There are no laws or legislation that specifically regulate the digital economy in Colombia. However, many of the statutes regulate certain aspects of it, namely the Telecommunications, Media and Technology Statue (Law 1341); the Law on E-Commerce (Law 527); the Consumer Protection Statute (Law 1480), recently amended by Law 2439 of 2024; and the Law for the Protection of Personal Data (Law 1381). Furthermore, on 1 January 2024, new requirements and tax regulations applicable to digital services were introduced.

The main challenges for Colombia in the implementation of different digital economies have been identified by the Ministry of Information Technologies and Communications (the “ITC Ministry”) in the National Digital Strategy (NDS) for 2023–26. Challenges include enhancing internet connectivity and infrastructure, promoting its use, especially by small businesses, and providing public education programmes for the implementation of new technologies.

From a legal perspective, it is important to highlight the regulation on data privacy and cybersecurity, as ensuring compliance with data protection laws, particularly in relation to cross-border data transfers and cyberthreats, remains a significant challenge considering that Colombia is a consent-based jurisdiction where “legitimate interest” is in principle not valid ground for data processing. Exceptions to the “consent-based” approach are limited and refer to the processing of personal data for the protection of health or life of the data subject, certain financial transactions and processing by competent authorities. Foreign authorities are not deemed competent for the purposes of this exception.

The rapid advancement of technologies such as AI and blockchain has compelled the government to seek regulatory measures. Since 2022, seven bills addressing various aspects of AI have been submitted to Congress. Nonetheless, Congress has not yet passed regulation on AI matters as of the date of this publication.

Finally, the definition of “telecommunications network or service” is broad and challenging to interpret for emerging services such as AI, blockchain and cloud computing. Colombian regulations require local entities that supply (ie, invoice) telecom networks or services to be registered with the ITC Ministry and to pay fees and royalties.

The law does not specifically regulate the offering or rendering of services from abroad by suppliers that have no local presence, or have only a limited local presence (eg, sales, marketing, customer support). However, the law prohibits rendering telecommunications services locally without fulfilling the registration requirements.

The tax treatment of digital services and goods in Colombia depends on the type of service provider and the type of service.

Value Added Tax (VAT)

Digital services provided by local or non-resident providers to Colombian consumers are subject to 19% VAT, except for cloud computing services, which are excluded. VAT is generally collected by filing VAT returns and making payments via local banks. When extraterritorial VAT applies, Colombian consumers who qualify as VAT collectors must use the reverse charge mechanism to withhold and remit 100% of the tax.

Income Tax

Since 1 January 2024, foreign digital service providers with a significant economic presence (SEP) in Colombia have been subject to income tax. These taxpayers can choose to pay the tax by either:

• using the application of the withholding tax (WHT) system, where a 10% WHT is applied to payments or accruals for Colombian users/customers; or
• registering in Colombia and filing the corresponding income tax, which is 3% on the gross income earned from sales to Colombian customers/users.

Other Taxes

Additional taxes may apply depending on the type of service provided. Here, the main challenges are as follows:

• tax instructions are not available in full in English, instead being published in Spanish – this could pose a challenge to foreign service providers;
• the Colombian tax system, especially its website and user platform, is cumbersome;
• all tax obligations must be paid in Colombian pesos, leading to exchange rate issues and contingencies;
• information requests to non-resident providers do not consider data sharing restrictions applicable in the incorporation jurisdiction, nor that foreign service providers may not have such information, as they are not required to request it in the first place under their legislation; and
• not all tax payments can be made to an international bank account – some obligations need to be paid locally through local banks.

The tax treatment of digital advertising is the same as the tax treatment of digital services.

Ensuring compliance with tax laws related to digital advertising in Colombia involves several important steps:

• knowing your tax obligations – understanding Colombian law and possible tax implications;
• consulting with tax professionals – engaging with local tax advisors or legal experts who are familiar with Colombian tax laws and can provide guidance on compliance requirements and help navigate complex tax regulations;
• registering with tax authorities (if applicable) – this registration is necessary for filing tax returns and making tax payments;
• choosing the appropriate tax payment method – depending on the tax obligations, taxpayers may have payment options;
• Filing and paying taxes on time – ensuring timely filing of tax returns and payment of taxes; and
• maintaining accurate records and supporting documentation – keeping detailed records of all transactions and interactions with the Colombian market, where this documentation is crucial for compliance and for responding to any inquiries from tax authorities.

