Mexico Data Privacy Laws: LFPDPPP Compliance Guide (2026)

Mexico's data privacy framework underwent its most significant transformation in over a decade when the federal government enacted a completely new Federal Law for the Protection of Personal Data Held by Private Parties (LFPDPPP) in March 2025. This was not a simple amendment. The government repealed the 2010 law entirely and replaced it with new legislation that restructures enforcement, expands data subject rights, and introduces provisions addressing artificial intelligence and automated decision-making.
For businesses operating in Mexico or handling data belonging to Mexican residents, the changes demand close attention. The dissolution of the formerly independent oversight body, the creation of specialized data protection courts, and increased penalty ranges all signal that Mexico is positioning itself as a more assertive regulator in the Latin American data protection landscape.
Historical Background: From 2010 to 2025
Mexico was among the first Latin American countries to adopt comprehensive data protection legislation. The original LFPDPPP was enacted on July 5, 2010, and its implementing regulations followed in December 2011. Together with the Privacy Notice Guidelines issued in 2013, these formed the core of Mexican data privacy law for nearly 15 years.

The public sector received its own framework in January 2017 with the General Law for the Protection of Personal Data Held by Obligated Subjects (LGPDPPSO). This law governed how federal, state, and municipal government bodies, autonomous agencies, political parties, and public trusts handle personal information.
Both laws were overseen by the National Institute for Transparency, Access to Information, and Protection of Personal Data (INAI), an autonomous constitutional body created in 2014. INAI served as both the transparency watchdog and the data protection authority, handling ARCO rights complaints, conducting investigations, and imposing sanctions.
A constitutional reform published on November 28, 2024, set the stage for the current framework. This reform dissolved INAI and transferred its functions to the executive branch. On March 20, 2025, the Official Gazette published decrees enacting entirely new versions of the transparency law, the public sector data protection law, and the private sector LFPDPPP. All three took effect the following day.
The Current Framework: LFPDPPP 2025
The 2025 LFPDPPP preserves many structural elements from its predecessor but introduces meaningful changes across several areas. Understanding these changes is essential for compliance.
Scope and Applicability
The LFPDPPP applies to any private individual or legal entity (company, organization, association) that collects, uses, stores, or otherwise processes personal data. The 2025 version makes one critical expansion: data processors are now expressly subject to the law, not just data controllers. Under the 2010 regime, processors occupied a gray area. That ambiguity is resolved.
The law applies regardless of where the data controller is located, provided the processing involves data of individuals in Mexico. This extraterritorial reach, while not as explicitly stated as the EU's GDPR, has practical implications for foreign companies serving Mexican customers.
Core Principles
The LFPDPPP is built on eight foundational principles that data controllers must observe:
- Lawfulness: Processing must comply with Mexican law and not involve deceptive or fraudulent means
- Consent: The data subject must provide informed authorization for the processing of their data
- Information: Controllers must inform data subjects about the existence and scope of data processing through privacy notices
- Quality: Personal data must be accurate, complete, relevant, and current for the purposes of collection
- Purpose: Data may only be collected and processed for the specific, explicit, and legitimate purposes stated in the privacy notice
- Loyalty: Controllers must process data in a way that prioritizes the protection of the data subject's interests and reasonable expectations of privacy
- Proportionality: Only data that is necessary, adequate, and relevant for the stated purpose may be processed
- Accountability: Controllers must implement policies, procedures, and internal mechanisms to demonstrate compliance
The 2025 reform adds explicit recognition of data minimization and proactive accountability, bringing the framework closer to the standards set by the EU General Data Protection Regulation (GDPR).
Personal Data Categories
The law distinguishes between several categories of personal data, each with different protection requirements:
General personal data includes names, addresses, email addresses, phone numbers, and other basic identifying information. Tacit consent (implied consent through inaction after notification) is sufficient for processing this category.
Financial personal data covers bank account numbers, credit card information, income details, credit history, and similar financial records. Express consent is required.
Sensitive personal data receives the highest level of protection. The 2025 law explicitly defines this category to include:
- Health status and medical records
- Genetic and biometric data
- Racial or ethnic origin
- Religious, philosophical, or moral beliefs
- Political opinions and affiliations
- Union membership
- Sexual orientation and preferences
- Any data that could expose the individual to discrimination or significant harm
Processing sensitive data requires express written consent. Fines for mishandling sensitive data can be doubled under the penalty framework.
Privacy Notice Requirements
The privacy notice remains the central compliance mechanism under Mexican law. The 2025 LFPDPPP recognizes three types:
Comprehensive Privacy Notice
This is the full-length document that must be made available to data subjects. It must include:
- Identity and contact information of the data controller
- Specific personal data to be collected, with sensitive data clearly identified
- Processing purposes, distinguishing between those that require consent and those that do not
- Legal basis for processing that does not require consent
- Mechanisms for exercising ARCO rights
- How consent can be revoked
- Options for limiting use or disclosure of data
- Information about data transfers to third parties
- Whether data will be used for automated decision-making
- Data retention periods
- Procedures for notifying changes to the privacy notice
Simplified Privacy Notice
This is a new requirement under the 2025 law. The shorter version must be provided at the point of data collection, particularly when collection occurs through electronic, optical, audio, visual, or other technological means. It must reference the comprehensive notice and include at minimum the controller's identity, the processing purposes, and how to access the full notice.
Short Privacy Notice
Used in physical spaces with limited room for text (such as forms or kiosks). It must contain the controller's identity, processing purposes, and a link or reference to the comprehensive notice.
ARCO Rights: Access, Rectification, Cancellation, and Opposition
Mexico's ARCO rights framework predates the GDPR and remains one of the most established data subject rights systems in Latin America. The 2025 law strengthens these rights in several ways.
Right of Access
Data subjects may request confirmation of whether their personal data is being processed, along with access to the data itself and information about the conditions of processing. Controllers must respond within 20 business days of receiving the request.
Right of Rectification
Individuals can request correction of inaccurate, incomplete, or outdated personal data. The controller must make corrections within 15 business days of approving the request.
Right of Cancellation
The 2025 law expands this right. Cancellation now explicitly applies to all files, records, databases, and systems where personal data is stored. When cancellation is approved, the data enters a blocking period during which it cannot be processed. After the retention period expires, the data must be permanently deleted.
For data related to contractual non-compliance, the law establishes a specific 72-month blocking period before deletion.
Right of Opposition
Data subjects may object to the processing of their data for specific purposes. The 2025 law introduces a significant new dimension: the right to object to automated processing that significantly affects a data subject's rights, freedoms, or interests without human intervention. This includes algorithmic decision-making and AI-based profiling.
Exercising ARCO Rights
ARCO requests must be submitted to the data controller, which has 20 business days to respond and 15 additional business days to execute the request. If the controller denies or fails to respond to a request, the data subject may file a complaint with the Secretariat of Anti-Corruption and Good Governance (SABG), the enforcement authority described below. Judicial review is available through the specialized federal courts established under the 2025 framework.
Consent Framework
The 2025 LFPDPPP maintains Mexico's tiered consent system but adds important clarifications:
Tacit Consent
Applies to general personal data. If the data subject receives the privacy notice and does not expressly object to the processing, consent is considered given. The notice must clearly explain this mechanism.
Express Consent
Required for financial data, international transfers, and other situations defined by the law. The data subject must affirmatively indicate agreement, whether verbally, in writing, or through electronic means.
Express Written Consent
Mandatory for sensitive personal data. The data subject must provide a signed document (physical or electronic) specifically authorizing the processing of sensitive information.
Consent must always be freely given, specific, informed, and unambiguous. The 2025 law clarifies that consent obtained through deceptive practices, pre-checked boxes, or bundled authorizations that prevent meaningful choice is invalid.
Enforcement: The Shift from INAI to SABG
The most structurally significant change in the 2025 framework is the dissolution of INAI and the transfer of enforcement authority to the Secretariat of Anti-Corruption and Good Governance (Secretaría de Anticorrupción y Buen Gobierno, or SABG).
What Changed
INAI was an autonomous constitutional body with its own budget, commissioners, and independent decision-making authority. The SABG is a cabinet-level ministry within the executive branch, reporting to the President. This shift from independent oversight to executive branch control has drawn criticism from privacy advocates, who argue it reduces the independence of data protection enforcement.
Nevertheless, the SABG has assumed all of INAI's functions:
- Receiving and investigating data protection complaints
- Conducting compliance audits and verification procedures
- Issuing binding resolutions on ARCO rights disputes
- Imposing administrative sanctions including fines
- Authorizing, overseeing, and revoking certifying entities
- Publishing guidelines and regulatory interpretations
Early Enforcement Activity
The transition has not meant a pause in enforcement. In early 2026, following several high-profile cyber incidents affecting both governmental and private organizations in Mexico, the SABG initiated formal proceedings and made them public from the outset. This signals that the new authority intends to be an active enforcer despite the institutional transition.
Specialized Federal Courts
The 2025 reform mandated the creation of specialized federal courts for data protection and transparency matters within 120 calendar days of the law's effective date. As of July 1, 2025, these courts began operating within the newly established 30th Judicial Circuit, headquartered in Aguascalientes.
Judicial review of SABG decisions proceeds through the amparo system, Mexico's constitutional remedy procedure. Cases initiated before the law's entry into force are resolved under the prior legal framework, and ongoing amparo proceedings were suspended for 180 days during the transition.
Penalties and Sanctions
The 2025 LFPDPPP establishes a graduated penalty framework denominated in UMA (Unidad de Medida y Actualización), an economic reference unit that is adjusted annually for inflation.
At the 2026 UMA daily rate of MXN 117.31 (approximately USD $5.87), the penalty ranges are:
| Violation Type | UMA Range | Approximate MXN | Approximate USD |
|---|---|---|---|
| Standard violations | 100 - 320,000 UMA | $11,731 - $37,539,200 | $587 - $1,877,000 |
| Repeat offenders | Additional 320,000 UMA | Up to $37,539,200 | Up to $1,877,000 |
| Sensitive data violations | Doubled standard fines | Up to $75,078,400 | Up to $3,754,000 |
Criminal Sanctions
Severe violations can trigger criminal prosecution. Penalties include:
- 3 months to 5 years imprisonment for security breaches involving sensitive data
- Enhanced penalties for deceitful data processing activities causing significant harm
- Additional fines at the criminal court's discretion
Non-Monetary Sanctions
The SABG may also order temporary or permanent suspension of data processing activities, which for many businesses represents a more severe consequence than financial penalties.
Cross-Border Data Transfers
International data transfers remain one of the more challenging aspects of Mexican data protection law. The 2025 LFPDPPP addresses transfers but leaves some gaps.
General Rule
Cross-border transfers require the prior informed consent of the data subject. The privacy notice must disclose that international transfers will occur, identify the destination countries and recipient organizations, and describe the protection standards in place.
Exceptions to Consent
Consent is not required when the transfer:
- Is necessary to fulfill a legal obligation
- Is required under an international treaty to which Mexico is a party
- Is necessary for medical diagnosis, treatment, or prevention in an emergency
- Is needed to maintain or fulfill a legal relationship between the controller and the data subject
- Is authorized by specific legislation
- Serves a recognized public interest
Remaining Gaps
Unlike the GDPR, the LFPDPPP does not establish adequacy determinations, standard contractual clauses, or binding corporate rules as formal mechanisms for international transfers. This leaves organizations without clear guidance on demonstrating adequate protection in the receiving country. Implementing regulations, which have not yet been published as of early 2026, may address this gap.
Automated Decision-Making and AI Provisions
The 2025 LFPDPPP introduces provisions addressing automated decision-making and artificial intelligence, positioning Mexico as one of the first Latin American countries to address these issues directly in data protection legislation.
Key Requirements
Organizations using algorithms, AI systems, or other automated processes to make decisions that affect individuals must:
- Provide clear notice to data subjects about the use of automated decision-making
- Disclose information about the algorithmic logic involved
- Explain the significance of automated processing and its potential consequences
- Allow data subjects to exercise their right of opposition to automated decisions that significantly affect their rights
Impact Assessments
High-risk automated decision-making systems require impact assessments evaluating potential effects on individual rights, with identification of appropriate safeguards and mitigation measures.
While these provisions are less detailed than the EU AI Act, they establish a foundation that implementing regulations and future legislation are expected to build upon.
Public Sector Data Protection: LGPDPPSO
The public sector operates under a separate but parallel framework. The General Law for the Protection of Personal Data Held by Obligated Subjects (LGPDPPSO), originally enacted in January 2017, was also replaced with a new version in March 2025.
The LGPDPPSO applies to all branches and levels of government, including:
- Federal, state, and municipal executive agencies
- Legislative and judicial bodies
- Autonomous constitutional bodies
- Political parties
- Public trusts and funds
The public sector law mirrors many provisions of the private sector LFPDPPP but includes additional obligations related to government transparency and access to information. The SABG oversees compliance for both frameworks.
Compliance Requirements for Businesses
Organizations subject to the LFPDPPP must implement several compliance measures:
Data Protection Function
While the law does not mandate a Data Protection Officer (DPO) by that specific title, it requires organizations to establish a data protection function. Depending on the organization's size and complexity, this may involve:
- Designating an individual (such as a Chief Privacy Officer)
- Creating a dedicated department
- Assigning the function to an existing business unit
Documentation Requirements
Controllers must maintain:
- Updated privacy notices (comprehensive, simplified, and short as applicable)
- Records of processing activities
- Documentation of consent mechanisms
- Data retention and deletion policies with defined timeframes
- Security incident response procedures
- Records of international data transfers
Security Measures
The law requires administrative, technical, and physical security measures appropriate to the risk level of the data being processed. While specific technical standards are left to implementing regulations, organizations must at minimum:
- Conduct risk assessments
- Implement access controls
- Maintain audit trails
- Establish breach detection and response capabilities
- Train personnel who handle personal data
Breach Notification
When a security breach occurs, controllers must notify affected data subjects. The notification must include:
- Nature of the breach
- Personal data involved
- Possible consequences for data subjects
- Corrective and mitigation measures taken
The law also requires notification to the SABG, with specific protocols to be established in implementing regulations.
Data Retention and Deletion
The 2025 LFPDPPP formalizes data lifecycle management requirements that were less defined under the previous law.
Controllers must establish clear retention periods for all categories of personal data they process. Once data is no longer necessary for the stated purposes, it must go through a two-stage process:
- Blocking: The data is removed from active processing systems but retained in restricted storage where it cannot be accessed for routine operations
- Deletion: After the blocking period expires, the data must be permanently destroyed
For data related to contractual non-compliance, the mandatory blocking period is 72 months before deletion can occur. Organizations must implement automated deletion capabilities and document their data lifecycle management practices.
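The two-stage lifecycle above maps naturally onto a small state machine: a record is ACTIVE, then BLOCKED (retained but unreadable for routine purposes), then DELETED once the blocking period has run. The following Python is an added illustration, not code from the guide or from any regulator; the 72-month period for contractual non-compliance data is the figure quoted above, while the `general` category's 12-month period, the `Record` class, its field names and the sample subject data are assumptions constructed for the demo.

```python
"""Added example: two-stage retention (blocking, then deletion) for a personal-data record.
Only the 72-month blocking period for contractual non-compliance data comes from the
guide; every other period, name and sample value here is an assumption."""
from __future__ import annotations

import calendar
from dataclasses import dataclass, field
from datetime import date
from enum import Enum


class State(Enum):
    ACTIVE = "active"    # routine processing permitted
    BLOCKED = "blocked"  # restricted storage; no routine access
    DELETED = "deleted"  # permanently destroyed


# Blocking period in months per data category. The 72-month value is quoted in the
# text; "general" is an assumed placeholder a controller would set in its own policy.
BLOCKING_MONTHS = {
    "contractual_noncompliance": 72,
    "general": 12,  # assumption, not from the law
}


def add_months(d: date, months: int) -> date:
    """Advance a date by whole months, clamping the day to the target month's length."""
    years, month_index = divmod(d.month - 1 + months, 12)
    year, month = d.year + years, month_index + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(d.day, last_day))


@dataclass
class Record:
    subject_id: str
    category: str
    data: dict | None
    state: State = State.ACTIVE
    blocked_on: date | None = None
    audit: list[str] = field(default_factory=list)  # audit trail of every access and transition

    def deletion_due(self) -> date | None:
        """Earliest date on which deletion is allowed, or None if not yet blocked."""
        if self.blocked_on is None:
            return None
        return add_months(self.blocked_on, BLOCKING_MONTHS[self.category])

    def read(self, purpose: str, today: date) -> dict:
        """Routine access is only permitted while the record is ACTIVE."""
        if self.state is not State.ACTIVE:
            self.audit.append(f"{today} DENIED read purpose={purpose} state={self.state.value}")
            raise PermissionError(f"record is {self.state.value}; routine access not permitted")
        self.audit.append(f"{today} read purpose={purpose}")
        return dict(self.data)

    def block(self, today: date, reason: str) -> None:
        """Stage 1: remove from active processing but retain the data."""
        if self.state is not State.ACTIVE:
            raise ValueError(f"cannot block a record in state {self.state.value}")
        self.state = State.BLOCKED
        self.blocked_on = today
        self.audit.append(f"{today} BLOCKED reason={reason} deletion_due={self.deletion_due()}")

    def try_delete(self, today: date) -> bool:
        """Stage 2: destroy the data once the blocking period has elapsed."""
        if self.state is not State.BLOCKED:
            return False
        due = self.deletion_due()
        if today < due:
            self.audit.append(f"{today} deletion deferred until {due}")
            return False
        self.data = None
        self.state = State.DELETED
        self.audit.append(f"{today} DELETED")
        return True


def sweep(records: list[Record], today: date) -> list[str]:
    """Scheduled job: delete every blocked record whose period has elapsed."""
    return [r.subject_id for r in records if r.try_delete(today)]


def demo_lifecycle() -> dict:
    """Run the full lifecycle on a constructed record and return what was observed."""
    rec = Record("subject-0001", "contractual_noncompliance",
                 {"name": "Sample Name", "debt_mxn": 1200})  # constructed sample data
    before = rec.read("collections", date(2026, 2, 1))
    rec.block(date(2026, 3, 1), reason="purpose fulfilled")
    try:
        rec.read("marketing", date(2026, 4, 1))
        denied = False
    except PermissionError:
        denied = True
    early = sweep([rec], date(2032, 2, 28))   # one day short of 72 months: nothing deleted
    on_time = sweep([rec], date(2032, 3, 1))  # period elapsed: record destroyed
    return {
        "before": before, "denied": denied, "due": str(rec.deletion_due()),
        "early": early, "on_time": on_time, "final_state": rec.state.value,
        "data": rec.data, "month_clamp": str(add_months(date(2026, 1, 31), 1)),
        "audit": rec.audit,
    }


if __name__ == "__main__":
    for line in demo_lifecycle()["audit"]:
        print(line)
```

The point of the design is that the blocked state is enforced in code rather than by policy alone: `read` refuses routine access once a record leaves ACTIVE and writes the refusal to the audit trail, and `sweep` is the automated deletion job the text calls for, which can run daily without ever deleting early because `try_delete` checks the computed due date.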
Current Status and Outlook (2026)
As of early 2026, the new framework is operational but incomplete. Several key developments are pending:
Implementing regulations have not been published. The 2010 LFPDPPP had detailed regulations that provided practical guidance on privacy notices, security measures, and ARCO request procedures. The 2025 law references forthcoming regulations in multiple provisions, but none have appeared in the Official Gazette.
Stakeholder consultations began in January 2026, with the SABG initiating dialogues with industry groups, privacy professionals, and civil society organizations about the regulatory framework.
Enforcement precedents from the SABG remain limited. While the authority initiated proceedings in early 2026 following cyber incidents, no published decisions have established how the new law will be interpreted in practice.
Specialized courts in the 30th Judicial Circuit are operational but have not produced publicly reported precedents on the new law.
The practical effect is a period of regulatory uncertainty. Organizations should comply with the law as written while monitoring developments closely, as implementing regulations may impose additional requirements or provide relief on ambiguous provisions.
Sources and References
- Federal Law for the Protection of Personal Data Held by Private Parties (LFPDPPP 2025) - Official Gazette (dof.gob.mx)
- Mexico: New Transparency and Data Protection Laws Enacted - Library of Congress (loc.gov)
- Mexico Enacts New Data Protection Regime - White and Case LLP (whitecase.com)
- Data Protection Laws and Regulations 2025-2026: Mexico - ICLG (iclg.com)
- Data Protection and Privacy 2026: Mexico - Chambers and Partners (chambers.com)
- New Authority for Personal Data Protection in Mexico - IAPP (iapp.org)
- Mexico New Personal Data Protection Law - Greenberg Traurig (gtlaw.com)
- Mexico Has a New Law on Personal Data Protection - Littler (littler.com)
- Mexico UMA Value 2026 - Littler (littler.com)
- Mexico Overhauls Federal Data Protection Law - Hunton Andrews Kurth (hunton.com)