The Federal Law on Protection of Personal Data Held by Private Parties (LFPDPPP) has been in force for over 10 years, yet most Mexican businesses still do not fully comply with it. Fines can exceed 20 million pesos.
Who Does the Law Apply To?
The LFPDPPP applies to any private individual or legal entity that processes personal data. This includes: physical and online stores, professional firms, clinics and medical offices, businesses with employees, and any business that uses databases of customers, prospects, or vendors.
Key Obligations
The most important obligations imposed by the law are:
- Privacy notice: must be provided before or at the moment the data is collected
- Consent: for sensitive data (health, biometric, financial) explicit written consent is required
- Data controller: an internal person must be designated as responsible for data processing
- Security measures: technical, administrative, and physical measures proportional to the risk
- ARCO rights: data subjects may access, rectify, cancel, or object to the processing of their data
The Privacy Notice: What It Must Say
The privacy notice is not a generic text copied from the internet. It must specify: who is responsible for data processing, what data is collected, for what purposes (primary and secondary), whether data is transferred to third parties, how to exercise ARCO rights, and how the notice may be updated. A generic notice can be as serious a violation as having none at all.
Penalties in 2025
The INAI (National Institute for Transparency) can impose fines ranging from 100 to 320,000 times the daily minimum wage, depending on the severity of the violation. In 2024, record sanctions exceeding 20 million pesos were issued to companies in the healthcare and telecommunications sectors. No sector is exempt.