Mexico Federal Data Protection Law: Privacy Regulation

Entity Type

Private sector entities (individuals, companies, organizations)

Retailers, banks, healthcare providers, tech platforms, employers

Government entities covered by separate law (LFTAIPG)

Data Location

Personal data of individuals in Mexico, regardless of processing location

U.S. company processing Mexican customer data in AWS US-East-1

Physical presence in Mexico NOT required for jurisdiction

Processing Activity

Collection, use, disclosure, storage, transmission of personal data

Website analytics, customer databases, employee records, marketing lists

Publicly available data still subject to law if repurposed

Data Subject

Natural persons (individuals), not legal entities

Individual customers, employees, contractors

Corporate contact information for B2B NOT covered

Exemption

Personal use, journalistic purposes (with limitations), national security

Family contact lists, news reporting, intelligence operations

Exemptions are narrow—commercial blogs NOT exempt

General Personal Data

Any information concerning an identified or identifiable individual

Name, address, phone, email, IP address, device ID, purchase history, browsing behavior

Implicit or explicit (context-dependent)

Standard transfer mechanisms

Sensitive Personal Data

Data that may affect the most intimate sphere of the individual or whose improper use could give rise to discrimination

Racial/ethnic origin, health status, genetic information, religious beliefs, political opinions, union membership, sexual orientation

Express and written consent (mandatory)

Enhanced protections, limited exceptions

Financial Data

Economic and banking information

Credit card numbers, bank accounts, credit history, income level, financial statements

Express consent required

Subject to financial sector regulations (Ley de Instituciones de Crédito)

Patrimonial Data

Information related to individual's assets

Property ownership, vehicle registration, investment portfolios

Implicit consent generally sufficient

Standard mechanisms

Credit card number for payment processing

Financial/Billing

General personal data (financial context)

Express consent

Commercial transaction, expected use

Credit card number stored for future marketing analysis

Financial/Marketing

Sensitive personal data

Express written consent

Secondary purpose, discrimination risk

Medical expenses in insurance claim

Health-Financial

Sensitive personal data

Express written consent

Health information (sensitive) trumps financial aspect

Bank account for salary deposit

Financial/Employment

General personal data

Express consent

Expected employment function

Income level for credit scoring

Financial

General personal data

Express consent

Standard credit evaluation

Income level for housing discrimination

Financial

Sensitive personal data (context)

Express written consent

Discrimination risk makes it sensitive

Responsible Party (Responsable)

Entity that decides purposes and means of personal data processing

Privacy notice provision, consent management, data security, rights facilitation

Primary liability for violations, fines, corrective measures

Employer collecting employee data, retailer collecting customer information

Person in Charge (Encargado)

Entity that processes personal data on behalf of the Responsible Party

Follow Responsible Party instructions, implement security measures, cooperation with rights requests

Joint liability for security failures, cooperation obligations

Cloud service providers, payroll processors, marketing agencies

Data Subject (Titular)

Individual to whom personal data relates

Exercise ARCO rights, file complaints, provide consent

No liability (rights holder)

Customers, employees, website visitors, patients

Processing Scope

Specific, legitimate purposes

Detailed description of processing activities

Activity-level detail, not just general categories

Security Measures

Administrative, physical, technical safeguards

Appropriate to data sensitivity

Reference specific controls (encryption, access controls)

