Colombia Data Privacy Laws: Law 1581 and Habeas Data Guide (2026)

Colombia's personal data protection is grounded in Article 15 of the 1991 Constitution, which establishes habeas data as a fundamental right. Law 1581 of 2012 builds on that foundation, requiring prior, express, and informed consent before any personal data may be collected or processed, with enforcement by the Superintendencia de Industria y Comercio.
What Is Colombia's Data Protection Law?
Colombia protects personal data through a layered regime: a constitutional guarantee in Article 15 of the 1991 Political Constitution, two primary statutes (Law 1581 of 2012 for general data and Law 1266 of 2008 for financial data), implementing regulations in Decree 1377 of 2013, and binding circulars issued by the Superintendencia de Industria y Comercio (SIC). The framework is one of the most developed in Latin America, notable for treating data protection not as a statutory privilege but as a fundamental constitutional right called habeas data. Any company collecting, storing, or processing the personal data of Colombian residents must comply with Law 1581 regardless of where the company is incorporated.
Jurisdiction scope: This article covers Colombia's national data protection framework, including Law 1581 of 2012, Decree 1377 of 2013, Law 1266 of 2008, SIC enforcement circulars, and pending legislative reform. It does not address Colombia's recording consent laws or the separate data protection regimes of Argentina, Chile, or Brazil.

Constitutional Foundation: Habeas Data as a Fundamental Right
Colombia's approach to data privacy is distinctive in Latin America because it starts at the constitutional level. Article 15 of the Political Constitution of 1991 guarantees every person the right to personal and family privacy and to their good name. More importantly, Article 15 establishes what Colombian law calls habeas data: the specific right to know, update, and rectify any information collected about an individual in databases or records maintained by public or private entities. This is not a statutory afterthought. It is a fundamental constitutional right that carries the same weight as freedom of expression or due process.
Article 20 of the Constitution reinforces this framework by guaranteeing the right to receive truthful and impartial information. Together, these two provisions create a constitutional mandate that Congress was required to implement through legislation. Because the mandate flows from the Constitution itself, the implementing statute required the elevated legislative form of a ley estatutaria, subject to mandatory advance review by the Constitutional Court of Colombia before taking effect.
Key Constitutional Court Decisions
The Constitutional Court has built a substantial body of habeas data jurisprudence since 1992. Four decisions anchor the field:
- Sentence T-414 of 1992 first recognized that personal financial data protection constitutes an individual freedom the Court called "information processing liberty," distinct from the general right to privacy.
- Sentence T-022 of 1993 extended the analysis to the collection and circulation of financial information, framing it as a privacy problem amenable to constitutional protection through the tutela mechanism.
- Sentence C-748 of 2011 reviewed the constitutionality of the draft ley estatutaria that became Law 1581, interpreting many of the statute's core provisions before they came into force. This pre-clearance ruling is binding on all courts and public authorities.
- Sentence T-260 of 2012 held that opening a Facebook account in a child's name without parental consent violated the child's fundamental rights to data privacy and to honour. The Court ordered immediate cancellation of the account, applying the constitutional principle that children's rights prevail over others' rights in cases of conflict.
The significance of constitutional-level protection is procedural as well as substantive. A data subject does not have to wait through months of administrative proceedings before the SIC. Any person who believes their habeas data rights have been violated may file a tutela directly with any court. Under Article 86 of the Constitution, the court must rule within 10 days.
Law 1581 of 2012: The Core Data Protection Statute
Congress fulfilled its constitutional mandate by enacting Ley Estatutaria 1581 de 2012, which established the general framework for personal data protection in Colombia. The statute applies to all personal data recorded in any database that can be processed by public or private entities within Colombian territory. It also applies extraterritorially when the data of Colombian residents is processed abroad.
Data Categories Under Law 1581
The law distinguishes four categories of data, each carrying different protections:
| Category | Definition | Examples | Consent Required |
|---|---|---|---|
| Public data | Not semi-private, private, or sensitive | Public records, gazette publications | No |
| Semi-private data | Not intimate; access limited to specific persons or purposes | Financial and credit information | Governed by Law 1266/2008 |
| Private data | Intimate in nature; relevant only to the data subject | Personal correspondence, private messages | Yes |
| Sensitive data | Affects the most intimate sphere; risk of discrimination | Race, health, sexual orientation, biometrics, political opinions | Yes, with higher clarity standard |
Core Processing Principles
Law 1581 establishes eight principles that govern all data processing:
- Legality: Processing must comply with applicable laws.
