Guatemala Has No Dedicated Data Protection Law
Guatemala is one of the few countries in Latin America without a standalone personal data protection statute. Unlike neighbouring Mexico, Colombia, or Peru, Guatemala has not yet enacted legislation that comprehensively regulates how private organisations collect, store, or process personal data.
That does not mean personal data is unprotected. Two legal instruments provide partial coverage: the 1985 Constitution of the Republic of Guatemala and Decree 57-2008, the Law on Access to Public Information (Ley de Acceso a la Información Pública). A draft bill is also progressing through Congress.
Constitutional Privacy Protections
The Guatemalan Constitution contains several articles relevant to privacy. Article 23 protects the inviolability of the home. Article 24 safeguards the privacy of correspondence, documents, and books. Article 25 regulates the search of persons and vehicles.
Article 31 is the most directly relevant provision for data protection. It grants every person the right to access information held about them in public files, registries, or government records, and to know the purpose for which that data is used. The Constitutional Court has interpreted this article as a partial recognition of informational self-determination.
The court has also recognised data privacy as a human right and established that consent is required for the use of personal data. These rulings carry legal weight, but they fall short of the detailed obligations found in dedicated data protection statutes elsewhere in the region.
Decree 57-2008: The Law on Access to Public Information
Decree 57-2008, enacted in 2008, is the closest Guatemala comes to data protection legislation. Its primary purpose is to regulate access to government-held information, but it includes definitions and provisions that touch on personal data.
Article 9 of the Decree defines personal data as any information pertaining to identified or identifiable natural persons. It also defines sensitive personal data, covering characteristics such as racial or ethnic origin, political opinions, religious beliefs, health status, and sexual preference. The law establishes habeas data as a mechanism allowing individuals to access, correct, and update their personal information held in public records.
The critical limitation is scope. Decree 57-2008 applies primarily to data held by public bodies and state registries, leaving a significant gap in the regulation of personal data processed by private companies, including website operators.
Draft Bill 6105: A Comprehensive Law on the Horizon
Bill 6105, introduced on 23 June 2022, proposes a dedicated Personal Data Protection Law for Guatemala. The Guatemala Transparency and Probity Commission issued a favourable opinion on the initiative, and the bill has returned to the plenary of Congress for discussion through three required debates.
If enacted, Bill 6105 would bring Guatemala closer to the standards set by Ecuador's LOPDP and Chile's reformed data protection framework. Until then, website operators targeting Guatemalan users work in an environment with limited domestic regulation of online data collection.
Cookie Consent Rules: What Applies Today
Guatemala has no specific legislation requiring cookie consent banners. There is no equivalent to the EU's ePrivacy Directive or Brazil's LGPD cookie provisions. Strictly speaking, Guatemalan law does not mandate that you display a cookie notice to visitors located in Guatemala.
That said, several practical reasons make cookie consent management worthwhile even without a legal mandate.
If your website attracts visitors from jurisdictions with strict cookie laws, such as the EU, UK, or Brazil, you still need to comply with those regulations for those users. A geo-targeted cookie consent banner handles this automatically. Tools like Kukie.io's geo-detection feature can display banners only to visitors in regulated jurisdictions, avoiding unnecessary friction for Guatemalan users while keeping you compliant elsewhere.
The Constitutional Court's stance on consent for personal data use also suggests that voluntarily obtaining consent before placing tracking cookies like _ga, _fbp, or _gcl_au is a prudent approach, especially if Bill 6105 passes.
Guatemala vs GDPR: A Comparison
| Aspect | Guatemala (Current) | EU (GDPR + ePrivacy) |
|---|---|---|
| Dedicated data protection law | None (Bill 6105 pending) | GDPR (Regulation 2016/679) |
| Cookie-specific legislation | None | ePrivacy Directive, Article 5(3) |
| Consent requirement for cookies | Not legally required | Prior opt-in consent required |
| Data protection authority | None established | National DPAs in each member state |
| Right of access | Article 31 (public records only) | Article 15 GDPR (all data controllers) |
| Sensitive data definition | Decree 57-2008, Article 9 | Article 9 GDPR |
| Cross-border transfer rules | None | Chapter V GDPR (adequacy, SCCs, BCRs) |
| Fines for non-compliance | No specific penalties | Up to 4% of global annual turnover |
The gap between Guatemala's framework and the GDPR is substantial. If your site serves both Guatemalan and European visitors, the GDPR requirements will apply to European users regardless of where your servers are located.
Practical Compliance Checklist for Websites Targeting Guatemala
Even without a strict legal obligation, adopting good data practices protects your business and prepares you for upcoming legislation. Here is a practical checklist.
Audit your cookies - Run a free cookie scan to identify every cookie your site sets, including third-party cookies from analytics and advertising scripts.
Classify cookies by purpose - Group cookies into categories: strictly necessary, functional, analytics, and marketing. This mirrors the structure used by most consent management platforms.
Publish a cookie policy - Explain what cookies your site uses, their purpose, and their duration. Transparency builds trust even where it is not yet mandated by law.
Consider a consent banner for international visitors - If your site receives traffic from the EU, UK, Brazil, or other regulated jurisdictions, a cookie consent banner is not optional for those users.
Respect user choices - If you collect consent, make sure non-essential cookies like _gid or _fbp are blocked until the visitor opts in. Script blocking prevents cookies from firing before consent is granted.
Prepare for Bill 6105 - Building consent infrastructure now means less work if Guatemala enacts its pending data protection law.
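The audit, classification and "respect user choices" steps above can be checked mechanically. The following is an added example, not part of the original article or of any vendor's tooling: it classifies the cookies in a request's Cookie header and reports non-essential ones present without opt-in. The category map, the `session_id` and `promo_src` cookie names, and the "violation"/"advisory" labels are assumptions made for illustration.

```javascript
// Added example. Category assignments are assumptions for illustration;
// verify each cookie against its vendor's documentation.
const CATEGORY_BY_NAME = new Map([
  ["_ga", "analytics"], ["_gid", "analytics"],
  ["_fbp", "marketing"], ["_gcl_au", "marketing"],
  ["session_id", "necessary"], // hypothetical first-party session cookie
]);
const CATEGORY_BY_PREFIX = [["_ga_", "analytics"]]; // per-property GA cookies

// EU member states plus the UK and Brazil, the regulated jurisdictions the page names.
const OPT_IN_REQUIRED = new Set(("AT BE BG HR CY CZ DK EE FI FR DE GR HU IE IT " +
  "LV LT LU MT NL PL PT RO SK SI ES SE GB BR").split(" "));

function classify(name) {
  if (CATEGORY_BY_NAME.has(name)) return CATEGORY_BY_NAME.get(name);
  for (const [prefix, category] of CATEGORY_BY_PREFIX) {
    if (name.startsWith(prefix)) return category;
  }
  return "unclassified"; // fail closed: unknown cookies count as non-essential
}

// Parse a Cookie header value into names; values are ignored on purpose.
function cookieNames(header) {
  return header.split(";")
    .map((pair) => pair.split("=")[0].trim())
    .filter((name) => name.length > 0);
}

// consent: e.g. { analytics: true }; absent keys mean the visitor has not opted in.
// Severity is "violation" where opt-in is legally required, "advisory" elsewhere.
function findUnconsentedCookies(header, consent, countryCode) {
  const severity = OPT_IN_REQUIRED.has(countryCode.toUpperCase())
    ? "violation" : "advisory";
  return cookieNames(header)
    .map((name) => ({ name, category: classify(name) }))
    .filter(({ category }) => category !== "necessary" && consent[category] !== true)
    .map((finding) => ({ ...finding, severity }));
}

// Constructed sample: a visitor who opted in to analytics only.
const sampleHeader =
  "session_id=abc; _ga=GA1.1.1; _ga_TEST123=GS1.1; _fbp=fb.1.1; promo_src=x";
const sampleConsent = { analytics: true };
console.log(findUnconsentedCookies(sampleHeader, sampleConsent, "DE"));
console.log(findUnconsentedCookies(sampleHeader, sampleConsent, "GT"));
```

Unknown cookies such as `promo_src` are reported as "unclassified" rather than silently allowed, so a newly added third-party script shows up in the audit.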
How Guatemala Fits into Latin American Privacy Trends
Across Latin America, data protection laws are expanding rapidly. Argentina was an early adopter with its Personal Data Protection Act. Brazil's LGPD, Colombia's Law 1581, and Ecuador's LOPDP have all raised the bar for data processing standards in the region.
Guatemala, along with a handful of Central American neighbours, remains in the group of countries still developing comprehensive frameworks. The progress of Bill 6105 signals that change is coming. Website operators who build privacy-respecting practices now will be ahead when that legislation arrives.
Frequently Asked Questions
Does Guatemala require cookie consent banners on websites?
No. Guatemala has no law that specifically requires cookie consent banners. There is no equivalent to the EU's ePrivacy Directive. Displaying a banner is recommended as a best practice, particularly if your site serves visitors from regulated jurisdictions.
What is Guatemala's main data protection law?
Guatemala does not have a dedicated data protection law. The closest instrument is Decree 57-2008, the Law on Access to Public Information, which includes some personal data provisions but applies mainly to public records. Bill 6105 proposes a comprehensive data protection statute.
Does Article 31 of Guatemala's Constitution protect online personal data?
Article 31 grants access to personal data held in public files and registries. The Constitutional Court has interpreted this as a partial right to informational self-determination, but it does not extend to data held by private companies or website operators.
Is there a data protection authority in Guatemala?
Guatemala does not have a dedicated data protection authority. If Bill 6105 is enacted, it is expected to establish a supervisory body, but no such authority exists at present.
Do I need to comply with GDPR if my website is based in Guatemala?
If your Guatemala-based website targets or monitors individuals in the EU, the GDPR applies to those interactions under Article 3(2). You would need to obtain prior consent before setting non-essential cookies for European visitors.
What cookies need consent under Guatemalan law?
Guatemalan law does not currently distinguish between cookie types or require consent for any of them. If you voluntarily implement consent, the standard practice is to require opt-in for analytics cookies like _ga and marketing cookies like _fbp, while allowing strictly necessary cookies without consent.