LFPDPPP in Mexico: Data Protection for Your Website
LFPDPPP and data protection in Mexico: privacy notice, ARCO rights, security measures, and a practical checklist for your website.
If your website serves people in Mexico, you almost certainly collect personal data. An email address in your contact form, a name and an address in your store's cart, a phone number that comes in through WhatsApp chat, the cookies that track who visits your blog. That everyday act places you within the scope of the Federal Law on the Protection of Personal Data Held by Private Parties, known by its Spanish acronym: LFPDPPP.
It doesn't matter whether you sell clothing, offer consulting, run a landing page on Wix, or use WordPress with a store. If a company or private individual processes people's data, this law applies. The good news is that meeting the essentials doesn't require being a lawyer or a programmer: it comes down to clear decisions about what you ask for, how you disclose it, and how you protect it.
In this guide we explain what the LFPDPPP is, its principles, the privacy notice (which is mandatory), ARCO rights, who oversees compliance in Mexico, and what security measures are expected of you. We close with an actionable checklist for your website.
This is a practical guide, not legal advice. Mexico's data protection framework has changed significantly in recent years. Whenever something depends on the version of the law currently in force or on the authority in charge, we'll tell you to verify it with the official source.
What the LFPDPPP Is
The LFPDPPP is the law that governs how private parties (companies, independent professionals, associations) process people's personal data in Mexico. "Processing" covers almost anything you can do with a piece of data: collecting it, using it, storing it, sharing it, or deleting it.
It helps to pin down three roles, because the law assigns different obligations depending on which one you are:
- Data subject: the person the data belongs to. Your customer, your subscriber, whoever fills out your form.
- Data controller: the party that decides how the data is processed. If it's your business or your website, that's usually you.
- Data processor: the party that processes the data on the controller's behalf. Your vendors: hosting, the email marketing platform, the payment gateway, the analytics tool.
This matters because, even if you delegate processing to vendors (Processors), the responsibility toward the data subject remains yours. That's why it pays to know which tools you work with and where your people's data ends up.
Important note on the current framework: in recent years, Mexico reformed the institutional structure for transparency and data protection, and the relevant legislation was updated. The exact name of the applicable law, the authority in charge, and some deadlines may have changed. Before making legal decisions, verify the text currently in force in the Official Gazette of the Federation (Diario Oficial de la Federación) and on the portal of the relevant authority.
The Principles That Govern Processing
Data protection in Mexico rests on a set of principles. Don't memorize them word for word; understand the intent, because they guide how you should design your forms and your operation:
- Lawfulness: you process data in accordance with the law and in good faith.
- Consent: as a general rule, you need the data subject's consent to process their data.
- Information: the data subject must know what data you collect and why. This is where the privacy notice comes in.
- Quality: data must be accurate and up to date. That's why "edit my data" flows exist.
- Purpose: data is collected for specific, legitimate purposes. Don't ask for a tax ID "just in case."
- Fairness: you don't obtain data through deception or covertly.
- Proportionality: you ask only for the data needed for the stated purpose.
- Accountability: you must be able to demonstrate that you comply, not just claim it.
Pay attention to purpose and proportionality: most websites are guilty of asking for too much. Every extra field on your form is a piece of data you have to safeguard, justify, and, when the time comes, be able to delete.
The Privacy Notice (Mandatory)
The privacy notice is the centerpiece, and it is mandatory. It's the document through which you inform the data subject who you are, what data you collect, what you use it for, and how they can exercise their rights. On the web, it's usually your "Privacy Notice" or "Privacy Policy" page, linked from the footer and next to your forms.
While the details depend on the version of the law currently in force, a reasonable privacy notice usually includes:
- The controller's identity and address (your company or you).
- The personal data being processed (what you collect).
- The purposes of the processing, distinguishing the necessary ones from those that aren't (for example, sending promotions).
- The mechanisms for exercising ARCO rights and a contact channel to do so.
- Data transfers to third parties, if any, and their purpose.
- The procedure for learning about changes to the notice itself.
- If you use cookies or other tracking technologies, how to disable them.
In practice, people talk about notices in different formats: a comprehensive one (complete) and simplified or short versions that point to the comprehensive one, useful when space is limited, such as on a form or at a counter. The key point: the data subject must be able to find out before or at the moment they hand over their data.
Avoid two very common mistakes: copying another company's notice without adapting it (you'll end up declaring purposes that aren't yours), and hiding it. If no one can find your notice, in practice it's as if you didn't have one.
ARCO Rights
ARCO rights are the heart of what your users can ask of you. There are four:
- Access: to know what data you hold about the person and how you use it.
- Rectification: to correct inaccurate or incomplete data.
- Cancellation: to have you delete their data when there's no longer a reason to keep it.
- Objection: to refuse to let you use their data for certain purposes (for example, marketing).
On top of this comes the ability to revoke the consent they previously gave.
For you, as the website owner, this translates into something very concrete: you need a real channel to receive and handle these requests (a contact email or a form will do), and the operational capacity to fulfill them. If someone asks you to delete their data, you must be able to actually do it, not just "hide" their profile.
The law sets deadlines for responding to ARCO requests. Those deadlines may have been updated by the recent regulatory changes, so verify the terms currently in force and design your operation to meet them with room to spare.
Who Oversees Compliance in Mexico
For years, the guarantor authority at the federal level was the INAI (National Institute for Transparency, Access to Information and Protection of Personal Data). Here we need to be clear and cautious.
Verify the current status of the body. As part of a reform to autonomous bodies, the institutional structure for transparency and data protection in Mexico was modified, and the oversight functions may have been reassigned to another federal government agency. Before directing a request or a complaint, confirm which authority is competent today and how to contact it, by consulting up-to-date official sources.
Regardless of what the authority is called today, the underlying idea doesn't change: there is a body that oversees compliance, handles data subjects' complaints when a controller fails to resolve them, and can open proceedings and impose sanctions. Fines are calculated according to criteria defined by the law and can be significant, especially when sensitive data is involved or there is recidivism.
We don't cite an exact amount here because the caps and the calculation method get updated. If you need the current figure, look it up in the official source or with your legal advisor. The practical point: the authority has the power to sanction, and noncompliance has a cost.
Security Measures
Here's the part that many legal guides leave out. The LFPDPPP doesn't ask you for good intentions: it requires security measures, administrative, technical, and physical, to protect data against damage, loss, alteration, destruction, or unauthorized access.
"Technical measures" sounds abstract, but it shows up in things anyone can observe from outside your website. Think of it this way: if an attacker can intercept the form where your customer types their name and address, you're not applying reasonable measures, no matter what your notice says. Examples of observable security that backs up compliance:
- HTTPS across the entire site, not just on login or checkout. Personal data travels through many forms.
- Security headers (such as HSTS and a solid Content-Security-Policy) that reduce interception and code injection.
- Session cookies marked as Secure and HttpOnly where appropriate.
- No obvious leaks: no exposed admin routes, no error messages that reveal internal structure, no publicly accessible backups or configuration files.
These signals are auditable. In fact, they're exactly the kind of findings a scanner detects in minutes. Passing a scan doesn't automatically make you "compliant" with the LFPDPPP (compliance is broader: it includes your notice, your processes, and your data governance), but a weak technical configuration directly contradicts the security obligation and is the first thing worth closing.
With Pursecure, you paste your website's URL and get a score from 0 to 100 with findings ranked by severity. Each finding comes with a plain-language explanation and a ready-to-use prompt so you, your team, or your AI can fix it. It's a fast way to see, today, how far your site is from the security the law expects. You can run a free scan at pursecure.app.
What to Check on Your Site Today
An actionable list, half legal and half technical, for any site or business that serves Mexico:
Legal and process items
- You have a privacy notice published, adapted to your business, and linked from the footer and the forms.
- The notice describes who you are, what data you collect, for what purposes, transfers to third parties, and how to exercise rights.
- The data subject sees the notice (or a short version that points to the comprehensive one) before or at the moment of handing over their data.
- You ask only for the data needed for a stated purpose (the proportionality principle).
- There is a clear channel for ARCO requests (access, rectification, cancellation, objection) and consent revocation.
- You can actually fulfill those requests, within the deadlines in force, including deleting data when appropriate.
- You've identified your Processors (hosting, email, payments, analytics) and know where the data ends up.
- If you process sensitive data (health, financial data, biometric data, among others), you've reviewed the stricter regime.
Technical items (observable)
- The entire site is served over HTTPS, and HTTP traffic redirects to the secure version.
- HSTS is active and security headers are configured (CSP, X-Content-Type-Options, among others).
- Session cookies use the Secure and HttpOnly flags.
- There are no admin routes, backups, or environment files exposed publicly.
- Forms that collect personal data don't leak information in error messages.
- If you use tracking or analytics cookies, you disclose it and offer a way to manage them.
If you checked the technical boxes by eye, it's worth confirming with a measurement. Many of these fail silently: HTTPS is there, but the redirect is missing; the cookie exists, but without Secure; the notice mentions cookies, but the banner never showed.
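One way to turn the technical items above into a measurement, added here as an example (not Pursecure's or this guide's own code): it parses raw HTTP responses and reports which checklist items pass, catching the silent failures just described. The two responses below are constructed, and shop.example is a placeholder host; to audit your own site, feed it the plain-HTTP and HTTPS responses you capture yourself.

```python
"""Offline audit of the observable checklist items. Added example, not Pursecure's
code: parses raw HTTP responses (constructed below) and reports which items pass."""
REDIRECTS = {301, 302, 307, 308}

def parse_response(raw: str):
    """Return (status code, lower-cased header map) for a raw HTTP/1.1 response."""
    status_line, *header_lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers: dict[str, list[str]] = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return int(status_line.split()[1]), headers

def hsts_ok(value: str) -> bool:
    """HSTS counts only if max-age is present and positive (max-age=0 disables it)."""
    for directive in value.lower().split(";"):
        key, _, num = directive.strip().partition("=")
        if key == "max-age" and num.isdigit():
            return int(num) > 0
    return False

def cookie_findings(set_cookie_values):
    """One finding per Set-Cookie header that lacks the Secure or HttpOnly flag."""
    findings = []
    for raw in set_cookie_values:
        name, *attrs = [p.strip() for p in raw.split(";")]
        flags = {a.split("=", 1)[0].lower() for a in attrs}
        for flag in ("secure", "httponly"):
            if flag not in flags:
                findings.append(f"cookie {name.split('=')[0]} missing {flag}")
    return findings

def audit(http_raw: str, https_raw: str) -> dict:
    """Evaluate the checklist against the plain-HTTP and the HTTPS response."""
    http_status, http_hdrs = parse_response(http_raw)
    _, https_hdrs = parse_response(https_raw)
    first = lambda hdrs, name: hdrs.get(name, [""])[0]  # first header value or ""
    return {
        "http_redirects_to_https": http_status in REDIRECTS and first(http_hdrs, "location").startswith("https://"),
        "hsts": hsts_ok(first(https_hdrs, "strict-transport-security")),
        "csp": "content-security-policy" in https_hdrs,
        "nosniff": first(https_hdrs, "x-content-type-options").lower() == "nosniff",
        "cookie_findings": cookie_findings(https_hdrs.get("set-cookie", [])),
    }

# Constructed sample for a hypothetical shop: redirect and CSP fine, HSTS absent, session cookie lacks HttpOnly.
HTTP_SAMPLE = "HTTP/1.1 301 Moved Permanently\r\nLocation: https://shop.example/\r\n\r\n"
HTTPS_SAMPLE = ("HTTP/1.1 200 OK\r\nContent-Security-Policy: default-src 'self'\r\n"
                "X-Content-Type-Options: nosniff\r\nSet-Cookie: session=abc123; Path=/; Secure\r\n"
                "Set-Cookie: lang=es; Path=/; Secure; HttpOnly\r\n\r\n<html></html>")
```

Running `audit(HTTP_SAMPLE, HTTPS_SAMPLE)` reports the redirect, CSP and nosniff items as passing, HSTS as failing, and a single cookie finding for the session cookie.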
Conclusion
The LFPDPPP isn't a one-time formality. Data protection in Mexico asks you to handle your people's information with purpose, transparency, and, very concretely, security. You need a real privacy notice, a channel for ARCO rights, and technical measures that protect what you collect. And because the institutional framework has changed in recent years, it pays to verify with the official source which law is currently in force and which authority oversees compliance today.
You work through the legal part carefully and, if needed, with a lawyer. The technical security part you can start closing today, because it's measurable. Paste your website's URL at pursecure.app/scan, review the findings by severity, and use the prompts to fix what the security obligation requires of you. It's the most concrete step you can take this week toward real compliance.