How Peru's Law 29733 Applies to Website Cookies

Peru enacted its Personal Data Protection Law (Ley de Protección de Datos Personales, Law No. 29733) in 2011, making it one of the earlier Latin American countries to adopt comprehensive privacy legislation. The law is modelled on European data protection principles, with a strong emphasis on consent as the primary legal basis for processing personal data.

Cookies are not mentioned explicitly in Law 29733. The regulation applies whenever cookies collect or process personal data - meaning any cookie that can identify a visitor, track browsing behaviour, or build a profile falls within scope. Strictly necessary cookies that do not process personal data, such as PHPSESSID for session management, sit outside the law's reach.

On 30 November 2024, Peru published Supreme Decree No. 016-2024-JUS, a comprehensive overhaul of the law's implementing regulation. These updated rules took effect on 30 March 2025 and introduced expanded territorial scope, mandatory Data Protection Officers, and 48-hour breach notification requirements.

What the 2025 Regulatory Update Means for Websites

The 2025 regulation brought three changes that directly affect website operators outside Peru.

First, territorial reach now extends to any foreign organisation that offers goods or services to individuals in Peru or monitors the behaviour of people located in Peru. If your website uses analytics cookies like _ga or advertising trackers like _fbp on pages visited by Peruvian users, you fall within scope - regardless of where your servers are based.

Second, organisations above certain revenue thresholds must appoint a Data Protection Officer. Large companies (annual revenue exceeding 2,300 UIT, roughly USD 3.28 million) must comply by November 2025, with medium companies following by November 2026.

Third, security incident notification must happen within 48 hours. A cookie-related data breach - for example, session hijacking through a stolen PHPSESSID value - would trigger this obligation if personal data is exposed.

Consent Requirements Under Peruvian Law

Law 29733 requires consent that is free, prior, express, informed, and unequivocal. Each element carries specific meaning for cookie implementations.

Free means the visitor must have a genuine choice. Cookie walls that block content unless all cookies are accepted would likely fail this test. Prior means consent must be obtained before cookies are set - not after. Express rules out implied consent; simply continuing to browse a site does not constitute valid acceptance. Informed requires a clear explanation of what data is collected, why, and by whom. Unequivocal means the consent action must leave no doubt about the visitor's intention.

These requirements closely mirror the GDPR consent standard, making Peru's approach familiar to anyone already complying with European rules.

Which Cookies Need Consent in Peru

The decisive factor is whether a cookie processes personal data. Cookies that can identify an individual - directly or through combination with other data points - require express consent before being placed on the visitor's device.

| Cookie Type | Example | Consent Required? |
| --- | --- | --- |
| Session / strictly necessary | PHPSESSID, csrf_token | No (if no personal data is processed) |
| Functional / preference | pll_language, currency_pref | Only if they store identifiable data |
| Analytics | _ga, _gid | Yes - identifies visitors via unique IDs |
| Advertising / tracking | _fbp, _gcl_au | Yes - profiles visitor behaviour |

A practical approach is to categorise your cookies and request consent only for those that process personal data. This matches the purpose-limitation principle embedded in Article 6 of Law 29733.

The ANPD: Peru's Data Protection Authority

The Autoridad Nacional de Protección de Datos Personales (ANPD, formerly ANPDP) sits within the Ministry of Justice and Human Rights. It holds investigative and sanctioning powers over data controllers operating in Peru or processing data of Peruvian residents.

In 2023, the ANPD resolved 272 personal data complaints and issued fines totalling over 2.7 million soles (approximately USD 720,000). Enforcement priorities have focused on data bank registration failures, inadequate consent practices, and poor responses to data subject rights requests.

The fine structure follows a tiered model based on Tax Reference Units (UIT). For 2025, one UIT equals S/5,350 (roughly USD 1,486).

| Infraction Level | UIT Range | Approximate USD Range |
| --- | --- | --- |
| Mild | 0.5 - 5 UIT | USD 743 - USD 7,430 |
| Serious | 5 - 50 UIT | USD 7,430 - USD 74,300 |
| Very serious | 50 - 100 UIT | USD 74,300 - USD 148,600 |

Fines are capped at 10% of the organisation's annual net revenue from the previous year. The ANPD also publishes enforcement decisions, adding reputational risk to the financial penalties.

Peru vs GDPR: Key Differences and Similarities

Peru's framework shares significant DNA with European data protection law, but several differences stand out.

Both regimes require prior, informed, freely given consent. Both recognise data subject rights including access, rectification, and deletion. Both impose obligations on data controllers and processors, and both have extraterritorial reach.

The differences matter for compliance planning. Peru does not have an equivalent of the ePrivacy Directive, which in Europe specifically regulates the placing of cookies on devices. Peru's cookie rules derive entirely from its general data protection framework. Fines under Law 29733 are modest compared to the GDPR's ceiling of EUR 20 million or 4% of global turnover. Peru's maximum penalty of 100 UIT (roughly USD 148,600) is a fraction of the amounts European DPAs routinely impose.

Peru requires registration of data banks (databases) with the ANPD - an obligation that does not exist under the GDPR. If your website stores cookie-related personal data in a database, this registration requirement applies.

Compliance Checklist for Peruvian Cookie Requirements

Use this checklist to align your website with Law 29733's requirements for cookies.

  • Audit your cookies - run a free cookie scan to identify every cookie your site sets and determine which ones process personal data.

  • Implement a consent banner - display a clear cookie consent banner before setting non-essential cookies. Pre-ticked boxes or implied consent through continued browsing do not satisfy the express consent requirement.

  • Block scripts before consent - analytics and advertising tags must not fire until the visitor has given consent. Google Consent Mode can help manage this for Google services.

  • Write a cookie policy - publish a transparent cookie policy that lists each cookie, its purpose, the data it collects, and its retention period. This fulfils the "informed" element of valid consent.

  • Provide withdrawal options - visitors must be able to withdraw consent as easily as they gave it. A persistent settings link or floating icon works well.

  • Register data banks - if you store cookie-derived personal data in a database, register that data bank with the ANPD. Registration is free under the updated regulation.

  • Appoint a DPO if required - check whether your organisation meets the revenue threshold requiring a Data Protection Officer.

  • Use geo-detection - if you serve visitors globally, geo-detection allows you to show Peru-specific consent banners only to visitors located in Peru, while applying different rules for other jurisdictions.
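
The "audit", "block scripts before consent" and "withdrawal" items above, sketched as an added example (not code from this page or from any consent product). The cookie names come from the table earlier on the page; the personalData flags, the tag ids and the ConsentState class are assumptions made for illustration.

```javascript
// Added example. Cookie names are from the page's table; the personalData
// flags, tag ids and ConsentState API are constructed for illustration.
const COOKIES = {
  PHPSESSID:     { category: "necessary",   personalData: false },
  csrf_token:    { category: "necessary",   personalData: false },
  pll_language:  { category: "functional",  personalData: false },
  currency_pref: { category: "functional",  personalData: false },
  _ga:           { category: "analytics",   personalData: true },
  _gid:          { category: "analytics",   personalData: true },
  _fbp:          { category: "advertising", personalData: true },
  _gcl_au:       { category: "advertising", personalData: true },
};

// Constructed tag inventory: each tag lists the cookies it sets.
const TAGS = [
  { id: "session",        sets: ["PHPSESSID", "csrf_token"] },
  { id: "lang-switcher",  sets: ["pll_language"] },
  { id: "analytics-tag",  sets: ["_ga", "_gid"] },
  { id: "ads-pixel",      sets: ["_fbp", "_gcl_au"] },
  { id: "unknown-widget", sets: ["mystery_id"] }, // not audited yet
];

class ConsentState {
  constructor() { this.granted = new Map(); } // nothing pre-ticked
  // explicitAction must be true: only a deliberate click on the banner
  // counts, not scrolling or continued browsing.
  grant(categories, explicitAction) {
    if (explicitAction !== true) return false;
    const when = new Date().toISOString(); // kept as evidence of consent
    categories.forEach((c) => this.granted.set(c, when));
    return true;
  }
  withdraw(category) { return this.granted.delete(category); }
  allows(cookieName) {
    const c = COOKIES[cookieName];
    if (!c) return false; // unaudited cookie: block until categorised
    return !c.personalData || this.granted.has(c.category);
  }
}

// A tag may load only if every cookie it sets is currently allowed.
function loadableTags(tags, consent) {
  return tags.filter((t) => t.sets.every((n) => consent.allows(n))).map((t) => t.id);
}
```

In a browser, the ids returned by loadableTags would decide which script elements are injected; everything else stays out of the page until consent changes.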

How Peru Fits Into Latin American Privacy Trends

Peru is part of a broader wave of data protection enforcement across Latin America. Colombia's Law 1581 and Argentina's PDPA both predate Peru's framework, while Chile is in the process of modernising its 1999 data protection law with a reform that introduces a dedicated supervisory authority.

Ecuador's LOPDP, enacted in 2021, closely follows the GDPR model. Mexico's LFPDPPP takes a slightly different approach by distinguishing between data controllers in the private and public sectors.

For website owners operating across the region, the common thread is consent. Every major Latin American jurisdiction requires some form of prior, informed consent for processing personal data through cookies. Building a consent mechanism that meets the strictest standard - currently Peru or Ecuador - means you are likely compliant across the region.

Frequently Asked Questions

Does Peru's Law 29733 require cookie consent?

Yes, if your cookies process personal data. Law 29733 requires free, prior, express, informed, and unequivocal consent before collecting personal data, which includes data gathered through analytics and advertising cookies.

Do I need a cookie banner for Peruvian visitors?

You need a cookie banner if your site sets cookies that process personal data and is accessible to visitors in Peru. The 2025 regulatory update expanded the territorial scope to cover foreign websites targeting Peruvian users.

What fines can the ANPD impose for cookie non-compliance?

Fines range from 0.5 UIT (approximately USD 743) for mild infractions to 100 UIT (approximately USD 148,600) for very serious violations, capped at 10% of annual net revenue.

Is implied consent valid under Peruvian data protection law?

No. Law 29733 requires express consent. Continuing to browse a website or using pre-ticked checkboxes does not meet the legal standard for valid consent in Peru.

Does Peru require a data protection officer for websites?

Under the 2025 regulation, organisations above certain revenue thresholds must appoint a DPO. Large companies must comply by November 2025 and medium companies by November 2026.

How does Peru's cookie law compare to the GDPR?

Peru's consent requirements closely mirror the GDPR standard. The main differences are lower fine ceilings, the absence of an ePrivacy-style directive specifically covering cookies, and an obligation to register data banks with the ANPD.

Take Control of Your Cookie Compliance

If you are not sure which cookies your site sets, start with a free scan. Kukie.io detects, categorises, and helps you manage every cookie - so your visitors get a clear choice, and you stay on the right side of the law.
