Guide To Mexico’s New Data Privacy Law FLPPD

Mexico just rolled out a big update to its privacy game. On March 20, 2025, the new Federal Law on the Protection of Personal Data Held by Private Parties (FLPPD for short) was published. It kicked into action the very next day, March 21, and it’s shaking things up. I’ve been digging into what this means, and here’s the scoop: it’s a fresh take on how private companies handle your personal info, with some hefty changes to watch out for. Let’s break it down.

What’s the FLPPD All About?

This new law is Mexico’s latest stab at keeping your personal data safe when it’s in the hands of private outfits (think businesses, not government agencies). It replaces the old 2010 version of the same law, and the headline news is that it’s waving goodbye to the National Institute of Transparency, Access to Information and Protection of Personal Data. That’s a mouthful, so most folks knew it as INAI. Now, the Anti-Corruption and Good Government Ministry is stepping up to take over those duties. It’s a big shift, and it’s got people talking not just about tariffs but also about how privacy laws will affect those operating in Mexico.

Why the Change?

So, why ditch INAI? It’s part of a broader push from Mexico’s government to streamline things. Late last year, on December 20, 2024, they tweaked the constitution to cut back on standalone agencies like INAI, handing their powers to ministries instead. The FLPPD is the result: published in the Official Gazette of the Federation, it’s now the rulebook for how companies manage your data. The idea? Centralize control under the executive branch and, maybe, keep a tighter grip on privacy enforcement.

What’s New in the FLPPD?

The FLPPD isn’t a total rewrite, but it’s got some fresh twists. Here’s what stands out:

  • New Sheriff in Town: The Anti-Corruption and Good Government Ministry is now the boss of data protection. They’re taking over INAI’s old gig—everything from spreading the word about privacy rights to cracking down on violators.
  • Wider Net: The definition of who’s on the hook has stretched. Now, anyone processing personal data, whether deciding what to do with it or just handling it, counts as a “data controller.” That could rope in more players, even subcontractors.
  • Privacy Notices Get a Tune-Up: Companies need to spell out exactly what data they’re collecting and why, especially if it’s sensitive stuff like health or beliefs. They don’t have to mention data transfers anymore, but they’ve got to be crystal clear on consent.
  • Your Rights, Upgraded: You’ve still got ARCO rights (access, rectification, cancellation, opposition), but they’re sharper now. You can demand updates to outdated info and even push back against automated decisions that mess with your life.

What Stays the Same?

Not everything’s flipped upside down. Fines for screwing up are still steep: 100 to 320,000 times Mexico City’s daily minimum wage, which could hit millions of pesos. Mess with sensitive data, and those penalties can double. The core idea, protecting your privacy, hasn’t budged either. Now, if you compare this to the recent fine that Honda Motors paid ($632,500) for a CPPA violation while using OneTrust, the amount seems small, but it is still something to take very seriously if you’re a business operating in Mexico.

How to Get Compliant With Mexico’s Privacy Laws: A Quick Guide

If you’re a business dealing with personal data in Mexico, May 5, 2025, isn’t your deadline here, but you’ll want to jump on this anyway. Here’s how to stay on the right side of the FLPPD:

  • Audit Your Data: Figure out what you’ve got, who’s touching it, and where it’s going. If it doesn’t fit the new rules, fix it.
  • Update Your Notices: Rewrite those privacy notices. Be specific about what you’re collecting and why, and ditch any old INAI references.
  • Lock It Down: Set up controls to keep data confidential—even after you part ways with employees or third parties.
  • Check Your Contracts: If you’re outsourcing data work, make sure those agreements nail down who’s the controller and who’s just processing.
  • Test and Train: Run drills to spot weak points, and get your team up to speed on the new law.

What Happens If You Don’t?

Ignore this, and you’re rolling the dice. The Ministry’s got teeth: fines, investigations, the works. Plus, if you’re sloppy with data, you could lose customer trust or tank your rep. And if you’ve got cases pending with INAI? They’re still alive, but the Ministry’s handling them now under the old rules.

What’s Next?

This law’s just getting its legs. The government’s got 90 days from March 21 (until mid-June 2025) to tweak the fine print in the regulations. Plus, within 120 days, they’re setting up special courts for data disputes. Keep an eye out; things could shift. Posts on X are already buzzing: some folks cheer the shake-up, others worry it’s a power grab. Either way, it’s a new era for privacy in Mexico.

My Take

Honestly, this feels like a mixed bag. Centralizing under the Ministry might cut red tape, but it’s hard not to wonder if it’ll stay as independent as INAI tried to be. For businesses, it’s more work upfront (new notices, tighter rules), but it could mean better trust from folks whose data you hold. I’d start small: check your notices, talk to your team, and don’t sleep on this one. Privacy, whether in Mexico, Brazil, Europe, or the USA, is something that you need to respect, and use software like the tools offered by Captain Compliance to stay out of trouble.
