Peru Law 29733

Ley de Protección de Datos Personales (Law No. 29733)

Flag of PE
PeruOpt-inNational
Back to Regulations Guide

Key Facts

Effective Date
July 3, 2011
Enacted
July 3, 2011
Enforcing Authority
Autoridad Nacional de Protección de Datos Personales (ANPDP)
Consent Model
Opt-in
Applies To
Any entity processing personal data in Peru or offering services to Peruvian individuals (extraterritorial scope added in 2025)

Overview

Peru's data protection law was significantly strengthened in 2025 with updated regulations introducing phased DPO requirements by company size, extraterritorial scope, and the tightest breach notification timeline in the region. The maximum penalty cap of 10% of annual net income is substantial.

What This Means for Your Website

  • Free, prior, express, informed, and unequivocal consent is required for Peruvian visitors
  • Personal data banks must be registered with the ANPDP
  • DPO requirements are phased by company size: large companies by November 2025, micro by November 2028
  • Foreign companies serving Peruvian individuals must appoint local representatives
  • Breach notification must follow the tightest timeline in the region
  • Maximum penalty is 10% of annual net income

Key Requirements

The ANPDP enforces Law 29733 with tiered penalties capped at 10% of annual net income. The 2025 regulation added extraterritorial scope for foreign companies offering services to Peruvians. DPO requirements phase in by company size from November 2025 through November 2028.

How ConsentStack Handles This

ConsentStack applies opt-in consent for Peruvian visitors meeting the high "free, prior, express, informed, and unequivocal" standard required by Peruvian law.

Penalties

Minor: 0.5-5 UIT. Serious: 5-50 UIT. Very serious: 50-100 UIT (1 UIT 2025 = ~$1,486 USD). Maximum 10% of annual net income.

Revenue-based
10% of annual revenue

Key Requirements

  • Free, prior, express, informed, and unequivocal consent
  • Register personal data banks with ANPDP
  • Appoint DPO (phased: large by Nov 2025, small by Nov 2028)
  • Breach notification within tightest timeline in region
  • Data subject rights: access, rectification, cancellation, opposition
  • Foreign entities must appoint local representatives

Notable Provisions

  • Tightest breach notification in the region
  • Phased DPO requirements by company size (2025-2028)
  • Maximum penalty capped at 10% of annual net income
  • Extraterritorial scope added in 2025 regulation

Other Latin America & Caribbean Regulations

LGPDBrazil
Brazil's LGPD is modeled after the GDPR with extraterritorial scope. Requires explicit consent with separate authorization per processing purpose. Non-essential cookies require prior consent per ANPD guidance. Penalties include publicization of the infraction, creating reputational risk beyond fines.
Colombia Law 1581Colombia
Colombia's comprehensive data protection law with active SIC enforcement. Requires prior, express, and informed consent for all processing including cookies. The SIC has broad investigative powers including on-site inspections. Authorization logs are required for cookies, and a pop-up must inform users about privacy and cookie management.
LFPDPPPMexico
Completely new data protection law enacted March 2025, replacing the 2010 version. The INAI was dissolved and replaced by Transparencia para el Pueblo. Introduces criminal penalties, specialized federal data protection courts, and doubled fines for sensitive data violations. Express consent required for sensitive data; implied consent available for non-sensitive.
Chile Law 21.719Chile
A complete overhaul of Chile's data protection framework replacing the 1999 law. Creates a new dedicated Data Protection Agency, introduces tiered penalties, and explicitly prohibits pre-ticked consent boxes. The agency must issue cookie guidelines. Takes effect December 2026 after a 24-month implementation period.
Argentine PDPAArgentina
One of the earliest comprehensive data protection laws in Latin America, granting Argentina EU adequacy since 2003. The law is increasingly outdated, and reform bills submitted in 2025 would introduce GDPR-aligned penalties of up to 4% of turnover. Current penalties under the original law are low.
Jamaica DPAJamaica
The most comprehensive data protection law in the Caribbean, with GDPR-level penalties (4% of worldwide turnover). Individual violators face both fines and up to 10 years imprisonment. The OIC operates independently with broad enforcement powers including assessment notices, information notices, and criminal prosecution.

Frequently Asked Questions

What changed in Peru's data protection in 2025?

Updated regulations added extraterritorial scope, phased DPO requirements by company size (2025-2028), and the tightest breach notification timeline in the region.

What are Peru's data protection penalties?

Tiered from 0.5 UIT (minor) to 100 UIT (very serious), capped at 10% of annual net income.

Does Peru's law apply to foreign companies?

Yes, since 2025. Foreign companies offering services to Peruvian individuals must comply and appoint local representatives.

Stay compliant with Peru Law 29733

ConsentStack helps you implement Opt-in consent for Peru automatically.

Get started free