Guide on Mexico Data Privacy Law (LFPDPPP) Latest Amendments

By Safna September 25, 2025

Mexico’s Ley Federal de Protección de Datos Personales en Posesión de los Particulares (LFPDPPP), the Federal Law on the Protection of Personal Data Held by Private Parties, was approved in April 2010 and became effective in July of that year. That statute, often called the Mexico data privacy law, applied to all private‑sector organisations that collected or used personal data in Mexico. Over the next fifteen years, digital technologies and international privacy standards evolved, prompting Mexico to overhaul its framework. In March 2025, the government adopted a new data protection law that repeals the 2010 statute and introduces important changes to consent requirements, controller responsibilities and enforcement.

Law text: Mexico LFPDPPP

Effective date: March 21, 2025

Enforcement authority: Secretariat of Anti-Corruption and Good Governance

What is Mexico data privacy law (LFPDPPP 2025)?

LFPDPPP is the Federal Law on the Protection of Personal Data Held by Private Parties in Mexico. Its purpose is to protect personal data held by private entities and guarantee individuals’ privacy rights.

The 2025 reform designates the Secretariat of Anti-Corruption and Good Governance (The Ministry) as the enforcement and supervisory authority, replacing the National Institute of Transparency, Access to Information, and Protection of Personal Data (INAI).

The law grants individuals ARCO rights: Access, Rectification, Cancellation, and Opposition, empowering them to control how their personal information is used.

Entities must issue privacy notices, adopt security measures, ensure confidentiality, manage retention and deletion, and notify breaches.

Compared to the 2010 framework, the LFPDPPP 2025 updates definitions of key terms such as personal data (Personally Identifiable Information), clarifies the scope of processing, and strengthens requirements around privacy notices and consent.

Who does the Mexican privacy law LFPDPPP apply to?

According to Article 4 of the Regulations to the LFPDPPP, the Mexican Data Protection Law (LFPDPPP) applies extraterritorially only in specific cases:

  1. Establishment in Mexico: When processing is carried out in an establishment of the controller located in Mexico.
  2. Processors acting for Mexican controllers: When processing is carried out by a processor, regardless of its location, on behalf of a controller established in Mexico.
  3. International law or contracts: When the controller is not established in Mexico but is subject to Mexican law as a consequence of international law or through the execution of a contract.
  4. Use of means in Mexico: When a controller not established in Mexico uses means located in Mexico to process data (except when the means are used solely for transit).

The definition of data controller now covers any person or entity that processes personal data, even if they do not decide why or how it is processed. This means service providers and processors become directly subject to the law.

Principles of data protection under the Mexico data privacy law

The following are the key principles of Mexico LFPDPPP:

  • Lawfulness: Personal data must be collected and processed lawfully, without any deceptive or fraudulent means.
  • Consent: All processing of personal data requires the consent of the data subject, except in cases where the law provides specific exemptions, such as anonymised data or public data.
  • Purpose limitation: Data may only be used for the purposes stated in the privacy notice and must always be necessary, adequate, and relevant for the stated purpose. For sensitive data, processing should be limited to the minimum period necessary.
  • Loyalty: Data must be processed in a way that prioritises the subject’s interests and maintains their trust.
  • Quality: Controllers must ensure that data is accurate, complete, correct, and updated. Outdated or unnecessary data must be deleted once it no longer serves the stated purposes.
  • Proportionality: Controllers may only collect and process data that is necessary, adequate, and relevant for the stated purposes.
  • Accountability: Controllers are directly responsible for ensuring compliance with all principles. They must adopt necessary and sufficient measures to enforce the law and ensure that third parties respect the privacy notice and obligations.
  • Transparency: Controllers must provide a privacy notice at the time of collection (printed, digital, or other formats).

What are the consent requirements under Mexico data privacy law?

Consent remains central to Mexico’s general personal data protection law. It must be free, specific and informed, and privacy notices must clearly indicate which purposes require consent.

Tacit consent (implied consent) is still recognised if individuals are informed and do not object, while express consent is mandatory for sensitive personal data, financial data, and international transfers (subject to exceptions).

The law also allows processing without consent when authorised by regulations. Such situations include legal requirements, public source data, and vital interests.

Data subjects may withdraw consent at any time, and organisations must keep records of consent and withdrawals.

Websites that use cookies or other tracking technologies must inform users about their use and provide clear guidance on how users can disable these cookies.

Privacy notices and transparency requirements

Mexico data privacy law prioritises transparency in a way similar to the GDPR. Here is what your policy should at least include:

  • Name and address of the business
  • What personal data will be collected and used
  • Sensitive data involved in processing, if any
  • Purposes for processing personal data
  • The purposes for which consent is required by the law
  • The process to limit the use or disclosure of the data
  • How users can exercise their ARCO rights
  • Methods by which the business will communicate any updates to the notice
  • Details of domestic or international data transfers to third parties
  • The procedure to withdraw consent

In addition to the full notice, Mexico LFPDPPP also provides for simplified privacy notices used at the point of collection. A simplified notice must state the controller’s identity and address, list the data categories, purposes and methods to limit their use, and direct users to the full notice.

The privacy notice must be simple, with the necessary information, written in a clear and understandable language, and with a structure and design that facilitates its understanding.

Data subject rights under Mexico LFPDPPP

The following are the rights under Mexican data protection law, also referred to as the ARCO rights:

  • Right to access: The data subject has the right to access their personal data that are in possession of the controller, as well as to know the information related to the conditions and generalities of their use, through the privacy notice.
  • Right to rectification: Individuals can request the rectification or correction of their personal data, when it turns out to be inaccurate, incomplete or not updated.
  • Right to cancellation: Data subjects also have the right, at any time, to request the cancellation of their personal data from the files, records, and systems of the controller, so that the controller no longer holds them.
  • Right to oppose: The data subject may oppose or demand cessation of data processing when:
    • There is a legitimate cause, and continued processing would cause harm, even if lawful.
    • Their data is subject to automated processing that produces legal effects or significantly impacts their rights or freedoms.

This right does not apply if a legal obligation requires the processing of such data.

Mexico data protection obligations for controllers and processors

The following are the business obligations under the Mexico data protection law:

Purpose limitation and data minimisation

Restrict data collection to what is necessary for the specific purpose. Also, ensure that the use of such data is limited to those purposes. If you want to use the data for a different purpose than the original one, you may need to obtain consent from the data subject.

Consent

All processing of personal data requires the data subject’s consent, unless a legal exception applies. Consent may be:

  • Express consent: given verbally, in writing, electronically, or through clear affirmative action. Required for financial, patrimonial, and sensitive personal data. Sensitive data further requires written consent, such as a signature or equivalent authentication.
  • Tacit consent: valid when a privacy notice has been provided and the individual does not object, unless the law demands express consent.

Consent can be revoked at any time, without retroactive effect. Controllers must include mechanisms for withdrawal in the privacy notice.

No consent is required when:

  • Processing is mandated by law.
  • Data comes from public sources or has been dissociated.
  • It is needed to fulfil a legal relationship or obligation.
  • Emergencies threaten life or property.
  • Medical treatment is required, and the subject cannot consent, provided a professional secrecy duty applies.
  • Ordered by a competent authority.

Data quality

Personal data in databases must be accurate, complete, correct, and up-to-date.

Once you no longer need data for the stated purposes, block it and delete it after the retention period ends. Delete any data related to contractual non-compliance after 72 months.

Privacy notices

Provide clear notices with required elements (identity of controller, categories of data, purposes, rights mechanisms, transfers, and updates). Notices must be accessible in print, digital, or other formats.

Implement security measures

Maintain administrative, technical, and physical safeguards proportionate to risks and data sensitivity.

Report breaches

Notify data subjects immediately of any security breach that could significantly affect their rights.

Guaranteed compliance and contractual relationships

Adopt sufficient measures to enforce data protection principles and ensure third parties respect the privacy notice. Enter into a contractual relationship with third-party processors.

Maintain confidentiality

Ensure all personnel or third parties involved in processing uphold confidentiality, even after their relationship with the controller ends.

Mechanisms for ARCO rights

Implement measures for users to exercise their data subject rights. The controller has a maximum of 20 business days from receipt to inform the data subject of the decision taken.

If the request is granted, the controller must implement it within 15 business days following the communication of the decision.
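The two statutory timeframes above (20 business days to communicate a decision, then 15 business days to implement a granted request) are easy to miss when a queue of ARCO requests is tracked by hand. The following is an added example, not code from the original article or from any CookieYes product: a small Python deadline tracker that derives both deadlines from the receipt and decision dates and flags overdue requests. It assumes that only weekends are non-business days (Mexican statutory holidays are not modeled), and the request records are constructed samples.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

DECISION_DAYS = 20        # business days to inform the data subject of the decision
IMPLEMENTATION_DAYS = 15  # business days to carry out a granted request after that


def add_business_days(start: date, days: int) -> date:
    """Advance `start` by `days` Monday-to-Friday business days.
    Assumption: only weekends are skipped; Mexican statutory holidays
    are not modeled and would need to be added for production use."""
    current, remaining = start, days
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:  # 0..4 = Mon..Fri
            remaining -= 1
    return current


@dataclass
class ArcoRequest:
    request_id: str
    kind: str                           # access, rectification, cancellation, opposition
    received: date
    decided: Optional[date] = None      # date the decision was communicated
    granted: Optional[bool] = None
    implemented: Optional[date] = None

    def decision_deadline(self) -> date:
        return add_business_days(self.received, DECISION_DAYS)

    def implementation_deadline(self) -> Optional[date]:
        if self.decided is None or not self.granted:  # only granted requests
            return None
        return add_business_days(self.decided, IMPLEMENTATION_DAYS)

    def status(self, today: date) -> str:
        if self.decided is None:
            return "decision overdue" if today > self.decision_deadline() else "awaiting decision"
        if not self.granted:
            return "closed (denied)"
        if self.implemented is None:
            late = today > self.implementation_deadline()
            return "implementation overdue" if late else "awaiting implementation"
        return "closed (implemented)"


def overdue_requests(requests: List[ArcoRequest], today: date) -> List[str]:
    # IDs of requests that have missed either statutory deadline.
    return [r.request_id for r in requests if r.status(today).endswith("overdue")]


# Constructed sample queue: requests received the day the 2025 law took effect.
SAMPLE_QUEUE = [
    ArcoRequest("REQ-1", "access", date(2025, 3, 21)),
    ArcoRequest("REQ-2", "cancellation", date(2025, 3, 21), date(2025, 4, 10), True),
    ArcoRequest("REQ-3", "opposition", date(2025, 3, 21), date(2025, 4, 10), False),
]
```

Running `overdue_requests(SAMPLE_QUEUE, date.today())` on a schedule gives a simple control that a request has not silently exceeded either window.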

Appoint a person or department for data protection

Controllers must promote personal data protection within the organisation and designate a responsible person or department to handle data subjects’ requests for exercising their rights under the law.

What are the penalties for LFPDPPP violations?

With the INAI dissolved, the Ministry of Anti‑Corruption and Good Governance now oversees privacy enforcement.

Pending cases and proceedings initiated before the new law’s entry into force are transferred to the Ministry.

Administrative fines range from 100 to 320,000 times the Unidad de Medida y Actualización (UMA), with higher penalties for sensitive data breaches and repeat offenders.

Criminal sanctions still apply for severe violations involving sensitive data or deceitful processing. Data subjects may challenge Ministry decisions through amparo proceedings, and the Ministry is expected to issue technical standards to clarify compliance requirements.

Mexico data privacy compliance checklist

To comply with Mexico’s data protection regime, organisations should take the following actions:

  • Conduct a data inventory: Identify all personal data processed, classify it by category and determine whether the organisation acts as a controller or processor.
  • Review and update privacy notices: Ensure comprehensive notices contain all mandatory elements and simplified notices direct data subjects to the full notice.
  • Redesign consent mechanisms: Collect consent separately for each processing purpose, particularly for sensitive data processing, and implement tools for documenting and managing consent and withdrawals.
  • Contracts with service providers: Maintain a contractual relationship with data processors and third parties.
  • Establish retention schedules and deletion procedures: Define how long data will be retained, block data when it is no longer needed, and securely delete it after the retention period.
  • Implement technical and organisational safeguards: Adopt encryption, access controls, training programmes and incident‑response plans to meet confidentiality and security obligations.
  • Set up mechanisms to handle ARCO requests: Create processes to receive and respond to access, rectification, cancellation and opposition requests within the timeframes specified by law.
  • Monitor regulatory developments: The Ministry will issue implementing regulations and technical standards. Businesses should monitor these developments and update compliance programmes accordingly.

GDPR vs Mexico data privacy law

The General Data Protection Regulation (GDPR) and Mexico LFPDPPP set out strong rules for safeguarding personal data. While they share common goals like accountability, transparency, and giving people more control over their data, there are important differences businesses need to keep in mind.

Scope and reach

  • GDPR applies not only to organisations in the EU but also to those outside the EU if they offer goods or services to, or monitor the behaviour of, EU residents. Its extraterritorial scope is one of the broadest in the world.
  • LFPDPPP, by contrast, is focused on the Mexican private sector. It applies to entities that process personal data in Mexico, with exceptions for purely personal use and certain regulated industries like credit bureaus.

Consent and legal bases

  • Under the GDPR, consent is just one of six legal bases for processing data, and organisations often rely on others, like “legitimate interests” or “performance of a contract.”
  • The LFPDPPP leans heavily on consent as the primary ground for processing. It allows tacit consent in some cases, but requires express consent for sensitive or financial data.

Rights of individuals

Both laws empower individuals to access and control their data. In the EU, individuals have the right to access, rectify, erase, restrict, object, request portability, and avoid decisions made solely by automated systems.

In Mexico, people exercise their ARCO rights: Access, Rectification, Cancellation, and Opposition. Controllers must reach a decision and communicate it within 20 business days, then implement granted requests within a further 15 business days, whereas the GDPR allows a one-month response time.

Enforcement and penalties

  • GDPR violations can result in fines of up to €20 million or 4% of global annual turnover, whichever is higher.
  • LFPDPPP uses administrative fines tied to Mexico’s Unit of Measurement and Update (UMA), and uniquely, it can impose criminal penalties for certain offences, including imprisonment.

FAQ on Mexico data privacy law

Is Mexico a GDPR country?

Although Mexico is not a GDPR country, its data protection laws resemble GDPR requirements in areas like transparency, data protection officers, and data subject rights.

What is the fine for data protection in Mexico?

The fines for violating LFPDPPP could range from 100 to 320,000 times the Unidad de Medida y Actualización (UMA), with higher penalties for sensitive data breaches and repeat offenders.

Safna is the resident data privacy writer at CookieYes, where she breaks down privacy laws into actionable insights for businesses. The rest of her time is a mix of music, movies, and hot chocolate.