Mexico's Data Protection Framework: the LFPDPPP
Mexico's Federal Law on the Protection of Personal Data Held by Private Parties (Ley Federal de Proteccion de Datos Personales en Posesion de los Particulares, or LFPDPPP) governs how private-sector organisations collect, use, store, and share personal data. The original law dates to 2010, but a major overhaul took effect on 21 March 2025, broadening definitions, strengthening consent requirements, and transferring enforcement powers to a new government body.
The updated law applies to any organisation - regardless of where it is based - that processes the personal data of individuals in Mexico. That includes data collected through cookies and other tracking technologies on websites.
If your site attracts visitors from Mexico and sets cookies that capture IP addresses, browsing behaviour, location data, or user preferences, the LFPDPPP applies to you.
What Changed in 2025: INAI Abolished, New Authority Created
Until early 2025, the National Institute of Transparency, Access to Information, and Protection of Personal Data (INAI) served as Mexico's data protection authority. INAI was formally dissolved in May 2025.
Enforcement responsibilities now sit with the Secretaria de Anticorrupcion y Buen Gobierno (Ministry of Anti-Corruption and Good Governance), a body that reports directly to the executive branch. This shift has raised questions about regulatory independence, but the legal obligations for data controllers remain unchanged - and fines have not decreased.
The new authority inherited all pending investigations and enforcement powers from INAI, including the ability to conduct audits, order corrective measures, and impose administrative fines.
How the LFPDPPP Treats Cookies
The LFPDPPP does not contain a standalone "cookie law" equivalent to the EU's ePrivacy Directive. Instead, cookies fall under the law's general rules on personal data collection whenever they gather information that can identify an individual, directly or indirectly.
Cookies that collect personal data - such as _ga, _fbp, or any cookie storing a unique user identifier, IP address, or geolocation - trigger the full set of LFPDPPP obligations. Strictly necessary cookies like PHPSESSID that do not collect personal data are not caught by the law, though disclosing them in a privacy notice is still good practice.
Privacy Notice Requirements for Cookie Use
Every organisation that collects personal data through a website must present a privacy notice (aviso de privacidad) at or before the point of collection. The 2025 update introduced a requirement for a "simplified privacy notice" alongside the comprehensive version. For websites, the simplified notice must include:
- The identity and contact details of the data controller
- The categories of personal data being processed, with express mention of any sensitive data
- The purposes of processing, distinguishing between those that require consent and those that do not
- How individuals can limit the use or disclosure of their data
- A link to the full comprehensive privacy notice
A cookie banner that links to your privacy notice and explains which cookies your site uses satisfies part of this requirement.
Consent Under the LFPDPPP: What Counts as Valid
The 2025 update tightened the definition of consent. It must now be freely given, specific, informed, and unambiguous. This brings Mexico closer to the GDPR standard for valid consent, though differences remain.
| Consent Element | LFPDPPP (Mexico) | GDPR (EU) |
|---|---|---|
| Freely given | Required | Required |
| Specific | Required | Required |
| Informed | Required (via privacy notice) | Required |
| Unambiguous | Required under 2025 update | Required |
| Explicit for sensitive data | Written consent required | Explicit consent required |
| Right to withdraw | Yes, at any time | Yes, must be as easy as giving consent |
| Pre-ticked boxes | Not addressed explicitly | Prohibited |
| Tacit consent allowed | Yes, for non-sensitive data | No |
One notable difference: the LFPDPPP still permits tacit consent for non-sensitive personal data. Tacit consent means that if you present a privacy notice and the data subject does not expressly object, consent is presumed. For sensitive data - which includes biometric, health, financial, and genetic information - explicit written consent is mandatory.
From a practical standpoint, if your cookies only collect non-sensitive personal data (analytics identifiers, for example), an opt-out model may technically be permissible under Mexican law. For sensitive data, you need affirmative opt-in consent before setting those cookies.
Fines and Enforcement
The LFPDPPP calculates fines using Mexico's Unidad de Medida y Actualizacion (UMA), a daily economic reference unit. In 2025, one UMA equals approximately MXN 113. The penalty tiers are significant:
- Standard violations (e.g. failing to provide a privacy notice): 100 to 160,000 UMAs - roughly MXN 11,300 to MXN 18 million (approximately USD 650 to USD 1 million)
- Aggravated violations (e.g. processing sensitive data without consent, unlawful data transfers): 200 to 320,000 UMAs - roughly MXN 22,600 to MXN 36 million (approximately USD 1,300 to USD 2 million)
- Double fines apply when the violation involves sensitive personal data
Criminal penalties also exist. Processing personal data through deception or causing significant harm can result in three months to five years of imprisonment.
Before its dissolution, INAI reported imposing approximately MXN 46.8 million in fines across multiple cases. The new authority is expected to continue this enforcement trajectory.
Practical Compliance Checklist for Websites
Meeting the LFPDPPP's requirements for cookies and tracking technologies comes down to a handful of concrete steps. Treat this as your baseline:
- Audit your cookies - run a cookie scan to identify every cookie and tracker on your site, and classify each by purpose and whether it collects personal data
- Create or update your privacy notice - include a simplified version on-site and link to the comprehensive version; list the cookies you use, their purposes, and how visitors can disable them
- Implement a cookie banner - present the simplified privacy notice to visitors before or at the point of data collection; for non-sensitive data, an opt-out mechanism may suffice, but opt-in is safer if you also serve visitors from Colombia, Argentina, or the EU
- Obtain explicit consent for sensitive data - if any cookies or trackers collect biometric, health, or financial data, block them until the visitor gives affirmative consent
- Honour withdrawal requests - provide a clear mechanism for visitors to revoke consent and stop processing once they do
- Document everything - keep records of consent, your privacy notice versions, and your data processing activities
- Review cross-border transfers - if you transfer personal data outside Mexico, ensure the recipient provides equivalent protection or obtain express consent
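The steps above (audit, gate, explicit opt-in for sensitive data, withdrawal, record-keeping) can be wired together in a small consent gate on the site itself. The following JavaScript is an added illustration written for this article; it is not Kukie.io's code and not part of the LFPDPPP text. The cookie inventory, the category names, the `health_pref` cookie and the privacy-notice version identifier are constructed for the example (only `_ga`, `_fbp` and `PHPSESSID` come from the article). The `mode` parameter switches between the opt-out (tacit consent) model the LFPDPPP permits for non-sensitive data and the stricter opt-in model; sensitive data is never released on tacit consent in either mode.

```javascript
// Added example (not Kukie.io's code): a consent gate applying the LFPDPPP
// rules described in the checklist to a site's cookie inventory.
// Everything below except the cookie names _ga, _fbp and PHPSESSID is constructed.

const PRIVACY_NOTICE_VERSION = "2025-03-simplified-v1"; // assumed identifier for the notice shown

// Output of the cookie audit: purpose category, whether the cookie captures
// personal data, and whether that data is sensitive under the LFPDPPP.
const COOKIE_INVENTORY = [
  { name: "PHPSESSID",   category: "necessary",       personalData: false, sensitive: false },
  { name: "_ga",         category: "analytics",       personalData: true,  sensitive: false },
  { name: "_fbp",        category: "advertising",     personalData: true,  sensitive: false },
  { name: "health_pref", category: "personalisation", personalData: true,  sensitive: true  }, // constructed
];

// Consent state: one decision per non-necessary category. A missing entry means
// the visitor has not acted on the banner yet (the tacit-consent situation).
function newConsentState(seenNotice) {
  return {
    noticeVersion: PRIVACY_NOTICE_VERSION,
    seenNotice,            // true once the simplified privacy notice was displayed
    decisions: {},         // category -> "granted" | "denied"
    updatedAt: new Date().toISOString(),
  };
}

// May this cookie (or the script that sets it) run? `mode` is "opt-out" (tacit
// consent for non-sensitive data) or "opt-in" (safer when EU/Colombian/Argentine
// visitors are also served).
function isAllowed(cookie, state, mode) {
  if (cookie.category === "necessary" && !cookie.personalData) return true; // strictly necessary, no personal data
  const decision = state.decisions[cookie.category];
  if (decision === "denied") return false;
  if (decision === "granted") return true;
  // No explicit decision yet:
  if (cookie.sensitive) return false;  // sensitive data: affirmative consent only, never tacit
  if (mode === "opt-in") return false; // opt-in sites wait for a click
  return state.seenNotice === true;    // opt-out: tacit consent only after the notice was shown
}

// Record a visitor's choice and append an audit entry (the "document everything"
// step). Returns a new state; the log is append-only.
const CONSENT_LOG = [];
function recordDecision(state, category, decision, log = CONSENT_LOG) {
  const updatedAt = new Date().toISOString();
  const next = { ...state, decisions: { ...state.decisions, [category]: decision }, updatedAt };
  log.push({ at: updatedAt, noticeVersion: state.noticeVersion, category, decision });
  return next;
}

// Withdrawal: every non-necessary category becomes "denied", each logged.
function withdrawConsent(state, inventory = COOKIE_INVENTORY, log = CONSENT_LOG) {
  const categories = new Set(inventory.filter(c => c.category !== "necessary").map(c => c.category));
  let next = state;
  for (const cat of categories) next = recordDecision(next, cat, "denied", log);
  return next;
}

// Names of cookies the current state no longer permits (to delete, and whose
// setting scripts must not be loaded).
function cookiesToPurge(state, mode, inventory = COOKIE_INVENTORY) {
  return inventory.filter(c => !isAllowed(c, state, mode)).map(c => c.name);
}

// Browser-side enforcement: expire disallowed first-party cookies. In Node there
// is no `document`, so this only returns the purge list, which keeps it testable.
function applyConsent(state, mode, inventory = COOKIE_INVENTORY) {
  const purge = cookiesToPurge(state, mode, inventory);
  if (typeof document !== "undefined") {
    for (const name of purge) document.cookie = `${name}=; Max-Age=0; path=/`;
  }
  return purge;
}
```

Two practical caveats. First, `applyConsent` only removes cookies already set; the gate is effective only if the analytics and advertising tags are loaded conditionally on `isAllowed` in the first place, otherwise a tracker can set its cookie before the banner is answered. Second, a cookie set with an explicit `Domain` attribute (as `_ga` typically is) is only deleted when the expiring write uses the same `Domain` and `Path`, so the audit step should record those attributes alongside the name.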
How Mexico Compares to Other Latin American Privacy Laws
Mexico's LFPDPPP sits in a middle ground among Latin American data protection frameworks. Privacy laws vary considerably across the region.
Chile is modernising its data protection regime with a new bill that closely mirrors the GDPR. Peru's Law 29733 already requires prior and informed consent for personal data processing. Brazil's LGPD stands as the most comprehensive framework in the region, with a fully independent supervisory authority (ANPD) and GDPR-aligned consent standards.
Mexico's allowance of tacit consent for non-sensitive data makes it less strict than the GDPR or Brazil's LGPD, but the 2025 reforms have narrowed that gap. The transfer of enforcement to a ministry within the executive branch, rather than an independent authority, is the most significant structural difference from European models.
Frequently Asked Questions
Does Mexico require cookie consent on websites?
Yes. Under the LFPDPPP, any cookie that collects personal data (such as analytics identifiers or IP addresses) requires a privacy notice and valid consent. For non-sensitive data, tacit consent through an opt-out mechanism may be sufficient. Sensitive data always requires explicit opt-in consent.
What is the LFPDPPP in Mexico?
The LFPDPPP (Ley Federal de Proteccion de Datos Personales en Posesion de los Particulares) is Mexico's federal data protection law for the private sector. It governs how organisations collect, use, store, and transfer personal data. A major update took effect on 21 March 2025.
Who enforces data protection law in Mexico after INAI was abolished?
The Secretaria de Anticorrupcion y Buen Gobierno (Ministry of Anti-Corruption and Good Governance) assumed INAI's data protection enforcement duties in May 2025. It has the power to investigate complaints, conduct audits, and impose fines.
What are the fines for LFPDPPP non-compliance?
Fines range from 100 to 320,000 UMAs. At 2025 UMA values, that translates to roughly MXN 11,300 up to MXN 36 million (approximately USD 650 to USD 2 million). Fines double when sensitive personal data is involved. Criminal penalties of up to five years in prison also apply for serious violations.
Is the LFPDPPP the same as the GDPR?
No. While the 2025 update brought Mexico's consent standards closer to the GDPR, key differences remain. The LFPDPPP still allows tacit consent for non-sensitive data, whereas the GDPR requires unambiguous affirmative action. The GDPR also has the ePrivacy Directive specifically covering cookies, which Mexico lacks.
Do I need a cookie banner for Mexican visitors?
If your website sets cookies that collect personal data from visitors in Mexico, you need to present a privacy notice - typically delivered through a cookie banner - before or at the point of data collection. The banner should explain what data you collect and how visitors can opt out or manage their preferences.
Take Control of Your Cookie Compliance
If you are not sure which cookies your site sets or whether they collect personal data from Mexican visitors, start with a free scan. Kukie.io detects, categorises, and helps you manage every cookie - so your visitors get a clear choice, and you stay on the right side of the law.