Data Retention

Specified retention periods

Aligned with Responsible Party's privacy notice

Include deletion/return procedures at termination

Subprocessors

Authorization mechanism

Advance notice or approval required

List permitted subprocessors, change notification process

Data Subject Rights

Cooperation obligations

Response timeframes, process description

SLA for rights request handling

Cross-Border Transfers

Transfer basis documentation

Adequate protection demonstration

Self-assessment or binding corporate rules

Audit Rights

Verification of compliance

Periodic assessment capability

Annual audit rights, incident reporting obligations

Breach Notification

Incident communication

Immediate notification to Responsible Party

24-48 hour notification window

1. Lawfulness (Licitud)

Processing must comply with LFPDPPP and other applicable laws

Obtain proper legal basis before processing

Processing without consent, exceeding authorized purposes

High - fundamental violation

2. Consent (Consentimiento)

Data subject consent required for processing

Explicit opt-in for data collection and use

Pre-checked boxes, bundled consent, unclear language

Very High - 42% of INAI sanctions involve consent issues

3. Information (Información)

Transparent privacy notice required

Clear, accessible privacy notice at collection point

Missing privacy notices, incomplete information, technical jargon

Very High - 38% of violations

4. Quality (Calidad)

Data must be accurate, complete, current

Data validation, update mechanisms, correction processes

Outdated records, inaccurate information retained

Medium - usually combined with other violations

5. Purpose (Finalidad)

Specific, legitimate, explicit purposes

Define and document processing purposes, limit use accordingly

Repurposing data without consent, vague purpose statements

High - purpose limitation critical

6. Loyalty (Lealtad)

Good faith processing aligned with data subject expectations

Use data consistently with reasonable expectations

Deceptive practices, unexpected uses, dark patterns

Medium - often subjective determination

7. Proportionality (Proporcionalidad)

Collect only data necessary for stated purposes

Minimize data collection to essential elements

Excessive data collection, unnecessary fields

Medium - data minimization enforcement increasing

8. Responsibility (Responsabilidad)

Demonstrate compliance, implement measures

Documentation, policies, training, accountability

Lack of documentation, no compliance program

High - affects all other principles

Identity and Domicile

Responsible Party name, legal entity type, physical address

"Fintech Solutions, S.A. de C.V., Avenida Reforma 505, Col. Cuauhtémoc, 06500 Ciudad de México, CDMX"

Generic "head office" reference without specific address

Personal Data Collected

Specific data types gathered

"We collect: name, email, phone, RFC (tax ID), CURP, bank account, transaction history, device IP address"

Vague categories like "contact information"

Processing Purposes

Detailed purpose description—both primary and secondary

"Primary: Account opening, identity verification, transaction processing. Secondary: Credit evaluation, marketing, fraud prevention"

Catch-all phrases like "improve services"

Transfer Recipients

Third parties receiving data, transfer purposes

"We transfer your data to: (1) Credit bureaus for credit scoring, (2) Payment processors for transaction execution, (3) Marketing agencies for promotional campaigns"

"Third party service providers" without specifics

ARCO Rights

Mechanisms for Access, Rectification, Cancellation, Opposition

"Exercise your rights by emailing [email protected] or writing to [address]. We respond within 20 business days."

Directing to general customer service without specific process

Consent Mechanism

How consent is obtained and withdrawn

"By clicking 'Accept,' you consent to processing. Withdraw consent anytime by [specific process]."

Silence or continued use as consent

Revocation Process

Procedure for withdrawing consent

"Revoke consent by completing form at [URL] or emailing [email]. Revocation effective within 10 business days."

No clear revocation mechanism

Opt-Out Mechanism

Procedure for opposing secondary purposes

"Opt out of marketing by clicking 'unsubscribe' in emails or selecting preferences at [URL]."

Requiring phone calls or physical mail for digital collection

Data Security

General security measures implemented

"We protect your data through encryption, access controls, firewalls, and employee training."

Vague "industry-standard security"

Third-Party Liability

Statement on unauthorized disclosures

"We are not responsible for data provided directly to third parties through their websites or applications."

Missing entirely or buried in legal disclaimers

Modification Notice

How changes to privacy notice are communicated

"Material changes posted at [URL] with 10-day advance notice before effective date."

"Updated periodically, check website"

Update Date

Last revision date

"Last updated: March 15, 2024"

No date or outdated

Express Written Consent

Sensitive personal data, financial data (certain contexts)

Signed document, electronic signature (e-firma), checkbox with explicit language ("I consent to...")

Pre-checked boxes, continued use, silence

Yes - must be as easy as giving consent

Express Consent

General personal data, secondary purposes

Verbal agreement (documented), affirmative action (click, tap), signature

Implied consent, inaction, bundled consent

Yes - clear mechanism required

Implicit Consent

Publicly available data, employment relationships (narrow scope), legal obligations

Providing data in context suggesting consent (applying for job, purchasing product)

Assumes consent for unrelated uses

Limited - depends on context

No Consent Required

Legal obligations, medical emergencies, court orders, public security

N/A - processing justified by law

Cannot expand beyond legal requirement

N/A - legal basis overrides consent

Bundled Consent

"I agree to Terms of Service, Privacy Policy, and Marketing Communications [single checkbox]"

Mixes service provision with optional marketing

Separate checkboxes for each distinct purpose

Pre-Checked Boxes

Marketing opt-in checkbox arrives pre-checked

No affirmative action by data subject

Unchecked by default, user must actively select

Consent-or-Nothing

"Accept all cookies or leave the website"

Consent not freely given if service denied

Granular cookie categories, functional cookies only for core service

Hidden Withdrawal

Consent withdrawal requires calling customer service during business hours

More burdensome than granting consent

Online form, email, or same mechanism used to grant consent

Vague Purpose

"I consent to data processing for business purposes"

