01/Glossary · Clinics
Law 8968 — Personal Data Protection Law (Costa Rica)
Costa Rican law that regulates the processing of personal data. Applies to any system that stores information about identifiable people.
02/Full definition
Law 8968 is Costa Rica's legal framework for personal data protection, the local equivalent of the European GDPR or US HIPAA. It applies to any system that stores identifiable information about people (customers, patients, employees). It requires explicit consent from the data subject, a declared purpose of processing, the right to be forgotten (deletion on demand), auditable access logs, and notification to Prodhab (Data Protection Agency) in case of a breach.
03/In Costa Rica context
Any app or website that collects personal data in Costa Rica must comply with Law 8968. In practice this means a clear privacy policy, explicit consent in forms, encryption at rest and in transit, and being able to respond to Prodhab if there's a request or complaint. Implementing the basic requirements doesn't require major architecture changes if they are considered from the start; adding them later is 3–5x more expensive.
06/Frequently asked questions
Does Law 8968 apply to websites without login?
Yes, if the site captures any identifiable data (contact form with name/email, tracking cookies, IP logs). Privacy policy + explicit consent are the minimum.