Jamaica DPA

The Data Protection Act, 2020

Key Facts

Effective Date: December 1, 2023
Enacted: January 1, 2020
Enforcing Authority: Office of the Information Commissioner (OIC)
Consent Model: Opt-in
Applies To: Any entity processing personal data of Jamaican residents or within Jamaica

Overview

Jamaica's Data Protection Act 2020 is the most comprehensive data protection law in the Caribbean, with GDPR-level penalties of up to 4% of worldwide turnover. Individual violators face up to 10 years imprisonment. The OIC has broad enforcement powers including assessment notices, fixed penalty notices, and criminal prosecution.

What This Means for Your Website

  • Clear and lawful consent is required before processing personal data of Jamaican visitors
  • GDPR-level penalties apply: up to 4% of annual gross worldwide turnover
  • Individual violators face both fines (up to JMD 5,000,000) and imprisonment (up to 10 years)
  • A DPO must be appointed for large-scale processing
  • Data breach notification to the Information Commissioner is required

Key Requirements

The OIC enforces the DPA with GDPR-level penalties and broad powers including assessment notices, information notices, fixed penalty notices, and criminal prosecution. The severity of penalties — both financial (4% turnover) and criminal (10 years) — makes Jamaica the most consequential data protection jurisdiction in the Caribbean.

How ConsentStack Handles This

ConsentStack detects Jamaican visitors and applies consent-based processing meeting the DPA's requirements for clear and lawful consent.

Penalties

Corporate: up to 4% of annual gross worldwide turnover. Individuals: up to JMD 5,000,000. Imprisonment: up to 10 years.

Revenue-based: 4% of annual revenue

Key Requirements

  • Clear and lawful consent before processing
  • Appoint a DPO for large-scale processing
  • Data breach notification to the Information Commissioner
  • Data subject rights: access, correction, deletion, portability
  • Fair and transparent processing for specified purposes
  • Data Protection Impact Assessments for high-risk processing

Notable Provisions

  • Most comprehensive Caribbean data protection law
  • GDPR-level penalties (4% worldwide turnover)
  • Up to 10 years imprisonment for individuals
  • OIC operates independently with broad powers

Other Latin America & Caribbean Regulations

LGPD (Brazil)
Brazil's LGPD is modeled after the GDPR with extraterritorial scope. Requires explicit consent with separate authorization per processing purpose. Non-essential cookies require prior consent per ANPD guidance. Penalties include publicization of the infraction, creating reputational risk beyond fines.
Colombia Law 1581 (Colombia)
Colombia's comprehensive data protection law with active SIC enforcement. Requires prior, express, and informed consent for all processing including cookies. The SIC has broad investigative powers including on-site inspections. Authorization logs are required for cookies, and a pop-up must inform users about privacy and cookie management.
LFPDPPP (Mexico)
Completely new data protection law enacted March 2025, replacing the 2010 version. The INAI was dissolved and replaced by Transparencia para el Pueblo. Introduces criminal penalties, specialized federal data protection courts, and doubled fines for sensitive data violations. Express consent required for sensitive data; implied consent available for non-sensitive.
Chile Law 21.719 (Chile)
A complete overhaul of Chile's data protection framework replacing the 1999 law. Creates a new dedicated Data Protection Agency, introduces tiered penalties, and explicitly prohibits pre-ticked consent boxes. The agency must issue cookie guidelines. Takes effect December 2026 after a 24-month implementation period.
Argentine PDPA (Argentina)
One of the earliest comprehensive data protection laws in Latin America, granting Argentina EU adequacy since 2003. The law is increasingly outdated, and reform bills submitted in 2025 would introduce GDPR-aligned penalties of up to 4% of turnover. Current penalties under the original law are low.
Peru Law 29733 (Peru)
Peru's data protection law was significantly strengthened in 2025 with updated regulations introducing phased DPO requirements, extraterritorial scope, and the tightest breach notification timeline in the region. Foreign companies serving Peruvian individuals must appoint local representatives. Maximum penalty is 10% of annual net income.

Frequently Asked Questions

How strong is Jamaica's data protection law?

Jamaica has the most comprehensive data protection law in the Caribbean, with GDPR-level penalties of 4% worldwide turnover and up to 10 years imprisonment.

What are Jamaica's data protection penalties?

Corporate: up to 4% of annual worldwide turnover. Individual: up to JMD 5,000,000 and 10 years imprisonment.

Who enforces data protection in Jamaica?

The Office of the Information Commissioner (OIC) operates independently with broad enforcement powers.

Stay compliant with Jamaica DPA

ConsentStack helps you implement opt-in consent for Jamaica automatically.