logo Lawwwing

What Should a Cookie Banner Look Like in Chile? A Guide to Complying with Law 21.719

Law 21.719 places consent at the centre of the lawful processing of personal data. Consent is considered valid only when it is: One of the most important consequences for cookie banner design is that continuing to browse, closing the banner, or simply allowing time to pass cannot be interpreted as consent, as none of these […]
Legal Lawwwing
July 10, 2026

Law 21.719 places consent at the centre of the lawful processing of personal data. Consent is considered valid only when it is:

  • Freely given: It must not be a condition for accessing a website unless the processing is strictly necessary to provide the requested service.
  • Informed: Individuals must be told how and why their personal data will be used.
  • Specific: Consent must relate to one or more clearly defined purposes rather than a generic "accept all" option.
  • Prior: Consent must be obtained before any non-essential cookies are activated.
  • Unambiguous: It must be expressed through a clear affirmative statement or action demonstrating the data subject's intention.

One of the most important consequences for cookie banner design is that continuing to browse, closing the banner, or simply allowing time to pass cannot be interpreted as consent, as none of these actions constitutes a clear affirmative act.

In addition, cookie walls are prohibited. The law presumes that consent has not been freely given where it is required as a condition for accessing a service that does not actually depend on the processing of personal data.

What Should a Compliant Cookie Banner Include?

1) Equal Options to Accept or Reject Cookies

If consent must be freely given and unambiguous, the option to reject cookies cannot be hidden behind a second click or buried within a "Settings" menu while the "Accept" button is prominently displayed. Both options should have the same level of visibility and accessibility.

For ecommerce websites, this is particularly important because the cookie banner often appears as soon as a visitor arrives to browse products. If the "Reject" option is noticeably harder to find than the "Accept" option, the banner could be considered to steer users towards acceptance, potentially invalidating the consent on the grounds that it was not freely given.

2) Granular Consent by Purpose

The law requires consent to be specific with regard to its purpose or purposes. In practice, this means separating cookies into categories (such as essential, analytics, advertising, and personalisation cookies) instead of requesting a single blanket authorisation.

For ecommerce businesses, this distinction is particularly important because an online store typically uses several different categories of cookies, including:

  • Strictly necessary cookies for functions such as shopping carts, user sessions, and payment processing.
  • Analytics cookies: Google Analytics
  • Personalisation cookies used to recommend products based on user behaviour.
  • Advertising cookies such as Meta Pixel, Google Ads, and dynamic remarketing technologies.

If all of these categories are grouped together under a single "Accept All" button, a customer who simply wants to complete a purchase would also be consenting to advertising tracking without having made a specific and informed choice.

3) Clear Information Before Consent Is Given

The new legislation requires certain information to be made permanently available to users, including: the categories of personal data being processed, the purposes of the processing, the identity of the data controller, whether personal data is transferred to third countries and whether those countries provide an adequate level of protection, and the applicable data retention period.

For this reason, the cookie banner should include a link to the data processing policy, allowing users to access this information before deciding whether to consent.

For ecommerce businesses, this is particularly relevant because many online stores use payment gateways, logistics providers, or marketing tools hosted outside Chile, which may involve international transfers of personal data. The data processing policy should therefore clearly explain these transfers and indicate whether the destination country provides an adequate level of data protection.

4) A Withdrawal Mechanism That Is as Simple as Giving Consent

The law requires that data subjects be able to withdraw their consent at any time and without providing any reason, using means that are similar or equivalent to those used to give consent.

Therefore, if cookies can be accepted with a single click, users must also be able to withdraw their consent just as easily.

5) No Non-Essential Cookies Before Consent

As explained above, consent must be obtained before any processing takes place. Consequently, cookies that are not strictly necessary for the operation of the website must not be activated until the user has made a choice.

From a technical perspective, it is therefore advisable to ensure that your tag management system (such as Google Tag Manager) is configured to block non-essential scripts until an explicit consent signal has been received, rather than relying solely on the display of the cookie banner.

6) Processing Sensitive Data or Children's Personal Data

If cookies are used to create profiles based on sensitive personal data, or if the website is intended for use by children or adolescents, stricter rules apply. These include the requirement for explicit consent and, in the case of minors, the consent of their parents or legal guardians where required by law.

