Mexico — analytics & cookie compliance reference
What you can run on a Mexico-targeted website without a fine — GA4, cookies, vendor stack, and the rules behind them. LFPDPPP (private sector) + LGPDPPSO (public sector) · INAI dissolved March 2025, Secretaría Anticorrupción in transition · Spanish-language Aviso de Privacidad mandatory.
// SCOPE
Web analytics, cookies, tag managers, CMPs, ad pixels, and session-replay tools as deployed on websites and apps targeting Mexico. Sectoral rules (financial, telecom, employment) are touched only where they intersect with the analytics layer.
National addons
Country-specific statutes layered on the EU baseline.
LFPDPPP
Ley Federal de Protección de Datos Personales en Posesión de los Particulares
Private-sector data protection law. Governs collection, use, transfer, and storage of personal data by private entities (controllers and processors) in Mexico. Applies regardless of whether processing occurs in Mexico, when the controller is established in Mexican territory or uses means located in Mexico.
Art 3 Definitions — datos personales, datos sensibles, responsable, encargado, transferencia, ARCO rights
Art 8 Consent — express, written for sensitive data; tacit acceptable for non-sensitive after Aviso de Privacidad delivery
Art 15-18 Aviso de Privacidad — mandatory disclosure document, Spanish-language, before or at point of collection
Art 22-27 ARCO rights — Acceso, Rectificación, Cancelación, Oposición; 20-day controller response window
Art 30 Departamento de Datos Personales — every controller must designate a person/department for ARCO requests (de facto DPO mandate)
Art 36 Cross-border transfers — accountability principle; transferor must communicate Aviso de Privacidad and obtain transferee commitment to equivalent protection
Art 63-64 Sanctions — fines from 100 to 320,000 days of UMA (~MXN 11M-35M); doubled for sensitive data
DOF 5 July 2010; Reglamento DOF 21 December 2011; Lineamientos del Aviso de Privacidad DOF 17 January 2013
LGPDPPSO
Ley General de Protección de Datos Personales en Posesión de Sujetos Obligados
Public-sector counterpart to LFPDPPP. Covers federal, state, and municipal authorities, autonomous bodies, political parties, and public trusts. Establishes harmonized minimums across the federation; states may legislate stricter rules. Out of scope for typical analytics deployments unless the controller is a sujeto obligado.
Art 26-32 Aviso de Privacidad for public-sector data subjects
Art 43-57 ARCO rights procedure for public-sector controllers
Art 83 Cross-border transfers by sujetos obligados — stricter than LFPDPPP Art 36
DOF 26 January 2017
Reforma 2025 — INAI Dissolution
Reforma Constitucional en materia de Simplificación Orgánica (March 2025)
Constitutional reform abolishing seven autonomous bodies including INAI (Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales). Data-protection oversight transferred to the federal executive's Secretaría Anticorrupción y Buen Gobierno (Anti-Corruption Secretariat). Transition period unclear; secondary legislation (LFPDPPP, LGPDPPSO) remains in force but enforcement posture is in flux as of mid-2025.
Decreto Constitutional amendments to articles 6 and 28 — eliminates INAI's autonomous status
Transitorios Transfer of personnel, archives, and ongoing procedures to Secretaría Anticorrupción; deadlines staggered through 2025-2026
DOF March 2025 — abolition of INAI; transfer of powers to the Secretaría Anticorrupción y Buen Gobierno
REPEP
Registro Público para Evitar Publicidad (Padrón Nacional para Evitar la Publicidad)
Mexico's Bloctel-equivalent national do-not-call/do-not-market registry. Marketers must scrub contact lists against REPEP before campaigns. Applies to telephone, SMS, and email direct marketing. Independent of LFPDPPP consent — controllers cannot rely on LFPDPPP Aviso de Privacidad to override a REPEP listing.
LFPC Art 18-Bis Marketers must consult REPEP and exclude registered consumers
LFPC Art 76-Bis E-commerce — explicit consent for promotional emails
Ley Federal de Protección al Consumidor; operated by PROFECO
Regulators
Supervisory authorities that interpret and enforce privacy law here.
FEDERAL
Secretaría Anticorrupción y Buen Gobierno · Secretaría Anticorrupción y Buen Gobierno (successor to INAI as of March 2025)
Federal data-protection authority since March 2025 constitutional reform. Inherits LFPDPPP and LGPDPPSO supervision, ARCO enforcement, breach investigations, and sanctions. Transition period — operational guidance, registry, and enforcement priorities still being defined. Ongoing INAI procedures continue under successor body.
Sistema Nacional de Transparencia (SNT) · Sistema Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales
Federal-state coordination body for data-protection and transparency policy. Survives the INAI dissolution as a coordination forum among state-level transparency bodies (Órganos Garantes Locales) and the federal successor. Non-binding guidance.
2017-01-26 · LGPDPPSO entry into force — Public-sector law harmonizes data-protection minimums across the federation; states retain capacity to legislate stricter rules.
2024-11 · Reforma simplificación orgánica — Senate approved constitutional reform abolishing INAI alongside six other autonomous bodies.
2025-03 · INAI dissolution — Constitutional amendment promulgated; functions transferred to Secretaría Anticorrupción y Buen Gobierno. Transition period — secondary regulations pending.
Pre-dissolution, INAI was an active enforcer in telecom, financial services, and consumer-tech sectors. Notable fines targeted Banca Mifel, Caja Popular Mexicana, Cinemex, and Volaris for Aviso de Privacidad deficiencies, ARCO non-response, and breach-notification failures. Following the March 2025 INAI dissolution, enforcement posture is uncertain — the Secretaría Anticorrupción successor body has not yet published an enforcement priority document, and ongoing investigations are in administrative limbo. Controllers should treat the transition period as a compliance baseline-maintenance window, not a holiday: secondary law (LFPDPPP, LGPDPPSO) remains fully in force, and the federal executive may issue retrospective sanctions once the successor body's procedural rules are gazetted.
GA4 status
GA4 is usable in Mexico with prior delivery of an Aviso de Privacidad and consent (express for sensitive data; tacit acceptable for non-sensitive analytics under LFPDPPP Art 8 once Aviso has been delivered before collection). Cross-border transfers to Google's US servers are permissible under LFPDPPP Art 36 accountability principle — DPF certification, while not formally required by Mexican law, supports the equivalent-protection demonstration. The Secretaría Anticorrupción successor body has not issued post-transition guidance specific to GA4, so pre-dissolution INAI criteria remain the practical baseline.
DPA
Stance
Secretaría Anticorrupción y Buen Gobierno
Successor to INAI as of March 2025 — transition period; no GA4-specific guidance published. Pre-dissolution INAI posture (Aviso de Privacidad + transfer documentation) treated as default.
INAI (legacy)
Pre-dissolution — active enforcement on Aviso de Privacidad form, ARCO compliance, and Art 36 transfer documentation. Cited as historical baseline.
Cross-border transfers + Schrems II
Mexico is not part of the EU-US Data Privacy Framework. LFPDPPP Art 36 governs cross-border transfers from Mexican controllers under an accountability principle: the transferor must communicate the Aviso de Privacidad to the recipient and obtain a commitment to equivalent protection. Transfers to the US, EU, Canada (PIPEDA-adequate), and most jurisdictions are permissible with documented safeguards (intra-group binding rules, contractual clauses, or recipient certification). Sensitive data and onward transfers require heightened scrutiny.
No official Mexican SCC template exists. Controllers typically rely on contractual clauses derived from EU 2021/914 SCCs adapted to LFPDPPP Art 36 language, or on intra-group binding corporate rules. The Secretaría Anticorrupción successor body is expected to issue updated transfer guidance during the 2025-2026 transition period.
Red / yellow / green markers are an editorial reading of public regulator guidance and published enforcement actions, applied to vendor behavior we can observe or that the vendor documents. They are not legal conclusions, not endorsements, and not advice about your specific processing. Configuration changes the picture — a "yellow" vendor in one configuration may be defensible in another.
Analytics tools · 4 · 0 green · 3 yellow · 1 red
Vendor
Status
Rationale
YELLOW
Visitor ID cookie + cross-suite stitching with Experience Platform. DPIA strongly recommended; configure ECID + IP obfuscation.
YELLOW
EU residency available on paid plans; default cloud is US. Persistent user IDs require config + DPA + DPF chain.
YELLOW
EU cloud helps but session recording + autocapture default to PII collection. Disable autocapture and recordings or self-host for green.
RED
Auto-capture grabs every click and form value — broad PII risk under GDPR Art 5(1)(c) data minimization.
Consent management platforms · 5 · 5 green · 0 yellow · 0 red
Vendor
Status
Rationale
GREEN
Danish-based, EU-hosted. Auto-blocks third-party scripts pre-consent — verify your manual scripts also gate.
Yes, conditionally. GA4 is usable in Mexico with prior delivery of a Spanish-language Aviso de Privacidad enumerating GA4 as a data recipient and the US transfer purpose. Consent is express for sensitive data; for non-sensitive analytics LFPDPPP Art 8 accepts tacit consent once the Aviso has been delivered before collection. Cross-border transfers to Google's US servers are permissible under LFPDPPP Art 36 with documented equivalent-protection commitment from the importer.
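The loading rule above (no tag before the Spanish-language Aviso is delivered, tacit consent acceptable for non-sensitive analytics afterwards, express consent for sensitive contexts, and third-party scripts gated pre-consent as the CMP note in the vendor table also asks for) can be enforced in the site's own tag code. The following is an added example, not code from this page or from Google: the Consent Mode keys are Google's documented ones, while the Aviso/consent record shape, the "sensitive" route list and the measurement ID are assumptions of the example.

```javascript
// Added example: consent gate for GA4 under LFPDPPP Art 8 / Art 15-18.
// Assumed record shape (not from the page):
//   { avisoDeliveredAt: ISO string | null, avisoLang: 'es' | 'en', express: 'granted' | 'denied' | null }
// Constructed list of routes that handle datos sensibles (health, credit) and therefore need express consent.
const SENSITIVE_PATHS = [/^\/salud\//, /^\/credito\//];

function isSensitiveContext(path) {
  return SENSITIVE_PATHS.some((re) => re.test(path));
}

// Decide whether gtag.js may load and what analytics_storage state to signal.
function analyticsDecision(record, path) {
  const avisoOk = !!record.avisoDeliveredAt && record.avisoLang === 'es';
  if (!avisoOk) return { load: false, analytics_storage: 'denied', reason: 'aviso-not-delivered' };
  if (isSensitiveContext(path)) {
    if (record.express === 'granted') return { load: true, analytics_storage: 'granted', reason: 'express-consent' };
    return { load: false, analytics_storage: 'denied', reason: 'sensitive-needs-express' };
  }
  // An explicit refusal or revocation (ARCO Oposición) overrides tacit consent.
  if (record.express === 'denied') return { load: false, analytics_storage: 'denied', reason: 'opposed' };
  return { load: true, analytics_storage: 'granted', reason: 'tacit-after-aviso' };
}

// Consent Mode v2 payload: advertising signals stay denied; only analytics follows the decision.
function consentModePayload(decision) {
  return {
    ad_storage: 'denied',
    ad_user_data: 'denied',
    ad_personalization: 'denied',
    analytics_storage: decision.analytics_storage,
  };
}

// Browser wiring (returns null outside a browser): push a denied default first,
// then inject gtag.js only when the decision allows it. Measurement ID is a placeholder.
function applyInBrowser(record, measurementId) {
  if (typeof window === 'undefined') return null;
  window.dataLayer = window.dataLayer || [];
  function gtag() { window.dataLayer.push(arguments); }
  gtag('consent', 'default', consentModePayload({ analytics_storage: 'denied' }));
  const decision = analyticsDecision(record, window.location.pathname);
  if (!decision.load) return decision;
  gtag('consent', 'update', consentModePayload(decision));
  const s = document.createElement('script');
  s.async = true;
  s.src = 'https://www.googletagmanager.com/gtag/js?id=' + encodeURIComponent(measurementId);
  document.head.appendChild(s);
  gtag('js', new Date());
  gtag('config', measurementId);
  return decision;
}
```

The `avisoDeliveredAt` timestamp is the evidence the Aviso reached the visitor before collection; keep it with the consent record so it can be produced if the regulator asks.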
What's the difference between LFPDPPP and LGPDPPSO?
LFPDPPP (2010) governs the private sector — companies, NGOs, and individuals processing personal data in or from Mexico. LGPDPPSO (2017) governs the public sector — federal, state, and municipal authorities, autonomous bodies, political parties, and public trusts. They share principles (licitud, finalidad, consentimiento, ARCO rights) but LGPDPPSO is stricter on cross-border transfers (Art 83) and harmonizes minimums states cannot fall below. Most analytics deployments fall under LFPDPPP.
What happened to INAI?
INAI (Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales) was dissolved in March 2025 as part of a constitutional reform abolishing seven autonomous bodies. Its data-protection competencies transferred to the federal executive's Secretaría Anticorrupción y Buen Gobierno. The substantive laws (LFPDPPP, LGPDPPSO) remain in force unchanged — only the supervisory authority changed. Transition period is ongoing; secondary procedural regulations are pending.
Who is my data-protection regulator now?
As of March 2025, the federal regulator is the Secretaría Anticorrupción y Buen Gobierno, which absorbed INAI's competencies. Ongoing INAI procedures, registries, and breach notifications transferred to the successor body. State-level Órganos Garantes Locales survive for state-public-sector matters. The Sistema Nacional de Transparencia (SNT) continues as a coordination forum.
Do I need a DPO in Mexico?
Yes, effectively. LFPDPPP Art 30 requires every controller to designate a person or department (Departamento de Datos Personales) responsible for handling ARCO requests and channeling internal compliance. Unlike GDPR's risk-based DPO trigger, Mexico's mandate is universal — there is no employee-count threshold. Small businesses can designate an existing role; large controllers typically appoint a dedicated officer.
What language must my Aviso de Privacidad be in?
Spanish. The Lineamientos del Aviso de Privacidad (DOF 17 Jan 2013) require Spanish-language delivery for Mexico-targeted services. English-only notices are insufficient. Bilingual notices are acceptable, but Spanish must be at least equally prominent. Targeting indicators include .mx domains, MXN pricing, Mexican Spanish marketing copy, and address-of-business in Mexico.
What must my Aviso de Privacidad contain?
LFPDPPP Art 16 mandates: (1) controller identity and address, (2) personal data categories collected, (3) processing purposes (separated into primary vs secondary), (4) transfers and recipients, (5) ARCO rights exercise procedure, (6) means to revoke consent, (7) Aviso amendment-notification mechanism. Three formats exist — integral (full), simplified (short), and short (oral/sign) — but the integral version must be accessible from any short version. Required at or before the point of collection.
Does Mexico recognize the EU-US Data Privacy Framework?
Not formally. Mexico is not party to the DPF and has not issued an adequacy-equivalent finding for the US. However, LFPDPPP Art 36 operates on accountability rather than adequacy: a Mexican controller transferring to a DPF-certified US importer can cite DPF certification as supporting evidence of equivalent protection alongside contractual safeguards. Pre-dissolution INAI accepted this approach in practice. Post-transition guidance from Secretaría Anticorrupción is pending.
Do I need a representative in Mexico if I'm a non-Mexican controller?
Yes. Non-Mexican controllers using means located in Mexico (e.g., Mexican IP-targeted servers, Mexican CDN nodes processing personal data) or directly targeting Mexican residents fall within LFPDPPP territorial scope per Art 4. While the law does not use the EU's Article 27 'representative' terminology, controllers must designate a Mexican point of contact for ARCO requests and Aviso de Privacidad service. In practice this is a Mexican counsel or compliance contractor.
Is the REPEP registry like Bloctel for marketing?
Yes. REPEP (Registro Público para Evitar Publicidad, also called Padrón Nacional para Evitar la Publicidad) is Mexico's do-not-call/do-not-market registry, operated by PROFECO under the Ley Federal de Protección al Consumidor. Marketers must scrub telephone, SMS, and email contact lists against REPEP before campaigns. Double-opt-in is the prudent standard for promotional emails — LFPC Art 76-Bis requires explicit consent, and LFPDPPP Aviso de Privacidad does not override a REPEP listing. Children under 18 require parental consent for any marketing collection.
// EDITORIAL · NOT LEGAL ADVICE
This page summarises Mexico's privacy framework as of 2026-05-05. Rules vary by sector, establishment, and DPA position. For binding interpretation, consult counsel admitted here.