Colombia Data Privacy Laws: Law 1581 Compliance Guide (2026)

Constitutional Foundation: Habeas Data as a Fundamental Right
Colombia's approach to data privacy is distinctive in Latin America because it starts at the constitutional level. Article 15 of the Political Constitution of 1991 guarantees every person the right to personal and family privacy and to their good name.

More importantly, Article 15 establishes what Colombian law calls habeas data: the specific right to know, update, and rectify any information collected about an individual in databases or records maintained by public or private entities. This is not a statutory afterthought. It is a fundamental constitutional right that carries the same weight as freedom of expression or due process.
Article 20 of the Constitution reinforces this framework by guaranteeing the right to receive truthful and impartial information. Together, these two provisions create a constitutional mandate that the Colombian Congress was required to implement through legislation.
The Constitutional Court of Colombia has issued extensive jurisprudence interpreting habeas data. The Court has consistently held that data protection is an autonomous fundamental right, not merely a subset of the right to privacy. This distinction matters because it means individuals can file a tutela (a fast-track constitutional action) to enforce their data rights directly, without waiting for administrative proceedings.
Law 1581 of 2012: The Core Data Protection Statute
Congress fulfilled its constitutional mandate by enacting Ley Estatutaria 1581 de 2012, which established the general framework for personal data protection in Colombia. Because it implements a fundamental right, this law has the elevated status of a "statutory law" (ley estatutaria), which requires a stricter legislative process and mandatory review by the Constitutional Court before taking effect.
Scope and Application
Law 1581 applies to all personal data recorded in any database that can be processed by public or private entities within Colombian territory. It also applies extraterritorially when the data of Colombian residents is processed abroad.
The law distinguishes between four categories of data:
- Public data: Information that is not semi-private, private, or sensitive (e.g., publicly available government records)
- Semi-private data: Data that is not intimate but whose access is limited to specific persons or purposes (e.g., financial and credit information)
- Private data: Data that is intimate in nature and relevant only to the data subject (e.g., personal correspondence)
- Sensitive data: Data that affects the data subject's most intimate sphere, including racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health data, sexual orientation, and biometric data
Processing Principles
Law 1581 establishes core principles that govern all data processing:
- Legality: Processing must comply with applicable laws
- Purpose limitation: Data may only be collected for a legitimate, specific purpose communicated to the data subject
- Freedom: Processing requires the data subject's prior, express, and informed consent
- Truthfulness: Information must be accurate, complete, and up to date
- Transparency: The data subject has the right to obtain information about their data at any time
- Restricted access: Only authorized persons may process the data
- Security: Data must be protected with technical, human, and administrative measures
- Confidentiality: All persons involved in processing must maintain confidentiality
Consent Requirements Under Colombian Law
Consent is the cornerstone of Colombia's data protection regime. Article 9 of Law 1581 requires that data subjects provide prior, express, and informed authorization before their personal data can be collected or processed.
What Makes Consent Valid
Colombian law demands that consent meet four criteria:
- Prior: Authorization must be obtained before data collection begins, not after
- Express: The data subject must actively indicate consent through a clear affirmative action
- Informed: The data controller must explain what data will be collected, why, and how it will be used
- Revocable: Data subjects can withdraw their consent at any time
Implicit or tacit consent is generally not sufficient. Pre-ticked boxes, consent buried in lengthy terms of service, or assumptions of consent from continued use of a service do not meet the standard set by the SIC.
Exceptions to Consent
Law 1581 recognizes limited exceptions where consent is not required:
- Information required by a public or administrative entity in the exercise of its legal functions
- Data related to civil registry information
- Cases of medical or health emergencies
- Processing authorized by law for historical, statistical, or scientific purposes
- Data related to the public registry of commercial documents
Sensitive Data Protections
Article 5 of Law 1581 defines sensitive data as information that could lead to discrimination. This includes data revealing racial or ethnic origin, political orientation, religious beliefs, philosophical convictions, membership in trade unions or human rights organizations, health information, sexual life, and biometric data.
Processing sensitive data is generally prohibited. The exceptions are narrow: explicit consent by the data subject, processing necessary to protect a vital interest, processing by a nonprofit for its members, data related to civil registry, or processing required for the recognition or defense of a right in judicial proceedings.
Decree 1377 of 2013: Implementation Regulations
On June 27, 2013, the executive branch issued Decreto 1377 de 2013 to implement the operational requirements of Law 1581. This decree fills in the practical details that the statute left to regulation.
Privacy Policy Requirements
Decree 1377 requires every data controller and processor to adopt a personal data management program (programa integral de gestión de datos personales). This internal policy must include at minimum:
- Identification of the data controller
- Description of the purposes and methods of data processing
- The rights of data subjects and how to exercise them
- Identification of the person or department responsible for data processing
- Procedures for data subjects to file queries and complaints
- The timeframe for which the policy applies
Privacy Notice
Beyond the internal policy, Decree 1377 requires controllers to provide a privacy notice (aviso de privacidad) to data subjects at the time of collection. This notice must clearly state the controller's identity, the data being collected, the purpose of collection, and the data subject's rights.
