Reforming Personal Data Governance in Peru: Proportionality Constraints and the Right to Rectification Against Unsolicited Communications

Table of Contents

In the Southern Hemisphere in Lima and the misty highlands of Cusco, where ancient Incan wisdom meets the relentless pulse of digital commerce, Peru is quietly rewriting the rules of the data game in LatAm. It’s a pivot long in the making—one that transforms the country’s Personal Data Protection Law from a well-intentioned relic into a robust shield against the encroachments of the surveillance economy. On the heels of 2025’s sweeping amendments, Peru isn’t just catching up to global privacy heavyweights like the EU’s GDPR; it’s carving out a distinctly Andean path, one that marries proportionality with the raw right to say “no” to the spam deluge. This isn’t mere legalese—it’s a declaration of digital sovereignty for a nation on the cusp of explosive tech growth.

At the epicenter of this shift stands Law 29733, Peru’s foundational privacy statute from 2011, now supercharged by recent regulatory tweaks and congressional actions. The star of the show? The explicit codification of the proportionality principle in personal data processing. No longer can companies treat data as an all-you-can-eat buffet; under the new regime, every collection, every analysis, every share must be strictly necessary, adequate, and relevant to a clearly defined purpose. Imagine a bank hoarding your shopping habits to “assess risk”—proportionality slams the door on that overreach, demanding evidence that such intel is truly essential, not just convenient. This principle, drawn from international best practices but tailored to Peru’s vibrant informal economy, ensures that data serves people, not the other way around.

But the real crowd-pleaser—and a balm for weary inboxes—is the fortified right to avoid unsolicited communications. Peru’s Congress, in a bold stroke via amendments to the Consumer Protection Code (Law No. 32323), has expanded bans on intrusive telemarketing. Call centers peddling dubious loans? Out. Automated robocalls blasting promotions at dawn? History. Bulk SMS campaigns without ironclad opt-in consent? A thing of the past. Effective from mid-2025, these measures combat the spam epidemic that’s plagued Peruvian consumers, where aggressive tactics from fintech startups and e-commerce giants have eroded trust faster than a coastal El Niño. Now, individuals wield a statutory “do not disturb” button, with the National Authority for the Protection of Personal Data (ANPD) poised to enforce it through fines that sting—up to PEN 2.7 million for repeat offenders, as seen in 2023’s enforcement spree.

These changes arrive not a moment too soon. Peru’s digital economy is booming: e-commerce surged 30% in 2024, fueled by widespread smartphone adoption and remittances from abroad. Yet, this growth has shadows—data breaches at major retailers, unchecked profiling by ad networks, and a Wild West vibe in app-based services. The amendments address these head-on, mandating clearer notice requirements and bolstering accountability for data controllers. Businesses must now conduct proportionality assessments before launching new initiatives, akin to a privacy impact statement but leaner, more actionable for SMEs that dominate Peru’s market. For the ANPD, it’s a mandate to evolve from reactive watchdog to proactive guardian, with new guidelines on international transfers and AI-driven processing on the horizon.

Zoom out, and Peru’s pivot resonates beyond its borders. In Latin America, where Brazil’s LGPD and Mexico’s federal law set the pace, Peru’s emphasis on consumer-centric tweaks stands out. Unlike the EU’s one-size-fits-all fines, Peru’s approach feels grounded—proportionality here isn’t abstract; it’s a cultural fit for a society valuing community over unchecked individualism. Yet, challenges loom: enforcement capacity strains under budget cuts, and cross-border data flows with U.S. partners (think remittances via Western Union) demand harmonization. For global firms eyeing Andean expansion, this means auditing local ops now—swapping blanket consents for granular ones, integrating “no-spam” toggles into apps, and viewing compliance as a competitive edge in a trust-starved market.

The Proportionality Principle: A Scalpel for Data Excess

Dive deeper into proportionality, and you’ll find a principle that’s equal parts philosophy and pragmatism. Rooted in Peru’s 2011 law but now front-and-center in 2025 regulations, it requires data processing to be “limited to what is necessary” for the stated goal. This isn’t vague virtue-signaling; the ANPD’s forthcoming circulars spell it out: Collect only what’s indispensable, retain it no longer than needed, and delete it securely when done. For sectors like healthcare—where telemedicine apps exploded post-pandemic—this means ditching extraneous biometrics if a simple ID suffices. Violations? Expect audits and penalties scaled to harm caused, fostering a culture where data minimization isn’t optional, it’s operational DNA.

Critics might cry overregulation, but in Peru’s context, it’s restorative justice. Informal vendors, who handle cash transactions without digital trails, have long been data outsiders; now, the law levels the field by curbing big players’ appetites. It’s a nod to equity, ensuring that the digital divide doesn’t widen into a chasm of unequal surveillance.

Silencing the Spam Symphony: The Unsolicited Communications Ban

Ah, the unsolicited call—the digital equivalent of a door-to-door salesman at siesta time. Peru’s amendments turn the volume down to zero, extending prohibitions to include AI-voiced pitches and predictive dialing systems. Consumers can unregister via a national portal, much like the U.S. Do Not Call list, but with teeth: opt-outs must be honored within 48 hours, and persistent violators face class-action friendly remedies. This isn’t anti-business; it’s pro-relationship. Marketers, rejoice—focus shifts to value-driven engagement, like personalized newsletters born from explicit consents, boosting loyalty in a savvy, spam-weary populace.

Enforcement will be key. The ANPD, fresh off 2023’s PEN 2.7 million in fines for breaches, now collaborates with Indecopi (the consumer watchdog) for hybrid probes. Early wins? Pilot programs in Lima have slashed complaint volumes by 40%, hinting at a quieter, more respectful digital dialogue.

Beyond Borders: Peru’s Place in the Global Privacy Tapestry

Peru’s reforms ripple regionally. As Latin America’s third-largest economy, its model could inspire neighbors grappling with similar spam plagues and data hunger. Globally, it aligns with the OECD’s privacy guidelines, positioning Peru for adequacy talks with the EU—a boon for exporters in agribusiness and mining. But hurdles remain: harmonizing with Brazil’s stringent LGPD for Mercosur trade, or navigating U.S. CLOUD Act tensions in cloud storage.

For innovators, this is opportunity disguised as obligation. Peruvian startups in fintech and agritech can lead with “privacy by design,” attracting ethical investors and eco-conscious consumers. Imagine drone-delivered produce tracked with minimal data footprints—proportional, precise, Peruvian.

As the sun sets over Machu Picchu’s timeless stones, Peru’s privacy pivot reminds us: In the data age, true progress isn’t measured in terabytes amassed, but in rights reclaimed. These amendments aren’t the end of the trail—they’re a high-altitude launchpad. Businesses, adapt or altitude-sicken; citizens, claim your vista. The view from here? A freer, fairer digital horizon.

Written by: 

Online Privacy Compliance Made Easy

Captain Compliance makes it easy to develop, oversee, and expand your privacy program. Book a demo or start a trial now.