Lacks specificity required by purpose principle

"I consent to: ☐ Account management, ☐ Promotional emails, ☐ Product recommendations"

Silence as Consent

"If we don't hear from you in 30 days, we'll assume consent"

Affirmative action required

"Click here to consent" - no action = no consent

Access (Acceso)

Obtain confirmation of data processing and copy of personal data held

20 business days maximum (may request 20-day extension)

Legal impediments, third-party rights, commercial secrets (limited)

"What data do you have about me?", pre-litigation discovery, identity theft investigation

Rectification (Rectificación)

Correct inaccurate, incomplete, or outdated data

15 business days maximum for response + reasonable time for correction

Data accuracy required by law (e.g., legal name), no supporting documentation

Address changes, name corrections, updated contact information

Cancellation (Cancelación)

Delete personal data from databases/systems

15 business days maximum for response + reasonable deletion time

Legal retention obligations, contractual necessity, pending claims

Account closure, service termination, employment end

Opposition (Oposición)

Object to specific processing (often secondary purposes)

Immediate for marketing; 15 business days for other contexts

Legal obligations, contractual necessity

Marketing opt-out, profiling objection, automated decision-making

1. Request Receipt

Day 0

Log request, confirm receipt within 5 days

Submit via designated channel (email, form, physical mail)

2. Identity Verification

Days 1-5

Verify requestor identity through reasonable means

Provide credential documents (INE, passport, representative authorization)

3. Initial Review

Days 6-10

Assess request scope, identify responsive data

Clarify request if too broad/vague

4. Data Compilation

Days 11-15

Gather personal data from systems, verify accuracy

N/A

5. Legal Review

Days 16-18

Identify any exceptions/redactions required

N/A

6. Response Preparation

Days 19-20

Format data for delivery, prepare cover letter

N/A

7. Response Delivery

Day 20 (or extended deadline)

Provide data or justified denial, specify format/delivery method

Receive data in understandable format

8. Extension (if needed)

+20 business days

Notify data subject of extension and justification within initial 20 days

Accept extension or file INAI complaint

PDF Report

Moderate data volumes (10-50 pages)

Human-readable, universally accessible

Not machine-readable, difficult to analyze

Excel/CSV

Structured data, large volumes

Machine-readable, analyzable

Requires technical knowledge to use

JSON/XML

Technical requestors, API consumers

Programmatic access, integration

Incomprehensible to non-technical users

Physical Copy

Data subjects without digital access

No technology barrier

Expensive, slow, environmental impact

Secure Portal Access

Ongoing access needs, large volumes

Self-service, current data

Requires portal development, authentication

Contact Information Update

Minimal (new contact info from data subject)

Direct system update

Immediate to 5 days

Confirmation email to new address

Name Correction (misspelling)

Supporting documentation (official ID)

System update + downstream propagation

5-10 days

Confirmation notice

Legal Name Change

Official documentation (marriage certificate, court order)

System update + audit trail

10-15 days

Confirmation + retention of documentation

Factual Dispute

Investigation + evidence evaluation

Investigation, decision, implementation or rejection

15-30 days

Detailed explanation of decision

Historical Data Correction

Evidence of original error

Archive update, audit trail preservation

15-30 days

Explanation of correction scope

Complete Deletion

No applicable exceptions

Permanent removal from all systems, backups purged per retention schedule

Deletion logs, certificate of destruction

Blocking (Supresión)

Legal retention requirements

Mark as "deleted" in active systems, retain in archive-only system

Access restrictions, clear retention deadline

Partial Deletion

Some data required, other data deletable

Delete non-essential data, retain minimum necessary

Documented necessity assessment

Deletion Denial

Contractual necessity, legal obligation, pending litigation

Explain exception, specify retention period

Legal citation, contract reference, claim documentation

Tax Obligations

Federal Tax Code (Código Fiscal de la Federación)

5 years from last transaction

Invoices, payment records, tax documentation

Labor Law

Federal Labor Law (Ley Federal del Trabajo)

1 year after employment termination (general records), 5 years (payroll)

Employee files, timekeeping, payroll records

Commercial Law

Commerce Code (Código de Comercio)

10 years for accounting records

Financial statements, transaction records, contracts

AML Compliance

Law for the Prevention of Money Laundering (Ley Antilavado)

5 years from transaction/relationship end

Customer due diligence, transaction monitoring

Healthcare

General Health Law (Ley General de Salud)

