Key compliance steps 2022, 2023 and 2024

"We still have until 2024, right?": I still hear that in meetings. No. All three September waves are in force. The question is no longer "when," but "are we staying on track?"

Key point: the Law 25 reform rolled out in stages to give SMBs time to get organized: not to postpone concrete action indefinitely.

September 2022: Foundations

The first wave set the framework. Without it, the rest does not hold.

September 2023: Transparency and consent

Second wave: fewer grey zones for employees and marketing.

September 2024: Stronger rights

The third wave mainly affects what your systems must deliver to individuals.

Where is your organization?

In practice, ten minutes is enough for an honest first diagnosis:

  1. Express checklist: fifteen yes/no questions (run the checklist).
  2. Action plan: compare your gaps to the 7-step plan.
  3. Public website: policy, cookies, privacy officer contact details visible? A technical scan often spots obvious gaps.

In brief

We are no longer in a transition period. If a 2022 or 2023 obligation is still pending, fix it at the same time as 2024 requirements: the CAI does not split your operational reality by phase. Need broader context? Law 25 in plain language for SMBs.

Useful references

This text is informational and does not constitute legal advice. For a decision that binds your organization, consult the CAI and a legal professional.

Check your website

Several obligations show up on your public site (policy, cookies, privacy officer contact details). Our free technical scan helps spot observable gaps. It complements, but does not replace, your compliance program.