On March 21, 2025, Mexico gave effect to its new Federal Law for the Protection of Personal Data Held by Private Parties (LFPDPPP). This legislation replaces the 2010 federal data protection law previously in effect, and introduces significant changes to Mexico’s data protection framework. The reform aims to align with global data protection standards and reflects Mexico’s commitment to strengthening personal data rights. The following constitute the key changes of which businesses should be aware in ensuring they are compliant with Mexico’s changing data privacy regulations:
The National Institute for Transparency, Access to Information, and Protection of Personal Data (INAI) has been dissolved under the new LFPDPPP. Its responsibilities are now managed under the Secretariat of Anti-Corruption and Good Governance (SABG), a body within the Executive Branch. This shift centralizes data protection oversight, and it remains to be seen how this change will influence the enforcement landscape in Mexico regarding data protection.
The LFPDPPP has broadened key definitions, significantly expanding the reach of Mexican regulatory authority. These include (but are not limited to):
Consent must be obtained freely, specifically, and in an informed manner (as opposed to the previous definition, which simply defined “Consent” as a manifestation of the data subject’s desire to enable processing). This change eliminates the possibility of processing personal data for purposes similar or analogous to those stated in the privacy notice without obtaining new consent, because such processing would not reflect a specific and informed manifestation of the data subject’s permission regarding data processing.
The new LFPDPPP has changed requirements regarding Privacy Notices to be provided by covered entities. Data processors must now provide a “simplified Privacy Notice”, a more concise version of a business’s comprehensive Privacy Notice, that is to be used in certain required contexts (where space and time so require) and at the point of collection of Personal Data via electronic, optical, sound, visual or other technological means. Meanwhile, a covered entity’s more comprehensive Privacy Notice must now detail the specific Personal Data to be processed, identify sensitive data to be processed (as this term is defined under the new LFPDPPP), and distinguish between processing purposes that require consent and purposes that do not. Finally, the obligation to inform about data transfers to third parties in a covered entity’s Privacy Notice has been removed.
The new LFPDPPP reinforces the rights of Access, Rectification, Cancellation, and Opposition (ARCO), with the right to Cancellation now explicitly applicable to systems and records where Personal Data is stored. Notably, the new LFPDPPP introduces the right to object to automated processing that significantly affects a data subject’s rights or freedoms.
Data controllers are now required to establish retention periods for Personal Data and ensure its deletion after this period, following a blocking process of such Personal Data. Additionally, there is a reinforced obligation to maintain confidentiality of Personal Data, providing that all parties involved in the processing of Personal Data (including contractors and employees) maintain confidentiality of such data even after termination of any legal relationship giving rise to such processing activity.
Businesses operating in Mexico or processing the data of Mexican data subjects should ensure that all privacy notices comply with the new requirements of the LFPDPPP, including detailing specific data processing activities and obtaining explicit consent where necessary. Businesses should also evaluate current data processing operations to ensure they align with the expanded definitions and consent requirements, and establish clear data retention schedules and procedures for data deletion following applicable retention periods. Employee education regarding new obligations, particularly regarding confidentiality and the handling of data subject rights requests, is also critical to help avoid potential regulatory liability. Finally, working with data privacy and cybersecurity counsel to monitor and analyze changing regulations and to implement responsive modifications to business policies and practices can help ensure that regulatory issues don’t become disruptive to business operations.
For further assistance or to discuss how these changes may impact your organization, PAG Law’s Data Privacy and Cybersecurity practice group is available for consultation.