Mexico Enacts New Data Protection Law, Expanding Data Subject Rights and AI Oversight
Why Mexico's New Privacy Law Is Important
Mexico’s newly enacted Federal Law on the Protection of Personal Data Held by Private Parties (LFPDPPP), which came into force on March 21, 2025, marks a significant evolution in the country’s data protection framework.
Overview of the New LFPDPPP
The new law introduces broader definitions, stronger transparency obligations, expanded data subject rights, and accountability for AI-driven decision-making. For organizations operating in or interacting with the Mexican market, these changes necessitate immediate updates to privacy governance, consent management, and data lifecycle controls to ensure compliance under a new regulatory regime.
The updated law replaces the 2010 legislation and introduces key reforms across regulatory structure and operational practice:
- New Supervisory Authority: The law transfers oversight responsibilities from INAI to the Secretariat of Anti-Corruption and Good Governance (SABG), requiring organizations to align with a new administrative framework and enforcement body.
- Expanded Scope of Data Controllers: The definition of a data controller now includes any entity that processes personal data, regardless of their decision-making role—broadening compliance obligations across business functions.
- Detailed Privacy Notices: Organizations are required to issue more specific and purpose-driven privacy notices, including the classification of sensitive data and a clear breakdown of consent-based versus non-consent-based processing activities.
- Consent Rule Modifications: While consent remains a pillar of the law, new exceptions allow regulatory guidelines to establish where consent may not be required, increasing the importance of dynamic and auditable consent tracking.
- Stronger Data Subject Rights and AI Accountability: Data subjects now have expanded rights to access detailed information about processing activities and may object to automated decision-making. Where AI is used, companies must demonstrate meaningful human involvement to remain compliant.
These updates significantly raise the compliance bar for private entities. Organizations must assess whether their current privacy infrastructure is equipped to meet the expanded transparency and governance demands. This includes updating consent strategies, restructuring privacy notices, strengthening subject rights workflows, and evaluating how AI is integrated into business processes. Failure to act may expose companies to legal claims, regulatory enforcement, and loss of consumer trust.
Given the realities of modern enterprise data environments, organizations need to and should leverage technology to meet the requirements of the new LFPDPPP. DSR management tools allow organizations to efficiently manage and respond to data subject requests, ensuring that detailed information about data processing activities is readily available and that objections to automated processing are handled appropriately. The new law's requirements for detailed privacy notices and the expanded definition of personal data necessitate robust data retention and consent management policies; technology can help operationalize policies to manage the data lifecycle, ensuring that personal data is retained only as long as necessary and is disposed of securely when no longer needed.
Daniel Villanueva Plasencia, Partner, TMT-Commercial & Privacy Attorney (CIPM), Baker & McKenzie Abogados, S.C.
Data Privacy Tip
Understanding what data you hold, where it is stored, and how it is being used is the foundation of compliance with regulatory requirements of laws like LFPDPPP. Learn how automated data mapping can provide the foundation for your data privacy compliance program in our recent whitepaper.
