LFPDPPP

Ley Federal de Protección de Datos Personales en Posesión de los Particulares

Mexico | Opt-in | National

Key Facts

Effective Date: March 21, 2025
Enacted: March 20, 2025
Enforcing Authority: Transparencia para el Pueblo (replacing dissolved INAI)
Consent Model: Opt-in
Applies To: All private parties processing personal data in Mexico or of individuals located in Mexico

Overview

Mexico enacted a completely new data protection law in March 2025, replacing the 2010 version. The former INAI was dissolved and replaced by Transparencia para el Pueblo. The new law introduces criminal penalties, specialized federal courts for data protection, and doubled fines for sensitive data violations.

What This Means for Your Website

  • Express consent is required for sensitive data, financial data, and cross-border transfers
  • Implied consent is available for non-sensitive data when an adequate privacy notice is provided
  • ARCO rights apply: Access, Rectification, Cancellation, and Opposition
  • Penalties are doubled for sensitive data violations
  • Criminal penalties including imprisonment are possible for serious violations
  • Specialized federal data protection courts will be established

Key Requirements

Transparencia para el Pueblo enforces the new LFPDPPP with penalties ranging from 100 to 320,000 UMA (~$1,206-$3.86M USD), doubled for sensitive data violations. The new authority assumed INAI's resources and responsibilities. A comprehensive privacy notice is required for all data processing.

How ConsentStack Handles This

ConsentStack detects Mexican visitors and applies express consent for sensitive data categories while supporting implied consent for non-sensitive data with proper privacy notice disclosure.

Penalties

100-320,000 UMA (~$1,206-$3,857,007 USD). Doubled for sensitive data violations. Criminal penalties including imprisonment.

Key Requirements

  • Express consent for sensitive data, financial data, and cross-border transfers
  • Implied consent for non-sensitive data with adequate privacy notice
  • ARCO rights: Access, Rectification, Cancellation, and Opposition
  • Privacy notice with comprehensive disclosures
  • Enhanced data security obligations
  • Data Protection Impact Assessments for high-risk processing

Notable Provisions

  • Completely new law — 2010 version abrogated
  • INAI dissolved and replaced by Transparencia para el Pueblo
  • Criminal penalties including imprisonment
  • Enhanced penalties for sensitive data (doubled)
  • Specialized federal data protection courts to be established

Other Latin America & Caribbean Regulations

LGPD (Brazil)
Brazil's LGPD is modeled after the GDPR with extraterritorial scope. Requires explicit consent with separate authorization per processing purpose. Non-essential cookies require prior consent per ANPD guidance. Penalties include publicization of the infraction, creating reputational risk beyond fines.
Colombia Law 1581 (Colombia)
Colombia's comprehensive data protection law with active SIC enforcement. Requires prior, express, and informed consent for all processing including cookies. The SIC has broad investigative powers including on-site inspections. Authorization logs are required for cookies, and a pop-up must inform users about privacy and cookie management.
Peru Law 29733 (Peru)
Peru's data protection law was significantly strengthened in 2025 with updated regulations introducing phased DPO requirements, extraterritorial scope, and the tightest breach notification timeline in the region. Foreign companies serving Peruvian individuals must appoint local representatives. Maximum penalty is 10% of annual net income.
Argentine PDPA (Argentina)
One of the earliest comprehensive data protection laws in Latin America, granting Argentina EU adequacy since 2003. The law is increasingly outdated, and reform bills submitted in 2025 would introduce GDPR-aligned penalties of up to 4% of turnover. Current penalties under the original law are low.
Chile Law 21.719 (Chile)
A complete overhaul of Chile's data protection framework replacing the 1999 law. Creates a new dedicated Data Protection Agency, introduces tiered penalties, and explicitly prohibits pre-ticked consent boxes. The agency must issue cookie guidelines. Takes effect December 2026 after a 24-month implementation period.
Jamaica DPA (Jamaica)
The most comprehensive data protection law in the Caribbean, with GDPR-level penalties (4% of worldwide turnover). Individual violators face both fines and up to 10 years imprisonment. The OIC operates independently with broad enforcement powers including assessment notices, information notices, and criminal prosecution.

Frequently Asked Questions

What changed in Mexico's data protection law?

Mexico enacted a completely new LFPDPPP in March 2025, abrogating the 2010 version. The INAI was dissolved and replaced by Transparencia para el Pueblo.

Does Mexico have criminal privacy penalties?

Yes. The new 2025 law introduces criminal penalties including imprisonment for serious data protection violations.

What are the Mexican data protection fines?

100-320,000 UMA (~$1,206-$3.86M USD), doubled for sensitive data violations.

Does Mexico use implied consent?

For non-sensitive data, implied consent is available when an adequate privacy notice is provided. Sensitive data requires express consent.