- Purpose limitation: Data may only be collected for a legitimate, specific purpose communicated to the data subject.
- Freedom: Processing requires the data subject's prior, express, and informed consent.
- Truthfulness: Information must be accurate, complete, and up to date.
- Transparency: The data subject has the right to obtain information about their data at any time.
- Restricted access: Only authorized persons may process the data.
- Security: Data must be protected with technical, human, and administrative measures.
- Confidentiality: All persons involved in processing must maintain confidentiality, even after the processing relationship ends.
Consent Requirements Under Colombian Law
Consent is the cornerstone of Colombia's data protection regime. Article 9 of Law 1581 requires that data subjects provide prior, express, and informed authorization before their personal data can be collected or processed.
What Makes Consent Valid
Colombian law demands that consent meet four criteria:
- Prior: Authorization must be obtained before data collection begins, not after.
- Express: The data subject must actively indicate consent through a clear affirmative action.
- Informed: The data controller must explain what data will be collected, why, and how it will be used.
- Revocable: Data subjects can withdraw their consent at any time and for any reason.
Implicit or tacit consent is not sufficient. Pre-ticked boxes, consent buried in lengthy terms of service, or assumptions of consent from continued use of a service do not meet the standard set by the SIC. The Worldcoin enforcement action of October 2025 illustrated this directly: the SIC found that financial incentives used to induce iris scan collection rendered consent coercive and therefore legally invalid under Article 9 of Law 1581.
Exceptions to the Consent Requirement
Law 1581 recognizes limited exceptions where consent is not required:
- Information required by a public or administrative entity in the exercise of its legal functions.
- Data related to civil registry information.
- Medical or health emergencies where obtaining consent is not practicable.
- Processing authorized by law for historical, statistical, or scientific purposes.
- Data related to the public registry of commercial documents.
Sensitive Data: Heightened Protection
Article 5 of Law 1581 defines sensitive data as information that could lead to discrimination. This includes data revealing racial or ethnic origin, political orientation, religious beliefs, philosophical convictions, membership in trade unions or human rights organizations, health information, sexual life, and biometric data.
Processing sensitive data is generally prohibited. The exceptions are narrow: explicit consent from the data subject (with a higher clarity standard than general consent), processing necessary to protect a vital interest, processing by a nonprofit for its members within its lawful purposes, data related to civil registry, and processing required for the recognition or defense of a right in judicial proceedings.

Decree 1377 of 2013: Implementation Regulations
On June 27, 2013, the executive branch issued Decreto 1377 de 2013 to implement the operational requirements of Law 1581. This decree fills in the practical details the statute left to regulation.
Privacy Policy Requirements
Decree 1377 requires every data controller and processor to adopt a personal data management program (programa integral de gestión de datos personales). This internal policy must include at minimum:
- Identification of the data controller.
- Description of the purposes and methods of data processing.
- The rights of data subjects and how to exercise them.
- Identification of the person or department responsible for data protection.
- Procedures for data subjects to file queries and complaints.
- The timeframe for which the policy applies.
Privacy Notice
Beyond the internal policy, Decree 1377 requires controllers to provide a privacy notice (aviso de privacidad) to data subjects at the time of collection. This notice must clearly state the controller's identity, the data being collected, the purpose of collection, and the data subject's rights. The notice requirement is independent of the consent requirement: notice must be given even in circumstances where consent is not required.
Documentation Obligations
Controllers must maintain documented evidence of the authorization obtained from each data subject. This proof must be available for inspection by the SIC at any time. The SIC has made documented consent a focus of enforcement audits since 2022, and the absence of documented authorization was one of several violations cited in the Worldcoin investigation.
Data Subject Rights (ARCO Rights and Beyond)
Colombian data protection law grants data subjects a comprehensive set of rights, often referred to as ARCO rights (Access, Rectification, Cancellation, Opposition) in the Latin American tradition:
- Right to access: Individuals can request copies of all personal data held about them at no charge.
- Right to update: Data subjects can demand that inaccurate or incomplete information be corrected.
