Data protection & privacy laws in Costa Rica (2026)

Law 8968 was approved on 7 July 2011 and published in La Gaceta No. 170 on 5 September 2011; it guarantees the fundamental right to informational self-determination and regulates processing of personal data by any natural or legal person, public or private, operating in Costa Rican territory.

The Agencia de Protección de Datos de los Habitantes (PRODHAB) is the data-protection authority created by Law 8968 as a body of maximum deconcentration attached to the Ministry of Justice and Peace; it maintains the national database registry, investigates complaints, conducts inspections, and imposes sanctions, and can order precautionary measures.

The law grants rights of access, rectification, deletion/suppression, and the right to consent to (and revoke consent for) the transfer of one's personal data; controllers must respond free of charge, generally within five business days of receiving a request.

Controllers must obtain the data subject's express consent to collect and process personal data; Article 21 requires registration with PRODHAB of public or private databases administered for distribution, dissemination or commercialization purposes, though databases of financial entities regulated by SUGEF are exempt.

PRODHAB can impose administrative fines and, in serious cases, order a controller or processor to cease use of a database for one to six months; reported fine ranges run roughly from about USD 3,000 up to USD 18,000 depending on severity.

Bill No. 23097, a comprehensive reform that would repeal Law 8968 and align Costa Rica with the EU GDPR, was introduced in May 2022; the Science and Technology Commission issued a report in January 2025, but the bill has not been enacted, so Law 8968 remains the governing regime.