Internet & Online Safety · Costa Rica
Online safety & content laws in Costa Rica (2026)
Costa Rica shaded by its internet & online safety status
Online safety rules in Costa Rica: partial, under Digital Services and E-Commerce Governance Law (Law 23,184, approved April 2026, not yet in force); Data Protection Law No. 8968 (2011); Cybercrime Law; SUTEL (telecom regulator) and MICITT (Ministry of Science, Innovation, Technology and Telecommunications).
Costa Rica currently operates under sector-specific rules, a 2011 data-protection law, cybercrime statutes, and consumer-protection provisions, rather than a comprehensive online-safety regime. In April 2026 the Legislative Assembly approved a DSA-inspired Digital Services and E-Commerce Governance Law (23,184) in its second (final) debate, which will enter into force 12 months after publication in the Official Gazette; a separate bill (25,336) to ban children under 14 from social media is advancing in committee. Freedom House scored the country 86/100 in its 2025 Freedom on the Net report, placing it among the world's most open online environments with no government censorship or blocking.
Key points
Freedom House rated Costa Rica 86/100 in Freedom on the Net 2025, ranking it the top country for internet freedom in Latin America and among the top four globally. No government-imposed website blocks or connectivity restrictions have been recorded.
Draft Law 23,184, modelled closely on the EU Digital Services Act, was approved by the Legislative Assembly in its second and final debate on 16 April 2026. It requires hosting providers, search engines and online platforms to implement illegal-content reporting mechanisms, bans dark patterns, and mandates transparency obligations; it covers any provider offering digital services in the Costa Rican market. It enters into force 12 months after publication in La Gaceta.
Bill 25,336, advanced unanimously by the Legislative Assembly's Youth, Children and Adolescents Committee in April 2026, would prohibit children under 14 from creating or using social-media accounts. SUTEL would enforce compliance with fines of 15-50 base salaries, rising to 30-50 for repeat violations; platforms could also face operational restrictions and mandatory remediation plans.
Bill 24,063, also active in the legislature, would introduce criminal offences of electronic sexual harassment of minors, sexual disturbance and sexual extortion specifically targeting online conduct, extending protections for children against digital exploitation.
The 2011 Law on the Protection of Individuals Against the Processing of Their Personal Data (Law No. 8968), regulated by Executive Decree 37554-JP, is the primary horizontal privacy instrument and applies to online data processing. The PRODHAB agency supervises enforcement. Three reform bills were active as of early 2026, including regulation of biometric-data consent.
The Supreme Electoral Tribunal proposed reforms to the electoral code that would prohibit anonymous/inauthentic accounts for campaign propaganda, require platforms to designate a legal representative in Costa Rica, and empower the TSE to order removal of electoral misinformation during campaign periods. These proposals had not been enacted as of May 2026.
Timeline - major decisions & events
Costa Rica deposited its instrument of ratification for CETS No. 224 on enhanced co-operation and disclosure of electronic evidence, becoming the fourth country globally to ratify. The protocol expands cross-border access to electronic evidence and direct cooperation with service providers for cybercrime investigations.
Council of Europe – Cybercrime Division ↗The Costa Rican legislature advanced a bill prohibiting children under 14 from accessing mainstream social platforms and requiring platforms to disable addictive design features (infinite scroll, autoplay, dark patterns) for all users under 18. SUTEL would oversee enforcement with fines of 15–50 base salaries for non-compliant platforms.
Tico Times ↗The Ministry of Science, Innovation, Technology and Telecommunications published Costa Rica's second national cybersecurity strategy, building directly on lessons from the 2022 ransomware crisis. The five-pillar framework covers governance, legal reform, risk management, a national security culture, and international cooperation.
MICITT – Costa Rica ↗In the immediate aftermath of the 2022 ransomware crisis, Costa Rica's representative signed the Second Additional Protocol on enhanced co-operation and disclosure of electronic evidence, signalling commitment to stronger cross-border law enforcement cooperation on cybercrime.
Council of Europe ↗The Hive ransomware group struck the Costa Rican Social Security Fund (CCSS) on May 31, 2022, compromising 759 servers and more than 10,400 computers and forcing cancellation of over 30,000 medical appointments. The attack on critical public health infrastructure came just weeks after the Conti emergency and demonstrated systemic vulnerability across state institutions.
CCDCOE – International Cyber Law Interactive Toolkit ↗Costa Rica deposited its instrument of accession to the Council of Europe's Budapest Convention on Cybercrime, becoming one of only three Central American states party to the treaty. Ratification gave law enforcement access to the T-CY network for real-time cross-border cooperation and aligned domestic law with international cybercrime standards.
Council of Europe – Cybercrime Division ↗President Laura Chinchilla signed Law 9048, overhauling the Penal Code's cybercrime section to criminalise system intrusion, malware deployment, cyber-espionage, disclosure of government secrets via ICT, and social-media impersonation, with sentences of five to ten years. The law raised controversy over potential restrictions on press freedom but was ultimately upheld.
SCIJ – Procuraduría General de la República ↗Published in La Gaceta on 5 September 2011, Law 8968 established Costa Rica's first comprehensive personal data protection framework and created the independent Agency for the Protection of Personal Data of the Inhabitants (PRODHAB) as enforcement authority, empowered to investigate complaints, impose fines of $3,000–$18,000, and suspend non-compliant databases.
PRODHAB – Agencia de Protección de Datos de los Habitantes ↗Law 8934 required operators of public internet access facilities to install content-filtering software blocking pornography, drug content, and other material harmful to children and adolescents, with SUTEL assigned oversight responsibilities. It became the foundational child-safety internet law and a direct precursor to later social-media regulation proposals.
SUTEL – Superintendencia de Telecomunicaciones ↗In ruling 2010-012790, Costa Rica's Constitutional Chamber declared internet access a constitutionally protected fundamental right, holding that the State must promote and guarantee universal ICT access as essential to free expression, education, and democratic participation. It was the first such ruling in Latin America and legally obligated the government to expand connectivity.
Poder Judicial – Sala Constitucional ↗Costa Rica - other topics
Internet & Online Safety in other countries
Last verified 5/24/2026 · Orientation, not legal advice - verify against the primary sources linked above. Methodology & how to cite · Explore the full world map →