- Right to rectification: Specifically addresses errors in databases, including the correction of false or misleading entries.
- Right to erasure: Individuals may request deletion of their data when consent is revoked or when processing is no longer necessary for the stated purpose.
- Right to revoke consent: Data subjects can withdraw their authorization at any time and for any reason, without prejudice.
- Right to object: Individuals can object to data processing for direct marketing or profiling purposes.
- Right to file complaints: Data subjects can file claims with the SIC when their rights are violated.
Controllers must respond to access requests within 10 business days and to complaints or rectification requests within 15 business days. If the controller cannot resolve the issue within those periods, the data subject may escalate directly to the SIC.
Watch out: The pending reform bills 214/2025 and 274/2025 would add three new rights not currently in Law 1581: the right not to be subject to solely automated decisions, the right to data portability, and the right to restrict processing. Organizations should begin preparing for these rights now, as the bills advanced through the First Constitutional Commission of the House of Representatives in late 2025.
The SIC: Colombia's Data Protection Authority
The Superintendencia de Industria y Comercio (SIC) is Colombia's national data protection authority. Within the SIC, the Deputy Superintendence for the Protection of Personal Data handles enforcement, investigation, and regulatory guidance. The SIC is a multi-function regulator, also overseeing consumer protection and competition law, but its data protection division operates with independent enforcement authority under Law 1581.
Powers and Functions
The SIC has broad authority under Law 1581 to:
- Investigate complaints filed by data subjects.
- Conduct inspections and audits of data controllers and processors, with or without prior notice.
- Issue binding instructions and guidelines (circulars).
- Impose administrative sanctions including monetary fines and operational restrictions.
- Order the temporary or permanent suspension of data processing activities.
- Maintain the National Registry of Databases (RNBD).
- Declare whether a foreign country provides adequate data protection for transfer purposes.
National Registry of Databases (RNBD)
One of Colombia's most distinctive requirements is the RNBD registration obligation. The RNBD is a publicly accessible directory of personal databases operating in Colombia, managed by the SIC and viewable by any citizen. Registration serves both transparency and regulatory oversight purposes.
Who must register: Companies and nonprofit entities with total assets exceeding 100,000 UVT (Unidades de Valor Tributario, approximately USD 1.1 million or COP 5 billion at 2025 values) and all public entities must register their databases.
Annual update window: For 2025, the window ran from February 2 to March 31. The SIC establishes a similar window each year; failing to update within the prescribed period is an independent infraction.
Ongoing obligations: Entities must report claims filed by data subjects and update their registry entries within 10 business days of any substantial change. New databases must be registered within two months of creation.
Breach portal: For RNBD-registered entities, security breach notifications to the SIC must be submitted through the RNBD portal.
Penalties and SIC Enforcement
Law 1581 gives the SIC a graduated enforcement toolkit, and the authority has used it with increasing frequency since 2022.

Monetary Fines Under Current Law
The maximum fine is 2,000 times the monthly legal minimum wage (SMMLV). With Colombia's 2026 minimum wage set at COP 1,750,905, the ceiling reaches approximately COP 3.5 billion (roughly USD 830,000). The SIC weighs several factors when setting fine amounts: the severity of the infraction, the volume of data affected, the duration of non-compliance, whether the violation involved sensitive data, and the organization's level of cooperation during investigation.
Operational Sanctions
Beyond fines, the SIC may impose:
- Temporary suspension: Halt of all data processing activities related to the violation for up to six months.
- Permanent cessation: In cases of severe or repeated violations, permanent closure of data processing operations.
- Database closure: Definitive closure and deletion of a non-compliant database.
Enforcement Trends
The SIC reported a 22% increase in sanctions in 2024 compared to the previous year. Enforcement priorities have expanded from traditional consent-and-notice violations to cover emerging technologies, cross-border transfers, and biometric data collection.
The most high-profile enforcement action in the SIC's history came on October 3, 2025, when the SIC issued Resolution 78798 ordering the immediate and permanent shutdown of World Foundation and Tools for Humanity (Worldcoin) operations in Colombia. The investigation, which ran for seven months, found that Worldcoin had collected biometric iris scans from nearly two million Colombians without fully informed or freely given consent. Key violations included: no Colombia-specific privacy addendum (while addenda existed for the EU, Japan, Argentina, and Peru); failure to disclose the Secure Multi-Party Computation protocol used to fragment and store iris codes with third parties; and use of financial incentives the SIC found rendered consent coercive. The SIC ordered deletion of all biometric data collected in Colombia since operations began and prohibited both entities from any further data processing in Colombia. World Foundation announced it would file legal appeals, stating the resolution had a suspensive effect pending review.
