Last reviewed: 2026-05-05 · Reviewer: M.K., CIPP/E
Colombia República de Colombia

Colombia — analytics & cookie compliance reference

What you can run on a Colombia-targeted website without a fine — Law 1581 (2012) opt-in consent baseline, SIC active enforcement, vendor stack, and the rules behind them. Habeas data is a constitutional right (Art 15); Spanish-language privacy notices required; mandatory database registration with the SIC.

// SCOPE

Web analytics, cookies, tag managers, CMPs, ad pixels, and session-replay tools as deployed on websites and apps targeting Colombia. Sectoral rules (financial via SFC, healthcare, telecoms via CRC) are touched only where they intersect with the analytics layer.

National addons

Country-specific statutes layered on the EU baseline.

Law 1581 (2012)
Ley Estatutaria 1581 de 2012 — Régimen General de Protección de Datos Personales
Colombia's omnibus personal-data-protection statute. Opt-in consent is the default basis (Art 9) — prior, express, and informed authorization is required before any non-strictly-necessary processing. Establishes data-subject rights (Art 8), processing principles (Art 4), and the SIC's supervisory powers. Applies extraterritorially when a controller/processor based abroad processes data of people in Colombia (per SIC interpretive guidance).
  • Art 4 Processing principles — legality, purpose, freedom, truthfulness, transparency, restricted access, security, confidentiality
  • Art 8 Data-subject rights — access, rectification, deletion, revocation of authorization, complaint to SIC
  • Art 9 Prior and informed authorization — opt-in consent baseline; tacit/silent consent invalid
  • Art 17 Controller duties — including registration of databases with the SIC (RNBD)
  • Art 25 Habeas data complaints procedure with the SIC
  • Art 26 International transfers — prohibited unless destination country provides adequate protection or one of seven exceptions applies
Ley 1581 de 17 de octubre de 2012 (statutory law); develops the constitutional right of habeas data under Article 15 of the 1991 Colombian Constitution.
Decree 1377 (2013)
Decreto 1377 de 2013 — Reglamentación parcial de la Ley 1581 de 2012
Implementing regulation operationalizing Law 1581. Defines mechanisms for obtaining authorization, the content and form of privacy notices, the policy for handling personal information (PTI), data-subject request workflows, and special protections for children and adolescents. Confirms that authorization may be obtained in writing, orally, or through unequivocal conduct.
  • Art 5 Form of authorization — written, oral, or unequivocal conduct; controller bears burden of proof
  • Art 7 Children and adolescents — processing must respect best interests and fundamental rights; parental consent required for under-18 minors
  • Art 10 Privacy notice — minimum content (controller identity, processing purposes, rights, channels)
  • Art 13 Internal Policy for Personal Data Handling (PTI) — mandatory written policy
  • Art 25 Data-subject request handling — 10-business-day response window for queries; 15 for claims
Decreto 1377 de 27 de junio de 2013 (compiled into Decreto Único Reglamentario 1074 de 2015, Libro 2 Parte 2 Título 2 Capítulo 25).
Circular 002 of 2015
Circular Externa 002 de 2015 — Transferencia Internacional de Datos Personales
SIC's binding guidance on international data transfers under Law 1581 Art 26. Publishes the SIC adequacy list (currently includes EU member states, UK, Argentina, Israel, and a handful of others), defines the contractual-safeguards path for non-adequate destinations, and establishes the prior-declaration requirement for controllers transferring data abroad outside the listed countries.
  • Sec II Adequacy list — countries deemed to provide adequate protection
  • Sec III Contractual safeguards — required clauses for transfers to non-adequate destinations
  • Sec IV Prior declaration to SIC — controllers must declare transfers to non-adequate countries
SIC Circular Externa 002 de 3 de noviembre de 2015

Regulators

Supervisory authorities that interpret and enforce privacy law here.