In Colombia, the consumer protection statute (Law 1480 of 2011) governs the sale of products or provision of services within the country. This law applies when the purchaser, whether an individual or a corporation, acquires goods or services for personal use or for purposes unrelated to their primary commercial activities.

General consumer rights for digital services are outlined in the statute. Additionally, Law 1341 of 2009, known as the “TMT framework statute”, provides specific regulations regarding rights and obligations related to telecommunications, media, and technology (TMT). As previously mentioned, consumer rights within the digital economy are governed by the general consumer regulation. Therefore, compliance with consumer rights in the digital economy in Colombia is guaranteed by complying with the general consumer regulation.

A recent amendment to the consumer protection regulation, enacted through Law 2439 of 2024, incorporates new provisions specifically applicable to e-commerce. This amendment addresses previously unregulated aspects that have adversely impacted consumers. Companies operating within the digital economy sector should be particularly mindful of the following specific aspects.

• For e-commerce activities, it is crucial to provide accurate information about the products or services offered and the conditions applicable to their purchase. It is essential to adhere to the timeframes for exercising the consumer’s right of withdrawal and ensuring they receive a refund of the amount paid.
• Special attention should be given to failures in digital payment systems and the reimbursement of these payments.
• It is also important to be particularly vigilant regarding issues that compromise commitments related to the shipping and delivery of products.
• Providing direct contact channels for consumers to file complaints or comments is imperative.
• Prices should be listed in Colombian pesos, inclusive of taxes.
• It is important to note that the producer, distributor and retailer are jointly and severally liable to the consumer, and limitations of liability are not enforceable against the consumer.
• The “contact portal” is defined as a platform that solely serves as a marketplace (ie, connects buyers and sellers) without any influence or control over any terms of sales. Platforms not considered contact portals are jointly liable along with the seller vis-à-vis the consumer protection authority (the Superintendence of Industry and Commerce; SIC).

Regarding the TMT sector, the most important practice is to enable channels for timely response within the deadlines set in the regulation. In the TMT sector, four particular problems are frequently seen in relation to consumers:

• delays in the process of changing TMT operators;
• unauthorised charges by TMT operators for additional services (eg, cloud services, subscriptions to streaming platforms);
• unauthorised advertising calls/messages or calls at times that are not allowed by the regulation; and
• unauthorised transfer of consumers’ personal data for advertising purposes.

Internal mechanisms aimed at preventing these problems may help mitigate TMT consumer risks in Colombia.

In Colombia, the legal framework does not encompass specific provisions regarding the purchase and sale of crypto-assets and has not yet altered the regulatory outlook for the TMT sector. This regulatory gap permits the trading of crypto-assets via various digital platforms with minimal complications. As a result, the TMT sector can utilise cryptocurrencies for transactions, investments and innovative business models with relative ease.

Nevertheless, certain regulatory measures exist. Companies under the supervision of the Superintendence of Companies that accept or conduct transactions involving crypto-assets are subject to enhanced scrutiny. This oversight ensures adherence to anti-money laundering (AML) and combating the financing of terrorism (CFT) regulations. The lack of specific regulations offers a flexible environment for the TMT sector to explore and integrate cryptocurrency technologies, potentially fostering increased innovation and the adoption of blockchain solutions within the industry. However, it also necessitates that companies navigate the broader regulatory landscape, including tax obligations and AML/CFT requirements, to maintain legal compliance.

In Colombia, the regulatory privacy framework for cloud and edge computing aligns with the General Data Protection Law (Law 1581 of 2012), which establishes the primary principles and obligations for entities handling personal data, including cloud service providers. Additionally, Decree 1377 of 2013 governs the handling of personal data, requiring companies to obtain explicit consent from individuals before collecting, storing or utilising their personal data. These regulations collectively form the core regulatory body overseeing all personal data processing within Colombian territory.