7) Profiling and Advertising Cookies

If your website uses cookies to create user profiles, two additional rights under Law 21.719 become particularly relevant:

  • Right to Object to Direct Marketing: Data subjects have the right to object at any time to the use of their personal data for direct marketing purposes, including profiling carried out for advertising or marketing activities.
  • Right Not to Be Subject to Significant Automated Decisions: This right applies where a decision is made solely through automated processing, including profiling, and that decision produces legal effects concerning the individual or similarly significantly affects them. For example, where cookies are used to feed a scoring system, the data controller must ensure that the data subject has: the right to receive an explanation of the automated decision; the right to request human intervention; the right to express their point of view; and the right to request a review of the decision. For websites that use cookies for scoring or profiling purposes, this means that the cookie banner or the data processing policy should explain, in clear and understandable language, the logic behind the automated processing and how users can request human review, rather than merely informing them that profiling takes place.

This further reinforces the need for cookie banners to allow users to reject advertising or profiling cookies independently, without requiring them to forgo access to the website.

What Happens If Your Cookie Banner Does Not Comply?

Failure to comply with Law 21.719 can result in a range of consequences, from a written warning to the suspension of your ecommerce business's data processing activities, as well as substantial financial penalties that increase depending on the seriousness of the infringement and whether it is a repeat offence.

The law classifies infringements into three categories: 

  • Minor Infringements. Examples include failing to keep information about data processing on the website up to date, responding to users' requests after the statutory deadline, or failing to provide the data controller's contact details. These infringements may result in either a written warning or a fine of up to 5,000 UTM.
  • Serious Infringements. Serious infringements include processing personal data without the data subject's consent or another valid legal basis, obstructing the exercise of data subject rights such as access or erasure, or carrying out international data transfers without the safeguards required by law. These infringements are punishable by fines of up to 10,000 UTM.
  • Very Serious Infringements. Very serious infringements include processing personal data fraudulently, deliberately using personal data for purposes other than those authorised by the data subject, or breaching the confidentiality of sensitive personal data. These infringements may result in fines of up to 20,000 UTM.

The amount of these penalties may increase if the infringement is not remedied or if further violations occur.

For example, a 50% surcharge may be added to the original fine where the company fails to correct the conduct that gave rise to the sanction within the prescribed period. In cases of repeat infringements, the Agency may impose fines of up to three times the standard amount. Furthermore, where a company repeatedly commits very serious infringements within a period of 24 months, the Agency may order the suspension of its personal data processing activities for up to 30 days.

Beyond the financial consequences, there is also a significant reputational impact. Sanctions remain recorded for five years in the National Register of Sanctions and Compliance, a public register that is freely accessible. As a result, customers, business partners, competitors, and any member of the public can verify whether a company has been sanctioned.

Finally, administrative penalties are not the only potential consequence. Where non-compliance causes actual damage to a data subject, that individual may seek compensation once the Agency's decision becomes final.

Applied specifically to cookie banners, a banner that fails to provide a genuine option to reject cookies, activates non-essential cookies before obtaining consent, or relies on pre-ticked consent boxes may be considered to process personal data without a valid legal basis. In addition to exposing the business to financial penalties, the publication of the sanction in a public register may cause significant reputational damage to your ecommerce business.

How Can I Create a Cookie Banner That Complies with Law 21.719?

A cookie banner that complies with Law 21.719 should reflect the legislation's core principles: consent must be freely given, informed, specific, prior, and unambiguous; users must be able to accept or reject cookies with equal visibility and ease of access; clear and transparent information must be provided before any decision is made; and users must be able to withdraw their consent just as easily as they gave it.

Updating your cookie banner before 1 December 2026 is the best way to ensure compliance with the new legal requirements and avoid the risk that a non-compliant design could lead to regulatory breaches or penalties.

With Lawwwing, you can generate and maintain a cookie banner that complies with Law 21.719. Our solution is fully customisable and automatically kept up to date, helping your ecommerce business meet the new legal requirements without unnecessary complexity.

Don't wait until December. Update your cookie banner and comply with Law 21.719 with Lawwwing.

Blog

Related Articles

Businesses trust Lawwwing to ensure their legal compliance, keeping their documents up-to-date and avoiding penalties.
cross