Permanent (clinical records), variable (administrative)

Medical records, treatment history, prescriptions

Pending Litigation

Civil/Commercial Procedure Codes

Until final non-appealable judgment + 1 year

Documents relevant to legal claims

Contractual Necessity

Civil Code provisions on contracts

Duration of contract + statute of limitations

Active service agreements, warranties, obligations

Total Opposition

All processing activities

Cease all processing (subject to exceptions)

Only legally required processing

Immediate cessation + confirmation

Purpose-Specific Opposition

Particular processing purpose (e.g., marketing)

Cease specified purpose, continue others

Other consented/authorized purposes

Update preferences, suppress from specific activities

Third-Party Transfer Opposition

Data sharing with specific entities

Stop transfers to designated recipients

Internal processing continues

Cessation notice to third parties

Automated Decision Opposition

Profiling, automated decisions

Human review of automated decisions

Automated processing with human override

Implement human review mechanism

Email Marketing

Unsubscribe link in every email

Immediate (within 10 days maximum)

None (honor all unsubscribe requests)

Requiring login to unsubscribe

SMS Marketing

Reply "STOP" or unsubscribe link

Immediate

None

Charging for STOP message

Telemarketing

Request during call or separate opt-out

15 days maximum

Phone number verification

Requiring written request

Direct Mail

Written request or online form

30 days maximum

Address verification

Ignoring requests without notarized signature

Cross-Channel

Single mechanism suppressing all channels

15 days maximum

None

Requiring separate opt-out per channel

Dedicated Email

Simple, documented, accessible

Volume management, response tracking

Automated acknowledgment, ticketing system integration

Web Form

Structured data collection, validation

Development cost, maintenance

Integrate with ARCO workflow system, mobile-responsive

Physical Mail

Accessibility for non-digital users

Slow, manual processing, scanning required

Clear address publicized, reception logging

In-Person

Identity verification easier, immediate assistance

Limited scalability, geographic constraints

Reception training, documentation standards

Phone

Accessibility, real-time guidance

Identity verification challenges, documentation

Call recording, follow-up confirmation, escalation protocol

Intake & Logging

Centralized tracking, no lost requests

Web form → ticketing system → case management

Immediate

Identity Verification

Fraud prevention, privacy protection

Document upload, multi-factor authentication, third-party verification

3-6 months

Data Discovery

Complete responses, reduced manual search

Data mapping, system inventory, API integration

6-12 months

Automated Retrieval

Faster response, lower labor cost

Database queries, API calls, file retrieval scripts

6-12 months

Redaction & Formatting

Third-party protection, consistent delivery

Template generation, automated redaction, format conversion

9-15 months

Response Delivery

Secure transmission, delivery confirmation

Encrypted email, secure portal, certified mail integration

3-6 months

Audit Trail

Compliance documentation, defense against complaints

Complete logging, timestamps, action tracking

Immediate

Metrics & Reporting

Performance monitoring, compliance validation

Dashboard, KPI tracking, SLA monitoring

3-6 months

Domestic Transfer (within Mexico)

Transfer to third party in Mexico

Privacy notice disclosure + consent (if applicable)