Breach Notification Requirements
Under Sections 17 and 18 of Law 1581, both data controllers and data processors have a duty to notify the SIC in case of a security incident that affects personal data of Colombian residents.
Notification Timeline and Process
Breaches must be reported to the SIC within 15 business days of detection. For databases registered in the RNBD, the notification is submitted through the RNBD portal. The report must describe the nature of the incident, the categories and approximate volume of data affected, the likely consequences, and the measures taken or proposed.
No Harm Threshold
Colombian law does not impose a harm threshold. All security incidents affecting personal data must be reported to the SIC regardless of whether actual damage has occurred or is likely. This is a stricter standard than many comparable regimes and has caught foreign-headquartered companies off guard.
Notice to Affected Individuals
There is no specific statutory deadline for notifying affected individuals. However, the SIC has stated that individual notification should allow data subjects to take protective measures, and has indicated that unreasonable delays in individual notification can constitute an aggravating factor in enforcement proceedings.
Cross-Border Data Transfers
Article 26 of Law 1581 generally prohibits transferring personal data to countries that do not provide an adequate level of data protection. The SIC assesses adequacy based on whether a receiving country's legal framework provides protections at least equivalent to those under Colombian law.
Countries the SIC Has Recognized as Adequate
The SIC has issued adequacy determinations for the following jurisdictions (as of 2025): all EU and EEA member states, the United States, the United Kingdom, Canada, Japan, South Korea, Mexico, Peru, Serbia, Costa Rica, and Australia. Transfers to these countries do not require additional authorization beyond the underlying consent and notice obligations of Law 1581.
Transfers to Non-Adequate Countries
When a transfer must go to a country not on the adequate list, the data controller must use one of the following mechanisms:
- A Declaration of Conformity (declaración de conformidad) issued by the SIC based on an analysis of the recipient's data protection practices.
- A valid statutory exception under Article 26(3) of Law 1581, including: express, informed consent from the data subject who has been specifically advised of the absence of adequate protection in the destination country; international medical data transfers for health treatment; bank transfers and international commercial transactions; transfers required by international treaties to which Colombia is a party; or transfers necessary for contract performance in the data subject's interest.
Model Contractual Clauses (December 2025)
On December 19, 2025, the SIC issued Circular Externa No. 003 of 2025, introducing voluntary model contractual clauses for international transfers and transmissions of personal data. Adoption of the clauses is facultative, but once a controller or processor chooses to use them, the obligations in the clauses become binding and failure to comply can constitute a breach of Law 1581. The circular brings Colombia's transfer framework significantly closer to the European model of standard contractual clauses and provides organizations with a well-defined compliance path for transfers to countries not on the adequate list.
Law 1266 of 2008: Financial Habeas Data
Alongside Law 1581, Colombia maintains a specialized regime for financial data under Ley 1266 de 2008. This law governs the processing of financial, credit, commercial, and service-related data collected in credit bureaus and similar databases.
Under Law 1266, financial data processing generally does not require prior consent from the data subject. However, data subjects retain the right to access, update, and rectify their credit information. The law specifies how long negative financial information can remain in databases: the permanence period is twice the duration of the underlying debt default, with a maximum of four years.
Law 1266 was amended by Law 2157 of 2021, which introduced a significant reform: negative credit data must be erased immediately once the underlying debt has been paid or otherwise resolved, regardless of any remaining permanence period. This amendment responded to longstanding complaints that credit bureau data remained accurate in origin but outdated in practice, hindering consumers who had resolved debts from accessing credit markets.
The SIC enforces both Law 1266 and Law 1581 through the same Deputy Superintendence for the Protection of Personal Data.
Artificial Intelligence and the SIC's Technology-Specific Guidance
Colombia has moved faster than most Latin American countries to issue binding regulatory guidance for AI systems that process personal data. Two circulars anchor this framework.
