← Back to blog

Marketing and personal data under Law 21.719: how to run campaigns without falling out of compliance

Marketing is one of the areas that moves the most personal data inside a company, and it is usually the first one exposed when someone files a complaint. Here is what changes under Law 21.719 for your campaigns, your email list, your advertising and your loyalty programs, and how to keep selling without falling out of compliance.

Marketing · Law 21.719

The essentials in 30 seconds

  • Every use of data in marketing needs a declared purpose and a lawful basis. In direct marketing, the safest and most common option is consent; legitimate interest may apply in certain cases, but it requires balancing your commercial interest against the rights of the data subject and documenting that balancing exercise in writing.
  • The consent standard worth adopting: freely given, informed, specific and unambiguous, and always revocable. No pre-ticked boxes and no silence interpreted as acceptance.
  • Separate it by purpose: accepting a purchase is not accepting promotions. Each purpose is requested and recorded separately.
  • Unsubscribing must be as easy as subscribing. An unsubscribe link that does not work, or that forces people to call by phone, is the most visible problem from the outside and the easiest one to complain about.
  • Your email and ad platforms act as data processors: formalize that relationship in writing. Purchased or third-party lists are the most expensive risk, because accountability requires you to be able to prove the origin of every data point.

For years, marketing in Chile ran on an unwritten rule: if you have the email address, you use it. Law 19.628, from 1999, was the historical framework and fell far behind how digital advertising works today. Law 21.719, published on December 13, 2024, changes that logic at its root and takes the European GDPR standard as its reference. With full enforcement starting December 1, 2026, and a Personal Data Protection Agency that inspects and sanctions, the question is no longer whether you can send the campaign, but on what basis you send it and how you prove it. If you want the full picture, start with our guide to the data protection law in Chile.

The good news: compliance does not mean shutting down marketing. It means organizing it. Companies that reach this law with consent properly obtained, a clean list and contracted vendors tend to see better metrics, because they stop talking to people who never wanted to hear from them. What follows is the complete map, area by area.

What changes for marketing under Law 21.719

The fundamental shift is accountability: it is no longer enough to avoid causing harm, you have to be able to demonstrate that you process data correctly. Applied to marketing, this means that every list, every segment and every pixel must have a declared purpose behind it, an identified lawful basis and evidence that people were informed.

The other change is the consequence. The Personal Data Protection Agency inspects and sanctions, with fines that can reach 5,000, 10,000 or 20,000 UTM depending on the severity of the infringement, and there is also a National Register of Sanctions. For a brand that lives on its reputation, appearing there can cost more than the fine itself.

And marketing is, by nature, the most visible area. An unhappy customer does not know whether your Record of Processing Activities is in order, but they do know whether they received an email they never asked for and whether the unsubscribe link worked. That is the most frequent entry point for complaints.

  • Every campaign needs an explicit purpose and an associated lawful basis.
  • Consent becomes something you request, record and can prove.
  • ARSOP rights (access, rectification, erasure, objection and portability) apply fully to your lists and your segments.
  • The platforms you use stop being a technical detail: they are data processors and you remain the controller.
  • The duty to notify breaches also reaches your marketing list, not only your critical systems.

Every use needs a lawful basis: consent or legitimate interest

Before sending anything, there is only one question: on what basis do I process this data? In direct marketing, the safest and most common answer is consent. The standard worth applying is consent that is freely given, informed, specific and unambiguous, and that the person can withdraw at any time.

Each of those adjectives has practical consequences. Freely given means you do not condition the service on accepting advertising: if buying requires accepting promotions, that consent is flawed from the start. Informed means the person knows who processes their data, for what purpose and with whom it is shared. Specific means it is requested for a concrete purpose, not in bulk. And unambiguous means a clear affirmative action: a box the user ticks, not one that comes pre-ticked, and not a footnote saying that continuing means accepting.

Legitimate interest exists as an alternative basis and may apply in certain cases, but it is not a wildcard. It requires a genuine balancing between your commercial interest and the rights, expectations and freedoms of the data subject. The more invasive the processing, the harder it is for legitimate interest to support it. Telling an active customer about a product equivalent to the one they already bought is a scenario worth analyzing; building a behavioral profile by cross-referencing sources to sell them something they never looked for is not. And if you rely on legitimate interest, document that balancing exercise in writing: accountability is precisely about being able to demonstrate how you made the decision.