Data processing agreement

Not required

International Transfer

Transfer to recipient outside Mexico

Article 37 exception OR data subject consent

Self-assessment, transfer agreement, privacy notice disclosure

Required if systematic/high-volume

Intra-Corporate Transfer

Transfer within corporate group

Binding corporate rules OR other Article 37 basis

BCR documentation or alternative basis

Required if to non-adequate jurisdiction

Service Provider Transfer

Transfer to data processor

Processing agreement, adequate protection demonstration

Data processing agreement with transfer provisions

Required if processor outside Mexico

1. Express Consent

Data subject explicitly authorizes transfer

Specific consent for transfer, destination country identified

Consent withdrawal right applies

One-off transfers, customer-initiated sharing

2. Necessary for Contract

Transfer required to execute/maintain contract with data subject

Demonstrate necessity, contractual relationship

Must be genuinely necessary, not merely convenient

Cloud service for customer, international shipping

3. Legal/Judicial Requirement

Compliance with Mexican or foreign law/court order

Legal obligation documentation

Limited to legally required scope

Regulatory reporting, court orders, international investigations

4. Medical Emergency

Protect vital interests of data subject

Emergency documentation, medical professional involvement

Limited to health protection

International medical treatment, emergency care

5. Public Registry Transfer

Data from publicly accessible sources

Source must be genuinely public

Cannot expand beyond public data

Business registries, academic publications

6. Necessary for Public Interest

Public health, security, justice administration

Government authorization/involvement

Narrow interpretation

Pandemic response, security cooperation

7. Contractual Transfer (commercial)

Execute contract where data subject is third-party beneficiary

Contract demonstrating data subject benefit

Data subject must derive direct benefit

International purchases, beneficiary services

8. Binding Corporate Rules

Intra-group transfers under comprehensive privacy framework

BCR document, adequate protection demonstration, INAI recognition

Only for corporate group transfers

Multinational internal data flows

9. Standard Contractual Clauses / Model Contracts

Contractual adequacy guarantees

INAI-approved clauses or equivalent protection demonstration

Must ensure equivalent LFPDPPP protection

Vendor relationships, service providers

10. Self-Assessment

Responsible Party evaluates destination adequacy

Comprehensive written assessment, documentation retention

Subjective standard, potential INAI challenge

Where no other basis applies

Legal Framework

Existence and scope of data protection laws

Country privacy laws, constitution, legal databases

Summary of applicable laws, protections provided

Enforcement Mechanism

Data protection authority, enforcement powers

DPA websites, enforcement reports, case law

Authority identification, enforcement statistics

Onward Transfer Restrictions

Recipient country's rules on further transfers

Legal research, recipient country frameworks

Analysis of onward transfer limitations

Data Subject Rights

Comparable rights to LFPDPPP ARCO framework

Legal comparison, rights analysis

Rights mapping table (ARCO vs. destination)

Proportionality & Purpose Limitation

Legal requirements for data minimization, purpose specification

Privacy law principles, regulatory guidance

Comparative principle analysis

Security Requirements

Mandatory security standards, breach notification

Security regulations, breach notification laws

Security standard comparison

Transparency Obligations

Privacy notice, consent requirements

Notice and consent legal requirements

Transparency requirement comparison

Government Access

Surveillance laws, law enforcement access

Government access laws, intelligence oversight

Assessment of government access risks

Redress Mechanisms

Available remedies for data subjects

Judicial/administrative complaint procedures

Remedies comparison (Mexico vs. destination)

Scope Definition

Entities covered, data categories, processing activities

Complete group mapping, detailed processing inventory

High - comprehensive documentation

Privacy Principles

Commitment to LFPDPPP-equivalent principles

Explicit mapping to eight LFPDPPP principles

Medium - principle alignment

Data Subject Rights

ARCO rights exercise mechanisms across jurisdictions

Consistent rights globally, accessible procedures

High - global process harmonization

Security Standards

Minimum security controls across group

Technical, administrative, physical safeguards

Medium - security baseline establishment

Transfer Rules

Intra-group and external transfer protocols

Onward transfer restrictions, third-party agreements

Medium - transfer governance

Accountability

Compliance monitoring, audit, enforcement

Internal oversight, complaint mechanisms

High - governance structure

Training & Awareness

Employee education programs

Regular training, role-specific content

Medium - training program development

Third-Party Beneficiary Rights

Data subjects can enforce BCR directly

Legal mechanism for enforcement

High - legal structure complexity

Cooperation with INAI

Audit rights, investigation support

Commit to INAI access, information provision

Low - policy commitment

Local Law Conflicts

Handling contradictory legal requirements

Escalation procedures, INAI notification

Medium - conflict resolution framework

Cloud Storage (AWS/Azure/GCP)

Service contract necessity + DPA with security provisions

Data processing agreement, security assessment, privacy notice disclosure

Medium

SaaS Platform (Salesforce, Workday)

Service contract necessity + standard contractual clauses

Vendor DPA, transfer provisions, security review

Medium

Intra-Corporate HR Data

BCR (if available) OR self-assessment + intra-group agreement

BCR or comprehensive transfer agreement

Low to Medium

Marketing Agency (U.S./Europe)

Express consent + processing agreement

Specific transfer consent, DPA, performance monitoring

Medium to High

Payment Processing

Contract necessity + PCI DSS compliance

Payment processor agreement, PCI validation

Low to Medium

Customer-Initiated Transfer

Express consent

Clear consent mechanism, privacy notice

Low

Third-Party Analytics (Google Analytics)

Privacy notice + anonymization OR consent

Data anonymization, consent for identifiable data, Google DPA

Medium to High

Email Service (Gmail, Outlook 365)

Service contract + DPA + adequate security

Enterprise agreement, BAA (if healthcare), DPA review

Medium

Access Control

User authentication, role-based access, access logging

Multi-factor authentication, privileged access management, just-in-time access

Strong authentication, biometrics, hardware tokens

Access control policy, user access reviews, MFA logs

Data Encryption

Encryption in transit (TLS 1.2+)

