Mexico's data protection regulator, the Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales (INAI. Mexico's National Institute for Transparency. Access to Information and Personal Data Protection), has intensified its enforcement posture in the current regulatory cycle. Sanctions issued against both domestic entities and international companies operating in Mexico have increased markedly. For any business that processes personal data belonging to Mexican residents – regardless of where that business is incorporated – the risk of inaction has become concrete and immediate.
Mexico's data protection legislation, which governs personal data processing by private-sector entities. Requires every responsable (data controller) and encargado (data processor) to maintain a compliant privacy notice, a valid consent mechanism. Additionally, documented procedures for data subject rights. INAI's recent enforcement actions have targeted failures in all three areas, with formal investigations now concluding in administrative fines and public corrective orders. International companies with any Mexican user base or employee population should treat the first quarter of 2026 as a compliance review deadline.
This alert sets out what has changed, which businesses are affected, and the immediate steps required to reduce regulatory exposure in Mexico.
What has changed in Mexico's data protection enforcement environment
Mexico's private-sector data protection rules have been in force for over a decade. However, INAI's enforcement activity has shifted in character. The regulator is no longer limiting investigations to complaints filed by individual data subjects. It has begun initiating proceedings on its own authority – known as verificaciones de oficio (ex officio inspections) – targeting sectors it considers high-risk.
Priority sectors under current enforcement include financial services, health and wellness platforms, e-commerce operators, and companies that conduct cross-border data transfers to entities in third countries. INAI has signalled particular concern about inadequate consent mechanisms and the absence of documented data transfer agreements with third-party processors.
The regulator has also updated its interpretive guidance on what constitutes a legally sufficient aviso de privacidad (privacy notice). Generic or template-style notices – a common shortcut used by international companies entering the Mexican market – are now being cited as a standalone ground for corrective action. This affects any business that published a privacy notice before 2023 without subsequent review.
Companies that have invested in GDPR compliance programmes in Europe should not assume those programmes satisfy Mexico's requirements. The two regimes share conceptual similarities but diverge on structure, consent thresholds, and data subject rights procedures. A GDPR-compliant framework does not automatically constitute compliance under Mexican data protection legislation.
For cross-border transactions and data transfers, INAI has emphasised that transferring personal data outside Mexico without a valid contractual basis – or without notifying data subjects in the privacy notice – constitutes a material breach. This is directly relevant to companies that route Mexican user data through servers or service providers located abroad, including parent companies in Europe or the United States.
To understand how these enforcement trends interact with emerging technology regulation, see the firm's analysis of AI and technology law in Mexico, where data processing obligations intersect with automated decision-making rules.
To receive an expert assessment of your data protection exposure in Mexico, contact us at info@ferrazwhitmore.com.
Which businesses are affected and what the threshold criteria require
Mexico's data protection legislation applies to any private-sector entity – Mexican or foreign – that processes personal data of individuals located in Mexico. There is no minimum revenue threshold, no employee count requirement, and no sector carve-out for small businesses.
The following categories face the highest immediate enforcement risk based on INAI's published inspection priorities:
- E-commerce and marketplace platforms collecting payment and behavioural data from Mexican consumers
- Financial services providers, including fintech companies and payment processors operating under Mexican financial regulation
- Health and telemedicine platforms handling sensitive personal data – a category subject to heightened consent requirements under Mexican law
- Companies conducting cross-border data transfers, particularly those routing data to non-Mexican processors without documented transfer agreements
- Employers processing Mexican employee data, including payroll providers and HR platforms
Foreign companies that operate exclusively through a website or app accessible in Mexico – without a physical presence – are also within INAI's jurisdictional reach. The regulator has confirmed this position in recent proceedings. A company incorporated in Europe or the United States is not exempt simply because it has no Mexican subsidiary.
Compliance failures that trigger the highest sanctions are: absence of a privacy notice, failure to respond to data subject rights requests within the statutory period, and processing sensitive personal data without explicit consent. These are not technical oversights – they represent the core of what Mexican data protection legislation requires of every data controller and data processor operating in the country.
For a tailored review of your company's data protection obligations in Mexico, reach out to info@ferrazwhitmore.com.
Immediate actions for international companies
International businesses should treat the following steps as urgent compliance priorities. Each addresses a specific enforcement risk identified in INAI's recent actions.
Review and update your privacy notice. Verify that the notice accurately describes every category of personal data collected. The purpose of each processing activity. Additionally, the legal basis for any data transfer to third parties or foreign entities. A notice drafted under GDPR standards will typically be insufficient. It must be restructured to meet the specific format and content requirements under Mexican data protection legislation.
Audit your consent mechanism. Confirm that consent is obtained before – not after – data collection begins. For sensitive personal data, explicit written consent is required. Pre-ticked boxes and blanket consent clauses do not satisfy Mexican standards and have been cited in recent enforcement decisions.
Document all data transfers. Every transfer of personal data to a third-party data processor. whether domestic or foreign. must be covered by a written agreement that binds the processor to the same data protection obligations as the data controller. If your company transfers data to a parent entity, a cloud service provider, or an analytics platform outside Mexico, that transfer must be disclosed in the privacy notice and governed by a compliant transfer agreement.
Establish a data subject rights procedure. Mexican data subjects have the right to access, rectify, cancel, and oppose the processing of their personal data – collectively referred to as derechos ARCO (ARCO rights). Your organisation must have a documented and functional process for receiving, verifying, and responding to these requests within the deadlines set by Mexican data protection legislation. Failure to respond on time is independently sanctionable.
Designate a responsible contact point. INAI expects organisations to have an identifiable internal function or person responsible for data protection compliance. This does not need to be a formal data protection officer in the GDPR sense, but the function must exist and be accessible to data subjects and the regulator alike.
Companies that have already implemented compliance programmes under other regimes – including those developed for US state privacy laws – should conduct a gap analysis specific to Mexico. The enforcement environment for a lawyer in Mexico advising on data protection matters confirms that regulators are now scrutinising programme substance, not just formal documentation. For comprehensive legal support on data protection compliance in Mexico, visit our data protection practice in Mexico.
For context on how Mexico's enforcement developments compare to those in neighbouring markets, the firm's alert on data protection enforcement in the United States provides a useful parallel analysis.
About Ferraz & Whitmore
Ferraz & Whitmore is an international law firm based in Lisbon, advising business clients across 46 jurisdictions. As a law firm with deep experience in Mexico and across Latin American markets, our team supports data controllers and data processors in building compliant personal data processing programmes that satisfy local regulatory requirements. We advise international entrepreneurs, institutional investors, and in-house legal teams navigating data protection obligations across civil law systems in the Americas and beyond. The firm's data protection practice covers both transactional compliance work and regulatory response. This includes engagement with the Instituto Nacional de Transparencia. Acceso a la Información y Protección de Datos Personales on behalf of clients subject to investigation. To discuss your organisation's data protection position in Mexico, contact us at info@ferrazwhitmore.com.
Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. Ferraz & Whitmore assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@ferrazwhitmore.com.