The essentials in 30 seconds
- Cookies that identify or profile process personal data: they need a legal basis.
- Necessary cookies do not require consent; statistics and marketing cookies do, before being enabled.
- Consent must be free, informed and unambiguous, and as easy to reject as to accept.
- A banner that only says “Accept”, or that enables cookies before the choice is made, does not comply.
- You need a cookie policy + a banner organized by category + a record of consent.
It is the most common mistake we see: sites with Google Analytics, advertising pixels and heatmaps running from the very first second, without the visitor having chosen anything. Under Law 21.719 that is processing personal data without a legal basis. The good news is that complying does not mean “killing” your analytics — it means asking for permission properly. If you also want to get your legal texts in order, we cover that in the privacy policy for companies service.
Does Law 21.719 apply to cookies?
Yes, when cookies or other tracking technologies process personal data: analytics that allow identification, advertising cookies, profiling, fingerprinting. In those cases you need a legal basis, and for cookies that are not strictly necessary that basis is usually consent. Purely technical cookies (session, security) do not require prior consent, but they must still be disclosed.
What makes consent valid
The law is demanding when it comes to consent. To be valid it must be:
- Free: without making access to the site conditional on accepting non-necessary cookies.
- Informed: the person knows which cookies there are, from whom and for what purpose.
- Unambiguous: a clear affirmative action. No pre-ticked boxes or “continuing to browse means you accept”.
- Specific: it can be accepted by category, not all-or-nothing.
- Revocable: withdrawing consent must be as easy as giving it.
Types of cookies
| Category | Examples | Consent? |
|---|---|---|
| Necessary | Session, security, load balancing | No (disclosed) |
| Preferences | Language, region, preferred view | Yes |
| Statistics / analytics | Google Analytics, heatmaps | Yes |
| Marketing | Advertising pixels, remarketing | Yes |
What a compliant cookie banner looks like
- It appears before enabling non-necessary cookies.
- It offers, on equal terms, “Accept all”, “Necessary only / Reject” and “Customize”.
- It lets you choose by category (preferences, statistics, marketing).
- It does not enable statistics or marketing until the person accepts.
- It links to the cookie policy with the details.
- It records the choice (what was accepted, when) as evidence.
- It lets the user change the decision later (a “cookie preferences” link).
This very site implements that pattern: a banner organized by category, with the analytics and marketing tags paused until you accept (Consent Mode). It is exactly what we leave working in our projects.
Common mistakes
- Loading Analytics and pixels from the start, before any choice.
- An “Accept”-only banner, without a real option to reject.
- Pre-ticked boxes or “by continuing to browse you accept”.
- Not having a cookie policy or a record of consent.
- Forgetting the preference center for revoking consent.
How to bring your site into compliance
- Inventory which cookies and trackers your site loads (first-party and third-party).
- Classify them by category (necessary, preferences, statistics, marketing).
- Implement the banner by category so it blocks anything non-necessary until consent.
- Publish the cookie policy and link it from the banner and the footer.
- Record consents and enable revocation.
- Review whenever you add a new tool (a new pixel changes the scenario).
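The banner behaviour and the implementation steps above, as an added example that is not this site's own code: a minimal consent gate in JavaScript that keeps non-necessary tags paused until their category is explicitly accepted, records each choice, and honours revocation. All names (createConsentGate, register, decide) and the sample tags are hypothetical.

```javascript
// Added example; every name here is hypothetical, not a vendor API.
const CATEGORIES = ["necessary", "preferences", "statistics", "marketing"];
function createConsentGate(now = () => new Date().toISOString()) {
  const granted = new Set(["necessary"]); // default: nothing pre-ticked
  const tags = [];    // { name, category, load, active }
  const records = []; // evidence: what was accepted, and when
  // Start tags whose category is granted; pause tags whose category is not.
  function sync() {
    for (const tag of tags) {
      const allowed = granted.has(tag.category);
      if (allowed && !tag.active) tag.load();
      tag.active = allowed; // a real page would also clear the tag's cookies on revoke
    }
  }
  // Apply a banner choice. Only an explicit `true` counts as consent.
  function decide(choice) {
    granted.clear();
    granted.add("necessary");
    for (const c of CATEGORIES) if (choice[c] === true) granted.add(c);
    records.push({ at: now(), accepted: [...granted].sort() });
    sync();
  }
  return {
    register(name, category, load) {
      if (!CATEGORIES.includes(category)) throw new Error(`unknown category: ${category}`);
      tags.push({ name, category, load, active: false });
      sync();
    },
    decide,
    acceptAll: () => decide({ preferences: true, statistics: true, marketing: true }),
    rejectAll: () => decide({}), // rejecting is one call, same as accepting
    active: () => tags.filter((t) => t.active).map((t) => t.name),
    records: () => records.map((r) => ({ ...r })),
  };
}

// Constructed scenario: three sample tags and a fixed clock.
function demo() {
  let tick = 0;
  const gate = createConsentGate(() => `2025-01-01T00:00:0${tick++}Z`);
  const fired = [];
  gate.register("session", "necessary", () => fired.push("session"));
  gate.register("analytics", "statistics", () => fired.push("analytics"));
  gate.register("ad-pixel", "marketing", () => fired.push("ad-pixel"));
  const beforeChoice = gate.active();
  gate.decide({ statistics: true, marketing: "yes" }); // "yes" is not consent
  const afterCustom = gate.active();
  gate.rejectAll(); // revocation through the preference link
  return { beforeChoice, afterCustom, afterRevoke: gate.active(), fired, records: gate.records() };
}
```

In a browser, each load callback would inject the corresponding script tag, and the records array would be sent to wherever the consent log is kept.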
Is your site loading cookies without permission?
We bring your website into compliance: cookie policy, banner by category and valid consent, in line with Law 21.719. Start with a 30-minute assessment, no obligation.
See the privacy policy service
Frequently asked questions
Does Law 21.719 require a cookie banner?
When cookies process personal data (analytics that identify, advertising, profiling) you need a legal basis. For cookies that are not strictly necessary that basis is usually consent, which must be obtained before enabling them: that is where the banner comes in.
Do necessary cookies require consent?
No. Cookies strictly necessary for the site to work (session, security) do not require prior consent; they are still disclosed in the cookie policy. Statistics, preferences and marketing cookies require consent before being enabled.
Is a banner that only says "Accept" enough?
No. Consent must be free, informed and unambiguous, and as easy to reject as to accept. A banner that only allows acceptance, or that enables cookies before the choice is made, does not comply: it must offer the option to reject and to manage preferences by category.
What happens if I enable cookies before the user accepts?
Enabling non-necessary cookies before consent is a violation: the processing takes place without a legal basis. Statistics and marketing cookies must stay paused until the person accepts them.