12 November 2025

Latin America & the Caribbean’s Approach to AI Regulation (2025): The Rule Stack, 2025 Updates, and a Compliance Playbook for Businesses

By Yoel Molina, Esq., Owner and Operator of the Law Office of Yoel Molina, P.A.

 

Latin America and the Caribbean (LAC) don’t have a single, EU-style AI Act. Instead, most countries anchor AI governance in data protection laws, supplement them with sector rules (consumer protection, elections, financial services), and are now layering AI-specific bills or policies. If you sell into the region, operate there, or process resident data, here’s a clear, source-backed explainer—plus a practical checklist to keep you compliant.
 

The regional rule stack (what generally applies)

 

1) Data protection laws are the baseline. Many LAC countries already enforce GDPR-inspired privacy laws (Argentina, Brazil, Chile, Colombia, Costa Rica, Dominican Republic, Ecuador, Jamaica, Mexico, Uruguay, etc.). Others are updating or phasing theirs in, and a few still lack fully effective regimes. Jamaica began data controller registration under its Data Protection Act in 2024, and Barbados’ Data Protection Act is in force (with some provisions pending proclamation). Several Caribbean states (e.g., Trinidad & Tobago, St. Lucia) still have partially in-force frameworks, creating a patchwork. ( hewardmills.com)
 
2) AI-specific proposals are accelerating.
  • Brazil: The Senate approved Bill 2,338/2023 (risk-based AI law) in Dec 2024; it now sits with the Chamber of Deputies. In the interim, Brazil’s privacy regulator ANPD is shaping the landscape via guidance, a generative-AI study, and enforcement. ( Artificial Intelligence Act)
  • Chile: Updated its National AI Policy and introduced an AI bill aligned with risk-based principles and content safeguards. ( UNESCO)
  • Colombia: Adopted a National AI Policy (CONPES 4144) in 2025—less prescriptive than a law, but influential for procurement and governance. ( OECD AI)
  • Mexico: Congress has seen dozens of AI bills; work continues toward a comprehensive framework alongside sector rules. ( globalpolicywatch.com)
  • Argentina: Proposals include creating a national registry for AI systems (broad, entity-wide registration). ( Future of Privacy Forum)
  • Caribbean: Beyond privacy, several governments are consulting on modernized data laws (e.g., Bahamas 2025 draft), with AI guidance expected to ride on privacy and consumer-protection updates. ( dataprotection.gov.bs)
 
3) Enforcement and policy signals matter now. Brazil’s ANPD has assertively policed generative AI training on personal data, suspending Meta’s policy in 2024 and forcing changes to disclosures/opt-outs. Expect more supervisory guidance and case-by-case orders while AI bills advance. ( Reuters)
 
4) Regional collaboration is growing. A multi-country initiative announced Latam-GPT, a public-interest LLM tailored to regional languages (including Indigenous). While not a law, it signals governmental focus on localization, public services, and education—and will influence procurement baselines (safety, data provenance, accessibility). ( Reuters)
 

Country snapshots (what to expect)

 

Brazil
 
  • Where policy stands: Risk-based AI bill awaiting action; strong privacy enforcement under LGPD; AI sandboxes and guidance emerging. ( Artificial Intelligence Act)
  • Why it matters: Largest market in LAC; active regulator (ANPD) can halt or condition AI features (e.g., training on user data). Plan for consent choices, training opt-outs, and model explainability logs. ( Reuters)
 
Mexico
 
  • Where policy stands: Numerous AI bills; practical compliance still anchored in privacy, consumer, and sector rules. Major tech investments (e.g., Salesforce, Microsoft) are expanding AI capacity and will raise expectations on governance. ( globalpolicywatch.com)
 
Chile
 
  • Where policy stands: Updated AI policy plus a draft law—risk-based obligations, transparency, and oversight. Expect early adoption by public entities and critical-sector vendors. ( UNESCO)
 
Colombia
 
  • Where policy stands: CONPES 4144 sets a governance roadmap—data quality, ethics, public-sector adoption, and skills. Public procurement and regulator guidance will flow from it. ( OECD AI)
 
Argentina
 
  • Where policy stands: Drafts include mandatory AI system registration across public and private sectors—significant operational overhead if enacted. ( Future of Privacy Forum)
 
Caribbean (selected)
 
  • Jamaica: DPA enforcement ramping; data controller registration active—expect this to be a prerequisite for AI deployments handling resident data. ( hewardmills.com)
  • Barbados: DPA in force; registration and DPO duties apply in cases defined by the Act/regulator. ( dlapiperdataprotection.com)
  • Trinidad & Tobago / broader region: Several laws are partially in force or awaiting regulators; watch for 2025–26 moves to operationalize authorities and issue AI-adjacent guidance. ( inplp.com)
 

What this means for businesses (and how to stay compliant)

 

1) Start with privacy-first AI

 

  • Lawful basis & minimization: Treat prompts, training data, and outputs as personal data if they can identify a person. Limit training on customer data; prefer business plans that do not train on your inputs by default.
  • Consent/opt-out for training: Brazil’s ANPD set a clear precedent— be transparent and offer control. Update notices and in-product dialogs accordingly. ( Reuters)
  • Data transfers: If models or vendors sit outside the country, evaluate transfer mechanisms and local rules (e.g., controller registration, DPO, or impact assessments).
 

