Data Protection in Latin America: Key Regulatory Trends and Recapping 2025 Developments
This blog was originally posted on 13th January, 2026. Further regulatory developments may have occurred after publication.
AUTHORED BY SAMANTHA ANGUIANO, REGULATORY COMPLIANCE SPECIALIST, COMPLIANCE & RISKS
Across Latin America, data protection frameworks are undergoing significant transformation as lawmakers respond to rapid digitalization, emerging technologies, and growing public concern over the use of personal data.
In 2025, multiple jurisdictions introduced proposals and enacted reforms aimed at strengthening informed consent, expanding individual rights, tightening controls over sensitive and biometric data, and reinforcing enforcement mechanisms. From stricter breach notification rules and enhanced corporate accountability to new safeguards for minors and AI-generated personal data, these developments reflect a regional shift toward more robust, rights-focused privacy regimes. This overview highlights the most relevant data protection regulatory updates across Latin America, offering insight into how countries are modernizing their legal frameworks to balance innovation, security, and data privacy rights.
How Are Latin American Countries Strengthening Informed Consent and User Rights?
Brazil Expands Deletion Rights and Regulates the Use of Publicly Available Data
Brazil is advancing reforms to strengthen individual control over personal data, particularly for young data subjects and in the context of emerging technologies. The proposal seeks to allow individuals, once they turn 18, to request the termination of data processing or the full or partial deletion of their personal data, with controllers required to provide simplified procedures to facilitate these requests.
Mexico Strengthens Prior Consent, Marketing Restrictions, and Corporate Accountability
In 2025, Mexico introduced a series of reforms to reinforce prior consent, restrict the commercial use of personal data, and strengthen corporate accountability under its consumer protection and data protection frameworks.
Under the proposals, companies would be prohibited from using consumer information for marketing or advertising purposes without prior consent and would be required to clearly disclose, through privacy notices, the purposes for which personal data is processed.
Additionally, commercial telephone harassment would be classified as an unfair commercial practice, obliging businesses to obtain prior consent before engaging in commercial outreach and to notify the Consumer Protection Agency in cases of refusal, with financial penalties for non-compliance.
Further proposals strengthen corporate obligations by requiring companies that use consumer data for marketing to fully comply with the Federal Law on the Protection of Personal Data Held by Private Parties. Businesses could be held liable for failing to implement adequate security, confidentiality, and compliance measures. Individuals would also gain the right to be informed, free of charge and within fifteen working days, whether a company holds their personal data.
Finally, express consent would need to be unequivocal, meaning there must be clear evidence that it was granted. Even where legal exceptions apply, data controllers would still be required to obtain prior consent that is free, specific, and informed, and provided with knowledge of the applicable privacy notice.
Together, these reforms reflect a regulatory shift toward stricter consent standards, enhanced transparency, and stronger enforcement of data protection obligations in Mexico’s commercial sector.
Puerto Rico Introduces Comprehensive Informed Consent Protections
Puerto Rico is moving toward a more robust consumer privacy framework based on the Model State Privacy Act developed by Consumer Reports. The proposed law seeks to ensure that consumers provide informed consent for the collection, use, and access of personal data, while strengthening rights to delete, correct, and transfer personal information.
The proposed draft also targets manipulative digital design practices that undermine user autonomy and requires greater transparency regarding data monetization. Companies would be obligated to limit data collection to what is strictly necessary, implement appropriate security safeguards, update privacy policies regularly, and provide opt-out options for targeted advertising. The initiative aims to restore consumer control over personal data in increasingly data-driven commercial environments.
Ecuador Regulates the Use of Legitimate Interest for Data Processing
Ecuador has strengthened its data protection framework by formally regulating the use of legitimate interest as a lawful basis for personal data processing in the private sector. Organizations relying on this basis must now conduct a documented Balancing Test to demonstrate that the rights and freedoms of data subjects prevail over the controller’s interests. Failure to carry out this evaluation constitutes a serious infringement.
The regulation clarifies that legitimate interest must be lawful, proportionate, and aligned with the data subject’s reasonable expectations, with clear and accessible information provided in Spanish through privacy notices. While this legal basis may be used for purposes such as direct marketing with opt-out mechanisms, fraud prevention, internal corporate communication, IT security, and video surveillance, it is strictly prohibited for sensitive data, fully automated profiling with significant legal effects, and most processing involving children’s data.
