Peru's Law 29733: Data Protection for Your Website
Law 29733 in Peru: which data protection obligations apply to your website, the National Authority, the rights of the data subject, and a practical checklist.
If your website serves people in Peru, you almost certainly collect personal data: an email from your contact form, a phone number to coordinate a delivery, a name and an address when you close a sale. That everyday act makes you a controller of personal data under Law 29733, Peru's Personal Data Protection Law.
It doesn't matter whether you run an online store, a landing page, a blog with subscribers, or a local business with a booking form. The good news: you don't need to be a lawyer to cover the essentials, because most of the obligations come down to concrete decisions about your site. In this guide we explain what Law 29733 requires of you, the role the authority plays, what rights your users have, and above all, what you can review today.
Note: this is a practical guide, not legal advice. Penalty amounts, thresholds, and deadlines change; whenever something is uncertain, we'll tell you to check the current text or consult a specialist.
What Law 29733 Is
Law 29733, the Personal Data Protection Law, is the general rule that governs how personal data may be processed in Peru. Together with its implementing regulation, it develops a right the Constitution recognizes: that every person controls the information that exists about them.
In plain terms: if you collect, store, use, share, or delete data about an identified or identifiable person, you are carrying out "personal data processing," and the law assigns you duties. It's worth pinning down three roles, because the law splits the obligations depending on which one you are:
- Data subject: the person the data refers to. Your customer, your subscriber, your visitor.
- Controller: the party who decides why and how the data is processed. If that's your site or your business, it's usually you.
- Processor: the party who processes data on the controller's behalf. Your vendors: the hosting provider, the store platform (Shopify, Wix), the bulk email service, the payment gateway, the analytics tool.
This matters because your relationship with each vendor should be documented, and because responsibility toward the data subject remains yours even when you delegate the processing to an outside tool.
The Principles That Govern Processing
Law 29733 sets out principles that must always be met. Don't memorize them; understand the intent, because they guide how you configure your site:
- Legality: processing complies with the law; you can't collect data through unfair or deceptive means.
- Consent: as a general rule, you need the data subject's permission to process their data.
- Purpose: data is collected for a specific, explicit purpose. Don't ask for the national ID "just in case."
- Proportionality: you ask only for the data necessary for that purpose.
- Quality: the information must be accurate and kept up to date. That's why "edit my data" flows exist.
- Security: you must adopt technical and organizational measures to protect the data.
Pay attention to the security principle: the law doesn't ask you for good intentions, it asks you for measures. Later you'll see how that becomes observable on your website.
The Role of the National Authority for Personal Data Protection
Peru has a National Authority for Personal Data Protection, within the Ministry of Justice and Human Rights, charged with ensuring compliance with Law 29733. What does it do, and why should you care?
- It oversees compliance with the law and its regulation.
- It handles complaints from data subjects when a controller fails to resolve their requests.
- It can open sanction proceedings and impose fines and other measures.
- It administers the National Registry for Personal Data Protection (see the next section).
Penalties are classified by severity (minor, serious, and very serious) and can be significant. We don't cite an exact figure here because the caps are updated and are often expressed in units whose value changes every year; if you need the current number, check it with the authority or your legal advisor. The practical point is clear: the authority can impose penalties, and non-compliance has a cost.
The Personal Data Bank (Handle With Care)
Law 29733 uses the concept of a personal data bank: any organized set of personal data, whether it lives in a spreadsheet, a CRM, your online store's database, or your newsletter list. Almost every site that collects emails ends up creating one.
The law provides for the registration of data banks in the National Registry administered by the authority. Here it pays to be careful: the conditions, exemptions, and procedures can change over time and depend on the type of bank and its purpose.
If you handle personal data banks in Peru, verify the current applicability and procedure directly with the National Authority for Personal Data Protection before concluding that you are (or are not) required to register. It's an administrative step, separate from the technical measures, and it's best resolved with up-to-date information.
Registration is an administrative obligation that's worth checking against the official source: it's not something your site resolves, but it is something your compliance checklist should account for.
The Data Subject's Consent
Under Law 29733, as a general rule you need the data subject's prior, informed, express, and unambiguous consent. "Informed" means the person understands what data you collect and what for; "express and unambiguous" means it isn't assumed from silence or pre-checked boxes. A few practical guidelines:
- Consent can be gathered through various means, as long as you can keep proof of it. On the web, this is usually an explicit checkbox (not pre-checked) next to a link to your privacy policy.
- Avoid "bundled consent," where accepting the terms implies accepting any use. Separate what's necessary from what's optional (for example, receiving promotions).
- Sensitive data (health, racial or ethnic origin, biometric data, sex life, religious or political beliefs, among others) is subject to a stricter regime. If your site touches it, review it carefully.
- Data of children and adolescents has special protection.
Keep a record of when and how consent was given. The day a data subject or the authority asks, you'll want to be able to prove it.
The Data Subject's Rights
Law 29733 grants people a set of rights over their data, summed up as the "ARCO" rights: Access, Rectification, Cancellation, and Objection. In practice, the data subject can:
- Access: know what data you hold about them and how you use it.
- Rectify: correct inaccurate or incomplete data.
- Cancel (delete): ask you to erase their data when it's no longer necessary or when they withdraw consent.
- Object: refuse a specific processing activity, such as receiving advertising.
The law sets deadlines for responding, and they can be updated, so check the current terms and design your operation to meet them. On your site this translates into real things: a visible channel for exercising rights, the ability to edit or export a person's data, and the ability to genuinely delete it when asked (not just "hide it").
The Privacy Policy
Law 29733 expects the controller to clearly explain how it processes data. In practice, this is your "Privacy Policy" page, linked from the footer and your forms, and it should describe:
- Who the controller is (your business or you) and a contact detail.
- What data you collect and for what purposes.
- Whether you share data with third parties, and with whom.
- The data subject's rights and the channel for exercising them.
Don't copy a generic policy off the internet without reviewing it: if it says you collect data you don't, or stays silent on data you do collect, it stops being accurate, and accuracy is one of the law's principles.
Security Measures: Where Compliance Gets Technical
Here's the part many legal guides skip. The security principle in Law 29733 doesn't stay on paper: it shows up in things anyone can observe from outside your site. If an attacker can intercept the form where your customer types their email and address, you're not applying "reasonable technical measures," no matter what your policy says. Examples of observable security that back up compliance:
- HTTPS across the whole site, not just the checkout page. Personal data travels through many forms.
- Security headers (such as HSTS and a solid Content-Security-Policy) that reduce interception and injection attacks.
- Cookies marked as Secure and HttpOnly where appropriate, to protect the session.
- No obvious leaks: exposed admin pages, errors that reveal the internal structure, accessible configuration files or backups.
These signals are auditable: they're exactly the kind of findings a scanner catches in minutes. Passing a scan doesn't make you "compliant" with Law 29733 (compliance is broader), but a weak technical configuration directly contradicts the security principle and is the first thing worth closing.
With Pursecure you paste your site's URL and get a score from 0 to 100 with findings sorted by severity. Each one comes with a clear explanation and a ready-to-use prompt so you, your team, or your AI tool can fix it. You can run a free scan at pursecure.app.
What to Review on Your Site Today
An actionable list, half legal and half technical, for any site that serves people in Peru.
The legal and administrative side
- Privacy policy published, accurate, and linked from the footer and your forms.
- Explicit consent (a checkbox that isn't pre-checked) and proof of when it was given.
- You collect only the data needed for a stated purpose (purpose and proportionality).
- A clear channel to exercise the rights of access, rectification, cancellation, and objection.
- Processors identified (hosting, store, email, payments, analytics) and the relationship documented.
- You've checked whether data bank registration applies to you with the authority.
- If you process sensitive data or data of minors, you've reviewed the stricter regime.
The technical side (observable)
- The entire site is served over HTTPS and redirects HTTP traffic.
- HSTS is active and security headers are configured (CSP, X-Content-Type-Options).
- Session cookies carry the Secure and HttpOnly flags.
- No exposed admin pages, backups, or configuration files.
- Forms don't leak information in error messages.
- You can genuinely delete a person's data when they request it.
If you checked the technical boxes by eye, confirm it with a measurement. Many fail silently: HTTPS is there, but the redirect is missing; the cookie exists, but without Secure.
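To turn the observable signals from the security section and the technical checklist above into a measurement, here is an added example (not the page's or Pursecure's code) that audits two captured responses, one for http:// and one for https://, for the redirect, HSTS, CSP, nosniff and the Secure/HttpOnly cookie flags. The sample responses, the severity ranks and the one-year HSTS threshold are the example's own constructed assumptions.

```python
import re

# Constructed sample (hypothetical site, not real data): what a browser gets for
# http://shop.example (PLAIN) and https://shop.example (TLS). Header names are lowercased.
PLAIN = {"status": 200, "headers": {"content-type": "text/html"},
         "set_cookie": ["sessionid=abc123; Path=/"]}
TLS = {"status": 200,
       "headers": {"strict-transport-security": "max-age=86400",
                   "content-security-policy": "default-src 'self'",
                   "x-content-type-options": "nosniff"},
       "set_cookie": ["sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
                      "promo_seen=1; Path=/; Secure"]}

SESSION_NAME = re.compile(r"sess|sid|auth|token", re.I)  # heuristic for session cookies
ONE_YEAR = 31536000  # assumed minimum HSTS max-age (seconds)

def cookie_findings(set_cookie_values):
    """Flag cookies without Secure, and session-like cookies without HttpOnly."""
    out = []
    for raw in set_cookie_values:
        parts = [p.strip() for p in raw.split(";")]
        name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        if "secure" not in attrs:
            out.append(("high", f"cookie {name} lacks Secure: it can be sent over plain HTTP"))
        if SESSION_NAME.search(name) and "httponly" not in attrs:
            out.append(("high", f"cookie {name} lacks HttpOnly: readable by injected scripts"))
    return out

def audit(plain, tls):
    """Return (severity, message) findings, worst first, for the two captured responses."""
    out = []
    loc = plain["headers"].get("location", "")
    if not (300 <= plain["status"] < 400 and loc.startswith("https://")):
        out.append(("high", "http:// is served with content instead of redirecting to https://"))
    h = tls["headers"]
    m = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""))
    if m is None:
        out.append(("medium", "no Strict-Transport-Security header on the https:// response"))
    elif int(m.group(1)) < ONE_YEAR:
        out.append(("low", f"HSTS max-age={m.group(1)} is shorter than one year"))
    if "content-security-policy" not in h:
        out.append(("medium", "no Content-Security-Policy header"))
    if h.get("x-content-type-options", "").lower() != "nosniff":
        out.append(("low", "X-Content-Type-Options is not 'nosniff'"))
    out += cookie_findings(plain["set_cookie"] + tls["set_cookie"])
    rank = {"high": 0, "medium": 1, "low": 2}
    return sorted(out, key=lambda f: rank[f[0]])
```

Printing audit(PLAIN, TLS) shows the two silent failures the text warns about: content served over plain HTTP with no redirect, and a session cookie that exists but carries neither Secure nor HttpOnly.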
Conclusion
Data protection in Peru isn't a one-time formality. Law 29733 asks you to treat your users' data with purpose, consent, transparency, and, very concretely, security. The National Authority is watching, data bank registration may apply to you (verify with the source), and your users have rights your site needs to be able to handle.
Work through the legal part carefully and, if needed, with a specialist. The technical security part you can start closing today, because it's measurable. Paste your site's URL into pursecure.app/scan, review the findings by severity, and use the prompts to fix what the security principle requires of you. It's the most concrete step you can take this week toward real compliance.