Chile Law 21.719

Ley sobre Protección de Datos Personales (Law 21.719)

Flag of CL
ChileOpt-inNational
Back to Regulations Guide

Key Facts

Effective Date
December 1, 2026
Enacted
August 26, 2024
Enforcing Authority
Agencia de Protección de Datos Personales (new dedicated agency, operational by December 2026)
Consent Model
Opt-in
Applies To
Any entity processing personal data of individuals in Chile, with extraterritorial provisions

Overview

Chile's Law 21.719 is a complete overhaul of the country's data protection framework, replacing the outdated 1999 law with a GDPR-aligned regime. A new dedicated Data Protection Agency will be operational by December 2026, with authority to issue cookie guidelines and enforce tiered penalties.

What This Means for Your Website

  • Explicit, free, informed, and unambiguous consent is required — pre-ticked boxes are explicitly prohibited
  • The new agency must issue specific cookie guidelines before enforcement begins
  • Tiered penalties scale by severity, with revenue-based caps for large entities (2-4% of annual income)
  • A Data Protection Officer must be appointed
  • The law takes effect December 1, 2026 after a 24-month implementation period

Key Requirements

The new Agencia de Protección de Datos Personales will enforce tiered penalties from minor (5,000 UTM / ~$35K) to very serious (20,000 UTM / ~$1.55M), with a 2-4% revenue cap for large entities. Cookie guidelines, transfer rules, and impact assessment standards will be issued by the agency.

How ConsentStack Handles This

ConsentStack will apply Chile's new consent requirements when the law takes effect in December 2026, following the agency's cookie guidelines once issued.

Penalties

Minor: up to 5,000 UTM (~$35K). Serious: up to 10,000 UTM (~$387K). Very serious: up to 20,000 UTM (~$1.55M). Large entities: 2-4% of annual income.

Revenue-based
4% of annual revenue

Key Requirements

  • Explicit, free, informed, unambiguous consent — pre-ticked boxes prohibited
  • Appoint a Data Protection Officer
  • Data Protection Impact Assessments for high-risk processing
  • Data subject rights: access, rectification, deletion, portability, opposition
  • Breach notification obligations
  • Cross-border transfer safeguards

Notable Provisions

  • Complete overhaul replacing 1999 law
  • Creates new dedicated agency (operational December 2026)
  • Pre-ticked boxes explicitly prohibited
  • GDPR-aligned with tiered penalties
  • Agency must issue cookie guidelines

Other Latin America & Caribbean Regulations

LGPDBrazil
Brazil's LGPD is modeled after the GDPR with extraterritorial scope. Requires explicit consent with separate authorization per processing purpose. Non-essential cookies require prior consent per ANPD guidance. Penalties include publicization of the infraction, creating reputational risk beyond fines.
LFPDPPPMexico
Completely new data protection law enacted March 2025, replacing the 2010 version. The INAI was dissolved and replaced by Transparencia para el Pueblo. Introduces criminal penalties, specialized federal data protection courts, and doubled fines for sensitive data violations. Express consent required for sensitive data; implied consent available for non-sensitive.
Colombia Law 1581Colombia
Colombia's comprehensive data protection law with active SIC enforcement. Requires prior, express, and informed consent for all processing including cookies. The SIC has broad investigative powers including on-site inspections. Authorization logs are required for cookies, and a pop-up must inform users about privacy and cookie management.
Peru Law 29733Peru
Peru's data protection law was significantly strengthened in 2025 with updated regulations introducing phased DPO requirements, extraterritorial scope, and the tightest breach notification timeline in the region. Foreign companies serving Peruvian individuals must appoint local representatives. Maximum penalty is 10% of annual net income.
Argentine PDPAArgentina
One of the earliest comprehensive data protection laws in Latin America, granting Argentina EU adequacy since 2003. The law is increasingly outdated, and reform bills submitted in 2025 would introduce GDPR-aligned penalties of up to 4% of turnover. Current penalties under the original law are low.
Jamaica DPAJamaica
The most comprehensive data protection law in the Caribbean, with GDPR-level penalties (4% of worldwide turnover). Individual violators face both fines and up to 10 years imprisonment. The OIC operates independently with broad enforcement powers including assessment notices, information notices, and criminal prosecution.

Frequently Asked Questions

When does Chile's new data protection law take effect?

December 1, 2026, after a 24-month implementation period from the December 2024 publication.

Does Chile's law address cookies specifically?

The new Data Protection Agency must issue specific cookie guidelines before enforcement begins. Pre-ticked consent boxes are explicitly prohibited.

What are the penalties under Chile's new law?

Tiered by severity: up to 5,000 UTM for minor, 10,000 UTM for serious, 20,000 UTM for very serious. Large entities face 2-4% of annual income.

Stay compliant with Chile Law 21.719

ConsentStack helps you implement Opt-in consent for Chile automatically.

Get started