Costa Rica Data Privacy Laws: Law 8968 Compliance Guide (2026)

Costa Rica holds the distinction of being one of the first countries in Central America to adopt comprehensive data protection legislation. Law 8968, formally titled the Law on the Protection of Individuals Regarding the Processing of Their Personal Data (Ley de Protección de la Persona frente al Tratamiento de sus Datos Personales), was enacted on July 7, 2011, and took effect on September 5, 2011.
The law builds on Costa Rica's constitutional right to privacy, established in Article 24 of the Constitution. Executive Decree 37554-JP, published in 2013, provides the implementing regulations that detail the operational requirements of Law 8968.
This guide covers the full scope of Costa Rica's data privacy framework, including the rights of data subjects, the role of PRODHAB, consent requirements, cross-border transfer rules, and enforcement mechanisms.
Overview of Law 8968
Law 8968 applies to personal data held in automated and manual databases in both the public and private sectors. The law regulates the processing of personal data by any natural or legal person, whether public or private, that operates within Costa Rican territory.
The legislation establishes several core principles that govern all data processing activities: informed consent, purpose limitation, data quality, security, and the right to self-determination over personal information.
Scope and Application
The law applies to databases and data processing activities carried out within Costa Rica. It covers data processed by Costa Rican entities as well as entities located outside Costa Rica that process data of individuals within the country.
Exemptions include databases maintained by natural persons for exclusively private or domestic activities, databases created for national security purposes (subject to specific legal frameworks), and journalistic databases used exclusively for media purposes.
Key Definitions
Personal data (datos personales): Any data concerning an identified or identifiable natural person.
Sensitive data (datos sensibles): Data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, or union membership; information about health or sexual life; and biometric data used for identification purposes.
Database (base de datos): Any organized set of personal data that allows access to data according to specific criteria, whether centralized, decentralized, or distributed.
Data processing (tratamiento de datos): Any operation or set of operations performed on personal data, including collection, recording, storage, modification, consultation, use, communication, transfer, or destruction.
Responsible party (responsable de la base de datos): The natural or legal person, whether public or private, that decides on the purpose and content of a database.
Consent Requirements
Consent is the cornerstone of Costa Rica's data protection framework. Law 8968 requires that data processing be based on the informed, express, and freely given consent of the data subject.
General Consent Standards
For ordinary personal data, consent must be informed (the data subject must know the purpose and scope of processing), express (implied consent is not sufficient), and free (given without coercion or deception). The data subject must be informed of the identity of the responsible party, the purpose of the processing, and the potential recipients of the data.
Sensitive Data Consent
Processing of sensitive data requires a higher standard: written consent. The data subject must explicitly authorize the processing in writing, and the consent must specify the particular sensitive data being processed and the purpose.
Sensitive data may be processed without written consent only in limited circumstances: when required by law for reasons of general interest, when necessary for the provision of medical care and the data subject is unable to consent, or when processing is carried out by a non-profit entity regarding its own members.
Exceptions to Consent
Law 8968 permits data processing without consent in specific situations:
- When data is collected from publicly accessible sources
- When processing is necessary for the performance of a contract to which the data subject is a party
- When processing is required by law or regulation
- When processing is necessary to protect the vital interests of the data subject
- When data is processed by public entities within the scope of their legal competencies
Data Subject Rights
Costa Rica's data privacy law grants individuals a comprehensive set of rights regarding their personal data.
Right of information: Data subjects have the right to be informed about the existence of databases containing their personal data, the purpose of those databases, and the identity of the responsible party.
Right of access: Individuals may request access to their personal data held in any database. The responsible party must respond within five business days.
Right of rectification: Data subjects may request the correction of inaccurate, incomplete, or outdated personal data. Corrections must be made within five business days.
Right of deletion: Individuals have the right to request the deletion of their data when the data is no longer necessary for the purpose for which it was collected, when consent has been withdrawn, or when the processing violates Law 8968.
Right of objection: Data subjects may object to the processing of their personal data when they have legitimate grounds, even if the processing is otherwise lawful.
These rights are exercised directly with the responsible party in the first instance. If the responsible party fails to respond or the data subject is unsatisfied with the response, the data subject may file a complaint with PRODHAB.
PRODHAB: The Data Protection Authority
The Agencia de Protección de Datos de los Habitantes (PRODHAB) is Costa Rica's independent data protection authority. Created by Law 8968, PRODHAB operates as a body attached to the Ministry of Justice and Peace but exercises its functions with technical and operational independence.
