Colombia's Data Protection Framework and Cookies
Colombia was one of the first Latin American countries to enact a comprehensive data protection statute. Statutory Law 1581 of 2012, known as the General Data Protection Law, governs all personal data processing in the country. Decree 1377 of 2013 fills in the operational detail, covering authorisation procedures, privacy notices, and cross-border transfers.
Cookies that collect or store personal data fall squarely within this framework. If your website sets tracking cookies such as _ga, _fbp, or advertising pixels that identify individual visitors, you are processing personal data under Colombian law.
The Superintendencia de Industria y Comercio (SIC) is the data protection authority responsible for enforcement. SIC sanctions rose by 22 percent in 2024, with fines of up to 2,000 statutory monthly minimum wages - roughly USD 600,000 at current exchange rates.
What Law 1581 Says About Consent
Article 9 of Law 1581 sets out the consent standard. Authorisation must be prior, express, and informed (previo, expreso e informado). That three-part test means consent must be collected before any data processing begins, it cannot be implied or assumed, and the data subject must understand what they are agreeing to.
Silence does not equal consent. Pre-ticked checkboxes do not qualify either.
Decree 1377 of 2013 adds a proof-of-authorisation duty. Claiming you had consent is not enough for the SIC. Controllers must keep records showing when and how each person granted permission, and those logs need to be available if the regulator requests them. For cookie consent, this translates to storing timestamped consent records tied to each visitor session.
The law recognises limited exceptions. Strictly necessary cookies - those required for the basic functioning of a website, such as PHPSESSID for session management - may be set without prior consent. Analytics and marketing cookies do not qualify for any exception.
Cookie Categories Under Colombian Law
Law 1581 does not define cookie categories explicitly, but the consent framework maps neatly onto the standard classification used by most consent management platforms.
| Cookie Category | Examples | Consent Required? |
|---|---|---|
| Strictly necessary | PHPSESSID, csrf_token | No |
| Functional / preferences | pll_language, currency_pref | Yes |
| Analytics | _ga, _gid | Yes |
| Advertising / tracking | _fbp, IDE | Yes |
Any cookie that processes personal data beyond what is strictly required to deliver the service the visitor requested needs prior, express authorisation. Cookie consent banners must give visitors a genuine choice to accept or reject each non-essential category.
Privacy Notice and Cookie Policy Obligations
Decree 1377 requires every data controller to maintain a privacy policy. For websites using cookies, this means a dedicated cookie policy or a clearly identified section within the main privacy policy.
The policy must state the controller's identity and contact details, every type of cookie set and its purpose, the legal basis for processing, the data subject's rights, and how to exercise those rights.
Vague descriptions such as "we use cookies to improve your experience" are insufficient. Each cookie or category of cookies needs a specific explanation of what data it collects and why. A cookie scan is the practical first step - you cannot disclose what you do not know about.
SIC Enforcement and Fines
The SIC has broad enforcement powers. It can investigate complaints, conduct audits, and impose administrative fines. The maximum penalty is 2,000 statutory monthly minimum wages per infringement.
Enforcement activity has accelerated in recent years. In 2024, the SIC issued circulars targeting AI systems (Circular 002 of 2024) and fintech operations (Circular 001 of 2025), signalling a willingness to regulate emerging technologies. In December 2025, Circular Externa No. 003 introduced model contractual clauses for international data transfers.
Cookie-related complaints typically stem from websites that process data without valid consent or that fail to respond to data subject access requests. The proof-of-authorisation requirement is a frequent stumbling block - if your consent records are incomplete, the SIC treats that as a standalone violation.
How Colombian Law Compares to the GDPR
Law 1581 predates the GDPR by four years, yet the two frameworks share core principles. Both require a lawful basis for processing, grant data subjects rights of access, rectification, and deletion, and impose obligations on controllers and processors. The differences matter for organisations operating across both jurisdictions.
| Aspect | Colombia (Law 1581) | EU (GDPR) |
|---|---|---|
| Lawful bases | Consent-centric; consent is the primary basis | Six co-equal lawful bases including legitimate interest |
| Consent standard | Prior, express, and informed | Freely given, specific, informed, and unambiguous |
| Cookie-specific law | No separate cookie directive; covered by general data protection law | ePrivacy Directive (Article 5(3)) plus GDPR |
| DPA | SIC | National DPAs (CNIL, ICO, etc.) |
| Maximum fine | 2,000 monthly minimum wages (approx. USD 600,000) | EUR 20 million or 4% of global turnover |
| Data breach notification | No mandatory timeframe specified | 72 hours to DPA |
| DPO requirement | Not mandatory | Required in certain cases |
The most significant practical difference is the absence of a "legitimate interest" basis in Colombian law. Under the GDPR, some analytics processing can rely on legitimate interest with appropriate safeguards. In Colombia, you need consent.
Cookie Compliance Checklist for Colombia
Getting your website compliant with Law 1581 does not require a complete overhaul if you already follow GDPR-style consent practices. Focus on these steps.
1. Audit Your Cookies
Run a cookie scan to identify every cookie and tracking script on your site. Many websites set third-party cookies they are unaware of, particularly from embedded videos, social widgets, and analytics tools.
2. Implement a Consent Banner
Display a cookie consent banner before non-essential cookies are set. The banner must allow visitors to accept or reject categories individually. A single "Accept All" button without an equally prominent reject option does not meet the express consent requirement.
3. Block Scripts Until Consent
Non-essential cookies and tracking scripts must not fire until the visitor grants consent. This requires script blocking or tag management integration - simply showing a banner while cookies load in the background is not compliant.
4. Keep Consent Records
Store a timestamped log of each consent decision. Record which categories were accepted or rejected, the version of the cookie policy shown, and the visitor's identifier (anonymised if possible). These records satisfy the proof-of-authorisation requirement under Decree 1377.
5. Publish a Cookie Policy
List every cookie by name, its provider, purpose, duration, and category. Link to this policy from your consent banner.
6. Provide Withdrawal Mechanisms
Visitors must be able to change or withdraw their consent at any time, just as easily as they gave it.
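Steps 3, 4 and 6 can be tied together server-side as a default-deny gate that reads an append-only consent log; the following Node.js sketch is an added example, not code from this page or from any consent management platform. The function names, the HMAC key, the policy version strings and the sample session identifier are assumptions made for illustration, as is the rule that consent recorded under a different policy version is not reused.

```javascript
const { createHmac } = require("node:crypto");

// Categories and cookie names from the table on this page.
const CATEGORY = {
  PHPSESSID: "necessary", csrf_token: "necessary",
  pll_language: "functional", currency_pref: "functional",
  _ga: "analytics", _gid: "analytics", _fbp: "advertising", IDE: "advertising",
};
const OPTIONAL = ["functional", "analytics", "advertising"];

// Keyed hash so the log never stores the raw visitor/session identifier.
function pseudonymise(visitorId, key) {
  return createHmac("sha256", key).update(visitorId).digest("hex");
}

// Append one decision; anything not explicitly accepted is recorded as rejected.
function recordDecision(log, { visitorId, accepted, policyVersion, key, now = new Date() }) {
  const entry = Object.freeze({
    visitor: pseudonymise(visitorId, key),
    timestamp: now.toISOString(),
    policyVersion,
    accepted: OPTIONAL.filter((c) => accepted.includes(c)),
    rejected: OPTIONAL.filter((c) => !accepted.includes(c)),
  });
  log.push(entry); // append-only: a withdrawal is a new entry, not an edit
  return entry;
}

// Default-deny gate consulted before any cookie or tag is emitted.
function maySetCookie(log, { visitorId, cookie, policyVersion, key }) {
  const category = Object.hasOwn(CATEGORY, cookie) ? CATEGORY[cookie] : undefined;
  if (category === "necessary") return true;
  if (!category) return false; // undeclared cookie: block until it is classified
  const id = pseudonymise(visitorId, key);
  const latest = log.filter((e) => e.visitor === id).at(-1);
  // Assumption of this example: consent given under another policy version is not reused.
  if (!latest || latest.policyVersion !== policyVersion) return false;
  return latest.accepted.includes(category);
}

{ // Constructed sample run: before consent, after accepting analytics, after withdrawal.
  const log = [], ctx = { visitorId: "sess-8f2c", policyVersion: "2025-01", key: "demo-key" };
  console.log(maySetCookie(log, { ...ctx, cookie: "_ga" }));
  recordDecision(log, { ...ctx, accepted: ["analytics"] });
  console.log(maySetCookie(log, { ...ctx, cookie: "_ga" }), maySetCookie(log, { ...ctx, cookie: "_fbp" }));
  recordDecision(log, { ...ctx, accepted: [] });
  console.log(maySetCookie(log, { ...ctx, cookie: "_ga" }));
}
```

In a real deployment the log would live in durable storage and the HMAC key would be held server-side, separate from the records.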
Cookie Consent Across Latin America
Colombia is part of a broader wave of data protection regulation across the region. If your website targets visitors in multiple Latin American countries, you will need to account for each jurisdiction's specific rules.
Mexico's LFPDPPP takes a similar consent-first approach but includes an "aviso de privacidad" (privacy notice) requirement with specific formatting rules. Argentina's PDPA is one of the few Latin American laws with an EU adequacy decision. Peru's Law 29733 mirrors many provisions of Law 1581. Chile is currently reforming its data protection framework to align more closely with the GDPR. Ecuador's LOPDP, enacted in 2021, is the newest addition to the region's privacy landscape.
A country-by-country approach to cookie consent ensures you meet each standard without over-simplifying.
Frequently Asked Questions
Does Colombia have a specific cookie law?
Colombia does not have a standalone cookie law. Cookie consent obligations fall under the general data protection framework of Law 1581 of 2012 and Decree 1377 of 2013, which require prior, express, and informed consent for processing personal data collected through cookies.
What fines can the SIC impose for cookie violations?
The SIC can impose fines of up to 2,000 statutory monthly minimum wages per infringement, which equates to roughly USD 600,000 at current exchange rates. Failure to maintain proof of consent is treated as a separate violation.
Do strictly necessary cookies need consent in Colombia?
Strictly necessary cookies that are essential for providing a service explicitly requested by the visitor, such as session cookies or authentication tokens, do not require prior consent. All other cookies, including analytics and advertising cookies, do.
Is a cookie banner required for Colombian websites?
Yes. Any website that sets non-essential cookies and collects personal data from visitors in Colombia must display a consent mechanism - typically a cookie banner - before those cookies are activated.
How does Colombian cookie consent compare to GDPR consent?
Both require informed, express consent before setting non-essential cookies. The main difference is that Colombian law is consent-centric with no "legitimate interest" alternative, while the GDPR offers six co-equal lawful bases for processing.
Does Law 1581 apply to websites outside Colombia?
Law 1581 applies to personal data processing that takes place in Colombian territory or that involves data subjects located in Colombia. If your website targets Colombian visitors and collects their personal data through cookies, the law applies regardless of where your servers are located.
Take Control of Your Cookie Compliance
If you are not sure which cookies your site sets, start with a free scan. Kukie.io detects, categorises, and helps you manage every cookie - so your visitors get a clear choice, and you stay on the right side of Colombian data protection law.