Colombia: Use of Artificial Intelligence in identity theft classified as an aggravating criminal factor

Law 2502 of 2025 issued by the Congress of Colombia
26 Aug 2025    3 minute read
AI (Artificial Intelligence) Artificial Intelligence AI Cyber Security Data Privacy Cybersecurity & Data Privacy

In brief

The Congress of the Republic of Colombia recently enacted Law 2502 of 2025, which amends Article 296 of the Colombian Criminal Code regarding the crime of identity falsification. The amendment introduces an aggravating factor when identity theft is committed using Artificial Intelligence (AI).

This reform raises key issues in the field of personal data protection, responds to the growing number of crimes committed through emerging technologies, and establishes guidelines for a public policy framework aimed at preventing, detecting, and sanctioning such conduct.

Contents

Key aspects from the criminal law perspective

This new legislation introduces significant changes to the criminal treatment of identity theft, addressing emerging risks associated with advanced technologies. The most relevant points include:

  1. New aggravating factor: The law modifies Article 296 of the Criminal Code, establishing that when identity theft is committed using AI, the applicable fine may be increased by up to one-third, provided the conduct does not constitute another crime.
  2. Legal recognition of deepfakes: For the first time, the Colombian criminal framework includes a legal definition of "deepfake" as AI-generated audiovisual content that falsely appears authentic, aiming to combat new forms of identity fraud.
  3. Traceability and criminal analysis: The Office of the Attorney General must implement a traceability system for cases involving the use of AI in identity falsification. This registry should allow the identification of criminal patterns, impacts, emerging risks associated with digital technologies, and the judicial measures applied.

Additionally, the law mandates the development of a joint public policy by the National Government, the Attorney General's Office, the National Police, and the Ministry of Information Technologies and Communications (MinTIC), with a focus on digital ethics, cybersecurity, international cooperation, transparency, and rapid response to identity theft incidents.

Current situation

The aggravating factor will come into effect one year after the law's enactment, with implementation expected by July 2026. This transition period is intended to give authorities time to strengthen their investigative and technological capabilities, align with public policies on the use and risks of emerging technologies, and establish protocols for responding to identity theft incidents involving AI.

This reform aligns with a global context of increasing concern over the malicious use of AI and represents a significant step toward protecting digital identity and building trust in virtual environments.

Biometric data

Due to their nature as sensitive data, the collection and processing of biometric data is subject to special regulation under the law and requires enhanced diligence from the data controller. Currently, biometric data is the subject of a regulatory project by the Superintendence of Industry and Commerce. In the draft Circular on the processing of personal data in the provision of financial services through digital technologies (fintech), the following obligations are included:

At the time of collection, the data controller must: (i) Inform the data subject, specifically, of the precise purposes for which their biometric data will be processed and why the collection of such data is necessary;  and (ii) obtain additional and explicit consent for the processing of biometric data, in accordance with the stated purposes and necessity.

Throughout the entire processing cycle, both the controller and the processor must: (i) Refrain from using biometric data for purposes not explicitly consented to; (ii) implement additional security measures to ensure the protection of biometric data; (iii) take reasonable steps to ensure that the processing of biometric data is proportional to the risk level of the activity involved; (iv) refrain from sharing collected biometric data with third parties and from feeding centralized or integrated biometric databases; and (v) proceed with the deletion of biometric data within a reasonable period once the contractual relationship with the data subject has ended and the specific purposes for which the data was authorized no longer exist.

Additional information

For further details, you may consult Law 2502 of 2025 at the following link: Ley 2502 de 2025 Congreso de la República de Colombia.

Click here to read Spanish version.

Contact Information
María Carolina Pardo Cuéllar
Partner
Bogota
Read my Bio
carolina.pardo@bakermckenzie.com
Bibiana Cala
Partner
Bogota
Read my Bio
bibiana.cala@bakermckenzie.com

Copyright © 2025 Baker & McKenzie. All rights reserved. Ownership: This documentation and content (Content) is a proprietary resource owned exclusively by Baker McKenzie (meaning Baker & McKenzie International and its member firms). The Content is protected under international copyright conventions. Use of this Content does not of itself create a contractual relationship, nor any attorney/client relationship, between Baker McKenzie and any person. Non-reliance and exclusion: All Content is for informational purposes only and may not reflect the most current legal and regulatory developments. All summaries of the laws, regulations and practice are subject to change. The Content is not offered as legal or professional advice for any specific matter. It is not intended to be a substitute for reference to (and compliance with) the detailed provisions of applicable laws, rules, regulations or forms. Legal advice should always be sought before taking any action or refraining from taking any action based on any Content. Baker McKenzie and the editors and the contributing authors do not guarantee the accuracy of the Content and expressly disclaim any and all liability to any person in respect of the consequences of anything done or permitted to be done or omitted to be done wholly or partly in reliance upon the whole or any part of the Content. The Content may contain links to external websites and external websites may link to the Content. Baker McKenzie is not responsible for the content or operation of any such external sites and disclaims all liability, howsoever occurring, in respect of the content or operation of any such external websites. Attorney Advertising: This Content may qualify as “Attorney Advertising” requiring notice in some jurisdictions. To the extent that this Content may qualify as Attorney Advertising, PRIOR RESULTS DO NOT GUARANTEE A SIMILAR OUTCOME. Reproduction: Reproduction of reasonable portions of the Content is permitted provided that (i) such reproductions are made available free of charge and for non-commercial purposes, (ii) such reproductions are properly attributed to Baker McKenzie, (iii) the portion of the Content being reproduced is not altered or made available in a manner that modifies the Content or presents the Content being reproduced in a false light and (iv) notice is made to the disclaimers included on the Content. The permission to re-copy does not allow for incorporation of any substantial portion of the Content in any work or publication, whether in hard copy, electronic or any other form or for commercial purposes.