Peru limits the use of express delivery channels by individuals who do not hold a taxpayer identification number (RUC). According to the Plataforma Digital Única del Estado Peruano (Gov.Pe), natural persons may carry out occasional imports or exports with a FOB value per transaction not exceeding USD 1,000, provided that they register no more than three imports or exports per year. It is further reported that it remains unclear whether shipments exceeding this threshold would be treated as commercial activity and could trigger additional income tax obligations. This RUC-related constraint reportedly limits individuals’ ability to import goods for personal use and operates as a barrier to cross-border e-commerce via express delivery in Peru.

Paraguay implements a de minimis threshold, that is the minimum value of goods below which customs do not charge duties, equal to USD 200. Under the courier regulation approved by Supreme Decree No. 192-2020-EF, shipments are classified by category, and Category 2 covers goods with a FOB value of up to USD 200 per shipment, which are not subject to import duties. This threshold aligns with the International Chamber of Commerce (ICC) recommended global baseline de minimis level of USD 200 or more.

Pursuant to Art. 7.1 of Supreme Decree No. 016-2024-JUS, which approves the Regulation of Law No. 29733 on Personal Data Protection, the controller of a personal data bank, or the person responsible for it, whether located within or outside Peruvian territory, must (unless the processing is carried out solely for transit purposes) ensure the means necessary to comply effectively with the obligations established in the Law and the Regulation, and appoint a representative in Peru (or for Peruvian territory) as the contact point with the National Personal Data Protection Authority. Art. 2 defines a personal data bank as "a set of data on natural persons, whether computerised or not, structured according to specific criteria, which allows access to personal data without disproportionate effort, whether centralised, decentralised or distributed functionally or geographically".

The Consumer Protection Code Law provides a comprehensive consumer protection framework that applies to online transactions. According to Art. 2 of the law, the purpose of the Code is to enable consumers to access suitable products and services and to enjoy the rights and effective mechanisms for their protection, reducing information asymmetry and correcting, preventing, or eliminating conduct and practices that affect their legitimate interests.

Resolution of the Board of Directors No. 138-2012-CD-OSIPTEL, issued by the regulatory agency Supervisory Agency for Private Investment in Telecommunications (OSIPTEL), establishes identity verification requirements for mobile services. It regulates the verification of the applicant's identity and the contracting of mobile public services.
According to Art. 11 of the Resolution, mobile public service operating companies are obliged to verify the applicant's identity using the fingerprint biometric verification system, by checking the information in the RENIEC (the national identification registry, "Registro Nacional de Identificación y Estado Civil") biometric database. Also, Art. 11A states that before fingerprint verification, the company may request that the applicant (or legal representative) exhibit their hand to verify that it is free of any external objects that could invalidate the identity verification process.
Art. 11B states that the operator must include in the subscriber registry information regarding all mobile terminal equipment through which the service is provided, including equipment that has not yet been commercialised. This registry must also include the IMEI code of the mobile terminal equipment or the electronic serial number; the IMSI code that activates the mobile terminal equipment (unique international identification code for each subscriber of the public mobile service, which is integrated into the SIM Card, Chip or other equivalent); whether the subscriber is a natural or legal person and other information established by OSIPTEL.

Peru does not mandate functional separation for operators with significant market power (SMP) in the telecom market. However, there has been an obligation to separate the accounts since 2019. The Instructions on Accounting Separation in the Telecommunications Sector and the Procedure for Accounting Separation (Resolution No. 161-2019-CD/OSIPTEL) regulate the process for accounting separation in the telecommunications sector.

Peru has appended the World Trade Organization (WTO) Telecom Reference Paper to its schedule of commitments.

It is reported that the Supervisory Body for Private Investment in Telecommunications (OSIPTEL), the executive authority for the supervision and administration of services in the telecommunications sector, is independent from the government in the decision-making process.

Art. 15 of the Law on the Protection of Personal Data and Art. 18 of its corresponding Regulation stipulate that, in cases where the recipient country does not ensure an adequate level of data protection, the data controller must guarantee that the processing of personal data will be carried out in accordance with the Peruvian legal framework. This requirement, however, does not apply in the following circumstances:
- where the transmission of personal data occurs within the context of international judicial cooperation or the implementation of international trade agreements;
- in the context of international cooperation between intelligence agencies;
- when the transfer of personal data is necessary for the performance of a contractual relationship to which the data subject is a party;
- for transfers involving banking and securities operations;
- for the prevention, diagnosis, or medical or surgical treatment of the data subject; and
- where the data subject has given their informed consent to the transfer under these conditions.

Peru has joined several agreements with binding commitments to open transfers of data across borders. These include: the First Amending Protocol [which amends the Additional Protocol to the Framework Agreement of the Pacific Alliance (Arts. 13.11 and. 13.12(c)], the Australia - Peru Free Trade Agreement (Art. 13.11.2), and the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP, Art. 14.11.2).

The Law on the Protection of Personal Data and its Regulation establish a comprehensive data protection regime in Peru.

The Second Final Supplementary of Decree No. 1182, on the preservation of data derived from telecommunications, states that the concessionaires of public telecommunications services and the public entities related to these services must keep the data derived from telecommunications during the first 12 months in computer systems that allow their consultation and delivery online and in real-time. At the end of the aforementioned period, they must keep said data for an additional 24 months in an electronic storage system. The delivery of data stored for a period not exceeding twelve months is done online and in real-time after receiving judicial authorisation. In the case of data stored for a period greater than 12 months, it will be delivered within 7 days following the judicial authorisation under responsibility.
A similar obligation is prescribed in Art. 16.e of Law No. 27336, which stipulates that all natural or legal persons providing public telecommunications services must retain, for a minimum period of three years from the moment the relevant information is generated, the source records underlying call‑detail data and the billing of the services they operate.

Art. 37 of the Regulation of Law No. 29733 provides that the personal data bank holder or data controller, as well as the data processor, must appoint a personal data protection officer in certain circumstances. These include: (i) where a public entity carries out the processing; (ii) where the controller, data bank holder, or processor engages in the processing of large volumes of personal data, whether in terms of quantity or type, or where such processing may affect a large number of individuals, involves sensitive data, or may result in an apparent detriment to the rights or freedoms of the data subject; and (iii) where the core activities or primary business operations of the controller, data bank holder, or processor consist of the processing of sensitive personal data.

A basic legal framework on intermediary liability for copyright infringement is absent in Peru's law and jurisprudence. In addition, complaints are reported regarding long-standing enforcement problems with the intellectual property (IP) provisions of the Peru-US Free Trade Agreement (Chapter 16, Art. 16.11.29), in particular with respect to the establishment of statutory damages for copyright infringement and trademark counterfeiting, and the notice and takedown and safe harbour system for Internet Service Providers (ISPs). Moreover, this is reiterated with respect to the rules relating to ISP liability in the EU-Peru-Colombia-Ecuador Agreement (Section 29). Finally, the Comprehensive Trans-Pacific Partnership Agreement, Chapter 18, Art. 18.82, includes relevant provisions limiting ISP liability and promoting a safe harbour for ISPs. However, the national implementation of intermediate liability rules for service providers is still pending, and there is no clear timetable.

A basic legal framework on intermediary liability beyond copyright infringement is absent in Peru's law and jurisprudence.