LOPDP

Ley Orgánica de Protección de Datos Personales

Key Facts

Effective Date: May 26, 2023
Enacted: May 26, 2021
Enforcing Authority: Superintendencia de Protección de Datos Personales
Consent Model: Opt-in
Applies To: All companies and organizations handling personal information in Ecuador or of individuals in Ecuador

Overview

Ecuador's LOPDP requires all organizations to implement a Comprehensive Personal Data Protection System (SPDP) by December 2025. After a period with zero sanctions through November 2025, recent enforcement actions against LigaPro (~$250K) and the Football Federation (~$200K) signal increasing activity.

What This Means for Your Website

  • Free, specific, informed, and unequivocal consent is required for Ecuadorian visitors
  • A Comprehensive Personal Data Protection System must be implemented by December 2025
  • A DPO must be appointed and registered on the authority's digital platform
  • Data breach notification is required within 5 days
  • Revenue-based penalties range from 0.1% to 1% of annual revenue

Key Requirements

The Superintendencia enforces the LOPDP with revenue-based penalties of 0.1-1% of annual revenue. The mandatory SPDP implementation by December 2025 creates comprehensive organizational requirements including data inventories and processing records. DPO registration on the authority's platform is required by end of 2025.

How ConsentStack Handles This

ConsentStack applies opt-in consent for Ecuadorian visitors and supports the consent record-keeping requirements of the mandatory SPDP framework.

Penalties

0.1%-1% of annual revenue of the violating entity.

Revenue-based
1% of annual revenue

Key Requirements

  • Free, specific, informed, and unequivocal consent
  • Implement Comprehensive Personal Data Protection System by December 2025
  • Appoint and register a Data Protection Officer
  • Maintain Record of Processing Activities
  • Breach notification within 5 days
  • Data Protection Impact Assessments for high-risk processing

Notable Provisions

  • Mandatory SPDP implementation by December 2025
  • Revenue-based penalties (0.1-1%)
  • Initially zero sanctions but enforcement increasing
  • DPO registration on authority platform required
  • 5-day breach notification

Other Latin America & Caribbean Regulations

LGPD (Brazil)
Brazil's LGPD is modeled after the GDPR with extraterritorial scope. Requires explicit consent with separate authorization per processing purpose. Non-essential cookies require prior consent per ANPD guidance. Penalties include publicization of the infraction, creating reputational risk beyond fines.
Colombia Law 1581 (Colombia)
Colombia's comprehensive data protection law with active SIC enforcement. Requires prior, express, and informed consent for all processing including cookies. The SIC has broad investigative powers including on-site inspections. Authorization logs are required for cookies, and a pop-up must inform users about privacy and cookie management.
LFPDPPP (Mexico)
Completely new data protection law enacted March 2025, replacing the 2010 version. The INAI was dissolved and replaced by Transparencia para el Pueblo. Introduces criminal penalties, specialized federal data protection courts, and doubled fines for sensitive data violations. Express consent required for sensitive data; implied consent available for non-sensitive.
Chile Law 21.719 (Chile)
A complete overhaul of Chile's data protection framework replacing the 1999 law. Creates a new dedicated Data Protection Agency, introduces tiered penalties, and explicitly prohibits pre-ticked consent boxes. The agency must issue cookie guidelines. Takes effect December 2026 after a 24-month implementation period.
Argentine PDPA (Argentina)
One of the earliest comprehensive data protection laws in Latin America, granting Argentina EU adequacy since 2003. The law is increasingly outdated, and reform bills submitted in 2025 would introduce GDPR-aligned penalties of up to 4% of turnover. Current penalties under the original law are low.
Peru Law 29733 (Peru)
Peru's data protection law was significantly strengthened in 2025 with updated regulations introducing phased DPO requirements, extraterritorial scope, and the tightest breach notification timeline in the region. Foreign companies serving Peruvian individuals must appoint local representatives. Maximum penalty is 10% of annual net income.

Frequently Asked Questions

What is the SPDP requirement in Ecuador?

All organizations must implement a Comprehensive Personal Data Protection System by December 2025, including data inventories, processing records, and DPO registration.

Is Ecuador enforcing data protection?

Enforcement is increasing. After initially zero sanctions, the Superintendencia fined LigaPro (~$250K) and the Football Federation (~$200K).

What are Ecuador's data protection penalties?

Revenue-based: 0.1-1% of annual revenue of the violating entity.

Stay compliant with LOPDP

ConsentStack helps you implement opt-in consent for Ecuador automatically.