Circular 002 of 2024: AI Systems
The SIC issued Circular Externa No. 002 of August 21, 2024 to establish guidelines for personal data processed through AI systems. The circular applies to all data controllers, processors, and users that develop or deploy AI systems that use personal data. Key requirements include:
- Adherence to the principles of necessity, suitability, reasonableness, and proportionality when designing AI data pipelines.
- A privacy impact assessment (estudio de impacto en privacidad) must be completed before initiating any AI-based data collection, with minimum content requirements specified in the circular.
- Secure processing environments that comply with existing data protection regulations must be in place before collection begins, not after.
- Implementation of differential privacy techniques where feasible to prevent re-identification of data subjects in aggregate analysis.
- Transparency obligations: data subjects must be informed when AI systems are used to process their data.
Circular 001 of 2025: Fintech and Financial Services
On September 18, 2025, the SIC issued Circular Externa No. 001 of 2025, establishing binding guidelines for the processing of personal data in the fintech ecosystem. The circular applies to digital financial products and services including electronic wallets, SEDPE (electronic payment deposit specialists), low-amount deposit services, and acquiring services. It also covers any natural or legal person conducting credit, deposit, or quasi-financial services using technological means, even if not supervised by the Financial Superintendence of Colombia.
Key requirements under Circular 001 of 2025:
- Data minimization: Companies may only collect information that is strictly necessary and proportionate to the service purpose.
- Consent clarity: When requesting authorization, companies must clearly distinguish between consent essential to service delivery and accessory purposes such as marketing campaigns or additional product offers. Bundled consent does not satisfy Law 1581.
- Biometric data: Controllers must obtain explicit authorization for biometric data used in authentication or fraud prevention, apply data minimization principles, and implement additional security measures beyond the baseline Law 1581 standard.
- Automated decisions: Where automated systems produce decisions affecting data subjects, the company must provide information about the logic involved and ensure a human review mechanism exists.
- Security measures: Controls must be evaluated and documented periodically, with a demonstrable accountability record available for SIC inspection.
Pending Reform: Modernizing Law 1581 Toward GDPR Alignment
The national government and the SIC have acknowledged that Law 1581, in force since 2012, does not adequately address the data processing realities of 2025 and beyond. In August 2025, SIC Superintendent Cielo Rusinque stated publicly that reform of the statutory law framework is necessary. Two bills were filed in the House of Representatives in late August 2025.
The Reform Bills
Bill 214/2025 was promoted by a group of congress members allied with the executive branch and filed on August 22, 2025. Bill 274/2025 was filed jointly by the Ministries of Commerce, Industry and Tourism and of Science, Technology and Innovation on August 27, 2025. Both bills propose substantial amendments to Law 1581. The First Permanent Constitutional Commission of the House consolidated the two bills for joint review and approved a combined measure in late October 2025. The combined bill must still complete additional legislative rounds and, because it amends a ley estatutaria, requires constitutional review by the Constitutional Court before it can take effect. No passage date has been confirmed as of May 2026.
Key Proposed Changes
Both bills would introduce:
- Extended territorial scope: The law would apply to any controller or processor that offers goods or services to persons in Colombia or monitors their behavior, regardless of domicile, mirroring the GDPR's Article 3(2) approach.
- Mandatory local representative: Foreign controllers or processors subject to the extended scope must appoint a local representative in Colombia.
- New legal bases: Beyond consent, the bills would recognize contract performance, compliance with a legal obligation, protection of vital interests, performance of a task in the public interest, and legitimate interests as valid legal bases for processing.
- Accountability principle: Controllers would be required to demonstrate proactive compliance rather than merely comply reactively.
- New data subject rights: Right not to be subject to solely automated decisions with significant effects; right to data portability; right to restriction of processing; right to object to processing.
- Strengthened children's protections: Heightened requirements for processing the data of minors.
- Updated penalty regime: Both bills propose fines of up to 5% of the violator's annual operational revenues. Bill 214/2025 caps fines at 4,000 SMMLV (approximately USD 1.46 million at 2026 wage rates); Bill 274/2025 caps them at 10,000 SMMLV (approximately USD 3.65 million). Either would represent a significant increase over the current 2,000 SMMLV ceiling.
Watch out: Until the reform bills complete the full legislative and constitutional review process, Law 1581 of 2012 and Decree 1377 of 2013 remain the operative legal framework. Compliance programs should be built on current law, with a documented review scheduled when the combined bill's status becomes clear.
