.svg)
While the EU General Data Protection Regulation (EU GDPR) comprises only 99 articles, its fundamental principles and the broad privacy rights it grants individuals have significantly influenced how governments worldwide regulate and protect personal data.
Last year, Chile joined the growing list of countries that have revised their data privacy laws to strengthen individuals’ privacy rights and regulate the digital economy. The new Chilean Data Protection Act, Law No. 21.719 on the Protection of Personal Data (LPPD), was officially published and became law on December 13, 2024.
Overall, the new Chilean Personal Data Protection Law grants individuals stronger data privacy rights, including the introduction of the right to data portability and the right to block processing of personal information. It also imposes more stringent requirements on organizations, including enhanced data security obligations and stricter rules governing international data transfers.
If you handle the personal data of Chilean residents, or if your website or mobile app is accessible to them, you may be subject to the new Chilean Personal Data Protection Law. In this article, we will walk you through the key requirements of the new law and explain how you can achieve compliance before it takes effect on December 1, 2026.
What is the new Chile Data Protection Act?
The new Chilean Data Protection Act (LPPD) regulates the collection, processing, and handling of the personal data of individuals residing in Chile.
According to the Chilean government, the two primary goals of this new privacy legislation are to enhance privacy protection for individuals and to regulate the digital economy. In line with these objectives, the new law grants Chilean residents privacy rights similar to those under the EU GDPR, such as the right to data portability and the right to block the processing of personal data.
Furthermore, the legislation introduces additional compliance obligations for data controllers, including the requirement to embed privacy by default into data processing activities and to comply with international data transfer rules.
Alongside these sweeping changes, the Law establishes a national data protection authority that will enforce the provisions of the new law. Although the Act became law on December 13, 2024, its provisions will become enforceable on December 1, 2026. Given the relatively short timeframe before the Act takes effect, businesses are strongly advised to assess whether it applies to them and to determine how they can comply with its new obligations.
In the following sections, we will discuss when the Act may apply to you and outline the key requirements you should be aware of.
Does the new Chile Data Protection Act apply to you?
The applicability criteria for the new Chilean Data Protection Act are highly similar to those of the EU GDPR. If you meet both of the following criteria simultaneously, the new Act will likely apply to your processing of the personal data of Chilean residents:
Criterion 1: You are a data controller or data processor that processes the personal data of Chilean residents
The Act defines personal data broadly as “any information linked to or referring to an identified or identifiable natural person.”
In other words, even if you cannot directly identify an individual from the information you hold, you may still fall within the scope of the Act if that person’s identity can be determined using indirect identifiers such as a job title, address details, IP address, vehicle registration number, or other identifying data.
If any of the information you hold relates to an individual residing in Chile, your data processing activity will satisfy this criterion.
Criterion 2: Your processing activity falls within the geographical scope of the Act
If you process the personal data of Chilean residents as described above, you must also determine whether your processing activity falls within the Act’s geographical scope.
If you are a data controller or processor established within Chilean territory, this criterion will automatically be met. If you are based outside of Chile, you may still be subject to the new Act if one of the following conditions applies:
- You process the personal data of Chilean residents on behalf of an organization established in Chile; or
- You offer goods or services to Chilean residents, or monitor their activities through technologies such as online tracking or profiling.
As you can infer from these two criteria, if you operate a website, mobile app, or other online service that is offered to Chilean residents, you will likely fall within the scope of the new Data Protection Act.
What are the key obligations organizations must comply with under the new Chile Data Protection Act?
If you determine that your data processing activities are subject to the new Chilean Data Protection Act, you must comply with the following key obligations:
Identify a lawful basis for processing personal data
Under the new Data Protection Act, you must identify and rely on one of the legal bases for collecting and processing personal data. The available legal bases are similar to those under the EU GDPR and include the data subject's consent, contractual necessity, legal obligation, and legitimate interests.
Implement a legally compliant consent mechanism
While consent is the general lawful basis for processing personal data, the new Act imposes stringent requirements on its validity. Under the Act, consent must be free, informed, and specific as to its purpose.
Additionally, consent must be given before the relevant data processing activity and must constitute an unambiguous affirmative act. In other words, pre-ticked boxes, continued website browsing, or downloading a mobile app will not amount to valid consent under the Act.
Lastly, data subjects must be able to withdraw their consent at any time.
Ensure transparency
Under the Act, organizations must maintain readily available privacy notice describing how personal data is processed in compliance with the law. Furthermore, an organization must provide this information to data subjects or to the Chilean Data Protection Agency upon request.
In practice, maintaining a publicly accessible privacy policy is likely the most appropriate and effective way to meet this requirement.
Uphold data subject rights
The previous data protection framework in Chile granted individuals certain rights, such as the right to access and the right to rectification of personal data.
The new Act expands these rights, introducing the right to data portability and the right to block the processing of one’s personal data. It also grants individuals the right to object to processing and the right not to be subject to decisions based solely on automated processing, including profiling.
These newly introduced rights align Chile’s data protection framework more closely with the EU GDPR.
Implement data security measures
Article 14 of the new Act requires data controllers to establish and implement appropriate technical and organizational measures to ensure the confidentiality, integrity, and availability of the personal data they handle and to prevent accidental or unlawful destruction of personal data.
Controllers must also adhere to the principle of data protection by design and by default when implementing security measures.