It is important to note that in Colombia, “processing” encompasses the use, collection, transfer, deletion and storage of personal data, as broadly interpreted by the SIC. Consequently, methods such as using cookies or data scraping on devices in Colombia are deemed as processing, thereby invoking all relevant obligations for the controller, even if no further processing occurs locally or by a local entity. Foreign technology companies with minimal or no local presence have been subject to administrative orders to comply with local laws (eg, modifying privacy policies, registering databases, providing a local point of contact for data subjects), although no sanctions have yet been imposed for non-compliance by foreign parties.

Specific regulations for cloud computing include External Circular 005 of 2019, issued by the Financial Superintendence of Colombia (Superintendencia Financiera de Colombia; SFC), which delineates rules for the use of cloud computing services by financial institutions covering the requirements for risk management, data security and reporting obligations. Furthermore, Decree 338 of 2022 offers guidelines for digital security, identifying critical cyber infrastructures and managing risks associated with digital services.

The SIC has issued several guides related to the processing of personal data in digital environments, including the Security Guide for the Processing of Personal Data, the Security Incident Management Guide, the Guide for the Processing of Personal Data for E-commerce Purposes, the Guide for the Processing of Personal Data for Cloud Computing Services, the Personal Data Protection Officer’s Guide and the Guide for Keeping Personal Data Secure in the Digital Environment. These guides encompass obligations and recommendations derived from the aforementioned laws, tailored to specific sectors.

Certain regulated industries, such as banking and insurance, are subject to more stringent regulations regarding the use of cloud computing services. Financial institutions must adhere to the specific requirements outlined in External Circular 005 of 2019, which mandates rigorous risk management and data security measures. Similarly, insurance companies are required to comply with regulations ensuring the security and confidentiality of customer data when utilising cloud services. These additional regulations are intended to protect sensitive financial information and maintain the integrity of the financial system.

There are several other specific issues concerning the processing of personal data in the context of cloud computing in Colombia. One critical issue is data localisation, where companies must ensure that personal data processed in the cloud adheres to Colombian data protection laws if collected locally, regardless of whether the data is stored on servers located outside Colombia. Ensuring the security and privacy of personal data in the cloud is essential, and the controllers of the data must implement robust security measures, such as encryption and access controls, to safeguard it from unauthorised access and breaches. Data controllers must also obtain explicit consent from individuals before processing their personal data in the cloud and be transparent about how the data will be used, ensuring it is only used for the purposes for which consent was given, and execute data transmission/transfer agreements if required.

In Colombia, the regulatory framework for AI is currently under development. As of now, there is no specific legislation governing AI, but several regulatory bills are under discussion. Notably, Bill 059 of 2023 has been introduced to establish legal guidelines for the development, use and implementation of AI. This bill primarily aims to create policies for data protection, intellectual property (IP) rights and a code of ethics for AI usage. Additionally, it mandates that any AI-related proposals be registered with the Ministry of Science, Technology, and Innovation.

Colombia is currently examining regulatory measures to protect individuals’ likenesses and moral rights in the context of deepfake technologies. The nation faces considerable challenges in association with deepfakes, particularly regarding their potential to disseminate misinformation and influence elections. Although specific legislation has not yet been enacted, ongoing discussions are focused on criminalising the creation and distribution of deepfakes, holding social networks responsible for their content, and balancing these actions with freedom of speech protections. There are some precedents from the Colombian Constitutional Court regarding the liability of social media companies for certain content posted on their platforms, mandating that they apply more robust procedures to address complaints and mitigate risks at an early stage.

In the transportation sector, Colombia currently lacks specific legislation governing AI applications such as self-driving cars, commercial drones and drone delivery services. The discourse surrounding technology within the transport sector has not yet evolved to address these areas. Presently, discussions are focused on how digital transportation platforms should be regulated. Platforms like Uber, Cabify and Didi are under investigation for potential anti-competitive practices, as they operate similarly to taxis without adhering to regulatory permits.

