
GDPR, Law 1581 and LGPD: the legal framework for consent in LATAM and Spain

By Conma Team, June 12, 2026. 3 min read

Asking for cookie consent has gone from best practice to a legal obligation with real penalties. But which rule applies depends on where your users are, not where your company is. Here is the picture of the legal framework across the markets where most of our customers operate, with enough detail to know what you need to change.

Disclaimer: this article is informational and not legal advice. For your specific case, consult a lawyer specialized in data protection.

The first common misconception is thinking cookies "aren't personal data." In practice, a cookie identifier that lets you recognize a device over time is personal data, because it can be linked to a person, directly or indirectly. That's why analytics and marketing cookies fall squarely within these laws, and why a passive "we use cookies" notice isn't enough.

Spain and the European Union: GDPR + ePrivacy

Two complementary rules coexist in the European Economic Area:

  • The GDPR (General Data Protection Regulation) governs the processing of personal data and requires a legal basis for each use. For marketing and analytics, that basis is consent.
  • The ePrivacy Directive (and its national transpositions, such as Spain's LSSI) specifically governs access to and storage of information on the user's device — i.e. cookies and similar technologies.

Together they require consent to be freely given, specific, informed and unambiguous, through a clear affirmative action. In practice this rules out several very common patterns:

  • No analytics or marketing cookies before the user accepts.
  • Pre-ticked boxes and hidden "reject" buttons are forbidden.
  • "Continued browsing means acceptance" is not valid consent.
  • Rejecting must be as easy as accepting (same level, same clicks).

Typical non-compliance example: a banner with a prominent gold "Accept" button and a tiny grey "Reject" at the bottom. European authorities consider that imbalance enough to invalidate consent.

Colombia: Law 1581 of 2012

Colombia is governed by Statutory Law 1581 of 2012 and Decree 1377 of 2013, overseen by the Superintendence of Industry and Commerce (SIC). Authorization must be prior, express and informed, and the controller must be able to prove it was obtained.

The key piece for cookies is the SIC's Resolution 32126 of 2022, which:

  • Classifies cookies into four categories (necessary, preferences, analytics and advertising).
  • States that, because Law 1581 is built on the principle of the data subject's authorization, none of them is exempt from requiring authorization except the strictly necessary ones.
  • Applies to any company collecting data from people residing or domiciled in Colombia via cookies, regardless of where the server is or the company's nationality.

The data subject also retains the rights to know, update, rectify and delete their data, and to withdraw authorization at any time.

Brazil and the rest of the region

Brazil has the LGPD (Lei Geral de Proteção de Dados), supervised by the ANPD and closely aligned with the GDPR, including the role of the data processor and the legal bases for processing. Mexico (LFPDPPP, with INAI), Argentina, Chile, Peru and Ecuador have their own frameworks at varying levels of maturity, several of which are being reformed to move closer to the European standard.

Jurisdiction   Main law           Authority     Consent
Spain / EU     GDPR + ePrivacy    AEPD / DPAs   Prior, explicit, granular
Colombia       Law 1581 / 2012    SIC           Prior, express, informed
Brazil         LGPD               ANPD          Prior, specific
Mexico         LFPDPPP            INAI          Prior (privacy notice)

If your site receives traffic from several of these countries — normal across LATAM — the practical standard is to align with the strictest (the European one) and comply with the rest by extension.

The penalties are not theoretical

The GDPR allows fines of up to 4% of global annual revenue or €20 million, whichever is higher. And they're enforced: the Swedish authority imposed €15 million on pharmacy chains for using the Meta pixel without a legal basis, and the Austrian authority ruled that the Meta pixel transferred data to the U.S. in breach of the GDPR. In LATAM, the SIC has sanctioned data processing without valid authorization. On top of the fine come reputational damage and, increasingly, class actions.

What you need to comply

Regardless of the country, consent that survives an audit shares four traits:

  1. Block first: no tracker runs before the user clicks "accept".
  2. Granularity: the user decides per purpose (analytics, marketing…).
  3. Revocability: withdrawing consent must be as easy as giving it.
  4. Proof: a record of what each user accepted, when, and on which version of the text, kept in case an authority asks for it.
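The four traits above as a minimal consent gate, written here as an added JavaScript example (it is not Conma's code or any library's API): the purpose names follow the SIC's four categories, and the POLICY_VERSION value, tracker names and record shape are assumptions.

```javascript
// Added example, not Conma's code: a minimal consent gate covering the four traits above.
// Tracker loaders are registered per purpose and only run once that purpose is granted.
// POLICY_VERSION is an assumed identifier for the consent text version the user was shown.
const PURPOSES = ["necessary", "preferences", "analytics", "marketing"];
const POLICY_VERSION = "cookie-notice-v3";

function createConsentManager(clock = () => new Date().toISOString()) {
  // "necessary" is always on; every other purpose starts denied (block first).
  const state = Object.fromEntries(PURPOSES.map((p) => [p, p === "necessary"]));
  const trackers = { preferences: [], analytics: [], marketing: [] };
  const loaded = new Set();
  const records = []; // proof: each decision with its timestamp and text version

  function runAllowed() {
    for (const purpose of Object.keys(trackers)) {
      if (!state[purpose]) continue;
      for (const t of trackers[purpose]) {
        if (!loaded.has(t.name)) { loaded.add(t.name); t.load(); }
      }
    }
  }

  return {
    // Register a tracker under one purpose; it stays blocked until that purpose is granted.
    register(purpose, name, load) {
      if (!trackers[purpose]) throw new Error(`unknown purpose: ${purpose}`);
      trackers[purpose].push({ name, load });
      runAllowed();
    },
    // Granular decision: one boolean per non-necessary purpose; anything omitted is denied.
    decide(choices, action = "custom") {
      for (const purpose of Object.keys(trackers)) state[purpose] = choices[purpose] === true;
      records.push({ action, choices: { ...state }, at: clock(), policyVersion: POLICY_VERSION });
      runAllowed();
    },
    acceptAll() { this.decide({ preferences: true, analytics: true, marketing: true }, "accept_all"); },
    rejectAll() { this.decide({}, "reject_all"); },
    // Withdrawing is the same single call as rejecting; scripts already loaded must check
    // isAllowed() before sending anything (sites typically also reload the page on revoke).
    revoke() { this.decide({}, "revoke"); },
    isAllowed(purpose) { return state[purpose] === true; },
    loadedTrackers() { return [...loaded]; },
    records() { return records.map((r) => ({ ...r })); },
  };
}
```

The records array is what an audit asks for: persist it server-side with the user's pseudonymous id, since an in-memory log disappears with the tab.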

Conma covers all four: it blocks until consent, offers granular control, allows revocation and issues a signed certificate of every decision with evidentiary value. And if you use Google, pair it with our Google Consent Mode v2 guide.
