Chile’s Law No. 21,719 will enter into force on December 1. Find out whether your privacy policy, cookie practices, and Terms and Conditions would withstand an audit by the new Data Protection Agency.
Would your privacy policy withstand a regulatory audit today?
Your website is the public face of your compliance framework. It is the first thing a regulator, a customer, or anyone considering filing a complaint will review.
Yet today, most websites in Chile do not meet even the most basic requirements:
1. A genuine privacy policy not a copied template
Your policy must clearly explain what personal data you collect, why you collect it, how long you retain it, and with whom you share it.
If your privacy policy is still based on a generic template from 2018, you are already falling short.
2. Cookies based on explicit consent
The days of banners stating, “By continuing to browse, you accept cookies,” are over.
Users must be able to reject cookies just as easily as they can accept them.
3. Consistent Terms and Conditions
If your Terms and Conditions say one thing while your actual business practices say another, the document will no longer protect you. Instead, it may become evidence against you.
4. Compliant online forms
Consent boxes must be left unticked by default, and your website must provide a clearly visible channel through which individuals can exercise their rights of access, rectification, erasure, objection, and data portability.
What if you operate a marketplace? Your exposure multiplies.
A marketplace does not process only the personal data of buyers and sellers.
Your platform may also handle payments, billing information including Chilean tax identification numbers (RUT), addresses, and receipts shipping addresses, purchase histories, and sellers’ bank details for payment settlements.
Financial and economic data are subject to enhanced protection under the new law. This requires additional safeguards:
1. Define who is responsible for each category of data
You must determine when your business acts as a data controller and when it acts merely as a data processor.
2. Put data processing agreements in place
You should have appropriate agreements with every seller, payment gateway, billing provider, and logistics operator that processes personal data on your behalf.
3. Strengthen the protection of payment and billing data
You must clearly establish what information your business retains, what information is stored by the payment gateway, and how long each party keeps it.
4. Establish clear rules for profiling and automated recommendations
Your marketplace must define how it uses customer data to create profiles, personalize services, or generate automated product recommendations.
5. Ensure that international data transfers are properly covered
This includes transfers involving your cloud infrastructure, CRM, marketing tools, and any other service providers located outside Chile.
Fines may reach up to 20,000 UTM, approximately CLP 1.4 billion and, in the case of repeated infringements by large companies, up to 4% of their annual revenue.
Less than five months remain.
At BRANDLEX, we support businesses throughout this process. We understand the regulation and translate it into practical measures that work with your business operations and the technology you already use.
This includes privacy policies, Terms and Conditions, cookie compliance, third-party agreements, and other essential measures.
Let’s talk. Send us a direct message or email us at 📨 info@brand-lex.com
#Law21719 #DataProtection #Ecommerce #Marketplace #Chile