Argentina's Data Protection Framework and Cookies
Argentina enacted its Personal Data Protection Act (PDPA) - officially Law 25.326 - in the year 2000, making it one of the earliest Latin American countries to regulate personal data processing. The law is enforced by the Agencia de Acceso a la Informacion Publica (AAIP), which also handles freedom of information requests.
The PDPA does not mention cookies by name. It predates the modern tracking ecosystem by several years. But its definitions of personal data and consent apply directly to any cookie that collects, stores, or transmits information linked to an identifiable person. If your site sets _ga, _fbp, or similar tracking cookies for visitors in Argentina, the PDPA's consent rules apply to you.
Argentina holds EU adequacy status - the European Commission confirmed in January 2024 that Argentine data protection standards remain adequate under the GDPR. That status means personal data flows freely between the EU and Argentina without additional safeguards, but it also raises the bar for what Argentine regulators and courts expect from data controllers.
What Law 25.326 Requires for Cookie Consent
Article 5 of the PDPA states that personal data may only be collected with the "express and informed consent" of the data subject. Consent must be given freely, for a specific purpose, and based on clear information about what data is being collected and why.
For cookies, this translates to a straightforward rule: non-essential cookies that process personal data require opt-in consent before they are set. Strictly necessary cookies - those required for basic site functionality like PHPSESSID or pll_language - do not require consent, since they do not serve a data collection purpose beyond the service the visitor requested.
The AAIP has not published cookie-specific guidelines in the way that CNIL in France or AEPD in Spain have. Enforcement remains principles-based rather than prescriptive. That said, the general consensus among Argentine privacy practitioners is that an opt-in model for analytics and marketing cookies is the safest approach.
Cookie Categories Under Argentine Law
The PDPA does not define cookie categories. In practice, most organisations operating in Argentina apply a classification system similar to the one used under the GDPR and ePrivacy Directive.
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | PHPSESSID, pll_language, session tokens | No |
| Functional / Preferences | Language selectors, UI settings | Recommended |
| Analytics | _ga, _gid, _hjSessionUser | Yes |
| Marketing / Advertising | _fbp, _gcl_au, retargeting pixels | Yes |
Functional cookies sit in a grey area. If they store personal data or track behaviour across sessions, treat them as requiring consent. When in doubt, categorise conservatively.
The AAIP: Enforcement Powers and Penalties
The AAIP classifies violations into three tiers under Resolution 240/2022.
Minor offences carry fines from ARS 1,000 to ARS 80,000. Serious offences range from ARS 80,001 to ARS 90,000. Very serious offences can reach ARS 100,000 or result in a one-year ban on data processing activities. In practice, the monetary penalties are modest - Argentine peso devaluation has eroded their real value significantly.
Enforcement has historically leaned toward warnings rather than large fines. Most AAIP sanctions since 2007 have been corrective in nature. But a proposed reform bill currently before Congress would dramatically increase penalties to between ARS 50,000 and ARS 10 billion, or 2-4% of annual global turnover - mirroring the GDPR's penalty structure.
Even under the current regime, a database processing ban is a serious operational risk. If the AAIP orders you to stop processing data for a year, that affects far more than cookies.
GDPR Adequacy: What It Means for Your Website
Argentina received its original EU adequacy decision in 2003 and was reconfirmed in January 2024 alongside 10 other countries. This status carries practical implications for website operators.
If your business is established in the EU and processes data of Argentine users, you already apply GDPR standards. Those standards exceed current Argentine requirements, so you are likely compliant with the PDPA as well. The reverse also applies: Argentine companies handling EU personal data benefit from streamlined data transfers without needing Standard Contractual Clauses.
The European Commission has recommended that Argentina enshrine certain protections currently found only in case law and sub-legislative guidance into formal legislation. The reform bills under consideration in Congress aim to address this.
