Colombia

Can you place cookies without consent?

Cookies cannot be placed without consent if they are installed in devices of individuals located in Colombia, and they collect personal data. In such cases, consent is needed according to the dispositions of the Colombian Data Protection Act N° 1581 ("CDPA").

Are cookie rules (whether specific or within general data protection laws) followed in practice?

There is no specific regulation regarding cookies in Colombia. However, the Superintendence of Industry and Commerce issued administrative decisions where it stated that cookies installed in devices of individuals located in Colombia are means to collect personal data, and therefore local law applies for such data. They are generally followed in practice.

Are there any exemptions if consent is required?

CDPA does provide exemptions for consent, but they shall not be applicable to cookies in cases where the data collected is considered as personal data. In this sense, if personal data is not processed, consent will not be required.

Can you place the following cookies automatically:

i. Analytics cookies, ii. Advertising cookies, iii. Social media cookies

According to Colombian regulations, if the data subject is identifiable, consent must be provided before processing. This would mean that automatic placement of cookies would be illegal in all cases.

Are you able to gain consent without a user ticking ‘accept’, i.e., imply consent from a user continuing to browse the site?

No, consent without ticking accept is not permitted in Colombia. Express consent for the use of cookies is required when the data collected is personal data. Also, before a user accepts, the Company must provide the data subject clear, truthful, sufficient, timely, verifiable, understandable, accurate and suitable information. Therefore, an "I accept” button is needed to provide valid consent.

Can you set cookies without a cookie notice? 

The CDPA does not require companies to have a separate Cookie Policy, however, there still should be express and informed consent from the data subject, and the general Privacy Policy should comply with the requirements set forth by local law.

Can you set cookies without a cookie banner/ management tool?

Provided that the data subject has been informed and consented to the use of cookies which collect personal data, a cookie banner is not strictly necessary. Terms on the use of cookies may be placed in the Privacy Policy and/ or Consent Mechanism, with a link directing the data subject to the relevant sections. Moreover, data controllers are required to keep evidence of consent for subsequent consultation.

Are you able to use cookie walls? 

A cookie wall can be used when a data subject does not provide consent for use of their personal data and the use of cookies, but only when:

  • the data subject has been correctly informed of the consequences of such decision; and
  • the personal data they have refused to provide is essential for the use of the platform.

Otherwise, where the withheld data is not essential to the service, the cookie wall cannot be implemented.

Is the local regulator currently enforcing decisions against breaches of cookie rules?

The CDPA does not have a particular regulation that covers cookies. However, the Superintendence of Industry and Commerce issued administrative decisions where it stated that cookies installed in devices of individuals located in Colombia are means to collect personal data, and therefore, local law applies to the processing of such data, including any breach of the law when using cookies. In this regard, the SIC issued orders against foreign companies that process personal data through cookies. In most cases the SIC did not impose a penalty against them but instead issued administrative orders to request compliance with specific standards of the Colombian legal framework.

Are there any current consultations relating to ad tech/cookies?

No, we are not aware of any.

Are there any anticipated changes to the rules and/ or have there been changes to the attitudes in the market (for example, case law or industry body decisions)?

As in Europe, there is a regional tendency to protect data subject's personal information. Therefore, we expect heavier regulation on these matters in the future.