2) Prepare for risk-based AI duties

 

  • Inventory your AI systems and classify by risk (e.g., HR screening, credit/eligibility, safety-relevant).
  • Human-in-the-loop for high-impact decisions; keep review logs explaining the final decision and the model version used.
  • Testing & monitoring: Set bias/quality testing schedules; document prompts, datasets (or summaries), evaluation metrics, and guardrails—this aligns you with Brazil’s bill, Chile’s draft, and Colombia’s policy signals. ( Artificial Intelligence Act)
 

3) Content & synthetic media controls

 

  • Label synthetic media (captions/watermarks + metadata) where content could mislead or be republished; align with platform expectations and public-sector tenders across the region.
  • Likeness/voice: Use written consent for any cloned voices or faces; maintain provenance logs. (Courts and regulators in LAC routinely lean on privacy, consumer deception, and publicity rights to police misuse.)
 

4) Vendor management & contracts

 

  • No-training-on-customer-data without express agreement; disclose sub-processors; commit to security attestations (SOC 2/ISO 27001).
  • Local law addenda: Jamaica/Barbados require registration/DPO in certain scenarios; Brazil expects LGPD-level data rights support. Bake these into DPAs and SOWs. ( hewardmills.com)
  • Audit & portability: Require export of prompts/outputs and logs on contract exit. Add incident-notice SLAs and rollback plans for problematic content.
 

5) Public sector & grants (opportunity signal)

 

  • Programs like Latam-GPT and national AI plans will push procurement checklists (logging, fairness testing, accessibility, labeling). If you sell to governments or regulated industries, build to these expectations now. ( Reuters)
 

A 10-step LAC AI compliance checklist (Q4 2025)

 

  • Name an AI Lead + Privacy Lead and publish approval gates for HR, finance, legal, and public content.
  • Map data flows for each AI use (sources, storage, vendors, cross-border transfers).
  • Adopt a risk register: flag HR/credit/safety uses as high-risk with human review and enhanced testing.
  • Update privacy notices and training/opt-out controls for model training on user data (Brazil precedence). ( Reuters)
  • Stand up logging (prompts, files, model/version, approver) for material decisions and public content.
  • Bias/quality testing cadence (quarterly for HR/eligibility; monthly for public-facing text).
  • Label synthetic media; keep provenance metadata; watermark where feasible.
  • Vendor due diligence: security certifications, data-use statements, sub-processor lists, no-training commitments.
  • Local obligations: confirm controller registration/DPO where required (e.g., Jamaica/Barbados) and any notifications to authorities. ( hewardmills.com)
  • Monitor bills and regulator guidance in Brazil, Chile, Mexico, Colombia, Argentina, and Caribbean DPAs—adjust templates as rules mature. ( Artificial Intelligence Act)
  •  

FAQs we hear from clients

 

Q: We don’t operate in Brazil—why should we care about ANPD’s moves? Because training on customer data and opt-out expectations can become regional norms. Multinationals often standardize to Brazil’s bar to simplify compliance. ( Reuters)
Q: Is there a single “Latin America AI law” to follow? No. Expect national privacy + consumer protection today, and country-by-country AI bills tomorrow. Build a common core (privacy-first + risk-based controls), then add local addenda.
Q: Do we need to label AI content everywhere? Not universally by statute yet, but it’s fast becoming a best practice for platforms, tenders, and election-related content. It reduces deception risk and supports takedowns.
 

Contact Us

For legal help deploying AI in Latin America & the Caribbean—contracts and vendor terms, privacy/compliance, employment-law guardrails, IP/content risk, and policy design—contact Attorney Yoel Molina at admin@molawoffice.com, call (305) 548-5020 (Option 1), or message via WhatsApp at (305) 349-3637.
 

 

For inquiries, please contact our Front Desk at fd@molawoffice.com or Admin at admin@molawoffice.com. You can also reach us by phone at +1 305-548-5020, option 1.

 

For traffic ticket assistance, visit molinatrafficticket.com.