Ecuador's LOPDP: A GDPR-Inspired Data Protection Framework
Ecuador enacted the Ley Organica de Proteccion de Datos Personales (LOPDP) on 26 May 2021, becoming one of the first Andean nations to adopt a comprehensive data protection law modelled on the EU's General Data Protection Regulation. The law entered force with a two-year transition period, and full compliance obligations - including mandatory registration with the Superintendencia de Proteccion de Datos Personales (SPDP) - took effect by the end of 2025.
The LOPDP does not contain a dedicated chapter on cookies. Cookie obligations arise from the law's general principles on consent, transparency, and lawful data processing.
If your website targets Ecuadorian visitors or processes personal data of individuals in Ecuador, the LOPDP applies to you regardless of where your servers are located.
How the LOPDP Applies to Cookies
Cookies that collect or store personal data fall under the LOPDP's scope. Article 8 of the LOPDP requires data controllers to obtain consent before processing personal data, and Article 7 sets out the conditions that make consent valid. Any cookie that identifies a user, tracks browsing behaviour, or links to a personal profile triggers these requirements.
Strictly necessary cookies - those required for a website to function, such as PHPSESSID for session management - do not collect personal data in most configurations and can be set without consent. Analytics cookies like _ga or _gid, advertising cookies like _fbp, and social media tracking pixels all process personal data and require prior consent under the LOPDP.
The law also mandates transparency. Your cookie policy must clearly describe which cookies your site uses, what data they collect, and how long they persist.
Consent Requirements Under the LOPDP
Article 7 of the LOPDP defines valid consent as free, specific, informed, and unambiguous. Consent must be demonstrated through a clear affirmative action - a deliberate opt-in such as clicking an "Accept" button or toggling cookie categories on.
Pre-ticked checkboxes do not qualify as valid consent. Bundled consent - where agreeing to terms of service also grants permission to set tracking cookies - is equally invalid. Each processing purpose must be presented separately so the visitor can make a genuine choice.
Withdrawing consent must be as straightforward as giving it. If a visitor consented via a single click, revoking that consent should require no more effort. Your cookie banner should include a persistent link or button that allows visitors to revisit and change their preferences at any time.
What Makes Consent Valid in Ecuador
| Requirement | LOPDP Standard | Practical Implementation |
|---|---|---|
| Free | No coercion or penalty for refusing | Access to content must not depend on accepting cookies |
| Specific | Separate consent per purpose | Granular controls for analytics, marketing, and functional cookies |
| Informed | Clear description of processing | Cookie banner with plain-language explanation and link to full policy |
| Unambiguous | Affirmative action required | No pre-ticked boxes; visitor must actively opt in |
| Revocable | Withdrawal as easy as consent | Visible "Manage preferences" link on every page |
The SPDP: Ecuador's Data Protection Authority
The Superintendencia de Proteccion de Datos Personales (SPDP) is Ecuador's dedicated supervisory authority. Established under the LOPDP, the SPDP oversees compliance, investigates complaints, and issues sanctions.
The SPDP has already demonstrated willingness to enforce the law. In late 2025, it imposed a USD 259,644 fine on LigaPro (Ecuador's professional football league) and a USD 194,856 fine on the Ecuadorian Football Federation (FEF). Both organisations processed fans' personal data through digital platforms without obtaining valid consent - a direct parallel to the risks websites face when setting tracking cookies without proper authorisation.
These cases confirmed that the SPDP treats the absence of valid, verifiable consent as a serious infraction under Article 68 of the LOPDP.
Fines and Penalties for Non-Compliance
The LOPDP classifies infractions into minor and serious categories, each carrying percentage-based fines calculated against the offending entity's annual turnover from the preceding financial year.
Minor infractions attract fines between 0.1% and 0.7% of annual turnover. Serious infractions - including processing data without valid consent - carry fines between 0.7% and 1% of annual turnover. While these percentages are lower than the GDPR's ceiling of 4%, they can still represent substantial sums for mid-sized and large organisations.
Beyond financial penalties, the SPDP can order data deletion, mandate notification of affected individuals, and require organisations to implement corrective measures within specified deadlines.
