Costa Rica passes digital services and e-commerce law

Arias | On April 16, 2026, the Costa Rican Legislative Assembly approved the Digital Services and E-Commerce Governance Law in its second debate. This legislation establishes the first comprehensive regulatory framework for digital activities in the country. The law will enter into force 12 months after its publication in the Official Gazette (La Gaceta), providing a transition period for compliance.

Scope and Key Provisions
The regulation applies to any natural or legal person offering digital services within the Costa Rican market, including international providers. The framework focuses on four primary pillars:

• E-Commerce and Transparency: Companies must provide full merchant identification, detailed product information, and total price breakdowns. The law expressly prohibits "dark patterns" and requires prior transaction confirmation.
• Intermediary Liability: Hosting providers, search engines, and online platforms must implement illegal content reporting mechanisms and internal grievance systems. A "safe harbor" regime is established, conditioning liability limitations on compliance with specific legal requirements.
• Data Protection and Privacy: The law prohibits the use of data from minors under 13 for advertising and reinforces security and confidentiality obligations. Notably, it provides express protection for end-to-end encryption.
• Digital Advertising: Mandatory identification of advertisements, disclosure of financing sources, and transparency regarding targeting criteria are required. Unsolicited communications are prohibited.

FinTech and Financial Impact
Entities in the FinTech sector must implement secure electronic payment systems and provide immediate transaction notifications. These requirements complement existing financial regulations, raising the overall compliance threshold for digital operations.

Enforcement and Corporate Implications
Non-compliance carries administrative sanctions, with fines for serious infractions reaching approximately USD 42,500. From a transactional perspective, the law expands due diligence requirements and increases regulatory exposure for companies operating in the digital space.

ariaslaw.com