Skip to content
Last reviewed: 2026-05-05 Reviewer: M.K., CIPP/E Methodology Report inaccuracy
Argentina República Argentina

WEB ANALYTICS · COOKIE COMPLIANCE · SOUTH AMERICA · AR

Argentina — analytics & cookie compliance reference

Law 25.326 + EU adequacy decision since 2003 — bidirectional flow with Europe. AAIP active enforcement (Banco Macro, Despegar, Mercadolibre fines 2024–2025). Comprehensive privacy bill pending in Congress. Spanish-language privacy notices required.

Free reference · sources cited
// SCOPE

Web analytics, cookies, tag managers, CMPs, ad pixels, and session-replay tools as deployed on websites and apps targeting Argentina. Sectoral rules (financial, telecom, healthcare) are touched only where they intersect with the analytics layer.

National addons

Country-specific statutes layered on the EU baseline.

Law 25.326
Ley de Protección de los Datos Personales (Personal Data Protection Act)
Argentina's foundational data-protection statute. Pre-dates GDPR but was the basis for the EU's 2003 adequacy decision (2003/490/EC) — the first non-European country to receive adequacy. Covers consent, purpose limitation, data subject rights, RNBD database registration, international transfers, and AAIP supervisory powers. Now showing its age: the new comprehensive bill (Anteproyecto de Ley de Protección de Datos Personales) has been pending in Congress since 2022 and as of 2026 has not been enacted.
  • Art 5 Consent — must be free, express, informed, and in writing or equivalent means
  • Art 11 Data transfer — assignment requires data subject consent unless exempt
  • Art 12 International transfers — prohibited to countries without 'adequate' protection (mirror of GDPR Art 45)
  • Art 14 Right of access — controller must respond within 10 calendar days
  • Art 16 Right of rectification, update, and deletion — within 5 business days
  • Art 21 RNBD — mandatory registration of personal-data databases with AAIP
  • Art 31 Sanctions — warnings + fines AR$1,000–AR$100,000 (updated by AAIP via UMA index)
Law 25.326 (B.O. 02/11/2000), regulated by Decree 1558/2001
Disp. 18/2015
AAIP Disposition 18/2015 — Breach Notification Standards
Establishes baseline security measures for personal-data databases (basic / medium / critical levels) and breach-notification expectations. Predates GDPR's 72-hour rule — Argentina has no statutory breach-notification deadline, but AAIP expects 'prompt' notification to the regulator and affected data subjects for high-risk incidents.
  • Annex I Three-tier security baseline — basic, medium, critical depending on data sensitivity
  • Annex II Incident response — log, contain, notify AAIP and data subjects when warranted
Disposition 18/2015 of the former DNPDP (now AAIP)
Disp. 47/2018
AAIP Disposition 47/2018 — International Data Transfers
Approves model contractual clauses for international transfers to non-adequate countries. Two templates: controller-to-controller and controller-to-processor. Required when transferring data to jurisdictions not listed as 'adequate' by AAIP (the EU/EEA, UK, Switzerland, and a short whitelist).
  • Art 1 Approves Annex I (controller-to-controller) and Annex II (controller-to-processor) model clauses
  • Art 2 Use of clauses dispenses with prior AAIP authorization for the transfer
Disposition 60-E/2016 (originally) and Disposition 47/2018
New Bill (pending)
Anteproyecto de Ley de Protección de Datos Personales (comprehensive privacy reform)
Would replace Law 25.326 with a GDPR-aligned regime: explicit DPO requirement, DPIA threshold, breach notification within 72 hours, expanded fines (up to AR$ equivalent of 4% turnover), child-consent age 13, and data-portability rights. Status uncertain under the Milei administration's deregulatory agenda — verify with AAIP press releases before relying on any provision.
  • Draft Art 35 DPO (Delegado de Protección de Datos) — mandatory thresholds aligned with GDPR Art 37
  • Draft Art 41 Breach notification — 72 hours to AAIP, 'sin demora' to data subjects
  • Draft Art 53 Fines — up to AR$ equivalent of 4% global annual turnover
AAIP draft published 2022; consultative round 2023; not yet enacted as of May 2026

Regulators

Supervisory authorities that interpret and enforce privacy law here.

FEDERAL
AAIP · Agencia de Acceso a la Información Pública
Sole national data-protection authority. Created by Law 27.275 (2016) to consolidate access-to-information and personal-data oversight. Reports to the Chief of Cabinet. Headed by a Director with 5-year term confirmed by Senate.
https://www.argentina.gob.ar/aaip

Coordination body

AAIP — Dirección Nacional de Protección de Datos Personales · DNPDP within AAIP
The DNPDP is the operational data-protection arm inside AAIP. It runs the RNBD (national registry of personal-data databases), issues Dispositions, conducts inspections, and proposes sanctions. No federal–state coordination needed — Argentina's data-protection regime is exclusively federal.
  • 2003-06-30 · EU adequacy — European Commission Decision 2003/490/EC declares Argentina an 'adequate' country under Directive 95/46/EC (now GDPR Art 45). First Latin American country to receive adequacy; status preserved post-GDPR.
  • 2018-04-30 · Disposition 47/2018 — Updated model clauses for international transfers; aligned with EU 2010/87/EU SCCs of the time.
  • 2022-08 · Comprehensive bill — AAIP submits draft of new Personal Data Protection Act to Congress — GDPR-aligned. Passed AAIP consultation but stalled in committee.
https://www.argentina.gob.ar/aaip/datospersonales

