Data privacy regulation in Costa Rica is contained in two laws, the "Laws": Law No. 7975, the Undisclosed Information Law, which makes it a crime to disclose confidential and/or personal information without authorization; and Law No. 8968, Protection in the Handling of the Personal Data of Individuals together with its by-laws, which were enacted to regulate the activities of companies that administer databases containing personal information. Therefore, the scope of the second law is limited.

The Costa Rican Congress is currently discussing a bill, which would fully amend the Laws currently in effect.  Such bill was presented to local Congress in January 2021 and is still under discussion.

The proposed bill aims to update the Laws and align its provisions to the principles contained in the EU General Data Protection Regulation (GDPR). It is still unclear when and if the proposed bill will be enacted.