Mexico’s New Personal Data Protection Law: Key Reforms and Implications

The New Federal Law on Personal Data Protection Held by Private Parties

On March 20, 2025, the new Federal Law on Personal Data Protection Held by Private Parties (LFPDPPP 2025) was published in the Official Gazette of the Federation. LFPDPPP 2025 came into effect on March 21, 2025, repealing the previous law enacted in 2010.

As a consequence of the dissolution of the National Institute for Transparency, Access to Information, and Personal Data Protection (INAI), LFPDPPP 2025 establishes that the material and financial resources of INAI will be transferred to the Secretariat for Anti-Corruption and Good Governance, which now assumes the role of the new authority responsible for personal data protection. This Secretariat will be tasked with promoting awareness of data protection rights, encouraging their exercise, and overseeing compliance with applicable regulations. Any procedures initiated before the enactment of LFPDPPP 2025 under INAI’s jurisdiction will continue under the regulatory framework in force at the time of their initiation but will now be handled by the Secretariat for Anti-Corruption and Good Governance.

Key Changes Introduced by LFPDPPP 2025

• Expanded Definition of Data Controller: The law redefines the concept of a data controller, stating that any natural or legal person processing personal data qualifies as such, regardless of whether they make decisions about the processing itself. This significantly broadens the scope of obligated parties, now including processors as well.
• Privacy Notice Modifications: The new law eliminates the obligation to disclose data transfers in the comprehensive privacy notice and introduces new requirements, such as detailing the specific personal data being processed, identifying sensitive data, and distinguishing between purposes that require consent and those that do not.
• Revised Simplified Privacy Notice: The content of the simplified privacy notice has been amended to require the inclusion of the data controller’s identity and address, the personal data processed (explicitly mentioning sensitive data), the purposes of processing (indicating which require consent), and the means available for limiting the use or disclosure of data, as well as a reference to where the full privacy notice can be accessed.
• Publicly Accessible Sources Redefinition: The law establishes that only databases, systems, or records that can be consulted publicly under a legal mandate will be considered publicly accessible sources. It expressly excludes databases containing illegally obtained information.
• Expanded Consent Exceptions: The law broadens the exceptions under which consent is not required, permitting processing without consent if authorized by any regulatory provision, not just legal statutes, including administrative regulations and circulars.
• Data Retention Periods: LFPDPPP 2025 formally introduces the concept of “retention periods,” establishing that personal data must only be deleted after the retention period has expired and after undergoing prior blocking when they are no longer necessary for the original purposes.
• Enhanced Confidentiality Obligations: Data controllers are now required to implement mechanisms ensuring that all individuals involved in data processing—employees, processors, and third parties—maintain confidentiality even after their legal relationship has ended.
• Expanded Right of Access: The right of access now explicitly includes not only the right of data subjects to access their personal data but also to obtain information on the conditions and generalities of the processing, which must be reflected in the privacy notice.
• Expanded Right to Rectification: Data subjects may now request the correction of personal data not only when they are inaccurate or incomplete but also when they are outdated.
• New Grounds for Objecting to Processing: Beyond legitimate reasons, data subjects may now object to processing when their data is subject to automated processing that produces adverse legal effects or significantly affects their rights or freedoms. However, this right does not apply if the processing is necessary to fulfill a legal obligation.
• Revised ARCO Rights Procedures: Requests to exercise ARCO rights must now specify the right being invoked or the specific request being made. Additionally, a clear distinction is drawn between the data subject’s identity and the legal representation of third parties.
• Detailed Guidelines for ARCO Rights Requests: The law establishes more detailed procedures for submitting, processing, and verifying ARCO rights requests, strengthening legal certainty and ensuring effective data subject protection.

Implications and Recommendations

The reforms introduced by LFPDPPP 2025 represent a comprehensive transformation of Mexico’s personal data protection regime. These changes not only reinforce data subjects’ rights but also significantly increase the obligations imposed on data controllers and processors. The law sets higher standards of legality, transparency, security, and proactive accountability.

Companies must take immediate action to align their operations with the new regulatory framework. First, organizations should conduct a comprehensive audit of the data sources they utilize to identify those that no longer comply with the revised legal definition and may pose legal risks. Concurrently, companies must review and update contracts with vendors and business partners to ensure clear delineation of roles between controllers and processors under the updated legal definitions.

Additionally, all privacy notices—both comprehensive and simplified—must be reviewed and updated to incorporate the new mandatory elements and remove obsolete requirements. While disclosing data transfers is no longer obligatory, maintaining this information is recommended to preserve transparency and align with international frameworks such as the EU’s GDPR.

Regarding consent requirements, businesses must clearly identify which processing activities can be conducted without explicit authorization, ensuring they are supported by valid legal provisions. This necessitates active monitoring of new regulations and decisions issued by regulatory authorities.

Another critical aspect will be the implementation of clear policies on data retention and deletion, with defined timeframes and effective blocking procedures. This requirement must be properly documented and supported by adequate technical measures.

The reinforced confidentiality obligations will require the execution of agreements with all individuals involved in data processing, as well as the implementation of access control mechanisms, ongoing training programs, and internal audits to ensure compliance.

Finally, companies must adjust their procedures for handling ARCO rights requests to meet the new formal requirements and provide detailed information on data processing. Organizations should ensure that data subjects have seamless access to their data and to mechanisms for exercising their rights, including specific procedures for addressing requests related to automated decision-making or artificial intelligence.

Stay ahead with the newest legal updates at GLE News