Federal Law on the Protection of Personal Data held by Private Parties (LFPDPPP) Mexico

Overview

The Federal Law on Protection of Personal Data Held by Private Parties (LFPDPPP) is Mexico’s primary privacy law for private-sector organizations. Enacted in 2025, this version updates the 2010 framework, strengthening obligations around consent, transparency, and accountability for the processing of personal data. It applies to individuals and businesses that collect, store, or use personal data for commercial or professional purposes. The 2025 law includes expanded rights for individuals, higher security standards, and stricter penalties.

Regulation Summary

Timeline
  • Enacted: March 20, 2025
  • Effective: March 21, 2025
  • Repeals: 2010 version of the LFPDPPP

What Businesses Are Affected
  • Private individuals and legal entities engaged in data processing for commercial purposes.
  • Businesses operating in Mexico or offering goods/services to individuals in Mexico.
  • Foreign companies that process data of Mexican residents.

Exemptions
  • Personal data processed for purely personal or household use.
  • Data governed by other sector-specific regulations (e.g., credit bureaus).

Responsibilities for Businesses
  • Obtain lawful, informed, and express consent before processing data.
  • Provide clear, accessible, and timely privacy notices.
  • Implement organizational and technical security measures.
  • Maintain data integrity, relevance, and accuracy.

Specific Responsibilities for Website Owners
  • Display both simplified and full privacy notices.
  • Incorporate consent mechanisms (opt-in/opt-out) for secondary data uses.
  • Provide mechanisms for exercising ARCO and portability rights.
  • Notify users promptly of any data breaches.

Additional Requirements
  • Appoint a Data Protection Officer (DPO) or internal data privacy team.
  • Keep updated records of processing activities.
  • Establish procedures for international and third-party data transfers.

Data Subject Rights
  • Access: Individuals can access their personal data.
  • Rectification: Correct inaccurate or outdated data.
  • Cancellation: Request data deletion.
  • Objection: Object to specific uses of their data.
  • Portability: Request transfer of their data in a machine-readable format.

Enforcement
  • Authority: Ministry of the Interior (Secretaría de Gobernación) through the National Authority for Personal Data Protection.
  • Penalties:
    • Fines from 100 to 320,000 days of the UMA (Unidad de Medida y Actualización – approx. $1,206 to $3,857,007 USD).
    • Temporary or permanent suspension of data processing activities.
    • Criminal sanctions, including imprisonment for severe violations.

Questions?

If you would like to learn more, our compliance experts are happy to support you.

Leave us a Message
support@clym.io
+1 980 446 8535
+1 866 275 2596