Encryption at rest, field-level encryption for sensitive data

End-to-end encryption, key management, HSM

Encryption policy, key management documentation, penetration test results

Network Security

Firewall, network segmentation

Intrusion detection/prevention, zero-trust architecture

DMZ, air-gapped sensitive systems, DDoS protection

Network diagrams, firewall rules, IDS/IPS logs

Endpoint Security

Antivirus, patch management, device encryption

EDR/XDR, application whitelisting, mobile device management

HIPS, removable media controls, privileged access workstations

Security tool deployment reports, patch compliance metrics

Backup & Recovery

Regular backups, offsite storage

Encrypted backups, tested restoration, immutable backups

Redundant backups, geographically distributed, recovery time <4 hours

Backup logs, restoration testing results, RTO/RPO documentation

Physical Security

Locked server rooms, visitor logs

Biometric access, 24/7 monitoring, environmental controls

Mantrap entry, armed security, CCTV with retention

Physical security policy, access logs, facility certifications

Personnel Security

Background checks, confidentiality agreements, training

Security awareness training (annual), role-based training, insider threat monitoring

Enhanced background checks, separation of duties, dual control

Training records, background check verification, security incidents

Vendor Management

Written agreements, basic security requirements

Security assessments, ongoing monitoring, audit rights

Due diligence, continuous monitoring, insurance requirements

Vendor contracts, security assessments, audit reports

Incident Response

Incident response plan, designated responders

Tabletop exercises (annual), forensic capabilities, retention of IR firm

24/7 SOC, dedicated IR team, breach coach on retainer

IR plan, exercise documentation, incident logs

Logging & Monitoring

Security event logging, 90-day retention

SIEM, real-time alerting, 1-year retention

Comprehensive logging, 7-year retention, tamper-proof logs

SIEM deployment, log retention policy, sample logs

High Severity

Sensitive data breach affecting >1,000 individuals OR significant harm potential

Strongly recommended (expect INAI inquiry if not reported)

Required - individual notice via email/letter

72 hours to INAI (informal), immediate to affected individuals

Medium Severity

General personal data breach affecting >1,000 OR financial data affecting >100

Recommended (demonstrates good faith)

Required if identity theft/fraud risk

5 business days to INAI, 10 days to individuals

Low Severity

Limited data, minimal harm potential, <100 individuals

Optional

Optional (may use general notice on website)

Internal documentation sufficient

Technical Incident

Security event without confirmed data access/exfiltration

Not required

Not required

Internal documentation, investigation

Complaint Investigation

Investigate data subject complaints

Complaint receipt → investigation → resolution/sanction

6-18 months average

Ex Officio Investigation

Initiate investigations without complaint

INAI discretion → investigation → findings

12-24 months average

Verification Audits

Audit compliance proactively

Notice → audit → findings → corrective action

3-9 months

Sanctions

Impose fines, corrective measures, activity suspension

Violation finding → penalty determination → enforcement

Variable

Guidance & Interpretation

Issue recommendations, criteria, binding guidance

Request or INAI initiative → analysis → publication

Variable

Procedural Violations (failure to respond to ARCO requests, lack of designated representative)

100 days minimum wage

320 days minimum wage

Repeat violations, large organization, intentional non-compliance

First offense, good-faith effort, prompt remediation

Substantive Violations (processing without consent, inadequate security, privacy notice deficiencies)

200 days minimum wage

160,000 days minimum wage

Sensitive data, large affected population, economic benefit from violation

Self-reporting, cooperation, compliance program

Serious Violations (unauthorized transfers, processing for incompatible purposes, failure to implement security)

320 days minimum wage

320,000 days minimum wage

Intentional violation, significant harm, obstruction of investigation

Extraordinary cooperation, victim compensation

Complaints Filed

1,847

2,103

2,456

2,892

3,240

2,610 (annualized: ~3,480)

Increasing

Sanctions Imposed

142

168

203

247

289

234 (annualized: ~312)

Increasing

Total Fines (MXN)

12.4M

18.7M

24.3M

31.2M

42.8M

38.1M (annualized: ~50.8M)

Increasing

Average Fine (MXN)

87,324

111,310

119,704

126,316

148,097

162,821

Increasing

Largest Single Fine (MXN)

2.1M

3.4M

4.8M

6.2M

8.7M

9.3M

Increasing

Consent Violations (%)

38%

41%

39%

42%

44%

46%

Stable/Increasing

Privacy Notice Violations (%)

