ES Get a quote
Digital strategy

What your Panamanian website must comply with in 2026: Law 81, digital ITBMS and accessibility

Most Panamanian websites collect data with forms and newsletters without complying with Law 81, sell services without reflecting the digital ITBMS and, if they export to the EU, ignore that accessibility has been mandatory there since June 2025. It is not alarmism: they are obligations with real fines and a body —ANTAI— that enforces them. This guide organizes what your site must comply with in 2026, in clear language and with no legal smoke. It is not legal advice; it is the map to know what to consult with your lawyer.

By Website Panama Team · · 19 min read
B/.1K–10K Law 81 fine ANTAI applies it
2021 Law 81 in force since Mar 29
€5K–500K EAA fine if you export to the EU
ITBMS 7% on digital services threshold B/.36K annual
Notice: this article is informative and does not constitute legal advice. Laws change and each case has nuances. Use it as a map to know what to review, and confirm your specific situation with a lawyer or your accountant.

Most Panamanian websites breach some rule without knowing it. They have a contact form or a newsletter that collects data with no privacy policy or real consent, they sell digital services without contemplating the ITBMS, or they export to Europe ignoring that accessibility is already mandatory there. It is not out of bad faith: it is because almost no Panamanian agency includes legal compliance as part of what it delivers with a site, and the topic lives scattered across legal texts no one reads.

This guide organizes, in clear language, what your website must comply with in Panama in 2026. It does not replace your lawyer —in fact, the goal is for you to know exactly what to bring to them—, but it does give you the complete map to stop operating blind. Let's start with the obligation that affects almost everyone: the data.

Law 81: if you ask for data, it applies to you

The Law 81 on Personal Data Protection has been in force in Panama since March 29, 2021, and its regulation —Executive Decree 285— since May of that year. It governs how the data of identifiable persons is collected, stored, used and deleted, and applies to the public and private sectors equally. The practical question is not whether you are a large company, but whether your site asks for data: a contact form, a subscription, a client registration or a checkout already put you within the scope of the law.

The body that watches and sanctions is ANTAI, the National Authority for Transparency and Access to Information. The fines range from B/.1,000 to B/.10,000 depending on the severity of the infraction, classified into minor, serious and very serious. And the fine is not the only consequence: ANTAI can order a written warning, a summons, the closure of the database registration, or suspend and disqualify the data processing activity. To that is added the obligation to compensate the material or moral damage caused by improper handling. For a small business, a public sanction can hurt more in reputation than in money.

In concrete terms, complying with Law 81 on a website comes down to four pieces. A visible, accessible privacy policy in plain language that says what data you collect, for what and for how long. Real, active consent, not a pre-checked box. A mechanism for people to exercise their ARCOP rights —access, rectification, cancellation, opposition and portability—. And security conditions to store that information. For high-risk or large-scale processing, the law adds the figure of the Data Protection Officer. The exact detail is adjusted by your lawyer; what no website should have is a form that captures data in a legal vacuum.

A nuance worth understanding: not all data weighs the same. The law distinguishes between common personal data —name, email, phone— and sensitive data, which receive reinforced protection for their potential for discrimination or harm: health, ethnic origin, beliefs, biometric data, sexual life. The website of a clinic, a laboratory or a practice that collects health information through a form handles sensitive data and, therefore, takes on stricter obligations than a store that only asks for name and email to send a newsletter. If your business processes sensitive data or does it at a large scale, the law contemplates high-risk processing that demands greater guarantees and, possibly, the formal designation of a Data Protection Officer. Knowing which category you fall into is the first step to dimensioning your real obligation, and it is exactly what is worth clarifying with your lawyer.

ITBMS on digital services: the threshold rule

If you sell digital services from your site —subscriptions, software, courses, professional services online— the ITBMS, the tax on the transfer of goods and services, comes into play. Its general rate is 7%, and it also taxes digital services provided in Panamanian territory. The general rule worth knowing is the threshold one: if the business's annual sales do not exceed B/.36,000, there is no obligation to charge it or declare it; but once that amount is exceeded in any period, the obligation remains permanently. The declaration is filed each month through Form 430 with the DGI.

The consequence for the website is that the checkout and the invoicing must be ready to handle the ITBMS correctly when your operation crosses that threshold —and better to foresee it from the design than to patch it afterward—. How it is reflected in the price, how it is reported and how it is reconciled with electronic invoicing are accounting matters best resolved with your accountant, just like the exact nuance of the threshold applied to digital services, which is reviewed case by case. It is the same logic we saw in the comparison of payment gateways: the nominal commission is not the total cost, because the ITBMS is also applied on top of it. Planning it from the design avoids surprises at the first month's close.

Law 473 on total price: postponed to 2027, but worth preparing for

Law 473, on total price, aims for the consumer to see the final price with taxes included, without extra charges appearing at the moment of payment. Its entry into force was planned for mid-2026, but it was postponed: Bill 558, approved by the National Assembly, moved the date to July 2027 to give businesses more time to adapt, pending presidential sanction. It is worth verifying its current status before making decisions. The DGI has clarified, in passing, that the rule does not modify the format of the fiscal invoice, which keeps the ITBMS itemization.