Several key elements are pertinent to AI regulation in Colombia, including transparency, data protection, IP and fundamental rights. Transparency is essential to ensure that AI systems are comprehensible and accountable. Data protection laws, specifically Law 1581 of 2012, are applicable to AI systems handling personal data, thereby ensuring adherence to privacy standards. IP rights are also an area of focus, with ongoing efforts to safeguard innovations in AI and all information and images reviewed by AI, which fall under the IP regime. Lastly, the deployment of AI technologies must uphold fundamental rights, including privacy and freedom of expression.

Colombia does not have specific machine-to-machine (M2M) communications or internet of things (IoT) legislation, but the general existing data protection and telecommunications regulations provide a framework for the responsible deployment of these technologies, as stated in the foregoing.

In Colombia, companies deploying IoT solutions face some compliance challenges. One of the primary challenges is ensuring data protection and privacy. Under Law 1581 of 2012, companies must obtain explicit consent from data subjects before collecting and processing their personal data. This requirement can be complex when dealing with IoT devices that continuously collect data locally but with no further processing occurring in Colombia. Companies must also implement robust security measures to protect data from breaches and unauthorised access, which can be technically demanding. Additionally, a problem related to the international transfer of personal data is ensuring compliance with Colombia’s stringent data protection laws. Law 1581 of 2012 and Decree 1377 of 2013 impose restrictions on transferring personal data to countries that do not provide an adequate level of data protection. Companies must obtain explicit and unequivocal consent from data subjects for such transfers, with blanket consents granted at the time of collection being invalid. This can complicate global IoT deployments.

Regarding the regulatory framework for telecommunications, the Communications Regulation Commission (CRC) and the ITC Ministry oversee telecommunications services, including those used by IoT devices. Resolution CRC 5968 of 2020 particularly applies to IoT and M2M communications. This resolution establishes the administration of identification resources for mobility services provided by telecommunications operators. It assigns a specific range of numbers for M2M and IoT services, ensuring that these devices are properly identified and managed within the telecommunications network. This regulation helps streamline the integration of IoT devices into existing networks and ensures that they operate within a standardised framework.

From an AML and CFT perspective, companies also face compliance challenges. Colombian regulation requires companies to implement comprehensive AML/CFT measures, such as conducting business-wide risk assessments, performing customer due diligence and reporting suspicious transactions to the Financial Information and Analysis Unit (Unidad de Información y Análisis Financiero; UIAF). For IoT deployments, this means ensuring that IoT devices and platforms are not used to facilitate money laundering or terrorism financing activities. Companies must integrate AML/CFT compliance into their IoT governance frameworks.

In Colombia, the primary legal framework governing data protection and sharing is established by Law 1581 of 2012 and Decree 1377 of 2013. Key requirements for data sharing include the following.

• Obtaining consent: IoT companies must obtain explicit consent from data subjects before sharing their personal data with external processors or controllers.
• Data processing agreements: When sharing data with third parties, companies must have data transfer agreements (with external controllers) or transmission agreements (with external processors) in place to ensure compliance with data protection laws. Data transmission refers to the sharing of personal data between a data controller and a data processor, either within Colombia or internationally, who is responsible for processing the data on behalf of the data controller. Data transfer, on the other hand, refers to the sharing of personal data between a data controller and another data controller, who is responsible for processing the data and applying his or her own privacy policy.

The aforementioned data sharing requirements apply to all companies that process personal data, regardless of their size or sector. Note that processing personal data is defined as any operation or set of operations performed on personal data, such as collection, storage, use, circulation or deletion.

Colombia has heightened requirements for specific categories of data, particularly sensitive data and data concerning minors.

Sensitive data in Colombia is defined under Law 1581 of 2012 as any data that affects the privacy of the data subject or whose improper use might cause discrimination. This includes information revealing racial or ethnic origin; political orientation; religious or philosophical beliefs; membership of trade unions, social organisations or human rights organisations; and data related to health, sexual life and biometrics. The processing of sensitive data is subject to stricter regulations, being generally prohibited except in specific circumstances. These exceptions include when the data subject has given explicit authorisation, when the processing is necessary to protect the vital interests of the data subject and when the data is processed for historical, statistical or scientific purposes, provided that adequate measures are taken to anonymise the data.

