Costa Rica Law 8968

Ley de Protección de la Persona frente al Tratamiento de sus Datos Personales (Law No. 8968)

Key Facts

Effective Date: September 5, 2011
Enacted: September 5, 2011
Enforcing Authority: Agencia de Protección de Datos de los Habitantes (PRODHAB)
Consent Model: Opt-in
Applies To: Any entity processing personal data in Costa Rica

Overview

Costa Rica's Law 8968 explicitly requires consent for cookies and online tracking technologies alongside general data protection requirements. PRODHAB enforces the law with powers to suspend data processing for up to 6 months for serious violations.

What This Means for Your Website

  • Informed, express consent is required for all data processing including cookies
  • Databases must be registered with PRODHAB
  • Breach notification to PRODHAB is required within 5 business days
  • Sensitive data (biometric, health, financial) requires stricter handling
  • PRODHAB can suspend processing for up to 6 months for serious violations

Key Requirements

PRODHAB enforces Law 8968 with penalties expressed in base salaries: 1-5 for minor violations, 5-15 for serious violations, and 15-30 for very serious violations (~USD $4,000-$24,000). Database registration is mandatory. The 6-month processing suspension power gives PRODHAB significant enforcement leverage.

How ConsentStack Handles This

ConsentStack applies informed, express cookie consent for Costa Rican visitors, meeting the law's explicit requirement for cookie and tracking technology consent.

Penalties

Minor: 1-5 base salaries. Serious: 5-15 base salaries. Very serious: 15-30 base salaries (~USD $4,000-$24,000). Processing suspension up to 6 months.

Key Requirements

  • Informed, express consent before data processing
  • Consent for cookies and tracking technologies
  • Register databases with PRODHAB
  • Breach notification to PRODHAB within 5 business days
  • Data subject rights: access, correction, deletion
  • Security measures to prevent unauthorized access

Notable Provisions

  • Cookie consent explicitly required
  • Database registration mandatory
  • PRODHAB can suspend processing for up to 6 months
  • 5-day breach notification
  • Graduated penalty system based on base salaries

Other Latin America & Caribbean Regulations

LGPD (Brazil)
Brazil's LGPD is modeled after the GDPR with extraterritorial scope. Requires explicit consent with separate authorization per processing purpose. Non-essential cookies require prior consent per ANPD guidance. Penalties include publicization of the infraction, creating reputational risk beyond fines.
Colombia Law 1581 (Colombia)
Colombia's comprehensive data protection law with active SIC enforcement. Requires prior, express, and informed consent for all processing including cookies. The SIC has broad investigative powers including on-site inspections. Authorization logs are required for cookies, and a pop-up must inform users about privacy and cookie management.
LFPDPPP (Mexico)
A completely new data protection law enacted March 2025, replacing the 2010 version. The INAI was dissolved and replaced by Transparencia para el Pueblo. Introduces criminal penalties, specialized federal data protection courts, and doubled fines for sensitive data violations. Express consent is required for sensitive data; implied consent is available for non-sensitive data.
Chile Law 21.719 (Chile)
A complete overhaul of Chile's data protection framework replacing the 1999 law. Creates a new dedicated Data Protection Agency, introduces tiered penalties, and explicitly prohibits pre-ticked consent boxes. The agency must issue cookie guidelines. Takes effect December 2026 after a 24-month implementation period.
Argentine PDPA (Argentina)
One of the earliest comprehensive data protection laws in Latin America, granting Argentina EU adequacy since 2003. The law is increasingly outdated, and reform bills submitted in 2025 would introduce GDPR-aligned penalties of up to 4% of turnover. Current penalties under the original law are low.
Peru Law 29733 (Peru)
Peru's data protection law was significantly strengthened in 2025 with updated regulations introducing phased DPO requirements, extraterritorial scope, and the tightest breach notification timeline in the region. Foreign companies serving Peruvian individuals must appoint local representatives. Maximum penalty is 10% of annual net income.

Frequently Asked Questions

Does Costa Rica require cookie consent?

Yes. Costa Rica's Law 8968 explicitly requires consent for cookies and tracking technologies, not just general data processing.

What are Costa Rica's data protection penalties?

1-30 base salaries depending on severity (~USD $4,000-$24,000), plus PRODHAB can suspend processing for up to 6 months.

Is database registration required in Costa Rica?

Yes. Organizations must register their databases with PRODHAB (Agencia de Protección de Datos de los Habitantes).