Business Compliance: What Organizations Must Do
Organizations processing personal data in Colombia should satisfy all of the following:
- Obtain valid authorization: Prior, express, and informed consent for all data processing. Document it.
- Adopt a privacy policy: A comprehensive internal policy meeting Decree 1377 requirements, covering all active databases.
- Provide privacy notices: Clear, readable notice to data subjects at the time of collection identifying the controller, purposes, data collected, and rights.
- Register databases with the RNBD: Required if the organization's assets exceed 100,000 UVT or if it is a public entity. Annual update window must not be missed.
- Appoint a responsible person or department: Designate and name the data protection function in internal policy and in RNBD filings.
- Implement layered security measures: Technical, administrative, and physical controls. Document and periodically evaluate them.
- Establish internal complaint procedures: Processes allowing data subjects to exercise ARCO rights within the statutory deadlines (10 business days for access; 15 for complaints).
- Maintain a breach response plan: Procedures to detect, investigate, and report to the SIC within 15 business days of detection. No harm threshold applies.
- Audit cross-border transfers: Verify that all international transfers flow to adequate countries or have a valid legal mechanism. Circular 003/2025 model clauses are available for non-adequate transfers.
- Conduct AI privacy impact assessments: Mandatory under Circular 002/2024 before any AI-based personal data collection begins.
- Fintech-specific controls: If offering digital financial services, review Circular 001/2025 requirements on data minimization, biometric authorization, consent clarity, and automated decision-making.
- Monitor reform bill progress: When the combined bill passes and receives Constitutional Court clearance, update the compliance program for new legal bases, new data subject rights, and the revised penalty regime.
Frequently Asked Questions
Does Colombia's data protection law apply to foreign companies?
Yes. Law 1581 of 2012 applies to any entity, whether Colombian or foreign, that processes personal data of individuals located in Colombia. If your company collects, stores, or uses the personal information of Colombian residents, you must comply with Law 1581 regardless of where your company is incorporated or where its servers are located. The pending reform bills would extend this reach further by explicitly applying the law to any controller that offers goods or services to persons in Colombia or monitors their behavior, mirroring the GDPR's extraterritorial approach.
What is habeas data in Colombia?
Habeas data is a fundamental constitutional right established in Article 15 of Colombia's 1991 Political Constitution. It gives every person the right to know what personal information is held about them in public or private databases, to update that information, and to rectify inaccurate entries. Unlike in countries where data protection is purely a statutory right, Colombia's constitutional-level protection means individuals can enforce habeas data immediately by filing a tutela (constitutional writ) with any court, which must rule within 10 days.
What is the difference between Law 1581 and Law 1266 in Colombia?
Law 1581 of 2012 is the general data protection statute covering all types of personal data across all sectors. Law 1266 of 2008 is a specialized regime covering financial, credit, and commercial data used in credit reporting databases. Law 1266 does not require prior consent for processing in most cases but sets specific time limits for retention of negative credit information, including immediate erasure once the underlying debt is resolved (as amended by Law 2157 of 2021). Both laws are enforced by the SIC.
How much can the SIC fine a company for data protection violations in Colombia?
Under current Law 1581, the SIC can impose fines of up to 2,000 times the monthly legal minimum wage (SMMLV). Based on the 2026 SMMLV of COP 1,750,905, the maximum fine is approximately COP 3.5 billion (roughly USD 830,000). Beyond fines, the SIC can suspend data processing for up to six months or order permanent cessation in severe cases. If the pending reform bills become law, the maximum fine would rise to 5% of annual operational revenues, capped at between 4,000 and 10,000 SMMLV depending on which bill's text prevails.
Can I transfer personal data from Colombia to the United States?
Yes. The United States is among the countries the SIC has recognized as providing adequate data protection, so personal data transfers from Colombia to US recipients are permitted without additional SIC authorization. The data controller must still comply with all other requirements of Law 1581, including valid consent for the underlying processing and contractual or operational assurances that the US-based recipient maintains appropriate security measures.
What are Colombia's model contractual clauses for cross-border transfers?