LOPDP Compared with the GDPR
The LOPDP borrows heavily from the GDPR's architecture, but several differences matter for website operators.
| Aspect | Ecuador LOPDP | EU GDPR |
|---|---|---|
| Consent definition | Free, specific, informed, unambiguous | Free, specific, informed, unambiguous |
| Cookie-specific rules | No dedicated cookie provision | ePrivacy Directive (Article 5(3)) plus GDPR |
| Maximum fines | 0.7% - 1% of annual turnover | Up to 4% of global annual turnover |
| Data Protection Officer | Required in certain cases | Required in certain cases |
| Breach notification | Required | 72 hours to DPA |
| Extraterritorial scope | Yes, applies to processing of Ecuadorian residents' data | Yes, applies to processing of EU residents' data |
| Supervisory authority | SPDP | National DPAs (CNIL, ICO, etc.) |
If your site already complies with the GDPR's cookie consent requirements, you are well positioned to meet Ecuador's standards. The main adjustment is ensuring your consent records and privacy documentation reference the LOPDP specifically.
Cookie Compliance Checklist for Ecuadorian Websites
Before Launching Your Cookie Banner
Run a cookie scan to identify every cookie and tracker on your site
Categorise cookies by purpose: strictly necessary, functional, analytics, and marketing
Draft a cookie policy in Spanish (and English if you serve international visitors) that lists each cookie, its purpose, its provider, and its expiry period
Map your legal basis for each cookie category under the LOPDP
Configuring Your Consent Mechanism
Block non-essential cookies until the visitor provides affirmative consent
Offer granular category controls rather than a single "accept all" option
Provide equal visual weight to "Accept" and "Reject" buttons - dark patterns undermine the "free" element of consent
Store consent records with timestamps, the version of the banner shown, and the categories accepted
Implement a persistent "Manage cookies" link so visitors can withdraw consent at any time
Ongoing Compliance
Re-scan your site regularly to catch new cookies introduced by third-party scripts or CMS updates
Keep your cookie policy current whenever you add or remove tracking tools
If you use Google Consent Mode v2, verify that tags only fire after consent is granted
Latin American Privacy Laws: Regional Context
Ecuador's LOPDP sits within a broader wave of data protection legislation across Latin America. Colombia's Law 1581 has been in force since 2012, while Peru's Law 29733 predates Ecuador's framework. Chile is reforming its data protection regime to align more closely with the GDPR, and Argentina's PDPA has long been recognised as providing adequate protection by the European Commission.
Brazil's LGPD remains the region's most prominent framework and has influenced several neighbouring countries, including Ecuador. If your website serves visitors across multiple Latin American markets, a consent-first approach to cookies provides the broadest coverage.
Mexico's LFPDPPP takes a somewhat different approach, but the trend across the region is unmistakable: explicit, informed consent is becoming the baseline standard.
Frequently Asked Questions
Does Ecuador have a specific cookie law?
Ecuador does not have a standalone cookie law. Cookie obligations arise from the LOPDP's general requirements on consent and transparency when personal data is processed through cookies or similar tracking technologies.
Do I need cookie consent for Ecuadorian website visitors?
Yes. If your cookies collect personal data from individuals in Ecuador, you must obtain free, specific, informed, and unambiguous consent before setting those cookies. Strictly necessary cookies that do not process personal data are exempt.
What are the fines for cookie non-compliance in Ecuador?
Serious infractions under the LOPDP, including processing data without valid consent, carry fines of 0.7% to 1% of the organisation's annual turnover. The SPDP has already imposed fines exceeding USD 250,000 in enforcement actions.
Is the LOPDP similar to the GDPR?
The LOPDP is closely modelled on the GDPR. Both laws require free, specific, informed, and unambiguous consent, grant data subjects similar rights, and apply extraterritorially. The main differences are in fine thresholds and the absence of a dedicated cookie directive in Ecuador.
Does the LOPDP apply to foreign websites?
Yes. The LOPDP applies to any organisation that processes personal data of individuals in Ecuador, regardless of where the data controller is located. This extraterritorial scope mirrors the GDPR's approach.
What cookies require consent under Ecuador's LOPDP?
Analytics cookies (such as _ga), advertising cookies (such as _fbp), and any other cookies that collect or link to personal data require consent. Session cookies used purely for website functionality typically do not.
Take Control of Your Cookie Compliance
If you are not sure which cookies your site sets, start with a free scan. Kukie.io detects, categorises, and helps you manage every cookie - so your visitors get a clear choice, and you stay on the right side of the law.
