Mexico Data Privacy Laws: 2025 LFPDPPP Complete Guide

Mexico governs private-sector data privacy through the Federal Law for the Protection of Personal Data Held by Private Parties (LFPDPPP), published in the Official Gazette of the Federation on March 20, 2025. The law preserves ARCO rights and transfers enforcement from the dissolved INAI to the Secretariat of Anti-Corruption and Good Governance (SABG).
Mexico overhauled its personal data protection framework more significantly in 2024 and 2025 than at any point since the original law passed in 2010. The changes were driven by a sweeping constitutional reform that dissolved seven autonomous constitutional bodies, including the long-standing data protection authority INAI. In their place, enforcement power moved to the executive branch, three new laws entered force on the same day in March 2025, and specialized federal courts took over judicial review from the administrative tribunal system.
For companies operating in Mexico or processing data belonging to Mexican residents, the 2025 framework demands fresh compliance reviews. The new law largely preserves the structure of the 2010 statute, but it introduces important changes on consent, data processors, automated decision-making, and privacy notices. The institutional shift from independent regulator to executive ministry also changes the enforcement dynamic in ways that practitioners are still assessing.
This guide covers the full framework: constitutional foundations, the 2025 private sector law, the public sector parallel law, enforcement under the SABG, ARCO rights, penalties, cross-border transfers, and what the current state of regulatory uncertainty means for businesses.
Quick Answer: What You Need to Know
Mexico's data protection regime for the private sector is governed by the 2025 Federal Law for the Protection of Personal Data Held by Private Parties (Ley Federal de Proteccion de Datos Personales en Posesion de los Particulares, or LFPDPPP). This is a completely new statute, not an amendment. It took effect March 21, 2025, and repealed the 2010 law of the same name.
Enforcement sits with the Secretariat of Anti-Corruption and Good Governance (Secretaria de Anticorrupcion y Buen Gobierno, SABG). The formerly independent INAI no longer exists.
The core data subject rights, ARCO (Access, Rectification, Cancellation, and Opposition), remain the backbone of the framework. Privacy notices are still the central compliance mechanism. Consent rules are largely preserved, with a few important clarifications. Penalties are now expressed in UMA (Unidad de Medida y Actualizacion) units, replacing the old minimum-wage-based formula, and they are higher.
Mexico also enacted a new public sector data protection law on the same date, alongside transparency legislation. All three statutes are products of the same constitutional overhaul.
Consult an attorney for advice specific to your situation.
Constitutional Basis: Articles 6 and 16
The right to data protection in Mexico has constitutional status. Two articles of the Political Constitution of the United Mexican States establish the foundation.
Article 6 of the Constitution addresses the right to information and freedom of expression. Its second paragraph declares that information regarding private life and personal data shall be protected in accordance with law.
Article 16 provides the more detailed constitutional guarantee. It states that no person shall be disturbed in their private affairs, family, papers, or possessions except pursuant to a written order from competent authority. Crucially, Article 16 also expressly guarantees every person the right to the protection of their personal data, plus the rights to access, rectify, and cancel that data, and to oppose its disclosure. These rights collectively form the constitutional basis for ARCO rights.
The 2010 LFPDPPP was the first federal statute implementing this constitutional mandate for the private sector. The 2025 replacement law continues that lineage while updating the institutional and substantive framework.
The 2024 Constitutional Reform: Why INAI Was Dissolved
Understanding the current framework requires understanding why it changed so abruptly.
In late 2024, the Mexican Congress approved an "organic simplification" constitutional reform aimed at eliminating seven autonomous constitutional bodies. The reform was published in the Official Gazette on November 28, 2024, with its provisions taking effect on December 20, 2024.

INAI (Instituto Nacional de Transparencia, Acceso a la Informacion y Proteccion de Datos Personales) was among the dissolved agencies. Created in 2014 as an autonomous constitutional body, INAI had served dual roles: national transparency watchdog and data protection authority for both the private and public sectors. It operated with independent commissioners, its own budget, and decision-making authority insulated from executive branch control.
The government's stated rationale was institutional consolidation and efficiency. Critics, including privacy advocates and civil society organizations, raised concerns about the independence implications. INAI's decisions could previously be challenged through administrative litigation before the Federal Court of Administrative Justice. Under the new framework, challenges proceed through specialized federal courts via the amparo constitutional remedy system, a procedural shift that changes the timing and predictability of outcomes.
Another operational concern: estimates suggest SABG absorbed roughly 80 percent of INAI's functional responsibilities with only about 35 percent of the staffing structure. All pending matters that INAI had not resolved transferred to the SABG, which analysts expected would produce longer resolution times in the transition period.
The Three March 2025 Laws
On February 20, 2025, President Claudia Sheinbaum submitted implementing legislation to Congress. The Official Gazette published the resulting decrees on March 20, 2025, and they entered force on March 21, 2025. Three distinct statutes came into effect that day:
- A new federal transparency and access to public information law
- A new General Law for the Protection of Personal Data Held by Obligated Subjects (LGPDPPSO), governing the public sector
- A new Federal Law for the Protection of Personal Data Held by Private Parties (LFPDPPP), governing the private sector
All three statutes formalized the dissolution of INAI and the transfer of its functions to the SABG. For data protection practitioners, the second and third laws are the central instruments.
LFPDPPP 2025: The Private Sector Framework
The 2025 LFPDPPP is structurally similar to the 2010 law but introduces meaningful changes in several areas. Practitioners have described it as an evolution rather than a revolution, with the institutional restructuring being a more dramatic change than the substantive legal provisions.
Scope and Who It Covers
The LFPDPPP applies to any private individual or legal entity that collects, uses, stores, transfers, or otherwise processes personal data. This includes companies, civil associations, and individuals operating in a professional or commercial capacity.
A significant clarification in the 2025 law: data processors are now expressly subject to the law's obligations, not just data controllers. Under the 2010 framework, processors occupied ambiguous territory. Organizations that act as processors must have clear contractual definitions of their status to avoid being classified as controllers, which carries heavier obligations.
The law applies regardless of where the controller or processor is located, provided the data processing involves individuals in Mexico. Foreign companies serving Mexican residents should assess whether they fall within scope.
The Eight Core Principles
The 2025 LFPDPPP builds on the same foundational principles as its predecessor:
Lawfulness: Processing must comply with Mexican law and may not involve deceptive or fraudulent means.
Consent: Data subjects must provide informed authorization for processing, subject to defined exceptions.
Information: Controllers must inform data subjects about processing through privacy notices delivered at the point of data collection.
Quality: Personal data must be accurate, complete, relevant, and current relative to the stated purposes.
Purpose: Data may only be collected and used for the specific, explicit, and legitimate purposes stated in the privacy notice.
Loyalty: Controllers must process data in ways that respect the data subject's interests and reasonable privacy expectations.
Proportionality: Only data that is necessary, adequate, and relevant for the stated purposes may be processed.
Accountability: Controllers must maintain internal policies, procedures, and documentation to demonstrate ongoing compliance.
The 2025 law gives more explicit emphasis to data minimization and proactive accountability than the 2010 statute, though implementing regulations expected within 90 days of the law's effective date had not been published as of May 2026.
Personal Data Categories
The law distinguishes categories of personal data, each with different protection thresholds:
General personal data covers names, addresses, email addresses, and phone numbers. Tacit consent (implied through inaction after notification) is generally sufficient for processing.
Financial personal data includes bank accounts, credit card numbers, income information, and credit history. Express, affirmative consent is required.
Sensitive personal data receives the highest protection. The 2025 law expressly defines the category to include:
- Health status and medical records
- Genetic and biometric data
- Racial or ethnic origin
- Religious, philosophical, or moral beliefs
- Political opinions and affiliations
- Union membership
- Sexual orientation and preferences
- Any data whose disclosure could expose the individual to discrimination or serious harm
Processing sensitive data requires express written consent. Violations involving sensitive data are subject to doubled fines under the penalty framework.
The 2025 law also expanded the definition of personal data to include individuals who are indirectly identifiable, not just those who can be directly identified.
Privacy Notice Requirements
The privacy notice (aviso de privacidad) remains the cornerstone of the Mexican data protection framework. Under the 2025 law, controllers must deliver the notice at the moment personal data is collected, a stricter timing requirement than the 2010 law imposed.
Three Types of Privacy Notice
Comprehensive privacy notice: The full document that must be made available to data subjects. The 2025 law requires it to specify:
- Identity and contact information of the controller
- The precise personal data that will be collected, with sensitive data clearly identified
- Processing purposes, distinguished between those that require consent and those that do not
- Legal basis for processing that does not require consent
- Whether any data will be used for automated decision-making
- Information about international data transfers
- Mechanisms for exercising ARCO rights
- How consent can be revoked
- Data retention periods
- Procedures for notifying changes to the privacy notice
A meaningful change from the 2010 regime: the 2025 law requires the notice to clearly differentiate between purposes that are necessary for the core service and those that are voluntary. If the controller later wants to process data for new purposes, it must obtain fresh consent. Under the 2010 law, processing for "compatible or analogous" purposes did not require re-consent. That compatibility exception no longer exists.
Simplified privacy notice: A shorter version required at the point of data collection when collection occurs through electronic, optical, audio, visual, or other technological means. It must reference the comprehensive notice and include at minimum the controller's identity, processing purposes, and how to access the full notice.
Short privacy notice: Used in physical spaces where full notice is impractical, such as forms or kiosks. Must include the controller's identity, processing purposes, and a reference to the comprehensive notice.

Consent Framework
The 2025 LFPDPPP retains Mexico's tiered consent structure and sharpens several requirements:
Tacit Consent
For general personal data, if a data subject receives the privacy notice and does not expressly object within the timeframe specified, consent is considered given. The notice must clearly explain this mechanism. Tacit consent remains the default for routine personal information, a departure from the GDPR model that requires affirmative opt-in.
Express Consent
Required for financial data, international transfers, and other situations the law designates. The data subject must affirmatively indicate agreement, whether verbally, in writing, or through electronic means.
Express Written Consent
Mandatory for sensitive personal data. A signed document (physical or electronic) specifically authorizing the processing of the sensitive information is required.
In all cases, the 2025 law specifies that consent must be free, specific, and informed. Consent obtained through deceptive practices, pre-checked boxes, or bundled authorizations that prevent meaningful choice is invalid. The consent standard language was updated to be more explicit about voluntariness than the 2010 formulation.
ARCO Rights: Access, Rectification, Cancellation, and Opposition
Mexico's ARCO rights framework predates the GDPR and is one of the most established data subject rights systems in Latin America. The 2025 law strengthened these rights in several specific ways.
Right of Access
Data subjects may request confirmation of whether their personal data is being processed, and if so, access to the data itself along with information about the conditions of processing. Controllers must respond within 20 business days of receiving a valid request.
Right of Rectification
Individuals can request correction of inaccurate, incomplete, or outdated personal data. The controller must make corrections within 15 business days of approving the request. The 2025 law extends this right to cover decisions made through automated processes.
Right of Cancellation
The 2025 law expanded the scope of this right. Cancellation now explicitly applies to all files, records, expedientes (case files), databases, and systems where personal data is stored. When a cancellation request is approved, data enters a blocking period during which it cannot be actively processed. After the applicable retention period expires, the data must be permanently deleted.
For credit-related data reflecting non-compliance with financial obligations, the mandatory blocking period is 72 months before permanent deletion.
Right of Opposition
Data subjects may object to the processing of their personal data for specific purposes. The 2025 law adds a significant new dimension: data subjects can now object to automated processing that, without human intervention, produces significant effects on their interests, rights, or freedoms. This covers algorithmic scoring, profiling, and AI-based decision systems.
Exercising ARCO Rights
ARCO requests must be submitted directly to the data controller. The controller has 20 business days to respond and 15 additional business days to implement the approved action. Requests are free of charge in most circumstances.
If the controller denies the request, fails to respond, or provides an unsatisfactory response, the data subject may file a complaint with the SABG. Judicial review is available through the specialized federal courts established under the 2025 framework via the amparo process.
Enforcement: The SABG Takes Over from INAI
The most structurally consequential change in the 2025 framework is who enforces the law.
INAI Was Independent; SABG Is Not
INAI operated as an autonomous constitutional body with its own commissioners, budget appropriations, and decision-making authority free from executive interference. Its independence was a deliberate design choice, modeled on data protection authorities in comparable jurisdictions.
The SABG (Secretaria de Anticorrupcion y Buen Gobierno) is a cabinet-level ministry within the executive branch. It reports to the President. This structural shift places data protection enforcement within the political apparatus of the federal government, a change that privacy advocates have criticized as incompatible with the independence standards set by international frameworks such as Convention 108+ of the Council of Europe.
What SABG Can Do
The SABG assumed all of INAI's former data protection functions:
- Receiving and processing ARCO rights complaints from data subjects
- Conducting verification procedures, both ex-officio and complaint-triggered
- Investigating alleged violations of the LFPDPPP
- Issuing binding resolutions on data protection disputes
- Imposing administrative sanctions including fines
- Authorizing, overseeing, and revoking the status of certified privacy professionals and certifying entities
- Issuing guidelines and regulatory interpretations
- Participating in international data protection cooperation
Sanctioning proceedings can be initiated either by data subject complaint or ex-officio by the SABG itself. The investigation and verification process allows the SABG to request documents and information from controllers and processors before any formal finding is issued.
The 30th Judicial Circuit
Judicial review of SABG decisions no longer goes to the Federal Court of Administrative Justice. Instead, appeals proceed through specialized federal courts via the amparo system.
As of July 1, 2025, all pending and new litigation on data protection and transparency matters has been processed before the newly established 30th Judicial Circuit, headquartered in Aguascalientes. This circuit handles constitutional remedies, not just administrative appeals, which changes the legal theory and procedural framework for challenging enforcement decisions.
Early Enforcement Activity
Enforcement did not pause during the institutional transition. In early 2026, following several high-profile cyber incidents affecting both governmental and private organizations, the SABG initiated formal proceedings and made them public immediately. This represented a departure from INAI's prior practice of allowing preliminary review stages before public disclosure.
No formally published sanctions under the new LFPDPPP were publicly available as of May 2026. Practitioners note that the transition period created practical uncertainty about how the SABG would interpret provisions that differ from the 2010 law, and that early enforcement patterns will shape compliance strategy significantly.
Penalties and Sanctions
The 2025 LFPDPPP establishes a graduated penalty framework denominated in UMA (Unidad de Medida y Actualizacion), Mexico's inflation-adjusted economic reference unit. The shift from minimum-wage-based penalties to UMA-based penalties is now formalized in the new statute.

At the 2026 daily UMA rate of MXN 117.31 (approximately USD 5.87 at prevailing exchange rates), penalty ranges are:
| Violation Type | UMA Range | Approximate MXN | Approximate USD |
|---|---|---|---|
| Standard violations (e.g., failure to provide privacy notice) | 100 to 160,000 UMA | MXN 11,731 to MXN 18,769,600 | ~USD 587 to ~USD 938,000 |
| Aggravated violations (e.g., unlawful processing of sensitive data, illegal transfers) | 200 to 320,000 UMA | MXN 23,462 to MXN 37,539,200 | ~USD 1,173 to ~USD 1,877,000 |
| Sensitive data violations | Doubled from applicable tier | Up to MXN 75,078,400 | Up to ~USD 3,754,000 |
| Repeat offenders | Additional up to 320,000 UMA | Additional MXN 37,539,200 | Additional ~USD 1,877,000 |
Criminal Sanctions
Severe violations can trigger criminal prosecution:
- 3 months to 3 years imprisonment for intentionally causing security breaches affecting personal data databases
- 6 months to 5 years imprisonment for fraudulent processing of personal data with intent to obtain financial gain
- Enhanced penalties when the offense involves sensitive personal data
Criminal sanctions operate independently of administrative fines. The SABG can impose fines while a criminal case proceeds in a separate federal criminal court.
Non-Monetary Sanctions
The SABG may order temporary or permanent suspension of data processing activities. For businesses whose core operations involve processing personal data, a processing suspension can be more consequential than any financial penalty.
Cross-Border Data Transfers
International data transfers under the 2025 LFPDPPP follow a consent-first model, with several exceptions.
The General Rule
Cross-border transfers require the prior informed consent of the data subject. The privacy notice must disclose that international transfers will occur, identify the destination countries and recipient organizations, and describe the protection standards in place.
The 2025 law requires the data recipient to undertake to comply with obligations equivalent to those applicable to the transferring controller, reflecting an accountability approach to transfer protection. Contractual arrangements are the principal mechanism for implementing these safeguards.
Exceptions to Consent
Consent is not required when the transfer:
- Is expressly permitted by law
- Is required under a treaty to which Mexico is a party
- Is necessary for medical diagnosis, treatment, or emergency care where the data subject cannot give consent
- Is required to fulfill a legal relationship between the controller and the data subject
- Is authorized by specific legislation in the public interest
- Involves data from publicly accessible sources
- Involves dissociated (anonymized) data
Significant Gap: No Adequacy Framework
Unlike the GDPR, the LFPDPPP does not establish an adequacy determination mechanism, standard contractual clauses as a formal legal instrument, or binding corporate rules. This leaves multinational organizations without a structured path for demonstrating adequate protection in the receiving country.
Implementing regulations were expected to address this gap. The 90-day deadline expired around June 20, 2025, without publication. As of May 2026, no implementing regulations or technical guidelines for cross-border transfers had appeared in the Official Gazette.
Automated Decision-Making and AI Governance
The 2025 LFPDPPP introduces provisions addressing automated decision-making and artificial intelligence, positioning Mexico as one of the first countries in Latin America to address AI-related privacy obligations directly in data protection statute.
Transparency Requirements
Organizations using algorithms, AI systems, or other automated processes to make decisions affecting individuals must:
- Provide clear notice that automated decision-making is being used
- Disclose information about the algorithmic logic involved
- Explain the significance of automated processing and its potential consequences for the data subject
- Maintain documentation and explainability frameworks demonstrating how AI systems influence outcomes
Right to Object to Automated Decisions
Data subjects can exercise their opposition right specifically against automated processing that, without human intervention, causes significant effects on their interests, rights, or freedoms. This covers AI-based scoring, profiling, and consequential decision systems.
Where automated decision-making affects the data subject significantly, the framework supports human review, explanation of the decision logic, and the ability to contest the outcome.
Impact Assessments for High-Risk Processing
The law references impact assessments for high-risk automated processing systems. Organizations deploying AI systems that process sensitive personal data or make consequential decisions must evaluate potential effects on individual rights and identify safeguards.
These provisions are less detailed than the EU AI Act, and implementing regulations are expected to fill in operational requirements. The SABG's January 2026 stakeholder dialogue specifically flagged data protection impact assessments (DPIAs) as a priority area for forthcoming regulatory guidance.
Public Sector Framework: The New LGPDPPSO
The public sector operates under a separate but parallel framework. The General Law for the Protection of Personal Data Held by Obligated Subjects (Ley General de Proteccion de Datos Personales en Posesion de Sujetos Obligados, LGPDPPSO) was also replaced with a new version on March 20, 2025, effective March 21, 2025.
The LGPDPPSO applies to all branches and levels of government, including:
- Federal executive agencies and ministries
- Legislative and judicial bodies at all levels
- Autonomous constitutional bodies that survived the reform
- Political parties
- Public trusts and government-created funds
The SABG oversees compliance for both the private sector LFPDPPP and the public sector LGPDPPSO. Individuals whose data is held by government entities can exercise ARCO rights against public bodies through the same basic framework, with procedural variations reflecting the transparency context.
Data Retention and the Data Lifecycle
The 2025 LFPDPPP formalizes data lifecycle management requirements. Controllers must establish clear retention periods for all categories of personal data they process, documented in the privacy notice.
Once data is no longer necessary for the stated purposes, controllers must initiate a two-stage process:
Stage 1: Blocking. The data is removed from active processing systems but retained in restricted storage where it cannot be accessed for routine operations. During the blocking period, data exists only for legal compliance or legal proceedings.
Stage 2: Deletion. After the blocking period expires, the data must be permanently destroyed in a way that prevents reconstruction.
For credit-related data reflecting contractual non-compliance, the mandatory minimum blocking period before deletion is 72 months. Organizations must implement documented data lifecycle practices.
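The two-stage blocking and deletion process above, as an added Python example (not code from the page or from any Mexican authority). The record fields, the 12-month default blocking period and the legal-hold flag are assumptions; the 72-month minimum blocking period for credit non-compliance data is the figure stated in the text.

```python
"""Retention tracker for the LFPDPPP two-stage lifecycle: active -> blocked -> deleted.

Added example. Assumptions: record field names, the 12-month default blocking
period and the legal_hold flag. The 72-month floor for credit non-compliance
data is the period stated in the guide.
"""
import calendar
from dataclasses import dataclass, field
from datetime import date
from enum import Enum
from typing import Optional


class Stage(Enum):
    ACTIVE = "active"     # routine processing allowed
    BLOCKED = "blocked"   # restricted storage, legal compliance/proceedings only
    DELETED = "deleted"   # permanently destroyed


CREDIT_NONCOMPLIANCE = "credit_noncompliance"
MIN_BLOCKING_MONTHS = {CREDIT_NONCOMPLIANCE: 72}  # stated in the text
DEFAULT_BLOCKING_MONTHS = 12                        # assumption for other categories


def add_months(d: date, months: int) -> date:
    """Add calendar months, clamping the day to the target month's length."""
    y, m = divmod(d.month - 1 + months, 12)
    year, month = d.year + y, m + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(d.day, last_day))


@dataclass
class PersonalDataRecord:
    record_id: str
    category: str
    purpose_end: date                         # date the stated purpose is fulfilled
    blocking_months: int = DEFAULT_BLOCKING_MONTHS
    stage: Stage = Stage.ACTIVE
    blocked_on: Optional[date] = None
    deleted_on: Optional[date] = None
    legal_hold: bool = False                  # pending proceedings keep blocked data
    audit: list = field(default_factory=list) # (date, event) trail for accountability

    def __post_init__(self) -> None:
        # Never allow a blocking period shorter than the statutory floor.
        floor = MIN_BLOCKING_MONTHS.get(self.category, 0)
        if self.blocking_months < floor:
            self.blocking_months = floor

    def deletion_due(self) -> Optional[date]:
        """Earliest date the record may be destroyed (None until blocked)."""
        if self.blocked_on is None:
            return None
        return add_months(self.blocked_on, self.blocking_months)

    def read_for_operations(self) -> bool:
        """Routine operational access is permitted only while ACTIVE."""
        return self.stage is Stage.ACTIVE

    def advance(self, today: date) -> Stage:
        """Move the record through the lifecycle as of `today` and return its stage."""
        if self.stage is Stage.ACTIVE and today >= self.purpose_end:
            self.stage, self.blocked_on = Stage.BLOCKED, today
            self.audit.append((today, "blocked"))
        if self.stage is Stage.BLOCKED and not self.legal_hold:
            due = self.deletion_due()
            if due is not None and today >= due:
                self.stage, self.deleted_on = Stage.DELETED, today
                self.audit.append((today, "deleted"))
        return self.stage
```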
Compliance Requirements for Businesses
Organizations subject to the LFPDPPP must implement several structural compliance measures.
Data Protection Function
The law requires organizations to establish a data protection function. The 2026 Chambers practice guide confirms that a responsible individual or unit must be identified in the privacy notice, together with contact information. The SABG's January 2026 stakeholder consultations discussed adopting a formal DPO requirement as a potential enhancement in forthcoming secondary legislation or a possible 2026 legislative revision.
Documentation Requirements
Controllers must maintain:
- Current privacy notices in all three formats as applicable
- Records of processing activities by purpose and data category
- Documentation of consent mechanisms and revocation procedures
- Data retention schedules with defined blocking and deletion timeframes
- Security incident response procedures
- Records of international data transfers and contractual safeguards
- Evidence of personnel training on LFPDPPP obligations
Security Measures
The law requires administrative, technical, and physical security measures appropriate to the risk level of data being processed. Specific technical standards await implementing regulations. Minimum obligations include risk assessments for major processing activities, access controls, audit logs, breach detection and response capabilities, and personnel training.
Breach Response
When a security incident compromises personal data in a way that significantly affects patrimonial or moral rights, controllers must notify affected data subjects without undue delay. The notice must include the nature of the breach, the personal data involved, recommended protective steps for data subjects, and corrective measures the controller has implemented.
There is no mandatory notification to the SABG under the 2025 law. Reporting to the SABG is currently voluntary. The SABG's January 2026 stakeholder dialogue identified mandatory authority reporting as a priority for the next regulatory cycle.
Special Category Rules
Employee monitoring: Monitoring of telework activities requires a written agreement with a consent clause. There is no blanket employment-relationship exemption.
Children's data: Processing personal data of individuals under 18 requires guardian consent.
Marketing: The Federal Consumer Protection Law applies a separate framework for direct marketing activities, with a 30-day compliance window for consumer opt-out registry obligations.
Current Status and Outlook (May 2026)
As of May 2026, the new framework is operational but several significant pieces remain unresolved.
Implementing regulations: The 90-day deadline expired around June 20, 2025. No new regulations have been published. Organizations continue relying on the 2011 regulations originally issued under the repealed 2010 law for procedural guidance, pending updated rules.
Potential 2026 law revision: The SABG's January 2026 stakeholder dialogue signaled that Mexico may be moving toward further legislation. Announced priorities include privacy by design and by default obligations, a formal DPO requirement, mandatory breach notification to the SABG, and DPIAs. A possible further revision to the LFPDPPP or a new comprehensive regulation is anticipated in 2026, though no official timeline has been confirmed.
Enforcement precedents: No formally published sanctions decisions under the 2025 law are publicly available as of May 2026. Early SABG proceedings following the January 2026 cyber incidents established that the authority will move quickly and publicly, departing from INAI's prior practice.
Judicial interpretation: The 30th Judicial Circuit has been operational since July 1, 2025, but has not produced publicly reported precedents on the new law as of May 2026. Amparo jurisprudence on data protection will develop gradually.
For businesses operating in Mexico, the practical path is to comply with the 2025 law as written, monitor the Official Gazette for implementing regulations and any further legislative developments, participate in SABG consultation processes where relevant, and maintain documentation demonstrating proactive compliance. For recording laws in Mexico, separate consent and wiretapping rules apply under the Federal Penal Code. Consult an attorney for advice specific to your situation.
Frequently Asked Questions
What is the LFPDPPP and does it apply to my company?
The LFPDPPP (Ley Federal de Proteccion de Datos Personales en Posesion de los Particulares) is Mexico's federal data protection law for the private sector. A completely new version took effect on March 21, 2025, replacing the original 2010 statute. It applies to any private individual or legal entity that collects, uses, stores, or otherwise processes personal data. The 2025 version expressly extends coverage to data processors, not just controllers. If your organization handles data belonging to individuals in Mexico, regardless of where your servers are located, you should assess whether the law applies.
What happened to INAI and who enforces Mexico's data privacy laws now?
INAI, Mexico's formerly independent data protection authority, was dissolved following a constitutional reform published December 20, 2024, as part of an organic simplification measure eliminating seven autonomous bodies. Its enforcement functions transferred to the Secretariat of Anti-Corruption and Good Governance (SABG), a cabinet-level executive branch ministry, effective March 21, 2025. The SABG now handles ARCO rights complaints, conducts audits, issues binding resolutions, and imposes sanctions. Critics have raised concerns about the loss of institutional independence, since the SABG reports to the President rather than operating as an autonomous body.
What are ARCO rights under Mexican law?
ARCO stands for Access, Rectification, Cancellation, and Opposition. These rights allow individuals to: confirm whether their personal data is being processed and access it; correct inaccurate or incomplete information; request deletion of their data once it is no longer needed; and object to processing for specific purposes. The 2025 law extended the opposition right to cover automated decision-making systems that produce significant effects without human review. Requests go directly to the data controller, which has 20 business days to respond. If the controller denies or ignores the request, individuals can file a complaint with the SABG or seek judicial review through the 30th Judicial Circuit via amparo.
What are the maximum fines under Mexico's 2025 data protection law?
Administrative fines are denominated in UMA (Unidad de Medida y Actualizacion), Mexico's annual inflation-adjusted reference unit. At the 2026 daily UMA rate of MXN 117.31, the maximum standard fine for aggravated violations reaches approximately MXN 37.5 million (roughly USD 1.9 million). For violations involving sensitive personal data, fines can be doubled, reaching approximately MXN 75 million (roughly USD 3.75 million). Repeat offenders face additional penalties of up to the same maximum amount. Criminal sanctions include imprisonment of 3 months to 3 years for intentional security breaches, or 6 months to 5 years for fraudulent processing with intent to gain financially. The SABG can also order suspension of data processing activities.
Does Mexico's data protection law address AI and automated decision-making?
Yes. The 2025 LFPDPPP introduces provisions specifically addressing automated decision-making and AI systems. Organizations using algorithms or AI to make decisions affecting individuals must notify data subjects, disclose information about the algorithmic logic, and allow individuals to object to automated decisions that significantly affect their rights without human review. High-risk automated systems require impact assessments. These provisions make Mexico one of the first Latin American countries to address AI governance directly in data protection legislation, though implementing regulations with operational detail had not been published as of May 2026.
How do cross-border data transfers work under Mexico's LFPDPPP?
Cross-border transfers generally require the prior informed consent of the data subject, with the privacy notice disclosing the destination countries and recipient organizations. Exceptions exist for legally permitted transfers, treaty obligations, medical emergencies, and publicly accessible data. The recipient must commit to equivalent data protection obligations. Unlike the GDPR, the LFPDPPP does not establish formal adequacy decisions or standard contractual clauses as legal instruments. Implementing regulations expected to clarify transfer mechanisms had not been published as of May 2026, leaving consent and contractual undertakings as the primary practical tools.
Is mandatory breach notification to the SABG required?
Not currently. The 2025 LFPDPPP requires controllers to notify affected data subjects when a security breach significantly affects their patrimonial or moral rights, but there is no mandatory reporting obligation to the SABG itself. The notification to data subjects must cover the nature of the breach, what data was affected, protective recommendations, and corrective measures taken. The SABG's January 2026 stakeholder consultations identified mandatory authority breach reporting as a priority for the next regulatory cycle, so this requirement may appear in forthcoming implementing regulations or further legislation.
What is Mexico's constitutional basis for data protection?
The right to personal data protection is guaranteed by two articles of Mexico's Political Constitution. Article 6 states that information about private life and personal data shall be protected in accordance with law. Article 16 expressly recognizes every person's right to protection of their personal data and their rights to access, correct, and cancel that data, and to oppose its disclosure. These constitutional rights set the floor for protection that legislation must meet.