A practical rule we give our clients: if you are torn between consent and legitimate interest, ask for consent. It is more expensive in volume and much cheaper in risk.

Email marketing: consent separated by purpose and an unsubscribe that works

The most common mistake in Chilean email marketing is mixing purposes into a single acceptance. Checkout asks you to accept the terms and, hidden inside that same box, sits the authorization to receive promotions, to share the email address with commercial partners and to profile purchasing behavior. That does not survive a complaint: if consent has to be specific, the clean way to obtain it is one box per purpose.

Concretely, accepting the purchase and accepting promotional emails are two different decisions. The first rests on the commercial relationship the person themselves sought out; the second needs its own basis and its own evidence. Mix them and you are left unable to demonstrate the second one, which is exactly the one you use to do marketing.

Withdrawal is the other half of the equation, and it is the half that is visible from the outside fastest. Withdrawing consent must be as easy as giving it: if signing up was one click, unsubscribing has to be one click. An unsubscribe link that requires logging in, that asks for a national ID number, that opens a five-field form or that simply does not process the request is the kind of problem anyone can document with a screenshot.

And effective means genuinely effective: the unsubscribe must propagate to every tool, not just the list where the click happened. If the contact leaves your email platform but stays alive in the CRM and comes back in the next sync, you have not unsubscribed anyone.

  • A separate box per purpose: promotions, third-party communications, profiling.
  • Boxes always unticked by default and written in plain language, not legal jargon.
  • Record what was accepted, when, from where and with what text on screen. That is your evidence.
  • A visible unsubscribe link in every send, with no login and no artificial friction.
  • Propagate the unsubscribe to every system and honor it in your advertising audiences too.
  • Double opt-in is the cleanest way to prove the sign-up was real: it is not the only one, but it is the one that holds up best.

Cookies, trackers and digital advertising

Your website is the point where you collect the most data without anyone noticing. Analytics cookies, advertising platform pixels, heat maps, device identifiers: when those technologies make it possible to identify a person or build a profile, they are processing personal data and they need a lawful basis. For everything that is not strictly necessary for the site to function, the reasonable approach is to ask for consent, and to ask before activating the tracker, not after.

The pattern we recommend is well known: a banner that appears before anything optional loads, accept and reject options on equal footing, choice by category, a linked cookie policy, a record of the decision and a preference center to change it later. A banner with a single accept button, or one that loads pixels while the person is still reading, hardly holds up as freely given consent.

In advertising there is a point that often gets overlooked: custom audiences. When you upload your customer list to an ad platform to build lookalike audiences or run remarketing, you are disclosing personal data to a third party for an advertising purpose. That needs its own lawful basis and its own transparency. It is not enough that the person gave you their email address to receive an invoice.

Profiling, segmentation and loyalty: transparency and ARSOP rights

Loyalty programs are profiling machines, and it is worth saying it in those words. They record what you buy, how often, at what time, at which branch and with which payment method, and from that they build a behavioral profile that then feeds segmentation. All of that is personal data processing and it needs a declared purpose, a lawful basis and clear information for the data subject.

The critical point is transparency. Someone who signs up for your rewards club usually understands that they are earning points; they rarely understand that their history is used to predict their next purchase, adjust offers or feed advertising audiences. If that is happening, it has to be said at sign-up, in language people understand, and not buried in clause twenty-three.

Those profiles also carry ARSOP rights. A customer can request access to the data you hold about them, rectify what is wrong, request erasure, object to processing for marketing purposes and request portability of their information. Your systems have to be able to deliver that in practice, not in theory: if your data is scattered across the CRM, the email platform, the ecommerce store and a spreadsheet someone on the team maintains, you will not be able to comply.

When profiling is intensive, cross-references sources or may significantly affect people, you should assess whether you need a Data Protection Impact Assessment (DPIA). It is the instrument the law contemplates precisely for these cases, and doing it in time costs far less than explaining it afterwards.

Purchased or third-party databases: the most expensive risk

Buying an email list or receiving one from a commercial partner is, today, one of the highest-risk practices in marketing. The problem is not acquiring it: it is that you, as the data controller, must be able to prove the lawful origin of every data point you use. And with a purchased list you almost never can.

