Chile's Data Protection Overhaul: From Law 19.628 to Law 21.719

Chile was the first country in Latin America to adopt a data protection law. Law 19.628, enacted in 1999, gave Chilean citizens basic rights over their personal data but lacked any real enforcement mechanism - there was no supervisory authority, no mandatory breach notification, and no meaningful penalties for violations.

After eight years of legislative debate, Chile's Congress approved Law 21.719 on 26 August 2024. The law was published on 13 December 2024 and enters into force in December 2026, giving organisations a two-year transition period.

The reform brings Chile into alignment with international standards, most notably the EU's General Data Protection Regulation (GDPR). It establishes an independent supervisory authority, introduces data breach notification obligations, and creates a tiered penalty system with genuine financial consequences.

What Law 21.719 Means for Cookies on Your Website

Law 21.719 does not contain a standalone cookie provision equivalent to the EU's ePrivacy Directive. Cookies are instead governed by the law's general data protection principles: transparency, purpose limitation, and consent.

When a cookie processes personal data - and most analytics and marketing cookies do, since they assign unique identifiers to visitors - that processing falls within the scope of Law 21.719. This means you need a lawful basis before setting cookies like _ga, _fbp, or _gid on a Chilean visitor's device.

Strictly necessary cookies, such as PHPSESSID or session tokens that keep a shopping cart functional, do not require consent because they serve a purpose the visitor explicitly requested.

The Agencia de Proteccion de Datos Personales is expected to issue specific guidance on cookies and similar tracking technologies after it becomes operational. Until that guidance arrives, applying an opt-in consent model for non-essential cookies is the safest approach.

The Agencia de Proteccion de Datos Personales

One of the most significant changes is the creation of Chile's first independent data protection authority. The Agencia de Proteccion de Datos Personales will have regulatory, investigative, and sanctioning powers.

Its responsibilities include supervising compliance with Law 21.719, issuing binding guidelines, administering sanctions, and serving as Chile's point of contact for international data protection cooperation. The Agencia can initiate investigations on its own or in response to complaints from data subjects.

This marks a fundamental shift. Under Law 19.628, individuals had to pursue civil court action to enforce their data protection rights - a slow and expensive process that rarely resulted in meaningful outcomes.

Consent Requirements Under the New Law

Law 21.719 defines consent as a free, specific, informed, and unambiguous indication of the data subject's wishes. Pre-ticked boxes and implied consent through continued browsing are explicitly insufficient.

For your cookie banner, this translates to several practical requirements:

  • Visitors must take a clear affirmative action (clicking "Accept" or toggling specific cookie categories) before non-essential cookies are set

  • Consent must be granular - bundling cookie consent with terms of service acceptance is not compliant

  • Visitors must be able to withdraw consent as easily as they gave it

  • Your cookie policy must explain which cookies you use, their purposes, and their retention periods

  • Consent records should be stored as proof of compliance

Children's data receives additional protection. Processing personal data of minors under 14 requires parental or guardian consent.

Fines and Enforcement: The Penalty Structure

The penalty framework under Law 21.719 uses Chile's Unidad Tributaria Mensual (UTM) as its currency unit. The tiered structure is as follows:

| Violation Level | Maximum Fine (UTM) | Approximate Value (USD) | Revenue-Based Alternative |
| --- | --- | --- | --- |
| Minor | 500 UTM | ~$35,000 | N/A |
| Serious | 5,000 UTM | ~$387,000 | Up to 2% of annual global revenue |
| Very serious | 20,000 UTM | ~$1,550,000 | Up to 4% of annual global revenue |

For large enterprises, the Agencia applies whichever is higher: the fixed UTM amount or the revenue-based percentage. Repeat offenders face the revenue-based calculation automatically for serious and very serious violations.

The Agencia can also issue written warnings and order corrective measures, including temporary or permanent suspension of data processing activities.

How Chile's Law Compares to the GDPR

Law 21.719 borrows heavily from the GDPR's structure, but there are differences worth noting for organisations already familiar with EU compliance.

| Feature | Chile (Law 21.719) | EU (GDPR) |
| --- | --- | --- |
| Supervisory authority | Agencia de Proteccion de Datos Personales | National DPAs (CNIL, ICO, etc.) |
| Maximum fine | 4% of global revenue | 4% of global revenue or EUR 20 million |
| Data breach notification | Required, without undue delay | Required, within 72 hours |
| Data subject rights | Access, rectification, erasure, portability, objection | Access, rectification, erasure, portability, objection, restriction |
| DPO requirement | Not mandatory for all controllers | Mandatory for certain controllers |
| Cookie-specific rules | General principles apply (no ePrivacy equivalent) | ePrivacy Directive + GDPR |
| Transition period | 24 months (until December 2026) | Was 24 months (completed May 2018) |

The absence of a dedicated ePrivacy-style regulation means Chile's cookie rules are less prescriptive than those in EU member states. The Agencia's forthcoming guidance will likely fill this gap.

Compliance Checklist for Website Owners

If your website receives traffic from Chile, these steps will help you prepare before December 2026:

  1. Audit your cookies - Run a cookie scan to identify every cookie and tracking technology on your site

  2. Classify cookies by purpose - Separate strictly necessary cookies from analytics, marketing, and functional ones

  3. Implement an opt-in banner - Block non-essential cookies until visitors give explicit consent

  4. Write a clear cookie policy - Explain each cookie's name, purpose, provider, and duration in plain language

  5. Enable granular consent - Let visitors accept or reject individual cookie categories rather than offering only an all-or-nothing choice

  6. Store consent records - Keep timestamped proof of each visitor's consent decision

  7. Respect withdrawal - Provide an easy way for visitors to change their preferences at any time

  8. Review third-party scripts - Ensure tools like Google Analytics, Meta Pixel, and advertising tags respect the visitor's consent state
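
The consent logic behind steps 2, 3 and 5 to 8 (and the banner requirements listed under "Consent Requirements Under the New Law") can be kept in one small module. The code below is an added example, not taken from Kukie.io or from the text of the law; the category names, the shape of the consent record and all function names are assumptions, and only the cookie names come from this article.

```javascript
// Added example. Category names and the record shape are assumptions, not
// terms defined by Law 21.719. Cookie names are the ones the article mentions.
const COOKIE_CATEGORY = new Map([
  ["PHPSESSID", "necessary"],
  ["_ga", "analytics"],
  ["_gid", "analytics"],
  ["_fbp", "marketing"],
]);
const OPTIONAL = ["analytics", "marketing", "functional"];

// Opt-in default: only strictly necessary cookies are allowed before any choice.
function newConsentState() {
  return { necessary: true, analytics: false, marketing: false, functional: false, log: [] };
}

// Store an explicit decision. Only a literal `true` grants a category, so a
// missing key, a truthy string or a pre-ticked default never counts as consent.
function recordDecision(state, choices, now = new Date()) {
  const next = { ...state, log: [...state.log] };
  for (const cat of OPTIONAL) next[cat] = choices[cat] === true;
  const granted = OPTIONAL.filter((cat) => next[cat]);
  next.log.push({ at: now.toISOString(), granted }); // timestamped proof
  return next;
}

// Gate for every cookie write. Unclassified cookies are blocked until audited.
function maySetCookie(state, name) {
  const cat = COOKIE_CATEGORY.get(name);
  return cat !== undefined && state[cat] === true;
}

// Withdrawal is a single call, as easy as granting. Returns the new state and
// the cookies that must now be deleted from the visitor's browser.
function withdraw(state, category, now = new Date()) {
  if (!OPTIONAL.includes(category)) throw new Error("not a consent category: " + category);
  const choices = Object.fromEntries(OPTIONAL.map((c) => [c, state[c] && c !== category]));
  const toDelete = [...COOKIE_CATEGORY].filter(([, c]) => c === category).map(([n]) => n);
  return { state: recordDecision(state, choices, now), toDelete };
}

// Third-party tags load only when their category is granted (hypothetical tag list).
function tagsToLoad(state, tags) {
  return tags.filter((t) => state[t.category] === true).map((t) => t.src);
}
```

In a browser, maySetCookie would wrap every document.cookie write and tagsToLoad would decide which script elements are injected; the log array is what gets persisted server-side as the consent record.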

Chile in the Latin American Privacy Landscape

Chile's reform is part of a broader trend across Latin America. Brazil's LGPD has been in force since 2020, with its own supervisory authority (the ANPD) actively issuing fines and guidance. Argentina maintains one of the region's oldest data protection frameworks and holds EU adequacy status. Colombia's Law 1581 has been enforced by the SIC since 2012, and Peru's Law 29733 provides a consent-based model enforced by the ANPD Peru.

For organisations operating across the region, the direction is clear: Latin American countries are converging on GDPR-style consent models. Implementing a robust consent management platform that supports geo-detection allows you to apply the correct consent rules based on each visitor's location.

Frequently Asked Questions

Does Chile's new data protection law apply to websites outside Chile?

Yes. Law 21.719 applies to any organisation that processes personal data of individuals located in Chile, regardless of where the organisation is based. If your website sets cookies on Chilean visitors, the law applies to you.

When does Chile's cookie consent requirement take effect?

Law 21.719 was published on 13 December 2024 and enters into force 24 months later, in December 2026. Organisations should use the transition period to update their cookie practices.

Do I need a cookie banner for visitors from Chile?

If your website sets non-essential cookies that process personal data, you should display a cookie banner requesting opt-in consent from Chilean visitors. Strictly necessary cookies do not require consent.

What is the maximum fine under Chile's new data protection law?

The maximum fine for very serious violations is 20,000 UTM (approximately $1.55 million USD) or up to 4% of global annual revenue, whichever is higher.

How does Chile's law differ from the GDPR for cookie consent?

Chile's law applies general data protection principles to cookies rather than having a separate cookie-specific directive like the EU's ePrivacy Directive. The consent standard is similar - explicit, informed, and freely given - but specific cookie guidance from the Agencia is still pending.

Is implied consent through continued browsing acceptable in Chile?

No. Law 21.719 requires consent to be a clear affirmative action. Continuing to browse a website does not constitute valid consent for non-essential cookies.

Take Control of Your Cookie Compliance

If you are not sure which cookies your site sets, start with a free scan. Kukie.io detects, categorises, and helps you manage every cookie - so your visitors get a clear choice, and you stay on the right side of the law.
