Cookies cannot be placed without consent if they are installed on devices of individuals located in Colombia and they collect personal data. In such cases, consent is needed according to the provisions of the Colombian Data Protection Act N° 1581 ("CDPA").
There is no specific regulation regarding cookies in Colombia. However, the Superintendence of Industry and Commerce issued administrative decisions where it stated that cookies installed on devices of individuals located in Colombia are means to collect personal data, and therefore local law applies to such data. These decisions are generally followed in practice.
The CDPA does provide exemptions from consent, but they are not applicable to cookies in cases where the data collected is considered personal data. In this sense, if personal data is not processed, consent will not be required.
According to Colombian regulations, if the data subject is identifiable, consent must be provided before processing. This would mean that automatic placement of cookies would be illegal in all cases.
No, consent without ticking accept is not permitted in Colombia. Express consent for the use of cookies is required when the data collected is personal data. Also, before a user accepts, the Company must provide the data subject with clear, truthful, sufficient, timely, verifiable, understandable, accurate and suitable information. Therefore, an "I accept" button is needed to provide valid consent.
The CDPA does not require companies to have a separate Cookie Policy; however, there still should be express and informed consent from the data subject, and the general Privacy Policy should comply with the requirements set forth by local law.
Provided that the data subject has been informed and consented to the use of cookies which collect personal data, a cookie banner is not strictly necessary. Terms on the use of cookies may be placed in the Privacy Policy and/or Consent Mechanism, with a link directing the data subject to the relevant sections. Moreover, data controllers are required to keep evidence of consent for subsequent consultation.
A cookie wall can be used when a data subject does not provide consent for use of their personal data and the use of cookies, but only when:
Otherwise, where the withheld data is not essential to the service, the cookie wall cannot be implemented.
The CDPA does not have a particular regulation that covers cookies. However, the Superintendence of Industry and Commerce issued administrative decisions where it stated that cookies installed in devices of individuals located in Colombia are means to collect personal data, and therefore, local law applies to the processing of such data, including any breach of the law when using cookies. In this regard, the SIC issued orders against foreign companies that process personal data through cookies. In most cases the SIC did not impose a penalty against them but instead issued administrative orders to request compliance with specific standards of the Colombian legal framework.
No, we are not aware of any.
As in Europe, there is a regional tendency to protect data subjects' personal information. Therefore, we expect heavier regulation on these matters in the future.