Uruguay Law 18.331

Ley de Protección de Datos Personales y Acción de Hábeas Data (Law No. 18.331)

Flag of UY
UruguayOpt-inNational
Back to Regulations Guide

Key Facts

Effective Date
August 11, 2008
Enacted
August 11, 2008
Enforcing Authority
Unidad Reguladora y de Control de Datos Personales (URCDP)
Consent Model
Opt-in
Applies To
Any entity processing personal data in Uruguay or maintaining databases accessible from Uruguay

Overview

Uruguay's Law 18.331 earned EU adequacy status in 2012, placing it among an elite group of non-European countries recognized for adequate data protection. The law features mandatory database registration with quarterly updates and a graduated enforcement model from warnings through database closure.

What This Means for Your Website

  • Free, prior, express, and informed consent is required for Uruguayan visitors
  • Databases must be registered with the URCDP and updated quarterly
  • EU adequacy enables smooth data transfers between Uruguay and the EU
  • Graduated enforcement escalates from warnings to database closure for severe violations

Key Requirements

The URCDP enforces Law 18.331 with graduated penalties: warnings, admonitions, fines up to 500,000 UI (~USD $60,000), 5-day database suspension, and database closure. Breach notification is required without delay. Uruguay also ratified Convention 108+ for international alignment.

How ConsentStack Handles This

ConsentStack applies opt-in consent for Uruguayan visitors meeting the law's standard for free, prior, express, and informed consent.

Penalties

Warning; admonition; fines up to 500,000 UI (~USD $60,000); database suspension for 5 days; database closure.

Maximum Fine
UYI500,000 aggregate

Key Requirements

  • Free, prior, express, and informed consent
  • Mandatory database registration with URCDP (quarterly updates)
  • Breach notification without delay to URCDP and individuals
  • Data Protection Impact Assessments for high-risk processing
  • Data subject rights: access, rectification, deletion, opposition
  • Cross-border transfer restrictions

Notable Provisions

  • EU adequacy status since August 2012
  • Ratified Convention 108+
  • Graduated enforcement (warning to database closure)
  • Mandatory database registration with quarterly updates

Other Latin America & Caribbean Regulations

LGPDBrazil
Brazil's LGPD is modeled after the GDPR with extraterritorial scope. Requires explicit consent with separate authorization per processing purpose. Non-essential cookies require prior consent per ANPD guidance. Penalties include publicization of the infraction, creating reputational risk beyond fines.
Colombia Law 1581Colombia
Colombia's comprehensive data protection law with active SIC enforcement. Requires prior, express, and informed consent for all processing including cookies. The SIC has broad investigative powers including on-site inspections. Authorization logs are required for cookies, and a pop-up must inform users about privacy and cookie management.
LFPDPPPMexico
Completely new data protection law enacted March 2025, replacing the 2010 version. The INAI was dissolved and replaced by Transparencia para el Pueblo. Introduces criminal penalties, specialized federal data protection courts, and doubled fines for sensitive data violations. Express consent required for sensitive data; implied consent available for non-sensitive.
Chile Law 21.719Chile
A complete overhaul of Chile's data protection framework replacing the 1999 law. Creates a new dedicated Data Protection Agency, introduces tiered penalties, and explicitly prohibits pre-ticked consent boxes. The agency must issue cookie guidelines. Takes effect December 2026 after a 24-month implementation period.
Argentine PDPAArgentina
One of the earliest comprehensive data protection laws in Latin America, granting Argentina EU adequacy since 2003. The law is increasingly outdated, and reform bills submitted in 2025 would introduce GDPR-aligned penalties of up to 4% of turnover. Current penalties under the original law are low.
Peru Law 29733Peru
Peru's data protection law was significantly strengthened in 2025 with updated regulations introducing phased DPO requirements, extraterritorial scope, and the tightest breach notification timeline in the region. Foreign companies serving Peruvian individuals must appoint local representatives. Maximum penalty is 10% of annual net income.

Frequently Asked Questions

Does Uruguay have EU adequacy?

Yes, since August 2012. Uruguay is one of few Latin American countries with EU adequacy status.

What are Uruguay's enforcement options?

Graduated: warnings, admonitions, fines up to 500,000 UI (~USD $60,000), 5-day database suspension, or database closure.

Does Uruguay require database registration?

Yes. Databases must be registered with the URCDP and updated quarterly.

Stay compliant with Uruguay Law 18.331

ConsentStack helps you implement Opt-in consent for Uruguay automatically.

Get started free