Data concerning minors is also given special protection under Colombian law. A minor is defined as any person under the age of 18. The processing of personal data of minors is generally prohibited unless it is necessary to protect the minor’s fundamental rights. In such cases, consent must be obtained from the minor’s parents or legal guardians. Furthermore, the opinions of minors should be considered when processing their data, and additional safeguards must be in place to ensure their data is handled with the utmost care.

In Colombia, the main requirements for providing audiovisual media services, such as TV and radio, are governed by regulations and overseen by key regulatory bodies including the National Television Authority (Autoridad Nacional de Televisión; ANTV) and the ITC Ministry. These requirements ensure that media outlets operate within legal and regulatory frameworks to maintain content standards and protect public interests.

Broadcasters must adhere to content regulations that prohibit harmful or misleading content and ensure programming meets appropriateness criteria for different audiences. These regulations are outlined in Law 182 of 1995, which establishes the general framework for television services including content standards. Compliance with technical standards for broadcasting quality and signal transmission is also mandatory. These standards are specified in various technical regulations issued by the ITC Ministry and the ANTV to ensure high-quality service delivery.

The requirements for traditional audiovisual media services do not extend to video-sharing platforms and streaming platforms. Currently, there is no specific regulation for these new streaming services. These platforms must comply with the general regulations related to content, advertising and data protection set forth in the data protection regulation and the data privacy regulation.

However, a recent modification to Article 20-3 of the Colombian Tax Code levies income tax on a supplier of digital services that has an SEP in Colombia. SEP is understood to apply when:

• a deliberate and systematic interaction is maintained in the Colombian market, that is, with customers and/or users located in the national territory; and
• the person concerned obtains gross income of 31,300 tax units (approximately USD250,000) or more in the taxable year for transactions that involve the sale of goods and services with customers and/or users located in the national territory.

In turn, a “deliberate and systematic interaction” occurs if:

• a non-resident person or entity not domiciled in the country maintains a marketing interaction or deployment with 300,000 or more users or customers located in Colombian territory during the previous or current taxable year; or
• the person or entity not domiciled in the country maintains the possibility of viewing prices in Colombian pesos or allows payment therein.

Only the following activities and digital services provided from abroad are captured by SEP measures:

• online advertising services;
• digital services, whether online or downloadable, including mobile applications, e-books, music and movies;
• free streaming services including television programmes, movies, music, multimedia, podcasts and any other form of digital content;
• any form of monetisation of the information and/or data of users located in the national territory generated by the activity of said users in the digital market;
• the online services of intermediary’s platforms;
• digital subscriptions to audiovisual media including, among other types, news, magazines, newspapers, music, videos and games of any kind;
• the administration or management of electronic data including web storage, online data storage, file sharing services or cloud storage;
• the use or licensing of standardised or automated online search engines, including custom software;
• the provision of the right to use or exploit intangibles;
• other electronic or digital services for users located in the national territory; and
• any other service provided through a digital market for users located in the national territory.

In Colombia, the scope of local telecommunications rules encompasses a wide range of technologies and services, and includes companies offering telecommunication networks and telecommunication services (proveedores de redes y servicios de telecomunicaciones; PRSTs). These include traditional telecommunications activities such as fixed and mobile telephony, internet services and broadcasting, as well as newer technologies like voice over Internet Protocol (VoIP), satellite communications and various forms of data transmission and processing. The primary legal framework governing these services is established by Law 1341 of 2009, which was updated by Law 1978 of 2019 to modernise the telecommunications sector.

Supply of telecommunications networks is defined in local regulations as the supply to third parties of nodes and links, whether physical, optical or digital, that allow the sending, transmitting or receiving of any kind of information. Supply of telecommunications services is defined as the supply to third parties of services that allow the sending, transmitting or receiving of any kind of information through telecommunications networks, whether proprietary or owned by a third party.