Although the mandatory nature has moved, showing the price with the ITBMS already included —visible from the product page— is good practice with or without a law in between. The costs that appear only at the end of the checkout are one of the most common causes of cart abandonment: the customer who believed they would pay one amount and sees a higher one at the end often leaves. Preparing for Law 473 is, at the same time, complying for the future and selling better today. Few legal obligations coincide so cleanly with the commercial interest.

Accessibility: mandatory if you export to Europe

This is the point almost no one in Panama connects with their website. In the country there is no local law today that requires web accessibility in the private sector. But if you sell to the European Union, the story changes: the European Accessibility Act (EAA) has been in force since June 28, 2025 and applies to any company that sells products or services to the EU, even from outside the bloc. The fines range from €5,000 to €500,000 depending on the country, and the obligation is real, not theoretical.

The affected Panamanian sectors are identifiable: offshore fintech with European clients, medical tourism that serves EU patients, agro-exporters with European B2B buyers, export service consultancies and international ecommerce. The reference standard is WCAG at its AA level, which gathers 87 success criteria organized into four principles: that the content be perceivable, operable, understandable and robust. There is also a market fact that is often forgotten: toward 2026 around 20% of the EU population is over 65, so accessibility goes beyond complying with a rule: it is not leaving out a growing portion of real clients.

The good news is that a well-built site from the start complies with a good part of WCAG AA with no extra effort: correct semantic structure, sufficient contrast, keyboard navigation, alternative texts on images and labeled forms. Tools like WAVE, axe DevTools, Lighthouse's accessibility audit or Pa11y allow measuring where you stand. Converting an inaccessible site to a compliant one is costly; starting from a well-made one gives it almost for free, just as happens with performance.

Cookies, analytics and pixels: the corner almost everyone forgets

There is a gray area that most Panamanian websites completely ignore: cookies and third-party tracking. When your site loads Google Analytics, the Meta pixel or a widget that follows the visitor's behavior, you are collecting and sharing that person's data, often without them knowing. Under the logic of Law 81 and the transparent information it demands, that should be declared: what is tracked, with which tools and for what.

In practice, the reasonable thing is a cookie notice that clearly informs which tracking technologies the site uses, along with the privacy policy that details them. It is not about copying the European banner word for word —the Panamanian framework is not the GDPR—, but about applying the same principle of transparency: the visitor has the right to know what happens with their information. And if your business also sells to the EU, there the cookie consent standard is stricter and it is worth reviewing in detail, because the GDPR and the EAA coexist with the rest of your obligations.

Where your data lives: hosting and transfer

A technical aspect with a legal implication: where the data your website collects is stored. Law 81 applies to databases in Panamanian territory, but many sites store the information from their forms on servers abroad, in email marketing services or in cloud spreadsheets. That transfer and storage outside the country is not forbidden, but it must be handled with the guarantees the law contemplates, and it is advisable for the data controller to know exactly where their clients' data ends up.

The practical recommendation is to map the data's journey before launching: which form it comes out of, which services it passes through, where it is stored and who has access. That map is the first thing a lawyer would ask for when reviewing your compliance, and having it clear turns a legal audit of weeks into a conversation of hours. A site that knows where its data lives is a site that can demonstrate compliance; one that does not know is exposed without measuring how much.

The Cybercrime Prosecutor's Office: compliance stopped being theoretical

For years, Panama's digital rules existed more on paper than in practice. That changed with the creation, in 2026, of the Specialized Cybercrime Prosecutor's Office, a body dedicated to pursuing digital violations with a focus on intellectual property, fintech, telecommunications and digital platforms. Its existence has two sides for an online business. On one hand, it raises the consequences of operating on the margins: improper data handling, impersonation or fraud now have someone to process them in a specialized way. On the other, it gives a real channel to report if your own business is a victim of a digital crime.

The underlying message is that the Panamanian regulatory ecosystem is maturing fast: Law 81 with a body that sanctions, digital ITBMS, a total price law on the way and now a specialized prosecutor's office. The window of "no one is watching" is closing, and the business that puts its house in order now avoids the shock of having to do it in a rush when a review comes its way.

Practical checklist for your website in 2026

To bring all of the above down to earth, this is what is worth reviewing —and then confirming with your lawyer and your accountant—:

If your website collects data: a clear and visible privacy policy, active consent on each form, a mechanism to exercise ARCOP rights, and secure storage of the data.

If you sell online: contemplate the ITBMS (7%, with the threshold rule of B/.36,000 annual) in your invoicing, show the price with taxes included, and a checkout ready for the corresponding invoicing.

If you export to the EU: audit your site against WCAG AA and fix the gaps, because the EAA is already in force and the fine is real.

Always: terms and conditions of use, real and verifiable contact data, and a site built on a solid technical base that makes complying easy instead of fighting against the code.