Think of it in terms of evidence. If the Agency or a data subject asks how you obtained that email address, your answer must include who collected the data, on what lawful basis, what text the person saw when they provided it, and whether that authorization covered the message you sent as a company the data subject never chose. A file with two hundred thousand records and an invoice from the vendor answers none of those questions.

The same applies to scraping public profiles and to exchanging lists between companies in the same group or the same ecosystem. Data being accessible does not make it free to use, and two companies sharing an owner does not make them a single entity for data protection purposes.

Our recommendation is direct: audit the origin of every segment of your list before December 2026. If you cannot document where a set of contacts came from and what they authorized, do not use it. A clean, smaller list is worth more than a large, indefensible one.

Your platforms are processors: the processing agreement and how to bring marketing into compliance

Your email platform, your CRM, your automation tool, your analytics vendor and your advertising platforms process personal data on your behalf. In the language of the law, they are data processors and you are the controller. That relationship has to be put in writing: the agreement we recommend sets out purposes and instructions, security measures, use of sub-processors, confidentiality, cooperation with ARSOP requests and with breaches, and what happens to the data when the service ends.

Delegating execution does not delegate responsibility. If your email vendor suffers a breach and your list is leaked, the one who answers to the Agency and to your customers is you. That is why the contract matters: it is the instrument that lets you demand compliance, and also demonstrate that you acted diligently.

Bringing marketing into compliance is a contained project if it is organized well. These are the steps we follow with our clients.

  • Take a real inventory: what lists, segments and tools exist, including the ones someone on the team maintains on their own.
  • Map purpose and lawful basis for each use. If it is legitimate interest, document the balancing exercise in writing.
  • Redesign your forms and your checkout with consent separated by purpose and unticked boxes.
  • Audit the origin of your list and set aside whatever you cannot prove. What is indefensible does not get sent.
  • Fix the unsubscribe: one click, no friction, propagated to every system and honored in your advertising audiences.
  • Implement a cookie banner by category that blocks analytics and marketing until consent is obtained.
  • Sign processing agreements with every platform and review where the data is hosted.
  • Add your marketing processing activities to the Record of Processing Activities (RAT) and assess whether any profiling requires a DPIA.
  • Define the response flow for ARSOP requests and the breach notification protocol, with the DPO or the internal owner as the point of contact.

Would your marketing survive an inspection?

We review your list, your forms, your consent flows and your platform contracts, and leave you with a concrete plan to reach December 2026 in compliance, without slowing down your campaigns. Start with a 30-minute assessment, no strings attached.

Schedule an assessment

Frequently asked questions

Can I keep emailing the list I already have?

It depends on the lawful basis you built it on and on whether you can prove it. If you have a record of freely given, informed, specific and unambiguous consent that covers sending commercial communications, yes. If the contacts came in through a pre-ticked box, mixed in with the acceptance of terms, or you have no record at all of what they authorized, that part of the list is indefensible: the sensible move is to re-contact those people and obtain valid consent before full enforcement begins on December 1, 2026.

Can I rely on legitimate interest for direct marketing?

It may apply in certain cases, but it is not a shortcut. It requires a genuine balancing between your commercial interest and the rights, expectations and freedoms of the data subject, and that balancing has to be documented. The more invasive the processing and the less the person expects it, the harder it is to sustain. For direct marketing, consent remains the safest basis, and the data subject always retains the right to object.

I bought a database a while back. What do I do with it?

The critical point is that you must be able to prove the lawful origin of the data: who collected it, on what basis, what the person was told and whether that authorization covered messages from your company. If the vendor cannot hand you that evidence, you do not have it. In that scenario the recommendation is not to use those contacts for marketing, because the sanction and reputational risk outweighs any return you could reasonably expect from the campaign.

Do I need a contract with my email or advertising platform?

Yes. Those platforms process personal data on your behalf, so they act as data processors and you remain the controller before the Agency and before your customers. Put the relationship in writing and cover purposes and instructions, security measures, sub-processors, confidentiality, cooperation with ARSOP requests and breaches, and what happens to the data when the service ends. Many international vendors offer a standard addendum, but it has to be reviewed and signed, not assumed to apply on its own.

You may also be interested in

Web

Cookies and web consent under Law 21.719

Lawful bases

Lawful bases and consent: when you need it

Essential guide

Data Protection Law in Chile: the complete guide

Next step

Is your company ready
for December 2026?

A no-obligation 30-minute assessment.

Request an assessment