In December 2025, the SIC issued Circular Externa No. 003 of 2025 introducing voluntary model contractual clauses for international transfers and transmissions of personal data to countries not on the SIC's adequacy list. Use of the clauses is optional, but once adopted they become binding. The mechanism parallels the EU's standard contractual clauses and provides a more predictable compliance path than the Declaration of Conformity process, which requires case-by-case SIC review.
What happened with Worldcoin in Colombia?
On October 3, 2025, the SIC issued Resolution 78798 ordering the immediate and permanent shutdown of all data processing operations by World Foundation and Tools for Humanity (Worldcoin) in Colombia. After a seven-month investigation, the SIC found that Worldcoin had collected biometric iris scans from nearly two million Colombians without fully informed or freely given consent: there was no Colombia-specific privacy addendum despite such addenda existing for other jurisdictions, financial incentives rendered consent coercive, and the company failed to disclose the Secure Multi-Party Computation protocol used to store iris codes with third parties. The SIC ordered deletion of all biometric data collected in Colombia. World Foundation announced legal appeals.
What does Colombia's AI data protection circular require?
SIC Circular 002 of August 21, 2024 applies to all controllers, processors, and users that develop or deploy AI systems using personal data. It requires: (1) a privacy impact assessment before any AI-based data collection begins; (2) adherence to the principles of necessity, suitability, reasonableness, and proportionality; (3) secure processing environments compliant with existing law before collection starts; (4) implementation of differential privacy techniques where feasible; and (5) transparency with data subjects about AI use in processing decisions. Violation of the circular's instructions can constitute a breach of Law 1581.
What new rights would Colombia's reform bills add for data subjects?
The combined reform bill consolidating Bills 214/2025 and 274/2025 passed the First Constitutional Commission of the House of Representatives in late October 2025 and awaits further legislative rounds. It would add: the right not to be subject to solely automated decisions with significant effects; the right to data portability; and the right to restrict processing. The bills would also introduce new legal bases beyond consent, including contract performance and legitimate interests, bringing Colombia's framework much closer to the GDPR. No enactment date has been confirmed as of May 2026.
Sources and References
- Constitución Política de Colombia 1991 — Artículo 15 (Derecho a la intimidad y habeas data) (constituteproject.org)
- Función Pública — Ley 1581 de 2012 (Ley Estatutaria de Protección de Datos Personales) (funcionpublica.gov.co)
- Superintendencia de Industria y Comercio — Protección de Datos Personales (Ley 1581 de 2012 y Decreto 1377 de 2013) (sic.gov.co)
- SIC — Deputy Superintendence for the Protection of Personal Data (sic.gov.co)
- SIC — Circular Externa No. 002 de 2024: Lineamientos sobre el Tratamiento de Datos Personales en Sistemas de Inteligencia Artificial (sedeelectronica.sic.gov.co)
- SIC — Circular Externa No. 001 de 2025: Lineamientos para el tratamiento de datos personales en el ecosistema Fintech (sedeelectronica.sic.gov.co)
- SIC — Sanciones Protección de Datos Personales 2024 (sic.gov.co)
- SIC — ABC del Proyecto de Ley de Protección de Datos Personales en Colombia (sedeelectronica.sic.gov.co)
- Baker McKenzie — Colombia: 2026 update on minimum wage and allowances (bakermckenzie.com)
- Baker McKenzie — Security Requirements and Breach Notification in Colombia (resourcehub.bakermckenzie.com)
- Holland and Knight — Data Protection in Colombia: Sanctions, New SIC Rules and the Impact of Artificial Intelligence (2025) (hklaw.com)
- Holland and Knight — Obligations of the National Registry of Personal Databases Before the SIC in Colombia for 2025 (hklaw.com)
- IAPP — Colombia introduces new model contractual clauses (Circular Externa No. 003 of 2025) (iapp.org)
- Allende and Brea — New bills to amend Colombia data protection law introduced in Congress (Bills 214/2025 and 274/2025) (allende.com)
- DataGuidance — Colombia: House Committee approves combined bill to amend data protection law (dataguidance.com)
- Biometric Update — Colombia orders World shut-down, citing biometrics compliance failures (Resolution 78798, October 3, 2025) (biometricupdate.com)
- DLA Piper — Data Protection Laws of the World: Colombia (dlapiperdataprotection.com)
- Privacy International — State of Privacy Colombia (privacyinternational.org)