Privacy Regulations in Latin America & Caribbean

22 privacy and data protection laws across Latin America & Caribbean

LGPD
Brazil
Flag of BR
Opt-in

Brazil's LGPD is modeled after the GDPR with extraterritorial scope. Requires explicit consent with separate authorization per processing purpose. Non-essential cookies require prior consent per ANPD guidance. Penalties include publicization of the infraction, creating reputational risk beyond fines.

LFPDPPP
Mexico
Flag of MX
Opt-in

Completely new data protection law enacted March 2025, replacing the 2010 version. The INAI was dissolved and replaced by Transparencia para el Pueblo. Introduces criminal penalties, specialized federal data protection courts, and doubled fines for sensitive data violations. Express consent required for sensitive data; implied consent available for non-sensitive.

Colombia Law 1581
Colombia
Flag of CO
Opt-in

Colombia's comprehensive data protection law with active SIC enforcement. Requires prior, express, and informed consent for all processing including cookies. The SIC has broad investigative powers including on-site inspections. Authorization logs are required for cookies, and a pop-up must inform users about privacy and cookie management.

Argentine PDPA
Argentina
Flag of AR
Opt-in

One of the earliest comprehensive data protection laws in Latin America, granting Argentina EU adequacy since 2003. The law is increasingly outdated, and reform bills submitted in 2025 would introduce GDPR-aligned penalties of up to 4% of turnover. Current penalties under the original law are low.

Chile Law 21.719
Chile
Flag of CL
Opt-in

A complete overhaul of Chile's data protection framework replacing the 1999 law. Creates a new dedicated Data Protection Agency, introduces tiered penalties, and explicitly prohibits pre-ticked consent boxes. The agency must issue cookie guidelines. Takes effect December 2026 after a 24-month implementation period.

Peru Law 29733
Peru
Flag of PE
Opt-in

Peru's data protection law was significantly strengthened in 2025 with updated regulations introducing phased DPO requirements, extraterritorial scope, and the tightest breach notification timeline in the region. Foreign companies serving Peruvian individuals must appoint local representatives. Maximum penalty is 10% of annual net income.

Jamaica DPA
Jamaica
Flag of JM
Opt-in

The most comprehensive data protection law in the Caribbean, with GDPR-level penalties (4% of worldwide turnover). Individual violators face both fines and up to 10 years imprisonment. The OIC operates independently with broad enforcement powers including assessment notices, information notices, and criminal prosecution.

Costa Rica Law 8968
Costa Rica
Flag of CR
Opt-in

Costa Rica's data protection law requires informed and express consent for all processing including cookies and online tracking. Organizations must register databases with PRODHAB. PRODHAB can suspend data processing for up to 6 months for serious violations. Breach notification is required within 5 business days.

LOPDP
Ecuador
Flag of EC
Opt-in

Ecuador's LOPDP requires all organizations to implement a Comprehensive Personal Data Protection System (SPDP) by December 2025. After initially zero sanctions, recent fines against LigaPro (~$250K) and the Football Federation (~$200K) demonstrate increasing enforcement. DPO registration is required on the authority's digital platform.

Uruguay Law 18.331
Uruguay
Flag of UY
Opt-in

Uruguay's data protection law earned EU adequacy in 2012. Features mandatory database registration with quarterly updates and graduated enforcement from warning through database closure. Uruguay also ratified Convention 108+ for additional international alignment.

Panama Law 81
Panama
Flag of PA
Opt-in

Panama's data protection law establishes principles including loyalty, purpose limitation, proportionality, and transparency. ANTAI oversees enforcement with powers to conduct inspections and approve cross-border transfers. Violations are classified into minor (3-year expiry), serious (5-year expiry), and very serious (no prescription).

Dominican Republic Law 172-13
Dominican Republic
Flag of DO
Opt-in

The Dominican Republic has a comprehensive data protection framework inspired by European standards, but lacks a dedicated supervisory authority — creating a significant enforcement gap. Criminal sanctions of 6 months to 2 years imprisonment are available. The Bank Superintendency handles only credit bureau violations.

Barbados DPA
Barbados
Flag of BB
Opt-in

Barbados's data protection law requires mandatory breach notification within 72 hours (GDPR-aligned) and registration with the Data Protection Commissioner before processing. Penalties range widely from BD $10,000 to $500,000 with criminal sanctions including 2 months to 3 years imprisonment.

Bermuda PIPA
Bermuda
Flag of BM
Opt-in

Bermuda's PIPA became fully effective January 2025 after phased implementation from 2016. Requires clear, free, and informed consent with mandatory privacy officer designation. Failure to notify breaches is a criminal offense. Court-ordered compensation is available for financial loss or emotional distress.

Cayman Islands DPA
Cayman Islands
Flag of KY
Opt-in

The Cayman Islands' data protection law was designed with EU adequacy in mind. The Ombudsman has substantial enforcement powers including information orders, enforcement orders, inspection and seizure powers, and monetary penalties. Data breach notification is required within 5 days.

Bahamas DPA
Bahamas
Flag of BS
Opt-in

The Bahamas' original data protection law is over 20 years old and increasingly outdated. It establishes basic principles for fair and lawful collection, accuracy, and secure storage. A comprehensive GDPR-inspired replacement bill (Data Protection Bill, 2025) is under public consultation covering AI, biometrics, and cloud computing.

Antigua and Barbuda DPA
Antigua and Barbuda
Flag of AG
Opt-in

Antigua and Barbuda's data protection law establishes a framework for personal data processing with the Information Commissioner as enforcement authority. Features both summary and indictable offense categories with escalating penalties, including up to 5 years imprisonment for serious violations.

Curaçao NOPDP
Curaçao
Flag of CW
Opt-in

Curaçao has its own personal data protection ordinance, separate from the Netherlands' GDPR implementation. The penalty ceiling is relatively low at NAf. 10,000. As an autonomous country within the Kingdom of the Netherlands, Curaçao maintains its own data protection framework.

Sint Maarten NOPDP
Sint Maarten
Flag of SX
Opt-in

Sint Maarten has its own personal data protection ordinance with substantially higher penalties than neighboring Curaçao — NAf. 500,000 versus NAf. 10,000 (50x higher). As an autonomous country within the Kingdom of the Netherlands, it maintains an independent framework.

BVI DPA 2021
British Virgin Islands
Flag of VG
Opt-in

The BVI's first comprehensive data protection law establishes an Information Commissioner role with penalties up to USD 500,000 for corporations. However, the Commissioner is not yet fully operational, creating an enforcement gap despite the law being in force.

Trinidad and Tobago DPA
Trinidad and Tobago
Flag of TT
Opt-in

Trinidad and Tobago's data protection law has been only partially in force since 2012 and remains not fully operational after more than 14 years. The delay stems from incomplete establishment of administrative frameworks. While comprehensive on paper, practical enforcement remains severely limited.

Aruba NOPR
Aruba
Flag of AW
Opt-in

Aruba is an autonomous country within the Kingdom of the Netherlands with its own personal data protection ordinance, separate from the Netherlands' GDPR implementation. The framework is consent-based with data subject rights and registration requirements.