Colombian telecommunications regulations require that all PRSTs register in the ITC registry managed by the ITC Ministry. This registration enables the general provision of telecommunications services in the country. If a PRST also plans to make use of the spectrum in the provision of its telecommunication services, a specific authorisation must be obtained through an application to the ITC Ministry in accordance with the technical requirements and specifications set forth in Resolution 376 of 2022 of the ITC Ministry.

The regulation does not require specific security standards to be met by PRSTs; it only describes a general mandate to ensure digital security.

In Colombia, net neutrality is governed by Law 1450 of 2011 (National Development Plan 2010–14), which introduced the principle of net neutrality, and Resolution 3502 of 2011 issued by the CRC.

Net neutrality regulations in Colombia require internet service providers (ISPs) to treat all internet traffic equally, without discrimination, restriction or interference, regardless of the sender, receiver, content, application or service. ISPs must provide clear and detailed information to consumers about their internet service plans, including any traffic management practices and their impact on service quality. Additionally, ISPs are mandated to ensure a minimum quality of service for all users, preventing practices that could degrade or impair internet access. Users have the right to access, use, send, receive or offer any content, application or service over the internet, as long as it is legal.

The impact of the application of this mandate is not yet known, as there is no relevant case law related to net neutrality. The studies conducted so far by the CRC have focused on the application of this principle through the apps included in mobile service plans (such as those of social media platforms and streaming platforms, and messaging apps). However, such studies have only been done as part of sectorial studies, not as part of investigations.

The deployment of 5G and IoT technologies requires compliance with new and evolving regulations, including spectrum allocation licences and infrastructure sharing among TMT service providers. The auction for TMT operators for the deployment of 5G technology began at the end of 2023 and involves significant infrastructure investment commitments over the next 10 years.

AI integration further complicates the landscape. In Colombia, External Opinion No 002 of 2024, issued by the SIC, provides orders on the processing of personal data in AI systems, which includes the obligation to perform a personal data impact assessment and an evaluation regarding the mitigation of the risks identified. The Opinion also states that publicly accessible information is not, per se, public data. Thus, personal data administrators may not process private, semiprivate or sensitive data available online without the data subject’s prior, explicit and informed consent.

Organisations entering into technology agreements in Colombia must comply with the general regulation on data protection laws, cybersecurity requirements and sector-specific regulations if they are to be considered PRSTs.

Based on the foregoing, explicit informed consent is required prior to the processing (including collection) of personal data, as well as for data transfers. A privacy policy must be available in Spanish for consent to be informed, and thus valid.

Regarding consumer protection, the general statute includes the obligation to provide full, clear and understandable information to consumers. Furthermore, regulated services such as banking and financial services have specific consumer protection obligations. Price revisions are allowed as long as the consumer is notified prior to the change taking effect and is given an option to opt out of the new service terms.

To secure adequate terms in telecommunications service agreements, companies should first ascertain current market rates for comparable services to guarantee competitive pricing in compliance with competition rules.

Emphasising flexibility is also crucial, as shorter contract durations allow for the adaptation to technological advancements and regulatory changes.

When entering interconnection agreements, TMT companies should ensure compliance with local and international regulations governing interconnection, including those related to data privacy and security. Note that Colombian telecommunications regulations require that all PRSTs register in the ITC registry managed by the ITC Ministry. This registration enables the general provision of telecommunications services in the country.

In Colombia, the legal framework for trust services, electronic signatures and digital identity schemes is well-established. Trust services are regulated by the SFC, which oversees the entities authorised to offer these services.

Colombian law sets out a number of legal duties for trustees, which cannot be delegated to third parties or waived. These duties include the following:

• trustee activities must be carried out in a diligent manner;
• assets must be segregated;
• assets in a trust must be managed in accordance with a trust agreement;
• trustees must act on behalf and for the benefit of the beneficiaries;
• trustees must consult the SFC when in doubt about their duties or when they deem it necessary to act against the instructions set out in the trust agreement;
• trustees must make every effort to maximise a trust’s profitability;
• upon the trust’s termination, trustees must transfer the assets to the final beneficiary set out in the agreement; and
• trustees must report accounts at least every six months.

