Costa Rica: The protection of personal data in e-Commerce

Written by:

Yosser Gonzalez


The use of electronic media in business (better known as electronic commerce or e-commerce) has raised the issue of the level of protection that should be afforded to personal data of users of this media. Due to the Sars-Cov-2 pandemic, an increasing number of merchants have ventured to use digital platforms or media for the exchange of their goods or services. Also, more consumers have chosen to use digital platforms or media for the provision or enjoyment of their daily needs, whether for food, entertainment, recreation, health, and others.  


However, laws do not always advance as quickly as reality, so we often have to analyze the legal implications of our ideas and business models and how they may affect or be affected by current regulations.


In this sense, we must mention that according to chapter X of Regulation No. 37899-MEIC “Regulations to the Law for the Promotion of Competition and Effective Defense of the Consumer no. 7472,” making special emphasis in its section 263, under the Law for the Protection of the Person given the Treatment of his/her Personal Data no. 8968 (hereinafter “Law 8968”) and its regulation, we can establish a “trader-consumer” relationship when we make use of electronic means to acquire or offer goods or services and of the consumer’s personal data as deserving special protection in the consumer relationship.


The above is of great relevance since, under this view, the merchant who offers goods or services by electronic means must not only comply with the same obligations as merchants operating under traditional forms of commerce, but must also comply with certain regulations established in the aforementioned legislation. On the other hand, the consumer not only has the same rights already established in the Law of Protection of Competition and Effective Defense of the Consumer no. 7472 and its regulation but also has other additional rights due to the type of transaction taking place, where the protection of personal data stands out.


To ensure compliance with the national legislation in force, the merchant must first identify and analyze the consumer’s personal data to which it would have access, both directly and indirectly, and establish the purpose for which the data would be used. This should be done by taking into account not only the data that would be accessible at the time of the transaction, such as full name, email, phone number or address, but also the data that from the first moment the user enters the software or hardware can be collected by both the merchant and the hosting service provider or data analysis, such as IP address, internet service provider, browser, location, date, time, and sites visited, as well as the use of so-called “cookies”.


Once the analysis of the data that could be accessed has been performed, it is necessary to carry out a legal analysis of the types of data collected and the legal consequences of their treatment under Law 8968 and its regulation, to have a clear picture of the legal implications that the business faces and the ways to avoid or minimize risks. Then, the drafting and implementation of personalized Privacy Policies following the business model must proceed. In Costa Rica, these policies are closely linked to obtaining Informed Consent, whose formalities are clearly established in section 5 of Law 8968.


Although, over the years, there has been an increase in the use of electronic platforms in commerce, the lack of consumer confidence in the use of these means has been one of the greatest obstacles to the rise of this modality in Costa Rica. Now, as a consequence of the pandemic, many businesses had to leap without being prepared.  At this point, our invitation is to reflect on the benefits that an adequate treatment of personal data can generate for your business, such as increased confidence by consumers in acquiring their goods and services, which in turn, provides reputation and prestige to the merchant allowing it to stand out in the market and increase its competitiveness, without leaving aside, of course, avoidance of penalties for non-compliance with existing legislation, which can consist of one to ten base salaries, i.e. between 400 thousand and 4 million colones.

Scroll to Top