AI Law in Costa Rica: What Every Company Needs to Know in 2026

Lic. Ricardo Castillo Castillo · May 19, 2026 · 8 min read

By Lic. Ricardo Castillo Castillo · AEGIS Legal Partners · Published May 2, 2026

Most international companies operating in Costa Rica know they need a lawyer for contracts and real estate. Very few have considered what they need for their AI tools.

That gap is closing — fast. Costa Rica's data protection authority is actively enforcing Ley 8968. The EU's AI Act is creating obligations that follow companies across borders. And in a country positioning itself as a technology hub for Latin America, AI legal compliance is no longer a future concern. It is today's operational reality.

This article explains the current legal landscape for AI in Costa Rica, what it means for your company, and what you can do about it now.

The Legal Framework: Three Laws You Cannot Ignore

1. Ley 8968 — Costa Rica's Data Protection Law

Costa Rica enacted its data protection law — the Ley de Protección de la Persona frente al Tratamiento de sus Datos Personales, known as Ley 8968 — in 2011. For most of its first decade, enforcement was limited. That has changed.

The law establishes rights for individuals over their personal data and obligations for any entity that collects, stores, transfers, or processes it. Crucially, Ley 8968 applies to any company operating in Costa Rica — including international corporations with local subsidiaries, remote teams, or customers in the country.

What does this mean for AI? Any AI system that touches personal data — which is most of them — falls under this law. This includes:

  • Customer-facing chatbots that collect names, emails, or behavioral data
  • HR tools using AI to screen candidates or evaluate employees
  • Analytics platforms that profile user behavior
  • CRM systems with AI-powered recommendations
  • Any cloud service where Costa Rican personal data is processed

The supervising authority, PRODHAB (Agencia de Protección de Datos de los Habitantes), has the power to investigate, sanction, and order the suspension of data processing activities. Fines are real, and enforcement cases have increased year over year since 2021.

2. GDPR — The European Regulation That Follows You Everywhere

The EU General Data Protection Regulation does not stop at Europe's borders. If your company offers goods or services to EU residents, or monitors the behavior of people in the EU, GDPR applies — regardless of where your company is incorporated or where your servers are located.

For Costa Rica-based companies serving international markets, this is often the most significant exposure. A software company in San José with European clients, a real estate platform with German investors, a SaaS product used by French businesses: all of these are subject to GDPR.

The penalties are not theoretical. GDPR fines can reach €20 million or 4% of global annual turnover — whichever is higher. More practically, a data breach involving European users without a proper response plan can trigger regulatory investigations across multiple jurisdictions simultaneously.

3. The EU AI Act — The New Global Standard

The EU Artificial Intelligence Act entered into force in 2024 and is being implemented in phases through 2026. While it is European legislation, its extraterritorial reach — similar to GDPR — means it applies to AI systems that affect EU users, regardless of where those systems were developed or deployed.

The Act classifies AI systems by risk level:

  • Unacceptable risk: Prohibited outright (social scoring systems, real-time biometric surveillance in public spaces)
  • High risk: Subject to strict requirements before deployment (AI in hiring, credit decisions, educational assessments, law enforcement)
  • Limited risk: Transparency obligations (chatbots must disclose they are AI)
  • Minimal risk: No specific obligations (spam filters, AI-powered games)

For most companies in Costa Rica operating internationally, the practical impact is in the high-risk and limited-risk categories. If your company uses AI to make decisions that affect people — and most do — you need to know where your systems fall.

The Five AI Legal Risks Companies Miss Most

Risk 1: Using Third-Party AI Tools Without a Data Processing Agreement

When your company uses an AI tool — say, an AI-powered customer service platform, a recruiting tool, or an analytics service — you are transferring personal data to a third party. Under Ley 8968 and GDPR, this transfer requires a formal Data Processing Agreement (DPA) that specifies what data is shared, how it can be used, and what security measures apply.

Most SaaS agreements do not include a compliant DPA by default. The vendor's standard terms are written to protect the vendor — not to ensure your company's legal compliance in Costa Rica or the EU. Signing a software contract without reviewing its data processing terms is one of the most common sources of silent legal exposure we see.

Risk 2: Automated Decision-Making Without Disclosure

If your company uses AI to make decisions that affect individuals — approving or rejecting applications, personalizing offers, setting prices, or generating recommendations that influence outcomes — you have obligations around transparency and human oversight.

GDPR Article 22 gives individuals the right not to be subject to purely automated decisions that have significant effects on them. The EU AI Act adds further requirements for high-risk AI systems. And while Ley 8968 does not yet have identical provisions, Costa Rica's regulatory trajectory is consistent with international standards.