In turn, electronic signatures are governed by Law 527 of 1999, which provides the basis for their use and enforceability. This law distinguishes between electronic signatures and digital signatures, with the latter requiring a digital certificate issued by an authorised entity.

In Colombia, a digital signature is recognised as having the same legal effects as an autograph or handwritten signature for all types of administrative, civil and judicial procedures.

For a digital signature to be considered valid, it must meet at least the following requirements:

• it must be possible to uniquely identify the person responsible for the signature;
• it must be possible to verify the authenticity of the signature at any time;
• the signature must be under the exclusive control of the person using it; and
• the signature must be linked to the signed document in such a way that any subsequent modification to the document will invalidate the signature.

According to Article 10 of Law 1554 of 2012, all companies whose economic activity is classed as the manufacture or importation of video games must submit a request for qualification before the Committee for the Promotion, Classification and Monitoring of the Use of Video Games in order to obtain a classification. Once obtained, companies must clearly, expressly and legibly indicate the classification on the front of the packaging of the video game.

This law has established two different classifications:

• open-circulation video games – includes i) educational entertainment; ii) sports; iii) competitions involving real or fictitious vehicles; iv) informative games; and v) situations of a “fantastic nature”.
• restricted-circulation video games – such games have an age classification of over 18 years because they “apologise for”, make reference to or depict i) obscene language; ii) nudity, sex or sexuality, iii) alcoholic drinks; iv) illegal drugs; v) tobacco products; vi) discrimination of any kind; vii) violence, bloodshed, weapons, human injury or death; or viii) bets involving money or property.

Although the regulation establishes that it is mandatory to make a request to the Committee for the Promotion, Classification and Monitoring of the Use of Video Games for a video game rating, there is no provision that establishes the procedure for making such a request. In practice, games use the Entertainment Software Rating Board (ESRB) classification system.

Furthermore, as the only requirement to file a request is to commercialise, distribute, sell or lease video games in Colombia, Law 1554 of 2012 does not prevent foreign companies from requesting a video game rating.

The regulation of the gaming industry is in the hands of Congress, although it has only issued Law 1554 of 2012. According to this law, the overseeing authority of the gaming industry is the Committee for the Promotion, Classification and Monitoring of the Use of Video Games, comprising the following representatives:

• the departmental, district or municipal secretary of government;
• the director of the Colombian Institute of Family Welfare, or his or her delegate;
• two representatives of the Colombian National Society of Psychology;
• two representatives of the Parents’ Association;
• two representatives of the Association of Faculties of Education;
• one representative of the Colombian Association of Psychiatry; and
• two representatives of the video game leagues of Colombia.

There are no specific examples of the enforcement of this regulation in Colombia; however, the regulation does set penalties for non-compliance. According to Article 10 of Law 1554 of 2012, companies that fail to comply with the provisions related to the classification process, and to display the classification on the front of the packaging of the video game, will be sanctioned as follows:

• first offence – a fine 50 times the current monthly legal minimum wage;
• second offence – a fine 70 times the current monthly legal minimum wage;
• third offence – a fine 100 times the current monthly legal minimum wage; and
• fourth offence – cancellation of the commercial registry and/or operating licence.

Game developers in Colombia face several common IP challenges. One of the primary issues is copyright infringement, where the unauthorised copying and distribution of games can lead to significant revenue losses. Another challenge is trademark disputes, which arise when a game’s trademark is similar to an existing one, potentially leading to legal battles and brand confusion. Additionally, patent challenges can occur, particularly when unique game mechanics or technologies are involved. Developers must also safeguard trade secrets, such as algorithms and proprietary processes, to prevent misappropriation by competitors.

Creators have several rights to protect their IP in a virtual environment. In Colombia, copyright laws provide protection for original works, including software and digital content, under Law 23 of 1982 and its amendments. This law grants creators exclusive rights to reproduce, distribute and display their works. Additionally, the SIC oversees the registration and enforcement of trademarks and patents, providing legal mechanisms to protect brand identity and technological innovations.

