LFPDPPP
Ley Federal de Protección de Datos Personales en Posesión de los Particulares
The LFPDPPP governs the processing of personal data by private parties in Mexico. A new version was published in the official gazette on 20 March 2025 and took effect 21 March 2025, replacing the original 2010 law. It preserves the ARCO rights framework (Access, Rectification, Cancellation, and Opposition) and adds provisions addressing automated decision-making.
Who it applies to
Private individuals and legal entities (private parties) that process personal data in Mexico, excluding credit reporting companies and persons processing data solely for personal use.
Identity requirements
- Obtain consent that is free, specific, and informed, with express consent required for financial, sensitive, and similar categories of data
- Provide a privacy notice (aviso de privacidad) describing the data collected and the purposes of processing
- Honor ARCO rights, allowing individuals to access, rectify, cancel, and oppose the processing of their data
- Implement administrative, technical, and physical security measures appropriate to the data and risks involved
- Designate a person or department responsible for handling personal-data requests and oversight
- Address automated processing and decisions that significantly affect individuals' rights
How it impacts identity systems
| Identity area | Impact |
|---|---|
| Customer identity & consent (CIAM) | Privacy notices and consent (including express consent for sensitive data) must be captured and managed in customer-facing identity processes. |
| Authentication & MFA | Mandated security measures push organizations to protect personal-data systems with appropriate access and authentication controls. |
| Audit, logging & accountability | Controllers must be able to demonstrate compliance and respond to oversight from the Secretariat of Anti-Corruption and Good Governance. |
| Identity verification (KYC/proofing) | Organizations must verify the identity of individuals exercising ARCO rights before disclosing or acting on their personal data. |
| Data residency & cross-border transfer | The law sets conditions for domestic and international transfers of personal data to third parties. |
Penalties
Administrative fines range from roughly 100 to 320,000 times the Unidad de Medida y Actualización (UMA), with higher amounts and potential doubling for repeated or sensitive-data violations.
LFPDPPP: frequently asked questions
- What changed in the 2025 LFPDPPP reform?
  A new LFPDPPP was published on 20 March 2025, replacing the 2010 law; it transferred enforcement to the Secretariat of Anti-Corruption and Good Governance and added rules on automated decision-making.
- Does INAI still regulate data protection in Mexico?
  No. INAI was dissolved as part of a constitutional reform, and data protection enforcement for private parties now sits with the Secretaría de Anticorrupción y Buen Gobierno.
- What rights does the LFPDPPP give individuals?
  It preserves the ARCO rights, letting individuals access, rectify, cancel, and oppose the processing of their personal data, supported by a required privacy notice.