Obtain consent before processing sensitive data
As a general rule, you must obtain the explicit consent of the data subject before collecting or processing their sensitive data. Article 2 of the Act defines sensitive data as information relating to:
(...) the physical or moral characteristics of individuals, or to facts or circumstances of their private life or intimacy, that reveal ethnic or racial origin, political opinions, trade union affiliation, socioeconomic situation, ideological or philosophical convictions, religious beliefs, health data, human biological profile, biometric data, and information related to sexual life, sexual orientation, or gender identity.
- Law No. 21.719 on the Protection of Personal Data, Diario Oficial de la República de Chile, December 13, 2024, (Source)
Notify data breaches
Article 14 of the Act requires organizations to report data breaches to the Chilean Data Protection Agency without undue delay when there is a reasonable risk to the rights and freedoms of the affected individuals.
Additionally, the law requires direct notification to data subjects when the breach involves sensitive data, children's data, or financial/banking records.
Comply with cross-border data transfers
Under the Act, the personal data of Chilean residents may be transferred to a third country only if:
- The recipient country has been granted adequacy status, or
- The organization relies on an approved transfer mechanism, such as the data subject’s consent, model contractual clauses, or binding corporate rules.
The list of countries deemed adequate has not yet been published.
Data protection officer
Under the Act, it is not mandatory to appoint a data protection officer.
Data protection impact assessment
The Act states that organizations will be required to conduct and complete a data protection impact assessment if an envisioned data processing activity is likely to result in a high risk to the rights of data subjects. Moreover, the Act grants the data protection authority to publish a list of data processing activities that may require a data protection impact assessment.
What are the penalties under the Chile privacy law?
Under the LPPD, fines can vary from approximately 5,000 to 20,000 national tax units (equivalent to about USD 387,000 to USD 1.55 million; however, the exact figure might vary).
If an organization commits repeated “very serious” offenses, the Chilean Personal Data Protection Agency has the power to temporarily halt all or part of its data processing operations for up to thirty days. During this suspension, the organization must prove that it has taken corrective steps to meet legal requirements.
For medium and large companies that repeatedly commit serious or very serious breaches, the Personal Data Protection Agency may also levy penalties equal to 2% or 4% of their total revenue from the previous fiscal year.
Does the new Chile privacy law apply to cookies, trackers, and similar technologies?
The new Chilean Data Protection Act does not explicitly address the use of cookies, trackers, SDKs, or similar online technologies such as social media plugins.
However, given the Act’s broad definition of personal data, information collected through cookies and similar technologies is likely to fall within its scope. For example, if you use cookies, social media plugins, or other tools to collect information such as IP addresses, device details, or user behavior data, your processing activities may be subject to the new Act.
Therefore, it is advisable to stay informed about future regulatory guidance or decisions clarifying how the Act applies to cookies and related tracking technologies.
How Didomi can help you comply with the Chile Data Protection Act
If your business collects and handles personal data of Chilean residents, there are a few key compliance matters you need to consider:
- If you collect sensitive data such as individuals’ health data, their gender, sexual orientation, and other information, you must obtain consent from individuals unless an exemption applies.
- You must have a readily available privacy notice that you can provide to individuals and the data protection agency upon request. A privacy notice that explains how you collect and handle people’s personal data can help you comply with this obligation.
Considering that consent is the general legal basis to collect and process personal data under the Chilean Data Protection Act, you will likely need a consent management solution that can streamline your compliance efforts.
Our Consent Management Platform (CMP) allows global organizations to collect consent and keep a record of it all, as part of a comprehensive set of privacy-preserving solutions including privacy request management, first-party data management, compliance monitoring, and server-side tagging. Get in touch with our team to discuss your privacy challenges and find out how our solutions can help you comply with the new Chilean Data Protection Act:
{{talk-to-an-expert}}
Frequently Asked Questions (FAQ
When will the new Chilean Data Protection Law take effect?
While the new Chilean Data Protection Act has already been enacted, its provisions will fully take effect on December 1st, 2026.
Does the new Chilean Data Protection Act apply to cookies, trackers, and similar technologies?
The new Chilean Data Protection Act does not explicitly address cookies, trackers, SDKs, or similar online technologies such as social media plugins.
However, given the new Chile privacy law’s broad definition of personal data, information collected through cookies and similar technologies is likely to fall within its scope. For example, if you use cookies, social media plugins, or other tools to collect data such as IP addresses, device information, or user behavior, your processing activities may be subject to the new Act.
Do I need consent to collect and process sensitive data under the new Chilean Data Protection Act?
As a general rule, you must obtain the data subject’s consent before collecting or processing their sensitive personal data. This includes data revealing ethnic or racial origin, political opinions, trade union membership, socioeconomic status, ideological or philosophical beliefs, religious convictions, health data, human biological profiles, biometric data, and information related to sexual life, sexual orientation, or gender identity.
What are the requirements for valid consent?
Under the new Personal Data Protection Law (Law no 21.719), consent must be free, informed, and specific as to its purpose.
Additionally, consent must be given before the relevant data processing activity and must be an unambiguous affirmative act. In other words, pre-ticked boxes, scrolling through a website, or downloading a mobile app will not constitute valid consent under the Act.
Finally, data subjects must be able to withdraw their consent at any time.