Data subjects retain the right to object to such processing at any time and may request access to the Balancing Test carried out by the controller, reinforcing transparency and individual control.
How Are Latin American Authorities Strengthening Enforcement, Compliance, and Sanctions?
Ecuador Strengthens Risk Management and Supervisory Oversight
Ecuador has reinforced its data protection enforcement framework by introducing detailed guidance on risk management and impact assessments for personal data processing. The new framework provides qualitative and quantitative methods to help organizations identify, analyze, and mitigate data protection risks in line with national law, promoting stronger preventive compliance practices.
At the same time, Ecuador has formalized the role of Data Protection Delegates for public sector entities and specific private sector organizations operating in sensitive sectors. These delegates are responsible for overseeing compliance, advising on legal obligations, and acting as a point of contact with both the supervisory authority and data subjects.
The regulation establishes strict requirements for designation, registration, and independence, including mandatory registration with the authority and professional training obligations.
Mexico Moves to Introduce Stronger Sanctions for Data Breaches
Mexico is pursuing stricter enforcement measures by proposing the introduction of both economic and criminal sanctions for data controllers that fail to notify the authority of personal data breaches. The reform would establish prison sentences for non-compliance, alongside financial penalties calculated based on minimum wage units.
This proposal reflects a shift toward more punitive enforcement mechanisms, signaling increased regulatory scrutiny and a stronger deterrent approach to data protection violations, particularly in cases involving security incidents and breach notification failures.
How Are Latin American Countries Modernizing Their Data Protection Frameworks?
Mexico Introduces a Comprehensive and Modern Data Protection Regime
Mexico has modernized its data protection framework by enacting a new Federal Law on the Protection of Personal Data Held by Private Parties, replacing the 2010 legislation. The new law establishes a comprehensive legal structure governing the collection, processing, storage, and transfer of personal data by private entities, based on principles such as lawfulness, consent, transparency, proportionality, and accountability.
The newly enacted federal law strengthens individuals’ rights through the existing “ARCO” model (access, rectification, cancellation, and opposition), mandates privacy notices, requires the immediate notification of significant data breaches, and obliges organizations to delete personal data once it is no longer necessary. It also reinforces security obligations and introduces substantial financial penalties for non-compliance, signaling a stronger enforcement approach and greater regulatory maturity.
Colombia Seeks to Align Its Data Protection Law with Global Standards
Colombia is pursuing wide-ranging reforms to its data protection legislation to better reflect technological, economic, and social developments. The proposed amendments would expand the law’s territorial scope to include foreign entities that offer goods or services to Colombian residents or monitor their behavior, regardless of where the data is processed. This reflects a growing global trend toward extraterritorial reach in data protection laws.
The reforms introduce new definitions for biometric, genetic, and automated data processing, as well as additional principles such as fairness, data minimization, proportionality, explicability, and demonstrated responsibility. Data subjects would gain new rights, including protection against solely automated decision-making, data portability, and the right to object to direct marketing.
The proposals also strengthen organizational duties by requiring impact assessments for high-risk processing, the adoption of privacy by design and by default, the designation of Data Protection Officers in certain cases, and breach notifications within 72 hours. International data transfer rules would be modernized through adequacy decisions and safeguard mechanisms, while the supervisory authority’s enforcement powers and sanctions would be significantly expanded.
Guatemala Seeks to Establish Its First Comprehensive Data Protection Law
Guatemala is developing its first full data protection framework through a draft law modeled on international standards, particularly the EU GDPR. The proposal would introduce explicit consent requirements, mandatory privacy notices, 72-hour breach notification obligations, and minimum data retention rules.
The draft also regulates international data transfers by requiring safeguards such as consent, contractual necessity, or equivalent protection in the recipient country, with joint liability for exporters and recipients. Organizations would be granted a transition period to adapt their compliance programs, reflecting a gradual but structured approach to regulatory modernization.
Are Latin American Countries Tightening Controls on Sensitive and Biometric Data?
Brazil Moves to Restrict the Commercial Use of Biometric Data
Brazil is advancing multiple legislative initiatives to strengthen the protection of sensitive and biometric data under its General Data Protection Law (LGPD). Proposed reforms would introduce clear definitions of sensitive biometric data, including fingerprints, facial recognition, iris scans, voice data, and DNA, while explicitly prohibiting their commercial use. The transfer, sale, rental, or monetization of biometric data would be banned, and processing would only be permitted when strictly necessary, supported by explicit consent and strong security measures.
