Bermuda PIPA

Personal Information Protection Act 2016

Key Facts

Effective Date: January 1, 2025
Enacted: January 1, 2016
Enforcing Authority: Privacy Commissioner of Bermuda (PrivCom)
Consent Model: Opt-in
Applies To: Organizations that use personal information in Bermuda, regardless of where incorporated or located

Overview

Bermuda's Personal Information Protection Act became fully effective on January 1, 2025 after a phased implementation from 2016. The law requires mandatory privacy officer designation and notably makes failure to notify breaches a criminal offense. Court-ordered compensation is available for financial loss or emotional distress.

What This Means for Your Website

  • Clear, free, and informed consent is required before processing personal information of Bermuda visitors
  • A privacy officer must be designated for communication with the Commissioner
  • Failure to notify data breaches is a criminal offense — not just a civil violation
  • Individuals suffering financial loss or emotional distress can seek court-ordered compensation
  • The law applies extraterritorially to organizations using personal information in Bermuda

Key Requirements

The Privacy Commissioner enforces PIPA with penalties up to USD $250,000 for organizations and USD $25,000 plus 2 years imprisonment for individuals. Breach notification must occur without undue delay. The criminal offense for notification failure creates strong incentives for prompt reporting.

How ConsentStack Handles This

ConsentStack applies clear, free, and informed consent for Bermuda visitors, supporting compliance with PIPA's processing and breach notification requirements.

Penalties

Individuals: up to BMD/USD $25,000 and/or 2 years imprisonment. Organizations: up to BMD/USD $250,000. Court-ordered compensation.

Maximum Fine: USD $250,000 per violation

Key Requirements

  • Clear, free, and informed consent before processing
  • Designate a privacy officer for communication with Commissioner
  • Implement appropriate data security safeguards
  • Breach notification without undue delay — failure is a criminal offense
  • Data subject rights: access, correction, opposition
  • Data minimization and purpose limitation

Notable Provisions

  • Fully effective January 1, 2025 after phased implementation
  • Failure to notify breaches is a criminal offense
  • Court-ordered compensation for financial loss or emotional distress
  • Privacy officer designation mandatory
  • Extraterritorial application

Other Latin America & Caribbean Regulations

LGPD (Brazil)
Brazil's LGPD is modeled after the GDPR with extraterritorial scope. Requires explicit consent with separate authorization per processing purpose. Non-essential cookies require prior consent per ANPD guidance. Penalties include publicization of the infraction, creating reputational risk beyond fines.

Colombia Law 1581 (Colombia)
Colombia's comprehensive data protection law with active SIC enforcement. Requires prior, express, and informed consent for all processing including cookies. The SIC has broad investigative powers including on-site inspections. Authorization logs are required for cookies, and a pop-up must inform users about privacy and cookie management.

LFPDPPP (Mexico)
Completely new data protection law enacted March 2025, replacing the 2010 version. The INAI was dissolved and replaced by Transparencia para el Pueblo. Introduces criminal penalties, specialized federal data protection courts, and doubled fines for sensitive data violations. Express consent required for sensitive data; implied consent available for non-sensitive.

Chile Law 21.719 (Chile)
A complete overhaul of Chile's data protection framework replacing the 1999 law. Creates a new dedicated Data Protection Agency, introduces tiered penalties, and explicitly prohibits pre-ticked consent boxes. The agency must issue cookie guidelines. Takes effect December 2026 after a 24-month implementation period.

Argentine PDPA (Argentina)
One of the earliest comprehensive data protection laws in Latin America, granting Argentina EU adequacy since 2003. The law is increasingly outdated, and reform bills submitted in 2025 would introduce GDPR-aligned penalties of up to 4% of turnover. Current penalties under the original law are low.

Peru Law 29733 (Peru)
Peru's data protection law was significantly strengthened in 2025 with updated regulations introducing phased DPO requirements, extraterritorial scope, and the tightest breach notification timeline in the region. Foreign companies serving Peruvian individuals must appoint local representatives. Maximum penalty is 10% of annual net income.

Frequently Asked Questions

When did Bermuda's PIPA become fully effective?

January 1, 2025, after phased implementation since 2016.

Is breach notification failure criminal in Bermuda?

Yes. Failure to notify the Privacy Commissioner of data breaches is a criminal offense under PIPA — not just a civil violation.

What are Bermuda's data protection penalties?

Organizations: up to USD $250,000. Individuals: up to USD $25,000 and/or 2 years imprisonment. Plus court-ordered compensation.

Stay compliant with Bermuda PIPA

ConsentStack helps you implement opt-in consent for Bermuda automatically.