The new Data Protection Law (nDPL) in Chile establishes strict requirements for collecting, processing, and storing personal data—especially through cookies and online tracking technologies. Are you prepared to do this the right way?
The nDPL (nueva Ley de Protección de Datos Personales) is Chile’s updated data protection legislation, replacing the outdated 1999 law. Inspired by global standards such as the GDPR, it modernizes Chile's data privacy framework, expanding the rights of data subjects and imposing obligations on both public and private organizations handling personal data.
It introduces a dedicated Data Protection Agency, mandates data breach notifications, and requires data protection impact assessments for high-risk processing. Websites must obtain explicit, informed, and prior consent from users before deploying non-essential cookies, such as those used for marketing or analytics. This aligns with global trends in data privacy and emphasizes transparency and user autonomy.
Businesses operating in or serving users in Chile must:
Consent management:
Obtain valid consent for collecting and processing personal data.
Appoint a Data Protection Officer (DPO):
Hire a DPO if large-scale processing is involved.
Give users their rights:
Ensure data subjects can exercise their rights (access, correction, deletion, objection).
Data security:
Implement security and accountability measures.
Recordkeeping:
Keep documentation of data processing activities and risk assessments.
Audits:
Prepare for inspections and audits from the future data protection authority.
The nDPL Chile applies to:
Companies established in Chile.
Foreign businesses offering goods/services or monitoring behavior of people in Chile.
Public institutions processing personal data.
Startups and SMEs, regardless of size, if they handle personal data.
Exemptions are limited and depend on the nature and scale of the data processing.
Chile’s law gives residents a set of data privacy rights, including:
Request access to their personal information
Request to know how personal data is being collected and used
Request that inaccurate, incomplete or out-of-date information be corrected
Request the erasure of their personal information under certain circumstances
Request to opt out of processing of their data
Request data in a structured, commonly used format
Cookies that collect identifiable information—such as IP addresses or user behavior—fall under the scope of the nDPL Chile. Consent is not optional for non-essential cookies. Cookie banners must:
Appear clearly when users first visit the site.
Allow opt-in, not just opt-out.
Provide detailed cookie policies explaining data usage and retention.
Offer equal ease of acceptance and rejection of cookie use.
Violating the nDPL can lead to significant penalties, including:
Fines categorized into minor, serious, and very serious, ranging up to 10,000 UTM (approx. 750,000 USD) or more depending on severity.
Legal action by affected individuals.
Reputational damage and loss of user trust.
Suspension of data processing operations in extreme cases.
To check your compliance with the nDPL Chile, businesses should:
Audit:
Conduct a data audit to identify all cookies and trackers on their websites.
Categorize:
Categorize cookies (e.g., necessary, preference, analytics, marketing).
Implement consent management:
Ensure consent banners are implemented correctly with granular choices, enable users to withdraw consent at any time, and maintain consent logs.
Check on partners:
Review third-party data-sharing practices.
The nDPL applies to all individuals and organizations—public or private—that process personal data in Chile or handle data of individuals located in Chile. It covers the collection, storage, use, and sharing of personal data to ensure privacy rights are protected.
Personal data refers to any information relating to an identified or identifiable natural person. This includes details like names, identification numbers, contact information, location data, or any other data that can directly or indirectly identify an individual.
Sensitive data includes personal information that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data, health information, or data concerning a person’s sexual life.
The regulatory authority overseeing the enforcement of the nDPL in Chile is the Transparency Council (Consejo para la Transparencia), responsible for monitoring compliance and handling complaints related to data protection.
Certain data processing activities are exempt, including data processed exclusively for personal, family, or household purposes without any commercial intent. Additionally, some governmental activities may have specific exemptions under the law.
For more detailed information, you can visit the official website of the Transparency Council or consult legal resources specializing in Chilean data protection laws. Official government publications and legal advisories also provide comprehensive guidance on the nDPL.
©2018-2025 CookieHub ehf.
CookieHub CMP offers tools and services for managing cookies and online privacy.