FEDERAL
SIC · Superintendencia de Industria y Comercio — Delegatura para la Protección de Datos Personales
National data-protection authority — supervises Law 1581, manages the RNBD, investigates complaints, and imposes sanctions. The Delegatura is the dedicated DP arm within the broader competition/consumer-protection SIC.

Coordination body

RNBD · Registro Nacional de Bases de Datos
Mandatory public registry of personal-data databases operated by Colombian-resident controllers. Administered by the SIC; consultable by data subjects to verify which controllers hold their data.
  • 2018-08-09 · RNBD scope reform — Decree 090 of 2018 limited mandatory RNBD registration to controllers that are legal entities of a private nature with assets above 100,000 UVT, and to all public-sector legal entities.
  • 2020-12 · COVID-19 contact-tracing — SIC issued guidance restricting employer use of CoronApp data and reaffirming opt-in baseline for any health-status processing.
  • 2024-03 · Cookies and trackers — SIC reiterated that browser-based trackers fall under Law 1581 — Spanish-language banner, prior authorization for non-strictly-necessary cookies, and registration of analytics databases in the RNBD.

Notable enforcement

The SIC has emerged as one of Latin America's most active data-protection regulators. Multi-million-peso fines are imposed multiple times per year, and the regulator has shown willingness to pursue large banks, airlines, breweries, and telecoms. Colombian sanctions are calculated in monthly minimum legal wages (SMLMV) up to a statutory cap of 2,000 SMLMV per infraction (~COP 2.85 billion / ~USD 700K in 2026). The SIC publishes sanctions on its website, creating reputational pressure beyond the headline amount. Notable targets in recent years include Banco Davivienda (COP 1.165B, 2023), Avianca, Bavaria (the AB-InBev subsidiary), and major telecom operators.

  1. 2023-09 · €246k · Banco Davivienda · SIC · Law 1581 Art 4, 17 · stood

    Multiple sanctions totalling approximately COP 1.165 billion for security failures, unauthorized data sharing, and inadequate response to data-subject requests. One of the largest single SIC sanctions to date.

  2. 2024-05 · €180k · Claro Colombia · SIC · Law 1581 Art 4, 8 · stood

    Sanction for security failures resulting in customer-data exposure and inadequate breach-response procedures.

  3. 2022-10 · €130k · Avianca · SIC · Law 1581 Art 17 · stood

    Sanction for inadequate handling of habeas data complaints from passengers — failure to respond within statutory windows and to keep RNBD registration current.

  4. 2021-11 · €95k · Bavaria S.A. · SIC · Law 1581 Art 9 · stood

    Sanction for processing marketing data without prior, informed authorization — pre-checked consent boxes invalid under Law 1581 Art 9.

  5. 2023-04 · €75k · Rappi · SIC · Law 1581 Art 9, 17 · stood

    Sanction for opt-in deficiencies in marketing communications and incomplete RNBD registration of customer databases.

GA4 status

GA4 is usable in Colombia only with prior, express, informed authorization (opt-in) under Law 1581 Art 9. Tacit or silent consent — including pre-ticked boxes or 'continued browsing implies acceptance' banners — is invalid. The privacy notice must be in Spanish, and the analytics database must be registered in the RNBD where the controller meets the registration threshold. Transfers to Google's US servers fall under Law 1581 Art 26 — the US is not on the SIC adequacy list, so contractual safeguards or specific data-subject consent are required.

DPA: SIC
Stance: Cookies and analytics fall under Law 1581 (2024 guidance). Opt-in baseline + Spanish-language banner + RNBD registration where threshold met. US transfers require contractual safeguards under Circular 002.

Cross-border transfers + Schrems II

Colombia is not in the EU's adequacy list and is not a DPF participant. Under Law 1581 Art 26 + SIC Circular 002 of 2015, international transfers require either (a) destination on the SIC adequacy list — currently includes EU member states, UK, Argentina, Israel, and a small group of others; (b) standard-contractual safeguards with the importer; (c) BCRs; (d) specific data-subject consent for the transfer; or (e) one of the narrow exceptions (medical urgency, banking/stock-exchange transfers, treaty obligations). Transfers to non-listed destinations require prior declaration to the SIC.