Notable enforcement

AAIP enforcement intensity is moderate but rising. The agency historically focused on RNBD compliance (database registration) and credit-bureau abuse, but since 2023 has expanded into financial-sector breaches (Banco Macro 2024), travel-tech cross-border transfers (Despegar.com 2025), e-commerce platform consent (Mercadolibre 2024–2025), and telecom data minimization. Fines remain modest by GDPR standards (AR$ ceilings updated periodically against the UMA index — approx. USD 50,000–250,000 equivalent at peak), but the pending comprehensive bill would dramatically raise the cap to a 4%-turnover model. Spanish-language transparency obligations are a recurring AAIP finding — English-only privacy notices are routinely flagged as non-compliant for Argentine-targeted services.

GA4 status

GA4 is usable in Argentina with explicit, informed, written-or-equivalent consent under Law 25.326 Art 5. Argentina holds EU adequacy (2003/490/EC), so transfers to AAIP-recognized adequate countries are unconstrained — but Google LLC is in the US, which Argentina does not unilaterally treat as adequate. Controllers should layer Disposition 47/2018 model clauses with Google as a baseline. AAIP has not published a GA4-specific position; enforcement on GA4 has not yet occurred but consent-layer sweeps in adjacent sectors (e-commerce, travel) suggest exposure is rising.

DPAStance
AAIPNo GA4-specific guidance published. Generic Law 25.326 Art 5 + Art 12 logic applies — explicit consent + Disposition 47/2018 clauses with Google. Spanish-language banner expected.

Cross-border transfers + Schrems II

Argentina has held EU adequacy since Commission Decision 2003/490/EC (30 Jun 2003) — the first Latin American country granted adequacy and one of only a handful globally. Status is bidirectional in practice: EU controllers can send data to Argentina without supplementary measures, and Argentine controllers benefit from a streamlined corridor to the EU. Adequacy was re-examined under GDPR Art 45(4) and maintained. Transfers from Argentina to non-adequate countries (most notably the United States, except for DPF-certified entities accepted by AAIP on a case-by-case basis) require Disposition 47/2018 model clauses or BCRs.

Disposition 47/2018 model clauses (controller-to-controller and controller-to-processor) are the standard transfer mechanism for non-adequate destinations. Argentina has not formally recognized the EU-US DPF — controllers transferring to US recipients should layer Disposition 47/2018 clauses regardless of the recipient's DPF certification.

Topic: International transfers

Employee data

Key thresholds

Child consent age
18 years
Article 27 representative
Required
Marketing consent
Double opt-in

Vendor signals

Red / yellow / green markers are an editorial reading of public regulator guidance and published enforcement actions, applied to vendor behavior we can observe or that the vendor documents. They are not legal conclusions, not endorsements, and not advice about your specific processing. Configuration changes the picture — a "yellow" vendor in one configuration may be defensible in another.

Analytics tools · 4 · 0 green · 3 yellow · 1 red
VendorStatusRationale
 YELLOW Visitor ID cookie + cross-suite stitching with Experience Platform. DPIA strongly recommended; configure ECID + IP obfuscation.
 YELLOW EU residency available on paid plans; default cloud is US. Persistent user IDs require config + DPA + DPF chain.
 YELLOW EU cloud helps but session recording + autocapture default to PII collection. Disable autocapture and recordings or self-host for green.
 RED Auto-capture grabs every click and form value — broad PII risk under GDPR Art 5(1)(c) data minimization.
Consent management platforms · 5 · 5 green · 0 yellow · 0 red
VendorStatusRationale
 GREEN Danish-based, EU-hosted. Auto-blocks third-party scripts pre-consent — verify your manual scripts also gate.
 GREEN Italian-based, EU-hosted. Free tier limits 5k pageviews/mo; granular per-vendor controls require paid plan.
 GREEN Open-source, self-hosted. No managed updates — site owner maintains vendor list.
 GREEN GDPR + CCPA + multi-region templates available. Common config error: GDPR/CCPA mode mismatch — verify per-region defaults.
 GREEN German-based, EU-hosted. v3 SDK required for Consent Mode v2; TCF flow can over-collect for non-AdTech sites.
Ad pixels · 3 · 0 green · 0 yellow · 3 red
VendorStatusRationale
 RED Loads pre-consent if naively placed; cross-device matching broad. Block until consent + IAB TCF string set.
 RED Schrems II concerns persist; advanced matching hashes PII but does not fix EU→US transfer problem.
 RED PRC-parent ownership flagged by Italian Garante and EDPB; transfers to China contested. Consent + risk acknowledgement required.
Server-side · 3 · 2 green · 1 yellow · 0 red
VendorStatusRationale
 GREEN EU-only datacenters strong for FR/DE compliance; per-event pricing scales steeply at high traffic.
 GREEN EU server containers handle the routing — but server-side tagging does NOT auto-fix consent. CMP must still gate browser-side pings.
 YELLOW "EU server" ≠ EU data — clients still transmit to Google ad backends downstream. Use only for Google-ecosystem first-party-routing.