35%

33%

36%

34%

31%

29%

Stable/Decreasing

ARCO Rights Violations (%)

18%

19%

17%

16%

17%

18%

Stable

Security Violations (%)

6%

5%

6%

6%

7%

6%

Stable

Transfer Violations (%)

3%

2%

2%

2%

1%

1%

Decreasing

Violation

Bundled service consent with marketing consent, pre-checked boxes, no granular opt-out

Affected Population

2.4 million customers

INAI Finding

Systematic violation of consent principle (Article 8), inadequate privacy notice (Article 16)

Penalty

8.7 million MXN (~$507,000 USD)

Corrective Measures

Redesign consent mechanism, re-obtain compliant consent from all customers, quarterly compliance audits for 2 years

Compliance Cost

Estimated $2.3 million (system changes, re-consenting campaign, audits)

Key Precedent

Pre-checked boxes constitute invalid consent, even with disclosure in privacy notice

Violation

Ransomware breach affecting 8,200 patient records, inadequate security measures, delayed notification

Data Involved

Sensitive personal data (medical records, diagnoses, treatment history)

INAI Finding

Failure to implement adequate security (Article 19), violation of quality principle (Article 11)

Penalty

4.2 million MXN (~$245,000 USD)

Corrective Measures

Implement comprehensive security program, breach notification to all affected individuals, independent security audit

Compliance Cost

Estimated $890,000 (security improvements, notification, forensics, audit)

Key Precedent

Lack of basic security controls (MFA, encryption, backups) constitutes negligence for sensitive data

Violation

Transferred customer financial data to U.S. parent company without legal basis or privacy notice disclosure

Affected Population

340,000 customers

INAI Finding

Unauthorized international transfer (Article 37), inadequate privacy notice (Article 16)

Penalty

6.4 million MXN (~$373,000 USD)

Corrective Measures

Implement valid transfer mechanism (self-assessment + DPA), update privacy notice, re-obtain consent where required

Compliance Cost

Estimated $620,000 (legal analysis, system changes, notification)

Key Precedent

Intra-corporate transfers require same compliance rigor as third-party transfers

Assessment

80 hours (Privacy Officer, Legal, IT)

Legal review: $15,000

Data mapping tool: $5,000

$20,000

Privacy Notices

40 hours

Legal drafting: $12,000

N/A

$12,000

Consent Redesign

120 hours

UX consultant: $18,000

Development: $35,000

$53,000

ARCO Process

60 hours

Process design: $8,000

Workflow system: $15,000

$23,000

Transfer Documentation

80 hours

Legal research: $25,000

N/A

$25,000

Security Improvements

100 hours

Security assessment: $22,000

Tools/licenses: $40,000

$62,000

Training

200 hours

Training development: $10,000

LMS platform: $8,000

$18,000

Project Management

160 hours

N/A

N/A

$0

Total

840 hours (~21 weeks FTE)

$110,000

$103,000

$213,000

Privacy Technology (consent management, ARCO workflow, data mapping)

$75,000-$180,000

External Counsel (program design, legal research, contract review)

$120,000-$280,000

Training & Awareness (development, delivery, LMS)

$35,000-$85,000

Security Improvements (encryption, access controls, monitoring)

$90,000-$240,000

Process Design & Documentation (policies, procedures, templates)

$40,000-$95,000

Total

$360,000-$880,000

Program Management

Policy development, compliance monitoring, risk assessment

30-50%

Legal background, privacy certification (CIPP/E, CIPM) preferred

ARCO Rights

Oversee rights request process, ensure timely responses

15-25%

Understanding of data systems, process management

Training & Awareness

Develop content, deliver training, maintain culture

10-15%

Communication skills, training experience

Vendor Management

Review DPAs, conduct due diligence, monitor compliance

10-20%

Contract negotiation, risk assessment

Incident Response

Lead breach response, INAI liaison, remediation

5-10% (variable)

Crisis management, forensics coordination

Advisory

Business consultation, privacy by design, impact assessments

10-20%

Business acumen, stakeholder management

Processing Activity Name

Descriptive identifier (e.g., "Customer Account Management," "Employee Payroll Processing")

Quick reference, stakeholder communication

Responsible Party

Legal entity responsible for processing

Accountability, multi-entity organizations

Person in Charge

Third parties processing on behalf

Vendor management, transfer documentation

Processing Purposes

Primary and secondary purposes

Purpose limitation compliance, consent alignment

Data Subject Categories

Types of individuals (customers, employees, suppliers)

Scope understanding, impact assessment

Personal Data Categories

Data types collected (general vs. sensitive)

Data minimization, security requirements

Recipients

Internal departments, third parties receiving data

Transfer documentation, privacy notice accuracy

Cross-Border Transfers

Destination countries, transfer mechanisms

Transfer compliance, legal basis validation

Retention Period

How long data retained, deletion triggers

Data minimization, cancellation requests

Security Measures

Administrative, technical, physical controls

Security compliance, risk management

Legal Basis

Consent, contract, legal obligation, etc.

