Decree No. 1,630, of May 2011, creates a national registry of mobile phones, through the adoption of two databases. The negative database contains the IMEI (International Mobile Equipment Identity) of the devices that have been reported as stolen or lost, both in Colombia and abroad, while the positive database includes the mobile equipment imported or legally manufactured in Colombian territory. The latter connects the IMEI with the identity of the user, who is required to provide the telecommunication operators (or mobile telecommunications networks and services providers) with their full name, type and identity document number, address and telephone number. Although there is no mandatory registration of SIM cards, the IMEIs are associated with a specific user. Art. 5 of Decree No. 1,630 states that telecommunications providers must bear the costs of the system that supports the positive and negative databases, which must be managed by an independent legal entity and should guarantee the quality of the service. More regulation on the databases is contained in Resolution No. 3,128.

A basic legal framework on intermediary liability beyond copyright infringement is absent in Colombia's law and jurisprudence. The liability regime for damages applicable to Internet intermediaries in Colombia is the same as that generally applied to any other activity, that is a regime of subjective civil liability, since the law does not provide for a presumption of fault (or objective) for intermediaries.

A basic legal framework on intermediary liability beyond copyright infringement is absent in Colombia's law and jurisprudence. The liability regime for damages applicable to Internet intermediaries in Colombia is the same as that generally applied to any other activity, that is a regime of subjective civil liability, since the law does not provide for a presumption of fault (or objective) for intermediaries.

According to Art. 23 of Decree 1,377, controllers and processors should appoint a person or function within the company that assumes responsibility for the protection of personal data, tasked with reviewing and solving claims made by data subjects. Furthermore, title VI of Law No. 1,581 establishes the duties of those responsible for data treatment and in charge of data treatment.

The country has two main instruments regulating data protection, Law No. 1,581 and Decree No. 1,377. Law No. 1,581 establishes the guiding principles of data protection (such as finality, transparency, and confidentiality). Decree No. 1,377 complements and modifies Law No. 1,581.
Law No. 1,266 developed the habeas data, particularly regarding financial, credit, commercial, services, and third countries information.

Pursuant to Art. 4 of Decree No. 1,704, telecommunications providers must keep and store for a period of five years subscribers' personal information, such as identity, billing address, connection type. This information must be available to the Attorney General or any competent authority in the context of a criminal investigation.

Art. 5 of Law No. 1,266 establishes a rule on international data transfers as carried out by data bank operators. The transfer is permitted to other data operators when there is authorization from the data subject; or when the destination database has the same purpose as the operator that delivers the data.

If the receiver of the data is a foreign data bank, the delivery without authorization must be done with a written record and due verification by the operator that the laws of the recipient of the information offer guarantees for the protection of the rights of the data subject.

According to Art. 13.11 of the First Amending Protocol (which amends the Additional Protocol to the Framework Agreement of the Pacific Alliance), the four parties (Chile, Colombia, Peru and Mexico) commit to allow cross-border information transfers through electronic means, including also the transfer of personal data for business activities. Moreover, in Art. 13.11.bis the parties commit to ban forced localisation of computer facilities in their national territories.

According to Art. 26 of Law No. 1,581, cross-border transfer of personal data is forbidden unless it is made to a country that offers adequate levels of data protection (as defined by the Colombian data protection authority). The above-mentioned prohibition does not apply in certain cases, including when the data subject authorizes the cross-border transfer, or in the case of medical data being required for health or public hygiene reasons. According to the law, the institution in charge, "Superintendencia de Industria y Comercio" (SIC), establishes the standards regarding international data transfers.

The "Comisión de Regulación de Comunicaciones" is the executive authority in Colombia for the supervision and administration of services in the telecommunications sector. According to Art. 19 of Law No. 1.314 and Art. 1.2.1.1. of Regulatory Decree No. 1,078, this authority is independent of the government in the decision-making process.

It has been reported that in practice companies that require to be registered in the ICT Registry, which include telecommunication companies and those that manage scarce resources (such as the electric spectrum), need to be incorporated into the country because of the documents needed for the mandatory registration in the ICT Registry (pursuant to Law No. 1,341, Decree No. 4,948, Decree No. 377). These documents include the Tax Identification Number for network and services providers and "Rol Único Tributario" for natural persons (according to Art. 5 and 6 of Decree No. 4,948).

Colombia has appended the World Trade Organization (WTO) Telecom Reference Paper to its schedule of commitments.

The government of Colombia holds 32.5% shares of Colombia Telecomunicaciones SA ESP, which operates under the brand Movistar and focuses mainly on the telephony and mobile connection businesses. In September 2018, the authorities reported that the State was going to sell its stakes in the company but this has not been the case yet. Some public telecommunication companies exist at the local level, for example, ETB (which provides services in Bogotá), EPM (in Medellín), and Metrotel (in Barranquilla).

The country does not mandate functional separation for operators with significant market power (SMP) in the telecom market. However, there is an obligation of accounting separation since 2009. According to Arts. 64 and 65 of the Law No. 1,341 Issues principles and concepts on the information society and the organization of Information and Communication Technologies (ICT), creates the National Spectrum Agency [...] (Ley No. 1341 Por la cual se definen principios y conceptos sobre la sociedad de la información y la organización de las Tecnologías de la Información y las Comunicaciones (TIC), se crea la Agencia Nacional de Espectro [...]), the operators must keep separate accounting and would be subject to specific sanctions if they do not comply with the requirement.

Laws No. 256, Decision No. 486, and the Penal Code provide a framework for the adequate protection of trade secrets. Arts. 260-266 of Decision No. 486 regulate trade secrets, Art. 245 of the same allows requesting preventive measures to stop an alleged infringement, avoid its consequences, obtain or retain evidence, or ensure the effectiveness of the action or compensation for damages. In addition, Art. 16 of Law No. 256 punishes the violation of trade secrets and Art. 308 of the Penal Code defines the violation of trade secrets and establishes a sanction.