Documentation Obligations
Controllers must maintain documented evidence of consent obtained from each data subject. This proof must be available for inspection by the SIC at any time.
Data Subject Rights
Colombian data protection law grants data subjects a comprehensive set of rights:
- Right to access: Individuals can request copies of all personal data held about them
- Right to update: Data subjects can demand that inaccurate or incomplete information be corrected
- Right to rectification: Related to update, but specifically addressing errors in databases
- Right to erasure: Individuals may request deletion of their data when consent is revoked or when processing is no longer necessary
- Right to revoke consent: Data subjects can withdraw their authorization at any time and for any reason
- Right to object: Individuals can object to data processing for marketing or profiling purposes
- Right to file complaints: Data subjects can file claims with the SIC when their rights are violated
Controllers must respond to access requests within 10 business days and to complaints within 15 business days. If the controller cannot resolve the issue within those periods, the data subject may escalate directly to the SIC.
The SIC: Colombia's Data Protection Authority
The Superintendencia de Industria y Comercio (SIC) is Colombia's national data protection authority. Within the SIC, the Deputy Superintendence for the Protection of Personal Data handles enforcement, investigation, and guidance.
Powers and Functions
The SIC has broad authority to:
- Investigate complaints filed by data subjects
- Conduct inspections and audits of data controllers and processors
- Issue binding instructions and guidelines (circulars)
- Impose administrative sanctions including fines and operational restrictions
- Order the temporary or permanent suspension of data processing activities
- Maintain the National Registry of Databases (Registro Nacional de Bases de Datos, or RNBD)
National Registry of Databases (RNBD)
One of Colombia's distinctive requirements is the RNBD registration obligation. Companies and nonprofit entities with total assets exceeding 100,000 UVT (Unidades de Valor Tributario, approximately USD 1.1 million) and all public entities must register their databases with the SIC.
For 2025, the registration update window ran from February 2 to March 31. Entities must also report claims filed by data subjects and update their registry entries within 10 business days of any substantial change. New databases must be registered within two months of creation.
Penalties and Sanctions
Law 1581 gives the SIC a graduated enforcement toolkit:
Monetary Fines
The maximum fine is 2,000 times the monthly legal minimum wage (SMMLV). With Colombia's 2026 minimum wage set at COP 1,750,905, the maximum fine reaches approximately COP 3.5 billion (roughly USD 830,000). The SIC considers several factors when setting fine amounts: the severity of the infraction, the volume of data affected, the duration of non-compliance, and the organization's level of cooperation.
Operational Sanctions
- Temporary suspension: The SIC can halt all data processing activities related to the violation for up to six months
- Permanent cessation: In cases of severe or repeated violations, the SIC can order the permanent closure of data processing operations
- Database closure: The SIC can order the definitive closure of a non-compliant database
Enforcement Trends
The SIC reported a 22% increase in sanctions in 2024 compared to the previous year. Enforcement priorities have expanded to cover emerging technologies: Circular 002 of 2024 established binding guidelines for AI systems that process personal data, requiring privacy impact assessments, differential privacy techniques, and compliance verification before collection begins.
The most high-profile enforcement action came in October 2025, when the SIC issued Resolution 78798 ordering the immediate and permanent shutdown of World Foundation and Tools for Humanity (Worldcoin) operations in Colombia. The seven-month investigation found that Worldcoin collected biometric iris scans from nearly two million Colombians without fully informed consent, using financial incentives that the SIC deemed coercive. The SIC ordered deletion of all biometric data and prohibited both entities from any further data processing in Colombia.
Breach Notification Requirements
Under Sections 17 and 18 of Law 1581, both data controllers and data processors have a duty to notify the SIC in case of a security breach that affects personal data of Colombian residents.
Notification Timeline
Breaches must be reported to the SIC within 15 business days of detection. For databases registered in the RNBD, the notification is submitted through the RNBD portal.
Scope of the Obligation
The notification requirement applies to any type of personal data. Colombian law does not impose a harm threshold, meaning that all security incidents affecting personal data must be reported regardless of whether actual damage has occurred.
Notice to Affected Individuals
There is no specific statutory deadline for notifying affected individuals. However, the SIC has stated that one purpose of individual notification is to give data subjects tools to mitigate potential harm (such as changing passwords or monitoring financial accounts). The SIC expects notification within a reasonable timeframe and has indicated that unreasonable delays could constitute an aggravating factor in enforcement proceedings.
Cross-Border Data Transfers
Article 26 of Law 1581 generally prohibits transferring personal data to countries that do not provide an adequate level of data protection.
