Costa Rica's Data Protection Law (Ley 8968): A Plain-Language Guide for Companies

Lic. Ricardo Castillo Castillo · May 19, 2026 · 8 min read

By Lic. Ricardo Castillo Castillo · AEGIS Legal Partners · Published May 16, 2026

Reading time: 9 minutes

Most companies operating in Costa Rica have heard of Ley 8968. Few have actually read it — and fewer still have structured their data practices around it.

That gap is increasingly costly. Costa Rica's data protection authority, PRODHAB, has accelerated enforcement activity since 2021. International companies, cloud-first startups, and domestic businesses alike are receiving requests for information, audit notices, and in some cases formal sanctions.

This guide explains what Ley 8968 actually requires, who it applies to, what PRODHAB can do when it finds a violation, and the practical steps that bring a company into compliance.

What Is Ley 8968?

Ley de Protección de la Persona frente al Tratamiento de sus Datos Personales — Law 8968 — is Costa Rica's primary data protection legislation, enacted in 2011 and regulated by Executive Decree 37554-JP.

The law is built on a simple premise: personal data belongs to the person it describes. Any entity that collects, stores, uses, transfers, or otherwise processes that data must do so with a legal basis and must respect the rights of the individual at every stage.

The legislation aligns broadly with the international data protection framework established by the OECD Guidelines and influenced by European data protection principles — though it predates the GDPR by six years. In practice, this means companies already familiar with GDPR compliance have a structural head start on Ley 8968 compliance, and vice versa.

Who Does Ley 8968 Apply To?

The law applies to any public or private entity — in Costa Rica or abroad — that collects or processes personal data of Costa Rican residents, or that processes such data within Costa Rican territory.

The territorial reach is broader than most companies assume:

  • A US company with a Costa Rican team processes employee data subject to Ley 8968
  • An e-commerce platform with Costa Rican customers processes customer data subject to Ley 8968
  • A cloud service provider storing Costa Rican personal data on servers outside the country must still comply with Ley 8968's transfer requirements
  • A multinational corporation's local subsidiary is subject to the law regardless of the parent company's jurisdiction

There is no exemption based on company size, revenue, or sector. Ley 8968 applies equally to a two-person startup and a multinational corporation.

Key Definitions: What Counts as "Personal Data"?

Ley 8968 defines personal data as any information concerning an identified or identifiable natural person. The law distinguishes two categories:

General personal data — information that identifies a person without creating heightened risk: names, addresses, emails, phone numbers, purchase history, employment records, IP addresses.

Sensitive personal data — categories requiring elevated protection: racial or ethnic origin, political opinions, religious or philosophical beliefs, union membership, health data, sexual orientation, criminal records, financial information.

The practical implication: if your company collects health data, financial records, or similar sensitive information, the compliance bar is higher. Consent must be explicit, documented, and specific to purpose.

Core Obligations Under Ley 8968

1. Legal Basis for Data Processing

You cannot collect or process personal data simply because you want to. Ley 8968 requires a lawful basis for every processing activity. The recognized bases include:

Consent — the data subject gives informed, specific, and unambiguous consent for a defined purpose. Consent must be documented and revocable at any time.

Contractual necessity — processing is necessary to perform a contract with the data subject (for example, processing a customer's address to deliver their order).

Legal obligation — processing is required by Costa Rican law (for example, retaining employee records under the Labor Code).

Legitimate interest — the organization has a legitimate purpose that does not override the individual's rights. This is a narrower basis than it sounds and requires documented analysis.

Vague language in a privacy policy — "we may use your information to improve our services" — is not a valid legal basis under Ley 8968.

2. The Duty to Inform

Before collecting personal data, the responsible party must inform individuals of:

  • The identity and contact information of the data controller
  • The purpose of data collection
  • The categories of data being collected
  • Whether the data will be transferred to third parties (and to whom)
  • The individual's rights under the law
  • Whether providing the data is mandatory or voluntary

This obligation is fulfilled in practice through a privacy notice — but only if the notice is accurate, current, and actually presented to the individual before collection begins. A privacy notice buried in the footer of a website after the user has already submitted a form does not satisfy the requirement.

3. Data Quality and Accuracy

Personal data must be adequate, relevant, and not excessive for the purpose for which it was collected. It must be accurate and kept up to date. Data that is no longer necessary for its original purpose must be deleted or anonymized.

This principle has direct implications for data retention. Many companies accumulate data indefinitely — CRM records of leads who never converted, employee records of staff who left a decade ago, customer data from discontinued products. Each of these may violate the data minimization and retention principles of Ley 8968.

4. Security Measures

The responsible party must implement technical and organizational security measures appropriate to the nature of the data and the risks involved. Ley 8968 and its regulations specify that these measures must protect against unauthorized access, accidental loss, destruction, or alteration.

In practice, this means: encrypted storage for sensitive data, access controls limiting who can view personal information, audit logs, incident response procedures, and documented security policies. "We have a firewall" is not sufficient documentation.

5. Data Transfer Restrictions

Transferring personal data outside Costa Rica requires that the receiving country offer an adequate level of protection, or that specific contractual safeguards are in place.

PRODHAB maintains a list of countries considered adequate — currently including EU member states and others that have implemented GDPR-equivalent protections. The United States is not on this list by default. Companies sending Costa Rican personal data to US-based cloud services, analytics platforms, or AI tools must ensure appropriate safeguards are documented.