Additional proposals seek to prohibit the sale of sensitive personal data more broadly, reinforcing that such data may only be shared with the individual’s explicit and purpose-specific consent, which can be revoked at any time. Individuals would also retain full access to their personal information.
Brazil is also seeking to protect individuals from being forced to use facial recognition systems. New measures would require organizations to offer alternative identification methods, both online and in person, and would prohibit denying access to services or spaces simply because a person refuses to provide facial biometric data. Digital platforms would be required to clearly present non-biometric options throughout authentication processes, ensuring that biometric data collection remains voluntary rather than mandatory.
At the regulatory level, Brazil’s National Data Protection Authority has launched a public consultation on biometric data processing to assess whether additional guidance or safeguards are needed. The initiative reflects growing concern over privacy risks, potential discrimination, and the impact of biometric technologies on vulnerable groups, while seeking to balance innovation with fundamental rights protection.
Mexico Strengthens Protections for Minors and AI-Generated Personal Data
Mexico is pursuing stricter protections for sensitive data, particularly in relation to minors and emerging technologies. Proposed amendments would require parental or guardian consent for the processing of minors’ personal data and introduce limitations on data collection, ensuring that only information strictly necessary for basic service functionality is processed.
Simultaneously, Mexico is seeking to modernize its legal definitions of personal and sensitive data to cover digital attributes generated by artificial intelligence. The proposal would include AI-generated reproductions of personal characteristics within the scope of data protection law, requiring express consent for their use.
What Are the Latest Trends in Data Security and Breach Notification in Latin America?
Brazil Moves to Formalize Breach Notification Deadlines
Brazil is seeking to introduce clear deadlines for personal data breach notifications. A proposed amendment to the General Data Protection Law would require data controllers to report security incidents affecting personal data within ten business days of becoming aware of the breach, with additional information to be provided within forty business days. Extended deadlines would apply to microenterprises, small businesses, and innovation-driven startups, reflecting a proportional approach to compliance obligations.
Ecuador Strengthens Technical Safeguards and Privacy by Design
Ecuador has reinforced its data security framework through detailed regulations on pseudonymization, anonymization, blocking, suspension, and deletion of personal data. These measures are now mandatory for all members of the national data protection system and apply across the entire data lifecycle. The regulation clarifies that pseudonymized data remains subject to data protection obligations, while anonymized data may be transferred without consent if re-identification is no longer reasonably possible.
The framework also strengthens data subject rights by enabling individuals to request the suspension or deletion of their data, including in cases involving deceased persons or credit information. Controllers must provide proof of deletion and ensure that third parties also remove the data.
At the same time, Ecuador has adopted formal guidance on Data Protection by Design and by Default, requiring organizations to integrate privacy and security measures into the design and execution of data-processing projects. The guidance promotes a Zero Trust Data Protection Architecture, combining privacy, cybersecurity, and risk management strategies throughout the development and operational lifecycle.
El Salvador and Peru Reinforce Security Obligations and Risk Awareness
El Salvador has introduced mandatory policies for managing and safeguarding personal data across both public and private sectors. These policies require the implementation of organizational, technical, and physical security measures, including the designation of a data protection delegate, the use of encryption and access controls, and secure data storage and disposal practices. Security breaches must be reported to both the authority and affected individuals within seventy-two hours, strengthening accountability and incident response standards.
In Peru, a draft law explicitly acknowledges the risks associated with personal data leaks and establishes the protection of personal data as a central legal objective. The proposal aligns with the country’s existing data protection framework and emphasizes the need to address security vulnerabilities that may compromise individuals’ rights.
Mexico Moves Toward Stronger Security Standards
Mexico is also updating its personal data security requirements by proposing amendments to the Law on Protection of Personal Data Held by Private Parties. The draft Decree seeks to define the organizational, physical, and technical measures required to protect personal data.
Organizational measures include internal policies, guidelines, and procedures designed to ensure the proper management of databases at the organizational level, raise awareness, provide training, and maintain control over personnel involved in personal data processing. Physical security measures consist of actions and mechanisms to safeguard the physical environment where personal data is processed, including controlling access to databases and maintaining equipment that contains or stores such data.
Technical security measures involve the use of hardware and software technologies to protect the digital environment and the resources used to process personal data. These may include the regular review and updating of security configurations during the acquisition, operation, development, and maintenance of software and hardware.