If you run a clinic in Colombia and you’re thinking about putting an AI agent on WhatsApp, the legal question is real — especially if you’re coming from the US or Europe and don’t know the local rules. Good news: it’s legal. Here’s the regime you need to know, framed for someone who’s never read Colombian data law.
Is WhatsApp automation legal in Colombia?
Yes. No rule bans using an automated agent to answer messages. What the law regulates is not the tool but the processing of personal data — the moment you store someone’s name, phone number or any personal detail. Get consent and protect that data, and automating is entirely legal. In fact a well-built agent makes you more compliant, because it captures consent in an orderly, timestamped way.
How is Ley 1581 different from GDPR or US privacy rules?
Colombia’s data-protection framework is Ley 1581 de 2012 (“habeas data”). If you know GDPR, it’ll feel familiar — but don’t assume they’re interchangeable.
| GDPR (EU) | Ley 1581 (Colombia) | US (patchwork) | |
|---|---|---|---|
| Consent before processing | Yes | Yes — prior, express, informed | Varies by state |
| Privacy notice required | Yes | Yes | Often, varies |
| Data-subject rights | Access, rectify, erase, etc. | Conocer, actualizar, rectificar, suprimir | Varies |
| Authority | DPAs | The SIC | FTC / state AGs |
| Sensitive data (health) | Special category | ”Datos sensibles” — stricter | HIPAA (if covered) |
The practical takeaway: a translated US or EU policy is not Colombian compliance. The notice and the consent flow must reflect Ley 1581 and name the SIC as the authority.
What counts as ‘sensitive’ health data here?
Ley 1581 classes health data as sensitive (article 5), with reinforced protection — as a rule it can’t be processed except with explicit authorization for specific purposes. The practical rule for a clinic: minimize. The agent books, confirms and reminds; it should never ask for diagnoses or medical history over chat. Keep the conversation to scheduling and you stay well clear of the sensitive-data line.
How do I collect valid consent over chat?
Ley 1581 requires consent to be prior, express and informed, but it doesn’t mandate a format — and chat is ideal because it leaves a written record. The pattern that works:
“To book your appointment I need to store your details. Do you authorize their processing under our privacy policy? Reply YES.”
When the person affirms, you have express, informed consent logged with a timestamp — exactly what the law treats as valid proof. A properly configured agent does this automatically, every time.
What’s the SIC, and when does it get involved?
The SIC (Superintendencia de Industria y Comercio) is Colombia’s data-protection regulator. It enforces Ley 1581 and can sanction a business for processing data without authorization, without a privacy notice, or for purposes the person never agreed to. The risk was never the bot — it’s processing data without consent.
At Brevia we set this up for you: our published pricing already includes the consent flow and a privacy notice aligned with Ley 1581. You don’t hire a Colombian data lawyer to get started — we leave it compliant.
This article is informational, not legal advice. For your specific case, consult a qualified professional.