Skip to main content

Federal Law on Protection of Personal Data Held by Private Parties (Mexico)

Mexico's LFPDPPP governs private-sector processing of personal data through the privacy notice and the ARCO rights of access, rectification, cancellation, and opposition. It requires consent and security measures, with fines and possible criminal penalties for violations.

Jurisdiction
Mexico

Federal Law on Protection of Personal Data Held by Private Parties (Mexico)

Mexico's Federal Law on Protection of Personal Data Held by Private Parties (LFPDPPP) is the country's primary privacy law for the private sector. It took effect on July 6, 2010, with its regulations following in 2011. The law is built around two pillars: the privacy notice (aviso de privacidad) and the ARCO rights, which give individuals control over their data.

Who It Applies To

The LFPDPPP applies to private individuals and legal entities that process personal data in Mexico, with limited exceptions for purely personal use and for credit reporting governed by separate law. Public-sector data is governed by a separate general law. Oversight historically rested with the INAI; following constitutional reforms, enforcement responsibilities have been transitioning to a successor authority, but the core obligations on private parties remain in force.

Key Requirements

Controllers must provide a clear privacy notice describing what data is collected, the purposes, and how individuals can exercise their rights. Processing generally requires consent, which may be tacit for ordinary data but must be express for financial or sensitive data and in writing for sensitive data. Individuals hold ARCO rights: Access, Rectification, Cancellation, and Opposition to processing. Controllers must observe principles of lawfulness, consent, information, quality, purpose, loyalty, proportionality, and accountability, and must implement security measures appropriate to the data. A data protection officer or function should be designated to handle requests.

Penalties for Non-Compliance

The supervisory authority can impose substantial fines, calculated in multiples of the daily minimum wage or its successor unit, that can reach into the millions of pesos and double for violations involving sensitive data. Serious or repeated violations involving sensitive data can also carry criminal penalties, including imprisonment.

How to Comply

Draft and publish a compliant privacy notice for every collection point. Obtain the appropriate level of consent, with express written consent for sensitive data. Establish a process to handle ARCO requests within statutory deadlines, designate a person or department responsible for personal data, and implement administrative, technical, and physical security measures.

Regulatory Transition

Following constitutional reforms that restructured Mexico's transparency and data protection institutions, enforcement responsibilities have been transitioning from the INAI to successor arrangements. The substantive obligations on private parties, including the privacy notice and ARCO rights, remain in force throughout. Organizations should continue to meet existing duties while monitoring how the successor authority defines registration, audit, and enforcement practice.

Building a Durable Program

Organizations operating across borders should treat this regime as one input into a unified, principles-based privacy program rather than a standalone checklist. Practical foundations include maintaining a current record of processing activities that documents purposes, lawful bases, data categories, recipients, retention periods, and any cross-border transfers; classifying data so that sensitive categories receive heightened safeguards by default; and embedding privacy-by-design reviews into product and engineering workflows so that new features are assessed before launch. Robust consent and preference management, demonstrable through audit logs, is essential where the law is consent-centric, since the burden of proving a valid lawful basis typically rests on the controller. Incident-response runbooks should encode the applicable breach-notification timelines and decision criteria so that the organization can act within tight windows. Vendor management should ensure processors are bound by contracts that flow down core obligations, and periodic audits should verify that controls remain effective. Aligning to recognized frameworks such as ISO 27701 and privacy-by-design principles helps satisfy overlapping obligations across jurisdictions while reducing duplicated effort and the risk of gaps.