Chile Law 21.719 guide for WordPress sites (2026)
What Chile's Law 21.719 on data protection requires from WordPress sites, what changed from the previous regime and how to automate compliance step by step.
What Chile’s Law 21.719 on data protection requires from WordPress sites, what changed from the previous regime, what your site must include and how to automate compliance.
Chile’s Law 21.719 on personal-data protection replaces the older Law 19.628 with a standard much closer to GDPR. If your website processes personal data of Chilean residents (a contact form, a newsletter, a WooCommerce store), the law applies to you. This guide covers what it requires, what your WordPress site must include and how to automate most of the compliance work.
What changes with Law 21.719
| Aspect | Before (Law 19.628) | Now (Law 21.719) |
|---|---|---|
| Consent | Vague, implicit acceptable | Explicit, informed, verifiable, granular |
| Data-subject rights | Limited access and rectification | Full ARCO+ (Access, Rectification, Cancellation, Opposition, Portability) |
| Processing register | Not required | Required |
| Breach notification | Not required | Required within specified timeframes |
| Data protection officer | Optional | Required for organizations above certain thresholds |
| Penalties | Low | Significant tiered fines |
The Personal Data Protection Agency (APDP) is the new regulator.
What your WordPress site must include
1. Cookie banner with granular consent
Your site must let the visitor accept or reject cookie categories (analytics, marketing, functional). A blanket “accept all” banner is not enough.
2. Updated privacy policy
It must explicitly mention Law 21.719, the data-subject’s ARCO+ rights, response deadlines and who to contact to exercise them.
3. Separate cookie policy
A list of cookies, category, duration and provider.
4. ARCO+ workflow
The data subject can request: to see their data, correct it, delete it, object to its processing and obtain it in a portable format. You need a process (a generic email is not enough).
5. Consent log
Auditable record of what each visitor consented to and when. It must be demonstrable if the APDP asks.
6. Processing register
Inventory of what personal data you process, for what, on what legal basis and for how long.
Doing this manually takes weeks and requires a lawyer.
How to automate most of it with WordPress
Doing this manually takes weeks and requires a lawyer. With serious plugins, much of it gets automated.
aGo Legal Pro (USD 9.9 / site · USD 29.9 / 3 sites) delivers out of the box:
- Cookie banner with granular categories.
- Auto-generation of Privacy Policy, Cookie Policy, Terms and Conditions aligned to Law 21.719.
- Full ARCO+ workflow with public form, tracking page and deadlines.
- Consent log with SHA-256 hashing (anti-tampering).
- Google Consent Mode v2 (you do not lose legitimate measurements).
- Pre-consent script blocking (GA, Meta Pixel, Hotjar do not load until the visitor consents).
- Multi-law: Law 21.719 + GDPR + LGPD + CCPA + PIPEDA in a single plugin.
Conclusion
Law 21.719 is not optional and generic global plugins (CookieYes, OneTrust in their free tier) do not cover Chilean ARCO+. There are two paths: implement by hand (weeks plus a lawyer) or use a specialized plugin such as aGo Legal Pro.
For specific questions, let’s talk.
Official sources
Want to dig deeper? Get in touch at [email protected] and we will review your case.
Frequently asked questions
What is Chile Law 21.719 and when does it apply?
[Chile Law 21.719](https://www.bcn.cl/leychile/navegar?idNorma=1209272) on Personal Data Protection was enacted December 2024 with full enforcement December 2026, after a 24-month adaptation period. It replaces old Law 19.628 and aligns Chile with standards similar to European GDPR and Brazilian LGPD. Applies to any controller processing personal data of people in Chile.
Does my SMB WordPress site have to comply with Law 21.719?
Yes if it processes personal data: contact forms, newsletter, comments with email, e-commerce, user login. Business size does NOT exempt you. The argument 'we're too small for fiscalization' is expensive because fines scale from UTM 100 (~CLP 6M in 2026) and the future Data Protection Agency can act ex officio.
What does a WordPress site need to comply with Law 21.719 from December 2026?
Minimum: 1) Clear privacy policy with explicit lawful basis per processing purpose. 2) Cookie consent banner with reject option as visible as accept. 3) ARCO+ workflow (Access, Rectification, Cancellation, Opposition, Portability) with requester identity verification. 4) Processing Activities Record (RAT). 5) Designate responsible or DPO if high-risk processing or > 100k subjects.
Is installing a cookies plugin enough?
No. Cookie banner plugins cover consent but Law 21.719 also requires: ARCO workflow with verified identity, auditable RAT registry, policy with explicit lawful basis, audit trail of granted and revoked consents. aGo Legal Pro (USD 49.90 lifetime) covers the four pillars in a single plugin, with consent log SHA-256 hashed per entry plus batch hash for auditable integrity verification.