On March 21, 2025, the New Federal Law on the Protection of Personal Data Held by Private Parties (hereinafter referred to as "NLFPDPPP"), published in the Official Gazette of the Federation on March 20, 2025, came into effect.
Among the main modifications introduced by this law, the following stand out:
- New regulatory authority for personal data protection
The new regulatory authority for the protection of personal data held by private parties is the Secretariat for Anti-Corruption and Good Governance, resulting in the dissolution of the National Institute for Transparency, Access to Information and Personal Data Protection (INAI, by its acronym in Spanish).
- Modifications and additions to definitions
Some definitions established within the law were modified, with the following new provisions standing out:
- The privacy notice must be disclosed from the moment personal data is collected.
- The definition of a physical or identifiable person is clarified, establishing that it refers to anyone whose identity can be determined directly or indirectly through any type of information.
- Determination of the criteria to be included in the databases.
- The definition of "consent" is expanded, specifying that it refers to the free, specific, and informed will of the data subject.
- Regarding sensitive personal data, the text is modified to expand the concept beyond those that may reveal aspects such as racial or ethnic origin, current and future health status, genetic information, religious, philosophical or moral beliefs, union affiliation, political opinions, or sexual orientation.
- The definition of "processing" is expanded, establishing that it includes "any operation or set of operations carried out through manual or automated procedures applied to personal data, related to obtaining, using, recording, organizing, preserving, elaborating, utilizing, communicating, disseminating, storing, possessing, accessing, managing, exploiting, disclosing, transferring or disposing of personal data".
- The following definitions were also added:
a. Regulated subjects, excluding credit information companies and individuals who collect and store personal data exclusively for personal use, without disclosure or commercial use.
b. ARCO rights, which were already included in the law's regulations.
c. Responsible person, defined as the individual or legal entity that, alone or jointly with others, processes personal data on behalf of the responsible party.
- New considerations regarding data subject consent
New considerations related to the data subject’s tacit consent are added. These include new exceptions regarding the requirement for obtaining consent, and the removal of the exception that allowed the responsible party to process data for a different purpose that was compatible or analogous to the purposes established in the privacy notice, without having to obtain the data subject’s consent again.
- Privacy notice requirements
Additional requirements to be included within the privacy notice are added, including aspects of classification of collected data, clarifications on processing purposes, references to ARCO rights, and issues related to the transfer of personal data.
- ARCO rights
New provisions related to the exercise of ARCO rights are added, specifically applicable to the right of rectification, requests for cancellation rights, and new clarifications regarding the right to object.
- New procedure against resolutions issued by the new regulatory authority
Individuals may file an amparo lawsuit against the resolutions of the Secretariat for Anti-Corruption and Good Governance. The law specifies that amparo lawsuits will be heard by specialized judges and courts under the terms of Article 94 of the Political Constitution of the United Mexican States.