Philippine NPC Issues Cease and Desist Order Against Tools for Humanity

On 23 September 2025, the Philippine National Privacy Commission (NPC) issued a Cease and Desist Order against Tools for Humanity (TFH), the US-based developer of the World App and biometric "Orb" verification device. The Order immediately halts all biometric data processing in the Philippines, finding that TFH's consent mechanisms were invalid and its processing of irreversible iris scans and facial images violated core data protection principles. This marks one of the most significant enforcement actions globally against "proof of personhood" technologies.

Background

TFH operates the World App, a mobile application linked to a hardware device called the Orb that captures high-resolution iris and facial images to generate a "World ID", an anonymous digital identity. In February 2025, the NPC's Complaints and Investigation Division received multiple reports about TFH's data collection practices at events in Bulacan, Philippines, where individuals were allegedly offered monetary incentives in exchange for biometric verification. The local operator, WCPH Corporation, facilitated on-ground operations. The case proceeded under the Data Privacy Act of 2012 (DPA), NPC Circular No. 2023-04 on consent, and NPC Circular No. 20-02 on cease-and-desist powers.

Decision

The NPC found that TFH engaged in multiple violations of the DPA warranting immediate cessation of operations.

First, consent was invalid on three grounds: it was not specific (privacy notice and terms bundled together, no granular choice), not freely given (financial incentives and referral commissions created undue influence in a developing economy context), and not an informed indication of will (29-page privacy notice in technical language, presented only at point of Orb verification with insufficient time to read). The Commission emphasized that "consent fatigue" and complexity rendered purported consent meaningless.

Second, TFH violated transparency principles by using ambiguous, technical jargon ("blockchain data," "AMPC fragments," "zero knowledge infrastructure") without plain-language explanations, and by misrepresenting that no sensitive data was processed—when in fact passport information was scanned and stored. The Commission found TFH's Data Protection Impact Assessments (DPIAs) unreliable; TFH submitted materially identical documents labeled "updated" despite claiming structural changes.

Third, the processing was disproportionate and lacked legitimate purpose. TFH claimed biometric scanning was necessary to verify "humanness" and prevent AI-driven fraud, but failed to demonstrate why less intrusive methods (e.g., behavioral verification, physical presence confirmation by staff) could not achieve the same goal. The Commission questioned whether proof-of-personhood justified processing immutable biometric identifiers that, once compromised, cannot be reset like passwords.

Fourth, TFH violated data subject rights, including the right to be informed (incomplete disclosure of processing purposes), right to access (no mechanism provided despite TFH's exclusive control over anonymized data fragments), and right to erasure (biometric consent form stated data retained up to 10 years; no proof of 12-second deletion as claimed).

Outcome: The NPC ordered TFH to cease all World App operations in the Philippines, stop Orb-based verification, halt data transfers, and report total Filipino registrants and operating locations. The Order is immediately executory.

Implications

This decision sets a high bar for biometric data processing, particularly where financial incentives are involved. Organizations must ensure privacy notices are genuinely understandable—not just legally comprehensive—and that consent mechanisms are granular, not bundled. The NPC's finding that registration alone does not equal compliance reinforces that substantive obligations (valid consent, proportionality, transparency) must be independently satisfied.

For international data controllers, the decision signals that Philippine regulators will scrutinize claims of "privacy by design" and require verifiable technical proof, not assertions. Data controllers processing irreversible identifiers face heightened accountability; if harm cannot be remedied, prevention through compliance is mandatory.

For enforcement trends, the case reflects global regulatory skepticism toward biometric "proof of personhood" systems and demonstrates the NPC's willingness to halt operations of well-funded foreign tech companies.

Commentary

  • Registration ≠ compliance: TFH's NPC registration did not shield it from enforcement for substantive violations.
  • Economic context matters: Monetary incentives may invalidate consent where financial vulnerability creates undue influence.
  • Technical claims require proof: Assertions of anonymization, deletion, or security must be substantiated with verifiable evidence.
  • Irreversibility raises stakes: Processing immutable biometric data demands the highest standard of care; once compromised, harm is permanent.
