Colombia Law 1581

Ley Estatutaria 1581 de 2012 (Statutory Law 1581 of 2012 on Personal Data Protection)

Flag of CO
ColombiaOpt-inNational
Back to Regulations Guide

Key Facts

Effective Date
October 17, 2012
Enacted
October 17, 2012
Enforcing Authority
Superintendencia de Industria y Comercio (SIC)
Consent Model
Opt-in
Applies To
All entities in Colombia that process personal data as part of business operations, regardless of size

Overview

Colombia's Law 1581 requires prior, express, and informed consent ("previo, expreso e informado") for all personal data processing including cookies. The SIC actively enforces cookie consent, imposing a $214 million fine in 2025 and issuing specific circulars for AI and Fintech.

What This Means for Your Website

  • Prior, express, and informed consent is required for all data processing including cookies
  • A pop-up must inform users about your privacy policy and cookie management options
  • Authorization logs must be maintained for cookie consent
  • The SIC has broad powers including on-site inspections and employee interviews
  • All entities regardless of size must comply

Key Requirements

The SIC enforces Law 1581 with penalties up to 2,000x monthly minimum wage (~USD $500,000), temporary suspension, and database closure. Active enforcement is demonstrated by a $214M fine in 2025. Databases must be registered with the SIC. Recent circulars address AI (2024) and Fintech (2025).

How ConsentStack Handles This

ConsentStack presents Colombian visitors with a consent pop-up meeting the "previo, expreso e informado" standard and maintains authorization logs for cookie consent compliance.

Penalties

Up to 2,000x monthly minimum legal wage (~COP $2.6B / ~USD $500,000). Temporary suspension up to 6 months. Database closure.

Key Requirements

  • Prior, express, and informed consent for all data processing
  • Cookie consent with authorization logs — pop-up required
  • Register databases with the SIC
  • Notify SIC and affected parties for breaches
  • Data subject rights: access, update, rectification, deletion
  • Data Protection Impact Assessments

Notable Provisions

  • SIC actively enforces cookie consent — $214M fine in 2025
  • Specific circulars for AI (2024) and Fintech (2025)
  • Authorization logs for cookies required
  • Applies to all entities regardless of size

Other Latin America & Caribbean Regulations

LGPDBrazil
Brazil's LGPD is modeled after the GDPR with extraterritorial scope. Requires explicit consent with separate authorization per processing purpose. Non-essential cookies require prior consent per ANPD guidance. Penalties include publicization of the infraction, creating reputational risk beyond fines.
LFPDPPPMexico
Completely new data protection law enacted March 2025, replacing the 2010 version. The INAI was dissolved and replaced by Transparencia para el Pueblo. Introduces criminal penalties, specialized federal data protection courts, and doubled fines for sensitive data violations. Express consent required for sensitive data; implied consent available for non-sensitive.
Peru Law 29733Peru
Peru's data protection law was significantly strengthened in 2025 with updated regulations introducing phased DPO requirements, extraterritorial scope, and the tightest breach notification timeline in the region. Foreign companies serving Peruvian individuals must appoint local representatives. Maximum penalty is 10% of annual net income.
Argentine PDPAArgentina
One of the earliest comprehensive data protection laws in Latin America, granting Argentina EU adequacy since 2003. The law is increasingly outdated, and reform bills submitted in 2025 would introduce GDPR-aligned penalties of up to 4% of turnover. Current penalties under the original law are low.
Chile Law 21.719Chile
A complete overhaul of Chile's data protection framework replacing the 1999 law. Creates a new dedicated Data Protection Agency, introduces tiered penalties, and explicitly prohibits pre-ticked consent boxes. The agency must issue cookie guidelines. Takes effect December 2026 after a 24-month implementation period.
Jamaica DPAJamaica
The most comprehensive data protection law in the Caribbean, with GDPR-level penalties (4% of worldwide turnover). Individual violators face both fines and up to 10 years imprisonment. The OIC operates independently with broad enforcement powers including assessment notices, information notices, and criminal prosecution.

Frequently Asked Questions

Does Colombia require cookie consent?

Yes. Colombia requires prior, express, and informed consent for cookies, with authorization logs. A pop-up must inform users about privacy and cookie management.

What are the penalties for non-compliance in Colombia?

Up to 2,000x monthly minimum wage (~USD $500,000), temporary suspension up to 6 months, or database closure. The SIC imposed a $214M fine in 2025.

Does Colombia actively enforce cookie laws?

Yes. The SIC actively enforces cookie consent requirements with on-site inspections, documentation requests, and significant fines.

Stay compliant with Colombia Law 1581

ConsentStack helps you implement Opt-in consent for Colombia automatically.

Get started free