Enclave Guard

Law 21.719: Chile's New Data Law Takes Effect December 2026 - Is Your Business Ready?

May 4, 2026 | By Carlos T | Compliance, Data Protection, Cybersecurity

After more than 25 years operating under an outdated law, Chile is modernizing its personal data protection framework and aligning it with international standards like GDPR. Law 21.719 enters into force on December 1, 2026, bringing real sanctions, an enforcement authority with teeth, and technical obligations that affect virtually every business operating in Chilean territory.

1. Chile Modernizes: From a 1999 Law to GDPR Standard

For more than 25 years, personal data protection in Chile was governed by Law 19.628, enacted in 1999. Back then, the digital world was barely emerging: there were no mass social networks, smartphones were science fiction, and e-commerce was just taking its first steps. That law, although a pioneer in Latin America, became deeply outdated. It did not contemplate breach notification, did not require explicit consent, and above all, did not have a supervisory body with real powers.

All that changes with Law 21.719, published in the Official Gazette in December 2024, with full entry into force scheduled for December 1, 2026. It is a comprehensive reform that aligns Chile with the standards of the European Union's General Data Protection Regulation (GDPR), positioning the country as a regional reference on the matter.

The institutional ecosystem has also transformed. The National Cybersecurity Agency (ANCI) began its activities on January 1, 2025 (with rules on operators of vital importance, incident notification, and the sanctions regime entering into force on March 1, 2025), and the new Personal Data Protection Agency (APDP) will have real sanctioning powers starting December 1, 2026. Chile moves from a declarative model to one with real enforcement and punishment capability.

Key fact: Chile reformed its Constitution in 2018 to explicitly enshrine personal data protection as a fundamental right, joining a select group of Latin American countries that recognize this right at the constitutional level. Law 21.719 gives operational teeth to that guarantee.

2. What Changes for Your Business?

The new law introduces profound changes in how organizations must collect, store, process, and delete personal data. These are the most relevant differences between the old Law 19.628 and the new Law 21.719:

  • Consent: previously implicit or generic; now must be explicit, specific, informed and revocable.
  • Breach notification: previously not required; now mandatory to the authority and to those affected within defined deadlines.
  • Right to be forgotten: previously not regulated; now data subjects can exercise the right to erasure.
  • Data portability: previously did not exist; now data subjects can request their data in a structured format.
  • Data Protection Officer (DPO): previously not required; now mandatory for companies that process sensitive data or operate at scale.
  • International transfers: previously without clear restrictions; now only to countries with adequate level or under contractual guarantees.
  • Supervisor: previously no dedicated authority existed; now the Data Protection Agency has real sanctioning power.
  • Sanctions: previously low fines almost never applied; now up to 20,000 UTM (~USD 1.55 million) or 2%-4% of annual revenue in Chile.

In practice, this means reviewing every form, every database, every third-party integration, and every flow where data is collected. It is no longer enough to have a generic "privacy policy" page that no one reads.

3. Who Must Comply?

The short answer: virtually any company that operates in Chile or processes data of people in Chilean territory. It doesn't matter whether you're a three-person startup or a multinational with offices in Santiago.

The law applies to:

  • Chilean companies of any size that collect personal data from customers, employees, or suppliers.
  • Foreign companies that offer goods or services to people in Chile, or that monitor their behavior.
  • Public bodies, with additional transparency obligations.

Obligations intensify for organizations that process:

  • Sensitive data: health, ethnic origin, sexual orientation, biometric data, union or political affiliation.
  • Financial data: credit history, debts, income.
  • Data of minors: requires consent from the legal representative.
  • Large-scale processing: automated profiling, mass geolocation, databases with millions of records.

If your company has a CRM, sends marketing emails, uses web analytics with cookies, or simply manages payroll, this law applies to you. There is no exception by size.

4. The Sanctions Are Serious

One of the chronic problems of Law 19.628 was its lack of teeth. Fines were trivial and rarely applied. Companies had no economic incentive to invest in compliance. That's over.

Law 21.719 establishes a tiered sanctions regime:

  • Minor infractions: written warning or fines of up to 5,000 UTM (approximately USD 380,000). Includes, for example, breaches of the duty of information and transparency.
  • Serious infractions: fines of up to 10,000 UTM (approximately USD 770,000). Processing without a valid legal basis, omission of breach notification, or obstruction of the authority.
  • Very serious infractions: fines of up to 20,000 UTM (approximately USD 1.55 million). Fraudulent processing, illicit international transfers, or breach of the duty of confidentiality over sensitive data.

For companies that do not qualify as smaller enterprises under Law 20.416, sanctions for serious and very serious infractions can alternatively reach 2% or 4% of annual revenue from sales and services in Chile in cases of recidivism. Sanctions are also recorded in the National Sanctions Registry for up to 5 years, which has commercial consequences beyond the amount of the fine.