Legal compliance should not be an expensive add-on resolved late: when the site is built well from the start, most of it comes from the factory. That is how we integrate it in our web design service, and if your site already exists and you want to know where you stand against these obligations, a web audit gives you the diagnosis. The first step, however, is free: check today whether your contact form has a privacy policy behind it. If it does not, you already know where to start.

And it is worth closing with the argument that usually convinces more than the fear of the fine: complying builds trust, and trust sells. A Panamanian visitor who sees a clear privacy policy, a price with no surprises and a site that works for everyone perceives a serious business, and the perceived seriousness is what separates the brand that receives the form from the one that loses it. Legal compliance, well understood, is not a defensive cost: it is a sign of professionalism that the client reads even without knowing how to name Law 81. Doing it well protects from the sanction and, at the same time, builds the reputation that grows the business.

Frequently asked questions about web legal compliance in Panama

Is my website required to comply with Law 81 on data protection?
If your site collects personal data in any way —a contact form, a newsletter subscription, a client registration, a checkout— then yes, Law 81 applies to you. The law has been in force in Panama since March 29, 2021 and is regulated by Executive Decree 285 of May 28, 2021. It governs how the data of identifiable persons is collected, stored, used and deleted, and applies to both the public and private sectors. The size of the business does not matter: an SME with a contact form has obligations just like a corporation. This is not legal advice; for your specific case it is worth reviewing with a lawyer, but the general rule is clear: if you ask for data, the law covers you.
What fines are there for breaching Law 81 and who applies them?
ANTAI (the National Authority for Transparency and Access to Information) is the body that investigates and sanctions. The fines range from B/.1,000 to B/.10,000 depending on the severity, classified into minor, serious and very serious infractions. But the fine is not the only thing: ANTAI can also order a written warning, a summons, the closure of the database registration, and even suspend or disqualify the data processing activity. In addition, the data controller must compensate for the material or moral damage caused by improper handling. In practice, the reputational risk of a public sanction usually weighs more than the amount itself.
What must my website have to comply with Law 81 in the basics?
Four basic elements, without going into the detail your lawyer must adjust to your case. First, a visible, accessible privacy policy in clear language that explains what data you collect, for what and for how long. Second, real consent: the person must actively accept before you process their data, not through a pre-checked box. Third, a mechanism for the data subjects to exercise their ARCOP rights —access, rectification, cancellation, opposition and portability of their data—. Fourth, security conditions to store that information. For high-risk or large-scale processing, the law also contemplates the figure of the Data Protection Officer.
Do I have to charge ITBMS if I sell digital services from my website?
ITBMS, Panama's tax on the transfer of goods and services, has a general rate of 7% and also taxes digital services provided in Panamanian territory. As a general rule there is a threshold: if the business's annual sales do not exceed B/.36,000, you are not required to charge it or declare it; but once that amount is exceeded in any period, the obligation remains permanently. The declaration is filed monthly (Form 430) with the DGI. How it is reflected in the price and how it is reconciled is an accounting matter best resolved with your accountant —the nuances of the threshold applied to digital services are reviewed case by case—, but the website and the checkout must be ready to handle the tax correctly from the moment your operation requires it.
What is Law 473 on total price and how does it affect my online store?
Law 473, known as the total price law, seeks for the consumer to see the final price with taxes included, with no surprises at the moment of payment. Its entry into force, initially planned for mid-2026, was postponed: Bill 558, approved by the National Assembly, moves the date to July 2027 to give businesses more time to adapt. It is worth verifying the current status, because it depends on presidential sanction. The DGI has also clarified that the rule does not change the format of the fiscal invoice, which still itemizes the ITBMS. Beyond the date, the prudent thing for an online store is to prepare from now: show the price with the ITBMS included visibly instead of adding it only at checkout. It is good conversion practice, because hidden costs at the end of the purchase process are one of the most common causes of cart abandonment. The customer who believes they are going to pay one amount and discovers a higher one at the end often abandons, and rarely returns. Getting ahead aligns, for once, compliance with the commercial interest.
Is web accessibility mandatory in Panama?
In Panama there is no local regulation today that requires web accessibility for the private sector. But there is one case where it is mandatory: if you sell products or services to the European Union. The European Accessibility Act (EAA) has been in force since June 28, 2025 and applies to any company that sells to the EU, even from outside the bloc, with fines ranging from €5,000 to €500,000 depending on the country. This directly affects Panamanian export sectors: offshore fintech with European clients, medical tourism that serves EU patients, agro-exporters with European B2B buyers, consultancies and international ecommerce. If your business is in any of those groups, accessibility stopped being optional.
Why should I care about the Cybercrime Prosecutor's Office?
Because its creation in 2026 marks a change of approach: Panama went from having digital laws on paper to having a specialized body that pursues them. The Specialized Cybercrime Prosecutor's Office processes digital violations more rigorously, with a focus on intellectual property, fintech, telecommunications and digital platforms. For a business with an online presence, this raises the consequences of operating on the margins —from improper data handling to impersonation or fraud— and, at the same time, gives a real channel to report if your business is a victim. The underlying message is that digital compliance in Panama stopped being theoretical.