Argentina vs GDPR: Key Differences
While the two frameworks share common principles, several gaps exist.
| Requirement | Argentina PDPA | EU GDPR |
|---|---|---|
| Consent standard | Express and informed | Freely given, specific, informed, unambiguous |
| Cookie-specific rules | None (general data protection principles apply) | ePrivacy Directive Article 5(3) plus national implementations |
| Data breach notification | No mandatory timeline (reform proposes 72 hours) | 72 hours to supervisory authority |
| DPO requirement | Not required | Required in certain cases |
| Maximum fines | ARS 100,000 (current); up to 4% turnover (proposed) | Up to EUR 20 million or 4% turnover |
| Database registration | Mandatory with AAIP | Not required (replaced by ROPA) |
| Right to erasure | Yes (suppression) | Yes (right to be forgotten) |
The database registration requirement is unique to Argentina. Any organisation that maintains a personal data file or database must register it with the AAIP. This includes databases populated through cookie-based data collection if they contain personal data.
Compliance Checklist for Cookie Consent in Argentina
Use this checklist to assess whether your site meets current PDPA requirements for Argentine visitors.
Run a cookie scan to identify every cookie your site sets and classify each one by category
Block analytics and marketing cookies until the visitor gives express opt-in consent
Display a cookie banner in Spanish (or the visitor's language) with equal-weight Accept and Reject buttons
Provide granular category controls so visitors can consent to analytics separately from marketing
Publish a cookie policy listing every cookie by name, purpose, provider, and retention period
Allow visitors to withdraw consent at any time through a persistent settings link
Register any personal data databases with the AAIP if you store data collected from Argentine users
Keep consent records as proof of valid consent for each visitor
Review compliance whenever you add new third-party scripts or tracking tools
How Argentina Fits the Latin American Privacy Landscape
Argentina's PDPA sits within a broader wave of data protection legislation across the region. Mexico's LFPDPPP, Colombia's Law 1581, Chile's ongoing reform, and Peru's Law 29733 all share a European-influenced consent model. Brazil's LGPD is the most comprehensive, with explicit cookie-related guidance from the ANPD.
Argentina's EU adequacy status sets it apart. No other Latin American country currently holds this designation, though Brazil and Uruguay have sought similar recognition. For businesses operating across the region, Argentina's framework often serves as a de facto baseline.
The proposed reform - with GDPR-aligned breach notification timelines, higher fines, and new concepts like automated decision-making - would bring Argentina closer to Brazil's LGPD in scope and enforcement power.
Frequently Asked Questions
Does Argentina require cookie consent on websites?
Argentina's PDPA requires express and informed consent before collecting personal data. Cookies that track behaviour or identify users - such as analytics and advertising cookies - fall under this requirement. Strictly necessary cookies do not require consent.
What is the AAIP in Argentina?
The AAIP (Agencia de Acceso a la Informacion Publica) is Argentina's data protection authority. It oversees enforcement of Law 25.326, handles complaints, maintains the database registry, and issues guidance on data protection matters.
What fines can the AAIP impose for cookie non-compliance?
Current fines range from ARS 1,000 to ARS 100,000. The AAIP can also suspend data processing activities for up to one year. A reform bill proposes increasing maximum fines to ARS 10 billion or 4% of global turnover.
Does Argentina have EU adequacy status for GDPR?
Yes. Argentina has held EU adequacy status since 2003. The European Commission reconfirmed this status in January 2024, meaning personal data can flow between the EU and Argentina without Standard Contractual Clauses or other transfer mechanisms.
Do I need to register my cookie database with the AAIP?
If your website collects personal data from Argentine visitors and stores it in a database, you must register that database with the AAIP. This obligation applies regardless of where your business is located.
How does Argentina's cookie law compare to Brazil's LGPD?
Both require consent for non-essential data collection. Brazil's LGPD is more modern, with 10 legal bases for processing, a dedicated supervisory authority (ANPD), and explicit guidance on cookies. Argentina's PDPA is older and less specific about cookies, though proposed reforms aim to close the gap.
Take Control of Your Cookie Compliance
If you are not sure which cookies your site sets, start with a free scan. Kukie.io detects, categorises, and helps you manage every cookie - so your visitors get a clear choice, and you stay on the right side of the law.