USD conversions calculated using February 2026 UTM (~CLP 69,611) and approximate exchange rate. Actual values vary month to month.

Beyond the fine: Reputational damage is usually worse than the economic sanction. A data breach published in the media can destroy years of customer and partner trust within hours. In the era of social media, there is no way to control the narrative once the data leaks.

In addition, the new law contemplates the possibility of temporary suspension of data processing as a precautionary measure, which for many digital companies amounts to operational shutdown.

5. Your Preparation Checklist: 8 Months to Comply

If you're reading this in April 2026, you have exactly 8 months to reach compliance. It's a tight but realistic timeframe if you start now. This is a month-by-month action plan:

  • April – May: Data flow audit. Identify what personal data you collect, where it is stored, who has access and on what legal basis you process it. Map every flow from capture to deletion. This is the foundation for everything else.
  • May – June: Privacy policy update. Rewrite your policies to comply with the information requirements of the new law: purpose, retention period, data subject rights, DPO contact. They must be clear and in accessible language.
  • June – July: Consent management implementation. Deploy mechanisms to obtain explicit consent: cookie banners, updated forms, double opt-in for marketing. Implement the ability to easily revoke consent.
  • July – August: Staff training. Train your team — not just IT, but sales, marketing, HR, and customer service — on the new obligations. Document training as evidence of compliance.
  • August – September: Breach notification process. Define a clear protocol: who detects, who evaluates, who notifies, within what deadlines. Run a simulation. If you don't have 24/7 security monitoring, this is the time to implement it.
  • September: DPO appointment. If your company is required to have a Data Protection Officer, formally appoint one. They can be internal or external, but must have independence and direct access to senior management.
  • October – November: Testing and internal audit. Review everything: are forms capturing consent correctly? Are retention deadlines being met? Does the breach protocol work? Conduct a full audit as if the Agency were already inspecting you.
  • December: Compliance go-live. Starting December 1, the law is in force. Make sure all your documentation is up to date, your operating systems are ready, and your team is prepared to respond to data subject requests within the legal deadlines.

Sounds like a lot? It is. That's why companies that start today have a competitive advantage over those that wait until October to panic.

6. Cybersecurity and Data Protection: Two Sides of the Same Coin

A common mistake is to think that complying with personal data law is just a legal matter: updating contracts and policies. In reality, Law 21.719 requires technical and organizational measures to protect data. And that's where cybersecurity stops being optional.

The law requires, among other things:

  • Data encryption at rest and in transit, especially for sensitive data.
  • Role-based access control: only authorized personnel access the data they need.
  • Continuous monitoring to detect unauthorized access, data exfiltration, or anomalous behavior.
  • Documented and tested incident response, with the ability to notify breaches within legal deadlines.
  • Data Protection Impact Assessments (DPIAs) for high-risk processing.
  • Vendor management: ensuring that third parties processing data on your behalf also comply with adequate measures.

Without a solid cybersecurity foundation, regulatory compliance is a fiction. You can have the best privacy policy in the world, but if an attacker accesses your customer database because your server wasn't patched, the fine arrives just the same — and so does the trust breach.

A managed security service provider (MSSP) provides exactly that technical layer: 24/7 monitoring, threat detection, vulnerability management, and incident response. It's the security infrastructure the law requires, without you having to build it in-house.

7. How Enclave Guard Can Help

Enclave Guard is an MSSP (Managed Security Service Provider) with presence in Latin America and the United States, designed for companies that need enterprise-grade security without the complexity or cost of an in-house cybersecurity team.

Here's what we bring to Law 21.719 compliance:

  • Security and data audit: We map your assets, data flows, and vulnerabilities. We identify gaps between your current posture and what the law requires.
  • Continuous monitoring and threat detection: A remote SOC that watches your infrastructure 24/7. We detect and respond before an incident becomes a mandatory notification to the Agency.
  • Vulnerability management: Periodic scanning, patch prioritization, and remediation tracking. We keep your attack surface under control.
  • Incident response: Established and tested protocol. If a breach occurs, we activate the plan, contain the damage, and help you with regulatory notification.
  • Compliance documentation in Spanish: Policies, procedures, and evidence ready for inspection. We don't deliver generic English templates: everything is contextualized for Chilean regulation.
  • Bilingual team with local and international knowledge: We understand both Law 21.719 and GDPR, CCPA, and international frameworks. Ideal for companies with cross-border operations.
  • Pricing designed for LATAM: Packages adapted to the economic reality of the region, without sacrificing service quality.

Conclusion

Law 21.719 marks a before-and-after for data protection in Chile. Companies that get ahead of its entry into force will not only avoid sanctions — they will also build a solid competitive advantage based on customer trust and the operational maturity of their processes.

This article is informational and does not constitute legal advice. For a personalized assessment of your situation regarding Law 21.719, consult a professional specialized in data protection law in Chile.
