recognition technology on anti-corruption protestors. These incidents have put the spotlight on how both public and private entities handle sensitive personal information, and the NPC’s move against Tools for Humanity is being interpreted as a strong assertion of the country’s commitment to upholding its citizens’ privacy rights.
The regulatory scrutiny of Tools for Humanity in the Philippines is not an isolated case. The NPC pointedly referenced similar actions taken against the company in other parts of the world, including Kenya and Hong Kong. In these jurisdictions, too, authorities have raised concerns about the collection and processing of biometric data under questionable circumstances. The growing list of countries taking regulatory action suggests a broader, global reckoning with how emerging technologies and ambitious startups handle the most intimate forms of personal information.
According to reports by Biometric Update, the World App and its signature iris biometric orbs are part of a larger initiative to establish a digital “proof of humanity”—a system that, in theory, would allow individuals to verify their identity online in a way that’s secure and resistant to fraud. The company’s pitch is ambitious and, on paper, potentially transformative. But as the NPC’s findings make clear, the methods by which this vision is being pursued have raised serious ethical and legal red flags.
One of the most striking aspects of the NPC’s decision is its focus on the unique nature of biometric data. Unlike a password or even a credit card number, a person’s iris pattern is immutable—it can’t be changed if compromised. This permanence is precisely what makes biometric identifiers so valuable for security purposes, but also what makes their misuse so potentially damaging. As Belarmino underscored, “The integrity of a Filipino citizen’s biometric data is non-negotiable.”
The Cease and Desist Order is not just a technical or bureaucratic maneuver; it carries significant implications for how technology companies approach privacy and consent in markets around the world. The NPC’s insistence that consent must be freely given, without the distorting influence of monetary incentives, sets a high bar for ethical data collection. It’s a stance that resonates beyond the Philippines, especially as debates about big tech, privacy, and the power dynamics of the digital economy continue to rage globally.
Meanwhile, in Europe, the conversation around tech and privacy has also been intensifying. On the same day as the NPC’s order, Euractiv reported on joint guidance intended to clarify the European Union’s rules regarding big tech and user privacy. While that article didn’t delve into specific incidents or companies, the timing reflects a broader trend: regulators worldwide are grappling with how to protect citizens in an era where data collection is both ubiquitous and often opaque.
For Tools for Humanity, the road ahead in the Philippines—and potentially in other countries—looks uncertain. The company must now demonstrate that it can comply with stringent privacy standards or risk being shut out of key markets. For Filipino citizens, the NPC’s action may offer some reassurance that their rights are being defended, even as new technologies push the boundaries of what’s possible—and what’s permissible.
The story of World App and its biometric ambitions is far from over. But if there’s one thing the NPC’s ruling makes clear, it’s that the rules of engagement in the digital age are still being written, and the stakes—for individuals and for society—couldn’t be higher.