6. Appointment of a Responsible Party

Every organization that processes personal data must designate a responsible party (responsable de la base de datos) — the individual or entity accountable for compliance. For larger organizations or those processing sensitive data, designating an external Data Protection Officer (DPO) is both a practical compliance measure and a service AEGIS Legal Partners provides directly.

Individual Rights Under Ley 8968

The law grants individuals four core rights with respect to their personal data, collectively known as ARCO rights:

Access (Acceso) — the right to know what personal data an organization holds about them and how it is being used.

Rectification (Rectificación) — the right to correct inaccurate or incomplete data.

Cancellation (Cancelación) — the right to request deletion of data that is no longer necessary, was collected without a valid legal basis, or is being processed in violation of the law.

Opposition (Oposición) — the right to object to data processing for specific purposes, including direct marketing and certain automated decisions.

Organizations must respond to ARCO requests within five business days. Failure to respond, or responding inadequately, is itself a sanctionable violation.

PRODHAB: What the Authority Can Do

PRODHAB — Agencia de Protección de Datos de los Habitantes — is the independent supervisory authority for Ley 8968. It has broad investigative and sanctioning powers:

Investigation: PRODHAB can open investigations on its own initiative or in response to complaints. It can request documents, inspect databases, and interview personnel.

Corrective orders: PRODHAB can order the suspension of data processing activities, the deletion of unlawfully collected data, or the implementation of specific security measures — with a defined compliance deadline.

Fines: Sanctions range from written warnings to fines calculated based on the severity of the violation, the organization's size, and whether the violation was deliberate or negligent. Fines can reach several million Costa Rican colones for serious violations.

Criminal referrals: For the most serious violations — deliberate breach of sensitive data, identity fraud, unauthorized database disclosure — PRODHAB can refer matters to the Public Ministry for criminal investigation.

What has changed since 2021 is the pace and volume of enforcement. PRODHAB has published decisions against companies in telecommunications, healthcare, financial services, and technology. The assumption that enforcement is theoretical is no longer accurate.

Ley 8968 and AI Tools: The Intersection

If your company uses artificial intelligence — and most do, whether or not they label it that way — Ley 8968's requirements apply directly to how those tools process personal data.

AI-powered HR tools that screen candidates or evaluate employees are processing personal data. The legal basis, disclosure obligations, and accuracy requirements all apply.

Customer analytics platforms that build behavioral profiles are processing personal data. Consent or another lawful basis is required before that profiling begins.

Chatbots and virtual assistants that collect names, emails, and conversation history are collecting personal data. Data retention limits and deletion obligations apply.

Third-party AI APIs — when you send your customers' data to an AI service provider to process, you are making a data transfer that requires a Data Processing Agreement and, potentially, cross-border transfer safeguards.

The convergence of Ley 8968 with the EU AI Act and GDPR means companies operating internationally face a layered compliance environment where every AI deployment decision has legal dimensions.

A Practical Compliance Baseline

For most companies, achieving meaningful Ley 8968 compliance requires addressing five areas:

Privacy notice. Accurate, current, and presented before data collection — not buried in a footer.

Consent mechanism. Documented opt-in for non-necessary processing, with a mechanism to record and honor revocations.

Data processing register. A documented inventory of what personal data you collect, why, from whom, for how long, and with whom you share it. This is the document PRODHAB requests first in an investigation.

Vendor agreements. Every third-party provider that handles your customers' or employees' personal data — cloud services, payroll platforms, CRM providers, AI tools — needs a Data Processing Agreement in place.

ARCO response procedure. A documented process for receiving, tracking, and responding to individual rights requests within the five-day window.

None of these require months of work. An experienced data protection practitioner can produce a compliant baseline framework for a mid-sized company in two to four weeks.

The Cost of Non-Compliance

Beyond PRODHAB fines, the real cost of data protection non-compliance shows up in three places:

Client due diligence. International corporations — especially those subject to GDPR — conduct supplier due diligence on data protection. A company that cannot demonstrate Ley 8968 compliance risks losing contracts with sophisticated clients. This is not a hypothetical: several Costa Rican companies have lost or failed to close international business relationships because they could not answer basic data protection questions.

Data breach exposure. When a breach occurs, a company with documented compliance has a defined response plan, a responsible party, and records that demonstrate good-faith efforts. A company with no compliance infrastructure faces both the breach and a compliance investigation simultaneously.

Regulatory trajectory. Costa Rica is actively seeking integration with international trade frameworks that include data protection standards as prerequisites. The compliance bar will not go down.

Next Steps

If your company has not conducted a structured Ley 8968 compliance review, the first step is to understand your current exposure. This means mapping what personal data you collect, assessing your current practices against the law's requirements, and identifying the gaps that present the most immediate risk.

AEGIS Legal Partners offers an AI & Data Compliance Audit that covers exactly this — Ley 8968, GDPR applicability, AI tool inventory, and a prioritized compliance roadmap. Most clients have a clear picture of their situation within two weeks.

Book a free 20-minute consultation: aegispartners.law

Lic. Ricardo Castillo Castillo is the founder of AEGIS Legal Partners, Costa Rica's first law firm specializing in AI Law, Data Privacy, and International Real Estate. He holds Carné #36,687 with the Colegio de Abogados y Abogadas de Costa Rica and serves clients in North America, Europe, and Latin America.

© 2026 AEGIS Legal Partners S.R.L. · This article is for informational purposes only and does not constitute legal advice. For advice specific to your company's situation, contact a licensed attorney.