Many companies have deployed these systems without any disclosure in their privacy policies, without a mechanism for human review, and without a documented rationale for the AI's decision-making criteria. Each of these is a compliance gap.

Risk 3: International Data Transfers Without Legal Basis

Every time your company sends personal data outside Costa Rica — to a cloud server, an API endpoint, an analytics dashboard, or a partner system — it is making an international data transfer subject to Ley 8968's requirements. These transfers must have a legal basis: either the destination country has been deemed to have adequate protections, or specific contractual safeguards are in place.

In practice, most companies using US-based cloud AI services (OpenAI, Google Cloud AI, AWS AI services, Azure) are making international transfers every day without any formal legal basis. PRODHAB has the authority to order these transfers stopped.

Risk 4: Privacy Policies That Don't Cover AI

The average privacy policy was written before a company deployed its current AI tools. It describes data collection practices from three or four years ago. The AI tools added since then — the chatbot, the analytics layer, the AI-powered email personalization — appear nowhere in it.

This is a compliance problem under both Ley 8968 and GDPR, which require accurate, current disclosure of how personal data is processed. It also creates a trust problem: when a regulator or a sophisticated client reviews your privacy policy and finds it doesn't match your actual practices, the consequences extend beyond a fine.

Risk 5: No Data Breach Response Plan

Under Ley 8968, companies must notify PRODHAB of data breaches that could affect the rights of individuals. Under GDPR, the obligation is 72 hours from discovery of the breach. Neither law allows for "we'll figure it out when it happens."

Most companies in Costa Rica — including large international operations — have no documented data breach response plan. No designated point of contact. No clear escalation path. No pre-established communication templates. When a breach occurs, the absence of a plan becomes a second compliance violation on top of the first.

What AI Compliance Actually Looks Like in Practice

AI compliance is not a single audit or a one-time document. It is an ongoing practice — a legal infrastructure that keeps pace with how your company actually operates.

For most companies, a baseline compliance program includes:

A privacy policy that reflects reality. Updated to describe every significant data collection practice, including AI-powered systems, with clear language about what data is collected, how it is used, and what rights individuals have.

Data processing agreements with all AI vendors. Every SaaS tool, AI API, and cloud service that handles personal data should have a signed DPA in place. This protects you when things go wrong — and things do go wrong.

An AI inventory. A documented list of every AI system your company uses, what data it processes, what decisions it influences, and which regulatory framework applies to it. This is the foundation of any compliance program and the first thing a regulator will ask for.

Consent mechanisms that actually work. Cookie banners, opt-in flows, and consent records that can be demonstrated to a regulator if challenged. "We had a checkbox" is not sufficient. Documented, specific, informed consent is.

A Data Protection Officer. Under GDPR, a DPO is legally mandatory for companies that process sensitive data at scale. Under Ley 8968, a designated data custodian is required. An external DPO — a lawyer or specialist retained on a monthly basis — covers both obligations without the cost of a full-time hire.

Why Costa Rica Is a Particularly Important Jurisdiction Right Now

Costa Rica occupies a unique position in the AI legal landscape. The country has an educated, bilingual technology workforce, established free-trade zones attracting international tech investment, and a legal system with growing alignment to international data protection standards.

At the same time, regulatory enforcement is accelerating. PRODHAB is not a dormant agency. And as Costa Rica positions itself for free trade agreements and deeper integration with the EU and US technology markets, data protection compliance will increasingly be a market access requirement — not just a legal obligation.

Companies that establish proper AI legal infrastructure now will have a material competitive advantage as regulatory requirements tighten. Companies that wait will face forced compliance under time pressure, which is always more expensive and more disruptive.

The First Step: Know Your Exposure

Before you can fix a compliance gap, you need to know it exists. The most practical starting point for most companies is a structured AI Legal Risk Assessment — a review of your current AI tools, data flows, vendor agreements, and privacy practices against the requirements of Ley 8968, GDPR, and applicable AI regulation.

This is not a months-long engagement. An experienced AI law practitioner can produce a clear written summary of your exposure, prioritized by risk level, in a matter of days. From there, you address the highest-risk items first and build a compliance roadmap that fits your company's size and operating model.

About AEGIS Legal Partners

AEGIS Legal Partners is Costa Rica's first law firm specializing in AI Law, Data Privacy, and International Real Estate. Founded by Lic. Ricardo Castillo Castillo (Carné #36,687, Colegio de Abogados de Costa Rica), AEGIS serves international companies, technology startups, and foreign investors operating across Latin America.

All services are delivered in English and Spanish. Consultations are available via video call worldwide.

Book a free 20-minute consultation: aegispartners.law

© 2026 AEGIS Legal Partners S.R.L. · This article is for informational purposes only and does not constitute legal advice. For advice specific to your company's situation, contact a licensed attorney.