Colombia has no published official SCC template — the SIC accepts contractual safeguards drafted around Circular 002's required clauses. EU SCCs (2021/914) are commonly adopted as a baseline by multinational controllers; the SIC has accepted them in practice but does not formally endorse a template.

Employee data

Key thresholds

  • DPO mandatory at: ≥1 employees
  • Child consent age: 18 years
  • Article 27 representative: Required
  • Marketing consent: Single opt-in

Vendor signals

Red / yellow / green markers are an editorial reading of public regulator guidance and published enforcement actions, applied to vendor behavior we can observe or that the vendor documents. They are not legal conclusions, not endorsements, and not advice about your specific processing. Configuration changes the picture — a "yellow" vendor in one configuration may be defensible in another.

Analytics tools · 4 · 0 green · 3 yellow · 1 red
Vendor · Status · Rationale
 YELLOW Visitor ID cookie + cross-suite stitching with Experience Platform. DPIA strongly recommended; configure ECID + IP obfuscation.
 YELLOW EU residency available on paid plans; default cloud is US. Persistent user IDs require config + DPA + DPF chain.
 YELLOW EU cloud helps but session recording + autocapture default to PII collection. Disable autocapture and recordings or self-host for green.
 RED Auto-capture grabs every click and form value — broad PII risk under GDPR Art 5(1)(c) data minimization.
Consent management platforms · 5 · 5 green · 0 yellow · 0 red
Vendor · Status · Rationale
 GREEN Danish-based, EU-hosted. Auto-blocks third-party scripts pre-consent — verify your manual scripts also gate.
 GREEN Italian-based, EU-hosted. Free tier limits 5k pageviews/mo; granular per-vendor controls require paid plan.
 GREEN Open-source, self-hosted. No managed updates — site owner maintains vendor list.
 GREEN GDPR + CCPA + multi-region templates available. Common config error: GDPR/CCPA mode mismatch — verify per-region defaults.
 GREEN German-based, EU-hosted. v3 SDK required for Consent Mode v2; TCF flow can over-collect for non-AdTech sites.
Ad pixels · 3 · 0 green · 0 yellow · 3 red
Vendor · Status · Rationale
 RED Loads pre-consent if naively placed; cross-device matching broad. Block until consent + IAB TCF string set.
 RED Schrems II concerns persist; advanced matching hashes PII but does not fix EU→US transfer problem.
 RED PRC-parent ownership flagged by Italian Garante and EDPB; transfers to China contested. Consent + risk acknowledgement required.
Server-side · 3 · 2 green · 1 yellow · 0 red
Vendor · Status · Rationale
 GREEN EU-only datacenters strong for FR/DE compliance; per-event pricing scales steeply at high traffic.
 GREEN EU server containers handle the routing — but server-side tagging does NOT auto-fix consent. CMP must still gate browser-side pings.
 YELLOW "EU server" ≠ EU data — clients still transmit to Google ad backends downstream. Use only for Google-ecosystem first-party-routing.

