Cannabis Compliance Across Latin America
Latin America is home to the world's largest licensed cannabis export market (Colombia), the first country to legalise adult use (Uruguay), and North America's most populous adult-use framework (Mexico). Each market brings distinct cybersecurity, privacy, and supply chain compliance obligations—often with limited regulatory infrastructure to navigate them.
Latin America: The World's Cannabis Export Engine
Colombia produces more licensed cannabis than any other country in the world. Uruguay pioneered adult-use legalisation in 2013. Mexico created the largest adult-use framework in Latin America. Brazil, Argentina, and Peru are building medical programmes that will reshape the regional market through 2027. The compliance complexity across these markets is substantial—and largely uncharted.
Markets We Cover
Colombia
Colombia holds more cannabis cultivation licences than any other country in the world, positioning it as the dominant global export market. The Colombian Cannabis Regulatory Framework (Decree 811 of 2021 and subsequent INVIMA regulations) governs cultivation, processing, and export with pharmaceutical-grade quality standards.
- INVIMA licensing and GMP export certification
- Ministry of Justice cultivation licence security requirements
- Colombia's Habeas Data law (Law 1581/2012) for patient and employee records
- Export chain-of-custody cybersecurity obligations
- Supply chain data flows to EU and North American importers
Mexico
Mexico's Supreme Court decriminalised personal cannabis use in 2021, and adult-use legislation continues to develop through COFEPRIS (the Federal Commission for Protection against Sanitary Risk). Mexico represents the largest potential adult-use market in Latin America by population, and its regulatory framework is still maturing—creating both opportunity and compliance uncertainty.
- COFEPRIS cannabis licensing framework and cybersecurity requirements
- Mexico's Federal Law on Protection of Personal Data (LFPDPPP)
- INAI (privacy regulator) enforcement for cannabis data
- Supply chain security from cultivation to retail
- Cross-border data flows: Mexico-USA cannabis business considerations
Uruguay
Uruguay was the first country in the world to fully legalise and regulate cannabis for adult use in 2013. The Institute for Regulation and Control of Cannabis (IRCCA) administers three legal access pathways: pharmacy sales, cannabis clubs, and home cultivation. Despite its small market size, Uruguay's decade of regulatory experience makes it a compliance reference point for the region.
- IRCCA registration and data obligations for all three access pathways
- Uruguay's Personal Data Protection Law (Law 18.331)
- Pharmacy sales data security and patient identification
- Cannabis club membership data governance
Brazil
Brazil's ANVISA (National Health Surveillance Agency) regulates cannabis-derived medical products with an import-based framework currently transitioning to domestic production. Brazil's Lei Geral de Proteção de Dados (LGPD)—Latin America's GDPR equivalent—applies fully to medical cannabis patient data, with enforcement by the ANPD (National Data Protection Authority).
- ANVISA cannabis product authorisation and import security
- LGPD compliance for medical cannabis clinics and patient data
- ANPD enforcement and breach notification (72-hour equivalent)
- Domestic cultivation framework development (anticipated 2026-2027)
Argentina
Argentina's medical cannabis programme (Law 27.350, expanded by Decree 883/2020) permits domestic cultivation, import, and dispensing of cannabis for medical and research purposes. ANMAT (National Administration of Medicines, Food and Medical Technology) regulates the sector. Argentina's Personal Data Protection Law (Law 25.326) governs patient records.
- ANMAT regulatory requirements for cannabis products
- Argentina's Personal Data Protection Law (Law 25.326)
- Patient registry security and data minimisation
- Export compliance for Argentine producers
Peru
Peru legalised medical cannabis in 2017 (Law 30681) and established a licensing framework through DIGEMID (General Directorate of Medicines, Supplies and Drugs). The programme has expanded steadily, with domestic production now permitted alongside imports. Peru's Personal Data Protection Law (Law 29733) governs patient information handling.
- DIGEMID licensing requirements and security obligations
- Peru Personal Data Protection Law compliance
- Patient registry and prescription data security
- Cross-border supply chain documentation
Latin America Compliance Themes for 2026
Export Supply Chain Security
Colombian and Uruguayan exporters shipping to EU and North American markets must meet the cybersecurity and documentation requirements of importing jurisdictions—not just their home market. EU-GMP, chain-of-custody records, and GDPR-compliant data flows are all required for EU market access.
LGPD: Latin America's GDPR
Brazil's LGPD, effective since 2020, established a regional standard for data protection that influences frameworks across Latin America. Medical cannabis operators in Brazil face GDPR-equivalent obligations for patient data, including breach notification, data subject rights, and data processor agreements.
Regulatory Infrastructure Gaps
Most Latin American cannabis markets are building regulatory infrastructure in real time. Operators often face situations where the regulations exist but enforcement mechanisms, digital compliance systems, and guidance from regulators are still developing—creating compliance ambiguity that must be managed proactively.
Cash and Cybersecurity Risks
Banking access limitations for cannabis businesses in Latin America create cash-heavy operations with significant physical and digital security challenges. Point-of-sale security, employee theft risks, and the absence of digital payment audit trails compound compliance documentation challenges.
Latin America Cannabis Compliance Articles
Navigating Fragmented Privacy Laws Across Jurisdictions
International cannabis operators face a compliance matrix of overlapping and conflicting privacy frameworks—including Latin American laws like LGPD and LFPDPPP.
Global Regulatory and Data Security Trends for 2026
A comprehensive briefing on the regulatory and cybersecurity trends shaping the global cannabis industry, including Latin American market developments.
Cannabis Export Boom and Supply Chain Cybersecurity Risks
The supply chain security lessons from Canada's export framework apply directly to Colombian and Uruguayan exporters navigating the same compliance challenges.
How Global Markets Are Reshaping Compliance Expectations
Compliance expectations in importing markets—especially Germany and the EU—directly shape what Latin American exporters must demonstrate to access those markets.
More Latin America-specific articles coming soon. Subscribe to our newsletter to get notified.
Navigate Latin American Cannabis Compliance
From Colombian export licences to Brazil's LGPD obligations, Latin American cannabis compliance requires specialised expertise. Get the intelligence you need to operate confidently across the region.