Across Nairobi, Nakuru and Kisumu, long queues formed around futuristic silver “orbs”. For a few minutes of eye contact, Kenyans walked away with 25 WorldCoin tokens, roughly Kes. 7,000 at the time. On the surface, this looked like a tech‑driven stimulus: fast cash for anyone willing to join the digital economy.
Behind the marketing, those short scans created a permanent biometric key. Unlike a password, you cannot reset your iris, change your face or “unsubscribe” your DNA. Once a company captures and links that biometric data to a block chain‑based identity, you cannot simply walk away. The bargain raised a hard question: can consent remain free when you attach a price tag to it?
Under our Data Privacy Week theme, TAKE CONTROL OF YOUR DATA, this alert unpacks how Kenyan law treats consent, what the WorldCoin judgment says, and why paying people for sensitive data threatens both individual autonomy and public trust.
CONSENT UNDER KENYAN DATA PROTECTION LAW
The Data Protection Act defines consent as a data subject’s express, unequivocal, free, specific and informed agreement through a statement or clear affirmative action. In practice, this definition imposes several obligations on data controllers and processors:
- Data handlers must ensure that the data subject understands what data they collect, why they collect it, how they will use it and whether they will share it with third parties.
- Data handlers must show that the data subject has the legal capacity to consent and that no one coerces, manipulates or misleads them.
- Data handlers must limit consent to specific purposes and allow data subjects to withdraw consent without suffering unfair consequences.
The Data Protection (General) Regulations, 2021 reinforce this position by prohibiting consent mechanisms that rely on undue influence, power imbalance or financial inducement that undermines genuine choice. In short, the law expects organizations to earn trust, not buy it.
THE WORLDCOIN JUDGMENT: CONSENT ON SALE
In Republic v Tools for Humanity Corporation (US) (Worldcoin) Judicial Review Application E119 of 2023, the High Court considered how WorldCoin and its local operator, Platinum De Plus, collected biometric data in Kenya. The project promised “free” WorldCoin tokens to users who agreed to have their irises scanned and linked to a digital identity.
According to the Multi‑Agency Investigation Report, Platinum De Plus acted as an orb operator and presented its activities as marketing for WorldCoin while collecting extremely sensitive biometric data. The offer, 25 tokens valued at about Kes. 7,000 in exchange for an iris scan, targeted the public with a clear financial incentive rather than a neutral request for participation.
The Court accepted that this model deprived users of the ability to give free and genuine consent. By tying consent to a cash‑equivalent benefit, the operators exploited economic vulnerability and contravened Regulation 4(4) of the General Regulations, which bars consent mechanisms that rely on inducement or non‑negotiable conditions.
The judgment illustrates a crucial point: if someone feels compelled to trade their privacy for short‑term financial relief, the law will treat that choice with suspicion.
WHY FINANCIAL INCENTIVES UNDERMINE FREE CHOICE
Informed consent in data protection rests on autonomy. People must have space to say “no” without feeling that they sacrifice survival, dignity or basic opportunities. Money distorts that space, especially where income is low or unstable.
When organizations pay individuals to surrender sensitive personal data, several risks emerge:
- Economic pressure replaces genuine choice – A person in financial distress may agree to terms they do not understand or would normally reject if money were not on the table.
- Information asymmetry widens – Data handlers often understand the technical and long‑term implications of biometric data processing far better than data subjects, who may focus only on the immediate reward.
- Consent becomes transactional, not protective – Instead of acting as a safeguard, consent becomes a waiver, with individuals signing away rights they cannot realistically negotiate.
For regulators, courts and practitioners, this case underscored the need to treat financial incentives around sensitive data with heightened scrutiny.
VULNERABILITY, BIOMETRICS AND IRREVERSIBLE RISK
Biometric data occupies a special place in privacy law because it uniquely identifies a person and cannot be replaced if compromised. Passwords change. Phone numbers change. Biometric characteristics do not. When an organization captures biometric templates and links them to a global digital ID, the potential for misuse, profiling or surveillance extends far beyond the initial project.
The WorldCoin model raised two overlapping concerns:
- It targeted economically vulnerable populations who might trade long‑term privacy for short‑term gains.
- It normalized the idea that people can sell their most intimate identifiers like any other asset, even though they cannot reverse that decision later.
If privacy becomes the price of participation in the digital economy, the bargain becomes fundamentally unequal. People with fewer resources pay with more of themselves.
LESSONS FOR KENYA’S TECH ECOSYSTEM
The WorldCoin experience offers several lessons for regulators, innovators and the public in Kenya:
- Innovation must respect consent – New products, especially those using AI, biometrics or blockchain, must integrate data protection by design. You cannot retro‑fit ethics after extraction.
- Regulators must move early, not just react – Multi‑agency investigations and judicial oversight helped contain WorldCoin, but future projects will move faster. Proactive guidance, sandboxing and vetting mechanisms can help.
- Public education is essential – Data subjects need practical literacy on what biometric and other sensitive data can reveal.
- Tech firms must adopt a higher standard for vulnerable groups – Where economic or informational power imbalances exist, organizations should avoid using financial incentives to obtain sensitive data altogether.
CONCLUSION: TOKENS END, DATA REMAINS
You can spend tokens. You can lose tokens. You can even forget tokens. But once you hand over your biometric data, you cannot ask for a refund, an exchange, or a reset. The WorldCoin case shows that Kenyan law will not treat consent as valid when organizations buy it from people who need money more than they need privacy.
Under our TAKE CONTROL OF YOUR DATA theme, the lesson is personal and professional. As individuals, we must resist the urge to trade permanent identifiers for short‑term rewards. As advisors, regulators and innovators, we must design systems that respect autonomy, avoid exploiting vulnerability and keep the human being behind the data at the center of every decision.