Common questions

Is Google Analytics legal in Colombia in 2026?
Yes, conditionally. GA4 is usable only with prior, express, informed authorization (opt-in) under Law 1581 Art 9. Tacit or silent consent — including pre-ticked boxes or 'continued browsing implies acceptance' banners — is invalid. The privacy notice must be in Spanish, and US transfers require contractual safeguards under SIC Circular 002 of 2015 (the US is not on Colombia's adequacy list).
Is habeas data really a constitutional right in Colombia?
Yes. Article 15 of the 1991 Colombian Constitution explicitly recognizes habeas data — the right of every person to know, update, and rectify information about themselves held in databases of public or private entities. The Constitutional Court has issued landmark rulings (T-414/92, SU-082/95, T-176A/14) developing this right. Law 1581 (2012) is the statutory development of Article 15 for non-financial personal data; Law 1266 (2008) covers financial/credit data.
Do I need to register my database with the SIC (RNBD)?
Maybe. Since Decree 090 of 2018, the RNBD registration obligation applies to: (a) all public-sector legal entities; (b) private legal entities with total assets above 100,000 UVT (~COP 4.7 billion in 2026, ~USD 1.15M). Below that threshold, registration is voluntary. If you operate analytics databases on a Colombia-targeted website and meet the threshold, registration is mandatory and must be kept current. The RNBD is publicly searchable at rnbd.sic.gov.co.
What language must my privacy notice be in?
Spanish. SIC interpretive guidance and Decree 1377 Art 10 require that privacy notices be intelligible to the data subject — for Colombia-targeted websites this means Spanish. English-only notices have been the basis of SIC sanctions. The targeting test follows the Law 1581 Art 3 logic: Colombia-language website, .co domain, COP pricing, Spanish-language marketing all signal targeting.
Is 'legitimate interest' a valid basis for analytics in Colombia?
No, by default. Law 1581 Art 9 establishes opt-in authorization as the baseline for processing — there is no legitimate-interest catch-all equivalent to GDPR Art 6(1)(f). The narrow exceptions in Art 10 (e.g., information of public nature, medical urgency, judicial order) do not cover routine web analytics. For non-strictly-necessary cookies and tracking, prior express authorization is required.
Do I need a Colombian Encargado / DPO?
Yes — Law 1581 Art 17(k) and Decree 1377 require controllers to designate a person or area responsible for handling data-subject requests (Encargado). There is no employee-headcount threshold equivalent to BDSG §38. Whether the role is dedicated or shared depends on the volume and risk of processing, but designation itself is mandatory for every controller.
Do I need a Colombian representative if I'm based abroad?
Yes, if you target the Colombian market. Although Law 1581 does not use the GDPR Art 27 'representative' construct, the SIC takes the position that controllers based outside Colombia who process the data of people in Colombia must (a) comply with Law 1581 in full and (b) designate a local point of contact for data-subject requests and SIC inquiries. Without one, SIC complaints are still actionable but enforcement against the foreign entity is harder — and the SIC has shown willingness to sanction in absentia.
What about international transfers — what are the rules?
Law 1581 Art 26 + SIC Circular Externa 002 of 2015 govern transfers. Permitted paths: (1) destination on the SIC adequacy list (currently EU member states, UK, Argentina, Israel, and a small group of others); (2) standard-contractual safeguards with the importer covering Circular 002's required clauses; (3) BCRs; (4) specific data-subject consent for the transfer; (5) narrow exceptions (medical urgency, banking, treaty obligations). Transfers to non-listed countries require prior declaration to the SIC. The US is NOT on the adequacy list.
What's the parental-consent age for processing children's data?
Under-18. Law 1581 Art 7 + Decree 1377 Art 12 require parental authorization for processing personal data of any minor (under 18). Adolescents (12–18) may exercise some rights themselves consistent with their evolving capacity, but the controller must obtain parental authorization for any processing where consent is the legal basis. Best-interests-of-the-child test applies throughout. This is stricter than GDPR's 16-year baseline.
How active is SIC enforcement?
Very active. The SIC issues multi-million-peso sanctions multiple times per year — Banco Davivienda (~COP 1.165 billion, 2023), Avianca, Bavaria (AB-InBev), Claro, and Rappi are among recent targets. Sanctions are calculated in monthly minimum legal wages (SMLMV) up to 2,000 SMLMV per infraction (~COP 2.85 billion / ~USD 700K in 2026). The SIC publishes sanctions on its website. A 2025 cookie-banner sweep is in progress targeting e-commerce sites with pre-ticked boxes or English-only notices.

// EDITORIAL · NOT LEGAL ADVICE

This page summarises Colombia's privacy framework as of 2026-05-05. Rules vary by sector, establishment, and DPA position. For binding interpretation, consult counsel admitted here.