Bahamas DPA

Data Protection (Privacy of Personal Information) Act, 2003

Key Facts

Effective Date: April 2, 2007
Enacted: January 1, 2003
Enforcing Authority: Data Protection Commissioner
Consent Model: Opt-in
Applies To: Public and private entities processing personal data in the Bahamas

Overview

The Bahamas' Data Protection Act dates from 2003 and is increasingly outdated. A comprehensive GDPR-inspired replacement bill (Data Protection Bill, 2025) is under public consultation, proposing coverage of AI, digital assets, biometrics, e-commerce, and cloud computing with significantly stronger penalties.

What This Means for Your Website

  • Lawful and fair data collection with consent is required under current law
  • Data must be accurate, stored securely, and not retained longer than necessary
  • The replacement bill would significantly strengthen requirements and penalties
  • Current penalties reach USD $100,000 for unlawful disclosure

Key Requirements

The Data Protection Commissioner enforces the current law with penalties up to BSD $100,000. The law establishes basic principles for fair processing, accuracy, purpose limitation, and secure storage. The pending replacement bill would modernize the framework substantially.

How ConsentStack Handles This

ConsentStack applies consent-based processing for Bahamian visitors, positioning websites for compliance with both current law and the pending GDPR-inspired replacement.

Penalties

Up to BSD $100,000 for unlawful disclosure or unauthorized access.

Maximum Fine: BSD $100,000 per violation

Key Requirements

  • Lawful and fair data collection with consent
  • Accurate and up-to-date data maintenance
  • Use data only for specified, legitimate purposes
  • Store data securely with appropriate safeguards
  • Do not retain data longer than necessary
  • Data subject rights: access, correction

Notable Provisions

  • Outdated (2003) — GDPR-inspired replacement bill under consultation
  • New bill would cover AI, digital assets, biometrics, e-commerce, cloud
  • Current law has basic data protection principles
  • Replacement bill would significantly strengthen penalties

Other Latin America & Caribbean Regulations

LGPD (Brazil)
Brazil's LGPD is modeled after the GDPR with extraterritorial scope. Requires explicit consent with separate authorization per processing purpose. Non-essential cookies require prior consent per ANPD guidance. Penalties include publicization of the infraction, creating reputational risk beyond fines.
Colombia Law 1581 (Colombia)
Colombia's comprehensive data protection law with active SIC enforcement. Requires prior, express, and informed consent for all processing including cookies. The SIC has broad investigative powers including on-site inspections. Authorization logs are required for cookies, and a pop-up must inform users about privacy and cookie management.
LFPDPPP (Mexico)
Completely new data protection law enacted March 2025, replacing the 2010 version. The INAI was dissolved and replaced by Transparencia para el Pueblo. Introduces criminal penalties, specialized federal data protection courts, and doubled fines for sensitive data violations. Express consent required for sensitive data; implied consent available for non-sensitive.
Chile Law 21.719 (Chile)
A complete overhaul of Chile's data protection framework replacing the 1999 law. Creates a new dedicated Data Protection Agency, introduces tiered penalties, and explicitly prohibits pre-ticked consent boxes. The agency must issue cookie guidelines. Takes effect December 2026 after a 24-month implementation period.
Argentine PDPA (Argentina)
One of the earliest comprehensive data protection laws in Latin America, granting Argentina EU adequacy since 2003. The law is increasingly outdated, and reform bills submitted in 2025 would introduce GDPR-aligned penalties of up to 4% of turnover. Current penalties under the original law are low.
Peru Law 29733 (Peru)
Peru's data protection law was significantly strengthened in 2025 with updated regulations introducing phased DPO requirements, extraterritorial scope, and the tightest breach notification timeline in the region. Foreign companies serving Peruvian individuals must appoint local representatives. Maximum penalty is 10% of annual net income.

Frequently Asked Questions

Is the Bahamas updating its data protection law?

Yes. A GDPR-inspired Data Protection Bill (2025) is under public consultation, covering AI, biometrics, digital assets, e-commerce, and cloud computing.

What are the current Bahamas penalties?

Up to BSD $100,000 for unlawful disclosure or unauthorized access under the 2003 law.

Is the current Bahamas law adequate?

The 2003 law is increasingly outdated. The replacement bill would significantly strengthen penalties and modernize the framework for digital technologies.