Countries with Adequate Protection
The SIC maintains an official list of countries deemed to have adequate data protection standards. As of 2025, the list includes: all European Union and European Economic Area member states, the United States, the United Kingdom, Canada, Japan, South Korea, Mexico, Peru, Serbia, Costa Rica, and Australia.
Transfers to Non-Adequate Countries
When a transfer must go to a country not on the adequate list, the data controller needs either:
- A Declaration of Conformity (declaración de conformidad) from the SIC
- A valid statutory exception, including:
  - Express, informed consent from the data subject who has been told about the lack of adequate protection
  - International medical data transfers for health treatment
  - Bank transfers and international commercial transactions
  - Transfers required by international treaties to which Colombia is a party
  - Transfers necessary for contract performance in the data subject's interest
Model Contractual Clauses
In December 2025, the SIC issued Circular Externa No. 003 of 2025, introducing model contractual clauses for international transfers and transmissions of personal data. This development brings Colombia's cross-border transfer framework closer to the European model and provides organizations with a standardized mechanism for transfers to non-adequate jurisdictions.
Law 1266 of 2008: Financial Habeas Data
Alongside Law 1581, Colombia maintains a specialized regime for financial data under Ley 1266 de 2008. This law regulates the processing of financial, credit, commercial, and service-related data collected in databases.
Under Law 1266, financial data processing does not require prior consent from the data subject in most cases. However, data subjects retain the right to access, update, and rectify their credit information. The law sets specific time limits for how long negative financial information can remain in databases.
Law 1266 was amended by Law 2157 of 2021, which introduced the key reform that negative credit data must be erased immediately or as promptly as possible once the underlying debt has been resolved.
Artificial Intelligence and Emerging Technology
Colombia has been proactive in extending its data protection framework to cover AI. The SIC's Circular 002 of 2024 applies to all data controllers, processors, and users that develop or use AI systems based on personal data.
The circular requires:
- Adherence to principles of necessity, suitability, reasonableness, and proportionality when using AI to process personal data
- A privacy impact assessment before initiating any AI-related data processing, with minimum content requirements specified in the circular
- Secure processing environments that comply with existing regulations before data collection begins
- Implementation of differential privacy techniques where feasible to prevent re-identification of data subjects
- Transparency about the use of AI in data processing decisions
This positions Colombia as one of the first Latin American countries to issue binding regulatory guidance specifically addressing AI and personal data.
Compliance Checklist for Organizations
Organizations processing personal data in Colombia should ensure they meet these requirements:
- Obtain valid consent: Prior, express, and informed authorization for all data processing
- Adopt a privacy policy: Comprehensive internal policy meeting Decree 1377 requirements
- Provide privacy notices: Clear notice to data subjects at the time of collection
- Register databases: Register with the RNBD if the organization meets the asset threshold
- Appoint a data protection officer: Designate a person or department responsible for data protection
- Implement security measures: Technical, human, and administrative safeguards for all personal data
- Establish complaint procedures: Internal processes for data subjects to exercise their rights within statutory deadlines
- Prepare a breach response plan: Procedures to detect, investigate, and report breaches within 15 business days
- Audit cross-border transfers: Verify that all international transfers go to adequate countries or have a valid legal basis
- Conduct AI impact assessments: If using AI systems, complete the required privacy impact assessment
Sources and References
- Constitución Política de Colombia 1991 — Artículo 15 (Derecho a la intimidad y habeas data) (constituteproject.org)
- Ley Estatutaria 1581 de 2012 — Disposiciones generales para la protección de datos personales (sic.gov.co)
- Decreto 1377 de 2013 — Reglamentación parcial de la Ley 1581 de 2012 (sic.gov.co)
- Superintendencia de Industria y Comercio — Deputy Superintendence for the Protection of Personal Data (sic.gov.co)
- SIC — Sanciones Protección de Datos Personales 2024 (sic.gov.co)
- Ley 1266 de 2008 — Habeas Data financiero (sic.gov.co)
- Holland & Knight — Data Protection in Colombia: Sanctions, NEW SIC Rules and the Impact of Artificial Intelligence (2025) (hklaw.com)
- Holland & Knight — Obligations of the National Registry of Personal Databases Before the SIC in Colombia for 2025 (hklaw.com)
- DLA Piper — Data Protection Laws of the World: Colombia (dlapiperdataprotection.com)
- CMS Expert Guide — Data protection and cybersecurity laws in Colombia (cms.law)
- Baker McKenzie — Colombia: 2026 update on minimum wage and allowances (bakermckenzie.com)
- IAPP — Colombia introduces new model contractual clauses (Circular Externa No. 003 of 2025) (iapp.org)
- Baker McKenzie — Security Requirements and Breach Notification in Colombia (bakermckenzie.com)
- Privacy International — State of Privacy Colombia (privacyinternational.org)