Data protection & privacy laws in Puerto Rico (2026)

Act No. 111-2005 (10 LPRA §§ 4051-4055) requires any entity holding databases of Puerto Rico residents' personal information to notify affected individuals and report breaches to DACO when unencrypted/unprotected data is subject to unauthorized access.

The Department of Consumer Affairs (DACO) is the enforcing authority for the breach-notification regime. Reports must reach DACO within a non-extendable 10 days; DACO issues a public announcement within 24 hours and may impose fines of $500-$5,000 per violation.

Article II, Section 8 of Puerto Rico's Constitution establishes privacy as a fundamental right; the Supreme Court treats it as of the 'highest hierarchy,' and it is self-executing and enforceable between private parties without enabling legislation.

Protected data under Act 111 includes name plus identifiers such as Social Security number, driver's license, official ID, financial account credentials, passwords/access codes, HIPAA-protected medical information, tax information, and work evaluations.

Act No. 40 of 2024 (Cybersecurity Act) imposes security obligations on government bodies and private entities handling public funds, and the Office of the Commissioner of Insurance enforces insurance-sector cybersecurity rules (Rule 108).

A comprehensive 'Consumer Data and Personal Information Protection Act' (House Bill 1548), modeled on California/GDPR — mandating privacy policies, controller obligations and consumer rights — advanced through the legislature but has not been signed into law, so the in-force regime remains sectoral.