Complete guide to Chile Law 21.719 for WordPress sites (2026)
What Chile's Law 21.719 on data protection requires from WordPress sites, what changed from the previous regime, what your site must include and how to automate compliance.
Chile’s Law 21.719 on personal-data protection replaces the older Law 19.628 with a standard much closer to GDPR. If your website processes personal data of Chilean residents (a contact form, a newsletter, a WooCommerce store), the law applies to you. This guide covers what it requires, what your WordPress site must include and how to automate most of the compliance work.
What changes with Law 21.719
| Aspect | Before (Law 19.628) | Now (Law 21.719) |
|---|---|---|
| Consent | Vague, implicit acceptable | Explicit, informed, verifiable, granular |
| Data-subject rights | Limited access and rectification | Full ARCO+ (Access, Rectification, Cancellation, Opposition, Portability) |
| Processing register | Not required | Required |
| Breach notification | Not required | Required within specified timeframes |
| Data protection officer | Optional | Required for organizations above certain thresholds |
| Penalties | Low | Significant tiered fines |
The Personal Data Protection Agency (APDP) is the new regulator.
What your WordPress site must include
1. Cookie banner with granular consent
Your site must let the visitor accept or reject cookie categories (analytics, marketing, functional). A blanket “accept all” banner is not enough.
2. Updated privacy policy
It must explicitly mention Law 21.719, the data-subject’s ARCO+ rights, response deadlines and who to contact to exercise them.
3. Separate cookie policy
A list of cookies, category, duration and provider.
4. ARCO+ workflow
The data subject can request: to see their data, correct it, delete it, object to its processing and obtain it in a portable format. You need a process (a generic email is not enough).
5. Consent log
Auditable record of what each visitor consented to and when. It must be demonstrable if the APDP asks.
6. Processing register
Inventory of what personal data you process, for what, on what legal basis and for how long.
How to automate most of it with WordPress
Doing this manually takes weeks and requires a lawyer. With serious plugins, much of it gets automated.
aGo Legal Pro (USD 9.9 / site · USD 29.9 / 3 sites) delivers out of the box:
- Cookie banner with granular categories.
- Auto-generation of Privacy Policy, Cookie Policy, Terms and Conditions aligned to Law 21.719.
- Full ARCO+ workflow with public form, tracking page and deadlines.
- Consent log with SHA-256 hashing (anti-tampering).
- Google Consent Mode v2 (you do not lose legitimate measurements).
- Pre-consent script blocking (GA, Meta Pixel, Hotjar do not load until the visitor consents).
- Multi-law: Law 21.719 + GDPR + LGPD + CCPA + PIPEDA in a single plugin.
Frequently asked questions
Does it apply if my site is small?
Yes. The law applies to the processing of personal data, not to site size. A blog with a comments form already processes personal data.
Are free plugins enough?
For a basic banner and a simple auto-generated policy, yes. For a real ARCO+ workflow, pre-consent script blocking and Google Consent Mode v2 you need the Pro version or custom development.
Are the fines high?
Yes. Law 21.719 introduces tiered fines that can be significant, especially for serious violations. The APDP has enforcement powers.
Do I need a lawyer?
For the technical implementation, no. To validate your Processing Register and handle complex cases (international transfers, breaches), yes, it is worth it.
Conclusion
Law 21.719 is not optional and generic global plugins (CookieYes, OneTrust in their free tier) do not cover Chilean ARCO+. There are two paths: implement by hand (weeks plus a lawyer) or use a specialized plugin such as aGo Legal Pro.
For specific questions, let’s talk.
Official sources