Lawfulness demonstration

Processing Description

Detailed processing activity description, data flows, system architecture

Complete understanding of processing

Necessity & Proportionality

Why processing is necessary, whether less intrusive alternatives exist

Justification for processing scope

Risks to Data Subjects

Privacy risks, security risks, discrimination risks, other harms

Risk identification

Risk Mitigation

Controls to reduce identified risks to acceptable levels

Risk treatment plan

Compliance Validation

How processing complies with LFPDPPP principles and requirements

Compliance confirmation

Stakeholder Consultation

Data subject input (where feasible), privacy team review, legal review

Comprehensive perspective

Approval & Monitoring

Sign-off by appropriate authority, ongoing risk monitoring

Accountability, continuous improvement

Territorial Scope

Personal data of individuals in Mexico

Personal data of individuals in EU/EEA

LFPDPPP narrower scope but no "establishment" requirement

Sensitive Data Definition

Includes financial data in certain contexts

Financial data generally not "special category"

LFPDPPP more protective of financial information

Consent Standard

Express written consent for sensitive data

Explicit consent for special category data

Similar but LFPDPPP emphasizes written form

Privacy Notice Format

Integral (complete) and simplified formats

Layered notices common but not mandated

LFPDPPP formal requirement for two formats

Data Subject Rights

ARCO (Access, Rectification, Cancellation, Opposition)

Broader rights (portability, restriction, automated decision objection)

GDPR more comprehensive rights framework

Transfer Mechanisms

Article 37 exceptions, self-assessment, BCRs

Adequacy, appropriate safeguards (SCCs), BCRs

LFPDPPP places more burden on data exporter for assessment

Breach Notification

No explicit requirement (INAI guidance developing)

Mandatory 72-hour notification to DPA

GDPR clearer obligation

DPO Requirement

Not required (recommended)

Required for public authorities, large-scale processing

GDPR more prescriptive

Record Keeping

Not explicitly required

Article 30 processing records mandatory

GDPR more documentation-heavy

Privacy by Design

Implicit in responsibility principle

Explicit Article 25 requirement

GDPR more prescriptive

Penalties

Up to 320,000 days minimum wage (~$4.6M USD)

Up to €20M or 4% global revenue (whichever higher)

GDPR significantly higher maximum penalties

Privacy Notice

Create GDPR-compliant notice, ensure LFPDPPP elements included, add simplified format for Mexico

Single global notice with Mexico-specific annex

Consent

Use GDPR standard (explicit consent, granular, documented)

GDPR standard meets or exceeds LFPDPPP

Data Subject Rights

Implement broader GDPR rights framework

LFPDPPP ARCO rights subset of GDPR rights

Transfers

Implement both GDPR SCCs and LFPDPPP transfer mechanisms

Dual compliance documentation

Security

Apply GDPR Article 32 "appropriate technical and organizational measures"

Satisfies both frameworks

Records

Maintain GDPR Article 30 records

Exceeds LFPDPPP expectations

Breach Response

Follow GDPR 72-hour notification timeline

Exceeds LFPDPPP developing practice

Sensitive Data

Broad categories, includes financial data

Specific categories, includes precise geolocation, racial origin

CPRA more granular

Opt-In vs. Opt-Out

Opt-in (consent) for most processing

Opt-out for sale/sharing, opt-in for minors

LFPDPPP consent-first, CPRA opt-out model

Data Minimization

Proportionality principle

Explicit minimization requirement

Similar outcomes

Risk Assessments

Recommended, not mandatory

Required for high-risk processing

CPRA more prescriptive

Enforcement

INAI (dedicated DPA)

California Privacy Protection Agency

Similar models

Financial Services

Enhanced security requirements, faster breach notification (24 hours)

CNBV draft regulations circulated 2024

Healthcare

Electronic health record privacy standards, genetic data protections

Under development

Telecommunications

Network neutrality privacy provisions, location data restrictions

Legislative committee stage

Children's Privacy

Age verification, parental consent, restricted profiling

Early drafting stage