

Law 21.719 places consent at the centre of the lawful processing of personal data. Consent is considered valid only when it is:
One of the most important consequences for cookie banner design is that continuing to browse, closing the banner, or simply allowing time to pass cannot be interpreted as consent, as none of these actions constitutes a clear affirmative act.
In addition, cookie walls are prohibited. The law presumes that consent has not been freely given where it is required as a condition for accessing a service that does not actually depend on the processing of personal data.
If consent must be freely given and unambiguous, the option to reject cookies cannot be hidden behind a second click or buried within a "Settings" menu while the "Accept" button is prominently displayed. Both options should have the same level of visibility and accessibility.
For ecommerce websites, this is particularly important because the cookie banner often appears as soon as a visitor arrives to browse products. If the "Reject" option is noticeably harder to find than the "Accept" option, the banner could be considered to steer users towards acceptance, potentially invalidating the consent on the grounds that it was not freely given.
The law requires consent to be specific with regard to its purpose or purposes. In practice, this means separating cookies into categories (such as essential, analytics, advertising, and personalisation cookies) instead of requesting a single blanket authorisation.
For ecommerce businesses, this distinction is particularly important because an online store typically uses several different categories of cookies, including:
If all of these categories are grouped together under a single "Accept All" button, a customer who simply wants to complete a purchase would also be consenting to advertising tracking without having made a specific and informed choice.
The new legislation requires certain information to be made permanently available to users, including: the categories of personal data being processed, the purposes of the processing, the identity of the data controller, whether personal data is transferred to third countries and whether those countries provide an adequate level of protection, and the applicable data retention period.
For this reason, the cookie banner should include a link to the data processing policy, allowing users to access this information before deciding whether to consent.
For ecommerce businesses, this is particularly relevant because many online stores use payment gateways, logistics providers, or marketing tools hosted outside Chile, which may involve international transfers of personal data. The data processing policy should therefore clearly explain these transfers and indicate whether the destination country provides an adequate level of data protection.
The law requires that data subjects be able to withdraw their consent at any time and without providing any reason, using means that are similar or equivalent to those used to give consent.
Therefore, if cookies can be accepted with a single click, users must also be able to withdraw their consent just as easily.
As explained above, consent must be obtained before any processing takes place. Consequently, cookies that are not strictly necessary for the operation of the website must not be activated until the user has made a choice.
From a technical perspective, it is therefore advisable to ensure that your tag management system (such as Google Tag Manager) is configured to block non-essential scripts until an explicit consent signal has been received, rather than relying solely on the display of the cookie banner.
If cookies are used to create profiles based on sensitive personal data, or if the website is intended for use by children or adolescents, stricter rules apply. These include the requirement for explicit consent and, in the case of minors, the consent of their parents or legal guardians where required by law.
If your website uses cookies to create user profiles, two additional rights under Law 21.719 become particularly relevant:
This further reinforces the need for cookie banners to allow users to reject advertising or profiling cookies independently, without requiring them to forgo access to the website.
Failure to comply with Law 21.719 can result in a range of consequences, from a written warning to the suspension of your ecommerce business's data processing activities, as well as substantial financial penalties that increase depending on the seriousness of the infringement and whether it is a repeat offence.
The law classifies infringements into three categories:
The amount of these penalties may increase if the infringement is not remedied or if further violations occur.
For example, a 50% surcharge may be added to the original fine where the company fails to correct the conduct that gave rise to the sanction within the prescribed period. In cases of repeat infringements, the Agency may impose fines of up to three times the standard amount. Furthermore, where a company repeatedly commits very serious infringements within a period of 24 months, the Agency may order the suspension of its personal data processing activities for up to 30 days.
Beyond the financial consequences, there is also a significant reputational impact. Sanctions remain recorded for five years in the National Register of Sanctions and Compliance, a public register that is freely accessible. As a result, customers, business partners, competitors, and any member of the public can verify whether a company has been sanctioned.
Finally, administrative penalties are not the only potential consequence. Where non-compliance causes actual damage to a data subject, that individual may seek compensation once the Agency's decision becomes final.
Applied specifically to cookie banners, a banner that fails to provide a genuine option to reject cookies, activates non-essential cookies before obtaining consent, or relies on pre-ticked consent boxes may be considered to process personal data without a valid legal basis. In addition to exposing the business to financial penalties, the publication of the sanction in a public register may cause significant reputational damage to your ecommerce business.
A cookie banner that complies with Law 21.719 should reflect the legislation's core principles: consent must be freely given, informed, specific, prior, and unambiguous; users must be able to accept or reject cookies with equal visibility and ease of access; clear and transparent information must be provided before any decision is made; and users must be able to withdraw their consent just as easily as they gave it.
Updating your cookie banner before 1 December 2026 is the best way to ensure compliance with the new legal requirements and avoid the risk that a non-compliant design could lead to regulatory breaches or penalties.
With Lawwwing, you can generate and maintain a cookie banner that complies with Law 21.719. Our solution is fully customisable and automatically kept up to date, helping your ecommerce business meet the new legal requirements without unnecessary complexity.
Don't wait until December. Update your cookie banner and comply with Law 21.719 with Lawwwing.