After some controversy surrounding the dismantling of several autonomous watchdogs in Mexico, including Mexico’s Institute for Information Access and Transparency (INAI), the updated data protection program, the General Law on Transparency and Access to Public Information (LGTAIP) took effect in Mexico on March 21, 2025. At the same time, the General Law on the Protection of Personal Data Held by Public Sector Entities («LGPDPPSO»), the Federal Law on the Protection of Personal Data Held by Private Parties («LFPDPPP»), and an amendment to Article 37, Section XV, of the Organic Law of the Federal Public Administration («LOAPF») also came into force.
In the name of “organic simplification” as part of a broader regime of constitutional reform, Mexico introduced the changes that assigned responsibility for access to information, transparency and personal data protection to a different government entity, the Ministry of Anticorruption and Good Governance.
What changes as a result of the Federal Law on the Protection of Personal Data Held by Private Parties (LFPDPPP)?
The LFPDPPP does not significantly differ from the 2010 law on which it is based, and the underlying fundamentals of the law remain. Some specific definitions within the law have changed, including, for example, changing the definition of data controller, removing the obligation to inform about personal data transfers while adding other obligations, such as the requirement to detail the personal data that will be collected and processed and creating a distinction between consent-based and non-consent-based purposes. This is not an exhaustive list of changes to the law but begins to detail the kinds of changes the law introduces.
How to prepare for Mexico’s changed data protection laws
The LFPFPPP strengthens the rights of data subjects while also creating a higher threshold of responsibility for data controllers and processors. As a result, the takeaway for businesses that collect and process personal data is that they should use this opportunity to review their privacy policies and notices against the modifications in the LFPDPPP in order to comply with Mexico’s new laws. The higher standard of responsibility and legality to which businesses will be held means that a comprehensive audit is recommended. Such an audit should look at data sources, contracts with suppliers and third parties, cookie and consent policies, and policies on data retention and deletion.
It’s easy to be compliant with CookieHub
Sign up today and create a custom cookie banner for your website
- 30 day free trial
- No credit card required