Thus, when dealing with digital and virtual assets, several key considerations for copyright protection arise. First, it is essential to ensure that all digital content, including graphics, music and code, is properly copyrighted to prevent unauthorised use. Licensing agreements should be clearly defined to specify how digital assets can be used by third parties. Additionally, creators must be aware of the implications of international copyright laws, especially if their content is distributed globally.

In Colombia, there is no particular legal framework governing social media; however, several general key laws and regulations apply.

Criminal Liability

Social media administrators are often asked to take part in criminal investigations in relation to the following types of user-generated content:

• false claims or accusations that another individual has committed a crime, where the poster of such content could potentially be held liable for slander and defamation;
• images or content that may lead to a crime being committed – this is considered a criminal offence by the Colombian Criminal Code;
• content that motivates, supports or promotes the publishing or exchange of child pornography; and
• any type of work protected by IP law published without proper authorisation – publication of such work on public sites may be considered an infringement of copyright and related rights.

In these cases, the social media administrator is not held liable as long as they apply sound due diligence to prevent any future occurrences. Most cases only involve a request being made for information related to the posts of the users concerned.

Constitutional Liability

Fundamental rights are guaranteed and constitutionally protected, including non-discrimination and non-defamation. User-generated content may include discriminatory material (eg, in relation to gender, race, political or religious beliefs or sexual orientation). In such scenarios, affected individuals usually file constitutional actions to defend their fundamental rights, and website operators are usually the third parties in such proceedings. In most of these constitutional actions, there is no liability for website operators as orders to take down content are usually imposed on the individuals who published the inappropriate content; however, it is possible that constitutional judges will directly order the social media owners to remove the relevant content. These decisions do not involve financial penalties, but rather only court orders to remove the offending content.

Data Privacy Liability

Under Colombian data privacy regulations, the processing of personal information (eg, identifying data, images, etc) can only be carried out if the data subject concerned grants prior, express and informed consent.

User-generated posts often include the personal data of other users, so it is important to ensure that due consent has been obtained from data subjects for the processing of their personal data – or more specifically, for the publishing of their information. Given that social media administrators, as website operators, process personal information posted by users, the consent requested by social media platforms should ideally include authorisation to process personal data, and data subjects should be informed about the applicable privacy policy, including its limitations. In this regard, the Constitutional Court has emphasised the importance of providing effective reclamation channels for users.

The Colombian Data Privacy Regulation applies to any form of personal data processing that takes place in the Colombian territory. However, the definition of “processing” in this context has been expanded by the SIC to encompass processing through the use of cookies, apps and other similar means on devices in Colombia. Consequently, the Colombian Data Privacy Regulation applies regardless of whether the data controller or processor is domiciled abroad.

In Colombia, the primary regulatory body overseeing the use of social media is the SIC. The SIC is responsible for enforcing data protection laws, including those that apply to social media platforms. Additionally, the ITC Ministry plays a role in regulating the digital environment, including social media, by setting policies and guidelines for the use of ICT. Finally, constitutional judges resolve claims pertaining to the infringement of fundamental rights filed by users against other users and/or social media administrators. The highest constitutional body is the Colombian Constitutional Court.

The SIC in particular has extensive enforcement powers to ensure compliance with data protection and consumer protection laws. These powers include:

• investigations and inspections – the SIC can conduct investigations and on-site inspections to ensure that social media platforms comply with data protection regulations, as well as send requests for information to better understand the operation of the platforms;
• sanctions and penalties – the SIC can impose fines and other penalties on social media platforms that violate data protection laws; and
• orders to cease activities – the SIC can issue orders to cease activities that are found to be in violation of the law, including the suspension of data processing activities.

A significant enforcement action was taken by the SIC against WhatsApp LLC. In May 2021, the SIC issued a mandatory compliance order to WhatsApp, requiring the company to align its data processing practices with Colombian data protection standards. This order included creating a compliant data privacy policy, implementing clear consent mechanisms (written in Spanish) and registering their databases with the national database registry.

Additionally, the Constitutional Court of Colombia issued a ruling in case T-229-20, which pertained to the blocking of a journalist on Twitter (now X) by a government account. The Court ruled that such actions interfered with the journalist’s right to access information and express themselves, emphasising the importance of freedom of expression on social media platforms.