Data & Privacy · Mexico

Comprehensive law: Federal Law on the Protection of Personal Data Held by Private Parties (Ley Federal de Protección de Datos Personales en Posesión de los Particulares, LFPDPPP), published in the Diario Oficial de la Federación on 20 March 2025; complemented by the General Law on Protection of Personal Data Held by Obligated Subjects (LGPDPPSO) for the public sector.

Supervisory authority: Secretariat of Anti-Corruption and Good Governance (Secretaría Anticorrupción y Buen Gobierno).

Mexico maintains a comprehensive, GDPR-style data-protection regime grounded in the constitutional rights to privacy and informational self-determination. A wholly new LFPDPPP for the private sector took effect on 21 March 2025, repealing the 2010 law, alongside a reformed General Law (LGPDPPSO) for public-sector entities. The 2024–2025 constitutional reform abolished the independent regulator INAI and transferred data-protection oversight to the executive's Secretariat of Anti-Corruption and Good Governance.

New comprehensive private-sector law (2025)

A brand-new LFPDPPP was published in the DOF on 20 March 2025 and entered into force on 21 March 2025, repealing the 2010 statute of the same name. It regulates the legitimate, controlled and informed processing of personal data held by private parties.

Supervisory authority replaced INAI

A constitutional reform published 28 November 2024 dissolved the autonomous regulator INAI. Data-protection enforcement and oversight now sit with the executive's Secretariat of Anti-Corruption and Good Governance, with judicial review available via amparo before specialized district courts.

ARCO data-subject rights

Individuals retain ARCO rights — Access, Rectification, Cancellation and Opposition — over their personal data; the right of Cancellation is now explicitly extended to the systems and records where data is stored.

Core controller obligations

Controllers must provide a clear privacy notice (aviso de privacidad) at collection, obtain consent (generally free, specific and informed, with tacit consent valid as a rule), adopt security measures, ensure confidentiality, manage retention/deletion, and notify data breaches.

Cross-border transfers

Transfers abroad are permitted where the destination ensures adequate protection or the data subject consents; the transferor must ensure recipients uphold the same confidentiality and security standards as set out in the privacy notice.

Separate public-sector regime

The General Law on Protection of Personal Data Held by Obligated Subjects (LGPDPPSO) covers public authorities across the executive, legislative and judicial branches, autonomous bodies, political parties and the states/municipalities; it was likewise reformed via the 20 March 2025 decree (with further reform published 14 November 2025).

Machine-assisted translation · verified 5/23/2026 · orientation, not legal advice.