Compare with neighbors

Side-by-side rule comparison.

COMPARE
Argentina vs Brazil
COMPARE
Argentina vs Chile
COMPARE
Argentina vs Uruguay
COMPARE
Argentina vs Mexico

Common questions

Does Argentina have EU adequacy?
Yes, since Commission Decision 2003/490/EC (30 Jun 2003) — Argentina was the first Latin American country granted adequacy and remains one of only a handful globally. Adequacy was re-examined under GDPR Art 45(4) and maintained. EU controllers can transfer personal data to Argentine recipients without supplementary measures, and the corridor flows both ways: AAIP recognizes EU/EEA, UK, and Switzerland as adequate destinations.
Is Google Analytics legal in Argentina in 2026?
Yes, conditionally. GA4 is usable with explicit, informed, written-or-equivalent consent under Law 25.326 Art 5. Because Google LLC is US-based and Argentina does not unilaterally treat the US as adequate, controllers should layer Disposition 47/2018 model clauses with Google as a baseline. AAIP has not published a GA4-specific finding yet, but consent-layer sweeps in adjacent sectors are rising.
What is the RNBD and do I need to register?
The Registro Nacional de Bases de Datos (RNBD) is the AAIP-run national registry of personal-data databases, mandated by Law 25.326 Art 21. Registration is mandatory for any controller that processes personal data of Argentine residents on a non-incidental basis — including web-analytics databases, CRM, marketing lists, and HR systems. Registration is annual, free, and done via the AAIP online portal.
What language must my privacy notice be in?
Spanish. AAIP consistently treats Spanish-language transparency as a baseline obligation for services targeting Argentina — English-only privacy policies are flagged as non-compliant. The targeting test mirrors GDPR Art 3(2) — Spanish-language website, .com.ar domain, ARS pricing, Argentine-language marketing, etc. all signal targeting.
What is AAIP's enforcement posture in 2026?
Moderate but rising. AAIP historically focused on RNBD compliance and credit-bureau abuse, but since 2023 has expanded into financial-sector breaches (Banco Macro 2024), travel-tech cross-border transfers (Despegar.com 2025), e-commerce consent layers (Mercadolibre 2024–2025), and telecom data minimization. Fines remain modest by GDPR standards but are climbing as the UMA-indexed cap is raised and the pending comprehensive bill threatens a 4%-turnover model.
What is the new privacy bill and is it in force?
Not yet. The Anteproyecto de Ley de Protección de Datos Personales is a GDPR-aligned reform that would replace Law 25.326 — adding mandatory DPO, 72-hour breach notification, DPIA thresholds, child-consent age 13, and fines up to 4% of turnover. AAIP submitted the draft to Congress in 2022 and consultation ran through 2023, but as of May 2026 it has not been enacted. Status is uncertain under the Milei administration's deregulatory agenda — verify with AAIP press releases before relying on any draft provision.
What is the child-consent age in Argentina?
18 by default under Law 25.326 (no carve-out matching GDPR Art 8). However, Civil and Commercial Code Art 26 introduces a sliding capacity scale: minors aged 13–17 can consent to non-invasive processing with progressive autonomy, parents/guardians retain co-consent rights, and parental consent is required for any meaningful processing of under-13 data. The pending bill would lower the default to 13 in line with GDPR.
Do I need an Article 27-style representative in Argentina?
Yes if you are a non-Argentine controller offering goods/services to or monitoring behavior of people in Argentina without a local establishment. Law 25.326 + AAIP doctrine require designation of a local representative or domicile for service of AAIP requests. Practical effect mirrors GDPR Art 27 — appoint a local agent before launch.
How fast must I respond to a data-subject access request?
10 calendar days under Law 25.326 Art 14 — significantly faster than GDPR's one-month default. Rectification and deletion (Art 16) must be completed within 5 business days of confirming the request. Failure to respond is itself a sanctionable infraction independent of the underlying processing question.
Does double opt-in apply to email marketing in Argentina?
Effectively yes. Law 25.326 Art 27 governs marketing data and requires informed consent; combined with Art 5 (express + written-or-equivalent consent), AAIP doctrine treats the standard as opt-in with a documented confirmation step. Soft opt-in for existing customers is recognized by analogy but narrower than the EU's UWG-style carve-out — every commercial communication must include opt-out instructions and an unsubscribe link.

// EDITORIAL · NOT LEGAL ADVICE This page summarises Argentina's privacy framework as of 2026-05-05. Rules vary by sector, establishment, and DPA position. For binding interpretation, consult counsel admitted here.