Chile's Law 21.719: What Changes and How to Prepare
A clear guide to Law 21.719, Chile's new data protection law: what changes, the new Agency, ARCO+ rights, and a checklist for your app.
If you build a web app or a SaaS in Chile, there's a legal change you'll want to keep on your radar: Law 21.719, the country's new personal data protection law. This isn't a minor bit of paperwork or a passing scare. It replaces a framework that had been falling short for decades and, for the first time, creates an authority with real teeth to oversee how you handle your users' data.
The good news: you don't need to be a lawyer or a security expert to start getting ready. Most of the requirements translate into technical and process practices you probably already half-know. In this article we'll explain what changes, what it means in practice for your product, and we'll leave you with an actionable checklist to review your site today.
An honest note: this text is an orientation guide, not legal advice. The exact penalty figures, deadlines, and implementation details depend on the law as enacted and on the regulations the authority issues. Whenever something is uncertain, we'll tell you and recommend verifying the official source.
What Law 21.719 Is
Law 21.719 modernizes Chile's personal data protection regime. For years, Chile operated under a fairly old law that felt out of step with the digital economy: limited enforcement capacity, weak penalties, and rights that were hard to exercise in practice.
The new law pushes Chile toward a standard closer to modern frameworks like Europe's (the GDPR). In broad terms, that means:
- Clearer rules about when and how you can process personal data.
- The need for a lawful basis for every processing activity (for example, user consent, performance of a contract, or a legitimate interest).
- Greater transparency toward people about what you do with their information.
- A dedicated authority that can review, demand, and impose penalties.
In plain terms: Chile's new data protection law stops treating privacy as a formality and turns it into a verifiable obligation. If you handle emails, names, addresses, payment data, location, or any information that identifies a person, this applies to you.
A Data Protection Agency With Enforcement Powers
One of the most significant changes is the creation of a Personal Data Protection Agency. Until now, Chile had no specialized body with real power to enforce the law. The Agency arrives precisely to fill that gap.
Under the law's design, this authority would have the power to:
- Oversee organizations that process personal data.
- Receive and resolve complaints from people who feel their rights have been violated.
- Issue instructions and guidance on how to comply with the regulations.
- Initiate enforcement proceedings when it detects violations.
The key point for you as a founder or developer: it's no longer just about "having a privacy policy in the footer." There's now an actor that can hold you accountable and check whether what you say you do with data is what you actually do.
On penalties: the law provides for a regime of fines and corrective measures, but the exact amounts and ranges depend on the law as enacted and on how each violation is classified. Don't rely on figures from the internet without verifying them; check the official text or consult a specialist before making decisions based on specific amounts.
The Concept of "Reasonable Security Measures"
This is where the law connects directly with your technical work. The rule doesn't require you to have a bank's level of security, but it does require you to implement reasonable and appropriate security measures to protect the data you process.
What does "reasonable" mean? The law doesn't hand you an exact recipe of "install this and you're done," and that's by design. Reasonableness is assessed based on:
- The type of data you handle (an email isn't the same as health or financial data).
- The volume and sensitivity of that information.
- The state of the art of available technology.
- The concrete risks that data is exposed to.
In practice, "reasonable" for a modern web app usually includes things like: encryption in transit (properly configured HTTPS), access control over the data, correct security headers, not accidentally exposing sensitive information, and having a plan to react to an incident.
The most common trap is thinking of security as a project that gets finished. It isn't. It's a state you maintain and, above all, one you can demonstrate. And that's where a concept worth its weight in gold comes in when facing an audit: evidence of due diligence.
ARCO+ Rights: What Your Users Need to Be Able to Do
The law recognizes and reinforces what are known as ARCO+ rights. The acronym comes from the classic rights, plus a few additional ones that modern regulation adds:
- Access: a person can ask you what data of theirs you hold.
- Rectification: they can correct inaccurate or outdated data.
- Cancellation (or erasure): they can request that you delete their data when appropriate.
- Objection: they can object to certain processing of their information.
- The "+" usually refers to additional rights such as portability (taking their data away in a reusable format) and limits on automated decisions.
For your product this isn't theory: it means you need a real process to respond to these requests. If a user writes asking you to delete their account and all their data, do you have a way to do it completely and within a reasonable timeframe? Do you know which tables, logs, and third-party services that information lives in?
Many apps fail not out of bad intent, but because they never designed data deletion or export as a first-class feature. It's worth solving before the first formal request arrives.
Will There Be a Softer Period for Small Businesses?
There's an understanding that the law's entry into force includes a transition period, and there's even been talk of a more gradual initial approach or lighter penalties for small and medium-sized businesses, so they have time to adapt before being exposed to the more severe consequences.
That's a reasonable intention and in line with how other countries have implemented similar reforms. But be prudent: verify the law as enacted and its regulations before assuming you have a "cushion" of time or tolerance. Entry-into-force timelines, phase-in periods, and the criteria for small businesses are exactly the kind of detail that can change between the bill, the published law, and its regulations.
The healthy reading isn't "I have time, I'll leave it for later." It's "I have a window to put my house in order without the pressure of an audit looming." Taking advantage of it is far cheaper than scrambling at the end.
From Technical Findings to "Evidence of Due Diligence"
Here we connect the two halves of this article: the legal and the technical.
When an authority audits you, it doesn't ask "are you good?" It asks "can you demonstrate that you took reasonable measures?" The difference between a fine and a warning often comes down to being able to show evidence of due diligence: that you identified your risks, applied controls, and reacted when something failed.
This is where a technical scan becomes useful beyond the obvious. Every security finding you detect and fix is, at its core, a record that you're doing your job:
- You detected that forced HTTPS or a security header was missing, you fixed it, you have a record.
- You found cookies without security attributes, you adjusted them, you have a record.
- You saw that you were exposing sensitive information in an API response, you closed it, you have a record.
That history of "found it, prioritized it, and fixed it" is precisely the kind of story that backs up the idea of reasonable measures. It's not paperwork for its own sake: it's concrete proof that the security of your data actually matters to you.
With Pursecure you can generate exactly that kind of evidence: paste your site's URL, get a score from 0 to 100 and a list of findings ranked by severity, and each finding comes with a ready-to-use prompt for your AI coding tool (Claude, Cursor) to fix it. It's a fast way to turn "I think I'm fine" into "I can show what I reviewed and what I fixed."
What to Check on Your Site Today
You don't need the entire legal framework settled to improve your posture. You can review all of this this very afternoon:
- HTTPS across the whole site. Make sure the entire app loads over HTTPS, with no mixed content, and that the redirect from HTTP works. Personal data traveling in the clear is one of the most expensive and most easily avoidable mistakes.
- Security headers. Check that you have headers like Strict-Transport-Security, Content-Security-Policy, X-Content-Type-Options, and similar ones configured. They signal and reinforce that you protect your users' traffic.
- Secure cookies. Session cookies should have Secure, HttpOnly, and an appropriate SameSite. A stealable session is a direct personal data problem.
- Data exposure in responses and errors. Verify that your APIs don't return more information than necessary and that error pages don't leak internal paths, stack traces, or other users' data.
- Access to the data. Who can see the database? Are there shared or exposed credentials? Fewer, better-controlled access points are almost always safer.
- Data deletion and export. Confirm that you can delete and export all of a user's data when they ask. Map where their information lives, including third-party services.
- A real privacy policy. One that genuinely describes what data you collect, why, and with whom you share it. A policy that doesn't match reality is worse than not having one.
- An incident plan. Be clear on what you'd do if you detect a breach tomorrow: who you notify, how you contain it, and how you document it.
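The header and cookie items on this list can be checked mechanically, and each gap recorded as a finding you later mark fixed. The script below is an added example, not Pursecure's code or the article's; the response headers are constructed, and the one-year HSTS max-age threshold is a common recommendation assumed here, not something the law specifies.

```python
# Added example: audit a site's response headers against the checklist above
# and return severity-ranked findings. Constructed sample input; the one-year
# HSTS threshold is an assumed recommendation, not a legal requirement.

SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}
REQUIRED_HEADERS = {  # header name -> severity when the header is missing
    "strict-transport-security": "high",
    "content-security-policy": "medium",
    "x-content-type-options": "low",
}
MIN_HSTS_MAX_AGE = 31536000  # one year in seconds (assumed threshold)

# Constructed sample response; Set-Cookie may legitimately repeat.
SAMPLE_HEADERS = [
    ("Content-Type", "application/json"),
    ("Strict-Transport-Security", "max-age=86400"),
    ("X-Content-Type-Options", "nosniff"),
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "prefs=dark; Path=/; Secure; HttpOnly; SameSite=Lax"),
]


def hsts_max_age(value):
    """Return the max-age directive of an HSTS header, or 0 if absent/invalid."""
    for directive in value.split(";"):
        name, _, num = directive.strip().partition("=")
        if name.lower() == "max-age" and num.strip().isdigit():
            return int(num.strip())
    return 0


def audit_headers(headers):
    """Take (name, value) header pairs; return findings as dicts, highest severity first."""
    findings, single, cookies = [], {}, []
    for name, value in headers:
        if name.lower() == "set-cookie":
            cookies.append(value)
        else:
            single[name.lower()] = value

    def add(severity, check, detail):
        findings.append({"severity": severity, "check": check, "detail": detail})

    for header, severity in REQUIRED_HEADERS.items():
        if header not in single:
            add(severity, header, "header missing")
    hsts = single.get("strict-transport-security")
    if hsts is not None and hsts_max_age(hsts) < MIN_HSTS_MAX_AGE:
        add("medium", "strict-transport-security", "max-age below one year")
    if single.get("x-content-type-options", "nosniff").lower() != "nosniff":
        add("low", "x-content-type-options", "value is not nosniff")
    for raw in cookies:  # every cookie needs Secure, HttpOnly and a SameSite policy
        cookie_name = raw.split("=", 1)[0].strip()
        attrs = {part.strip().split("=")[0].lower() for part in raw.split(";")[1:]}
        for attr, severity in (("secure", "high"), ("httponly", "high"), ("samesite", "medium")):
            if attr not in attrs:
                add(severity, f"cookie {cookie_name}", f"missing {attr} attribute")
    return sorted(findings, key=lambda f: SEVERITY_RANK[f["severity"]])
```

Run against the sample it reports the missing CSP, the short HSTS max-age, and the session cookie's missing Secure and SameSite attributes; feed it the headers your own site returns to get the same kind of record.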
If you want to speed up the technical points on this list, run a scan at pursecure.app and let the report tell you where to start, ranked by severity.
In Summary
Law 21.719 marks a before and after in how Chile handles privacy. An Agency with enforcement power arrives, the idea of reasonable security measures takes hold, people's ARCO+ rights are reinforced, and there will very likely be a transition window worth using rather than waiting until the last minute.
What you shouldn't do is freeze. Privacy done right isn't a legal wall: it's a series of good technical and process decisions that, taken together, demonstrate diligence. Start with what you control today, your site, your headers, your data, and build from there.
When you're ready to get a clear picture of your security posture and concrete evidence of what you've already fixed, paste your URL into Pursecure and get your score and findings in minutes. Preparing for Law 21.719 starts with knowing where you stand.