Powers and Functions
PRODHAB exercises regulatory, supervisory, and enforcement functions:
- Registration: PRODHAB maintains a public registry of databases. All entities that process personal data must register their databases with the agency.
- Inspection: The agency conducts inspections of registered databases to verify compliance with Law 8968.
- Complaint handling: PRODHAB receives and investigates complaints from data subjects regarding alleged violations of their data protection rights.
- Sanctioning: The agency may impose administrative sanctions on responsible parties that violate the law.
- Guidance: PRODHAB issues technical guidelines, recommendations, and codes of conduct for data processing.
Registration Requirement
One distinctive feature of Costa Rica's framework is the mandatory registration of databases. All entities that maintain databases containing personal data must register with PRODHAB. The registration must include the name and address of the responsible party, the purpose of the database, the types of personal data processed, data transfer practices, and security measures in place.
Failure to register constitutes a violation of Law 8968 and may result in administrative sanctions.
Legal Bases for Processing
While consent is the primary basis for lawful processing under Costa Rica's framework, Law 8968 recognizes several additional legal grounds.
Consent: The data subject has given informed and express consent.
Legal obligation: Processing is required to comply with a legal obligation applicable to the responsible party.
Contractual necessity: Processing is necessary for the performance of a contract to which the data subject is a party.
Vital interests: Processing is necessary to protect the vital interests of the data subject.
Public interest: Processing by public entities within their legally defined competencies.
Publicly available data: Processing of data obtained from public sources, provided the data is treated in accordance with the principles of Law 8968.
Unlike the GDPR, Costa Rica does not include "legitimate interests" as a standalone legal basis for processing.
Cross-Border Data Transfers
Law 8968 permits cross-border transfers of personal data under specific conditions. The legislation adopts an adequacy-based model similar to the European approach.
Adequacy Requirements
Personal data may be transferred to countries or international organizations that provide an adequate level of data protection. PRODHAB is responsible for evaluating and maintaining a list of countries deemed to have adequate protection.
Transfer Without Adequacy
Transfers to countries without an adequate level of protection are permitted when:
- The data subject has given express consent to the specific transfer
- The transfer is necessary for the performance of a contract between the data subject and the responsible party
- The transfer is necessary for the conclusion or performance of a contract in the interest of the data subject
- The transfer is necessary for important public interest reasons
- The transfer is necessary for the establishment, exercise, or defense of legal claims
- The transfer is necessary to protect the vital interests of the data subject
Practical Considerations
Organizations transferring personal data from Costa Rica should verify the adequacy status of the recipient country, obtain express consent when adequacy has not been established, and document the legal basis for each transfer.
Enforcement and Penalties
PRODHAB has the authority to impose graduated sanctions for violations of Law 8968.
Sanction Categories
Warning: For minor or first-time violations, PRODHAB may issue a formal warning requiring the responsible party to correct the violation within a specified period.
Order to cease processing: PRODHAB may order the suspension or cessation of unlawful data processing activities.
Fines: Administrative fines range from 1 to 30 base salaries. As of 2026, the base salary (salario base) used for calculating fines is approximately 462,200 colones, making the maximum fine approximately 13.87 million colones (roughly USD 25,000).
Suspension: In severe cases, PRODHAB may order the temporary or permanent suspension of the database or processing operation.
Enforcement Track Record
PRODHAB has gradually increased its enforcement activity since becoming operational. The agency processes several hundred complaints annually and has issued sanctions against both private companies and public entities. Common violations include failure to register databases, processing without valid consent, and failure to respond to data subject access requests within the statutory timeframe.
Recent Developments
Costa Rica's data privacy framework continues to develop as the country adapts to new challenges and aligns with international standards.
Cybersecurity incidents: Costa Rica experienced a series of significant cyberattacks in 2022, including ransomware attacks on government institutions attributed to the Conti group. These incidents prompted the government to declare a national cybersecurity emergency and accelerated discussions about strengthening the country's data protection and cybersecurity frameworks.
Digital transformation initiatives: The government has pursued digital government reforms that require balancing innovation with data protection. PRODHAB has issued guidance on the use of personal data in digital public services.
Potential legislative reforms: Discussions have emerged about modernizing Law 8968 to address gaps such as data breach notification requirements (the current law does not mandate breach notification), algorithmic decision-making, and the processing of personal data by artificial intelligence systems.
Regional leadership: Costa Rica's data protection framework is often cited as a model for other Central American countries, including Panama. The country participates in the Ibero-American Data Protection Network (RIPD) and has contributed to regional standard-setting efforts.
OECD alignment: Costa Rica joined the OECD in May 2021. OECD membership has driven further alignment with international data protection standards, including the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.