General Overview

E-commerce and the digital economy in Mexico are regulated through general laws, including the Civil Code, the Commercial Code and the Consumer Protection Law, rather than through specific e-commerce legislation. These regulations are designed to be technology-neutral, though amendments sometimes address digital-specific matters. There is no overarching framework solely governing e-commerce activities.

Local e-Commerce Regulation

In 2018, the Mexican government introduced voluntary guidelines (NMX-COE-001-SCFI) for businesses operating digital platforms to promote or sell goods and services. These guidelines set standards for advertising transparency, online transaction security, cross-border commerce and consumer protection. Notably, they clarify the roles and liabilities of digital platforms versus sellers, with platforms generally being held accountable only for their specified activities.

Efforts to convert these guidelines into binding Mexican Official Standards (Normas Oficial Mexicana; NOMs) began in late 2024. This process aims to ensure enforceable compliance, with implementation anticipated in 2026.

The United States-Mexico-Canada Agreement (USMCA)

The United States-Mexico-Canada Agreement (USMCA) modernises e-commerce regulation under Chapter 19, addressing digital trade, cybersecurity, algorithms and intermediary liability. It prohibits customs duties on digital products, promotes privacy and consumer protection and ensures safe harbour provisions for intermediaries. Although Mexico has not formally incorporated USMCA provisions into its statutory framework, the Supreme Court has upheld their direct application through case law, allowing their enforcement without formal domestic legislation.

The USMCA is currently under review ahead of the mandatory joint assessment scheduled for 1 July 2026. The primary goal is for the three partners to decide whether to extend the agreement until 2042 or implement changes. Key issues to discuss include digital intermediary liability, AI, among other topics.

Fintech

The 2018 Fintech Act regulates two types of institutions and two business models. The first category of institution includes electronic payment fund institutions (EPFIs; instituciones de fondo de pago electrónico or IFPEs) and investment fund companies (IFCs), which require authorisation from both the National Banking and Securities Commission (Comisión Nacional Bancaria y de Valores; CNBV) and the Bank of Mexico (Banxico). Approval is granted by an inter-institutional committee involving the Ministry of Finance (Secretaría de Hacienda y Crédito Público; SHCP), CNBV and Banxico. EPFIs can manage electronic payment accounts, participate in payment networks, facilitate fund transfers and handle national and foreign currencies. Virtual asset operations are limited to internal purposes, with strict segregation from client resources and prior Banxico approval.

The second type of institution is the collective funding institution (CFI), or crowdfunding platform, which intermediates between investors and funding applicants and offers debt, equity and co-ownership or royalty-based financing. Royalty financing refers to sharing profits or losses from projects, not intellectual property (IP) rights.

The Fintech Act also regulates virtual assets, including cryptocurrencies, defining them as electronically registered value representations used for electronically transferable payments. Their use is subject to guidelines such as Circular 4/2018 and Comisión Nacional para la Protección y Defensa de los Usuarios de Servicios Financieros (CONDUSEF; the National Commission for the Protection and Defense of Users of Financial Services) provisions, requiring disclosures about risks and compliance with anti-money laundering rules. The Mexican Central Bank has not approved any public cryptocurrency from fintech companies.

Innovative model sandboxes allow business models outside existing financial regulations to operate with temporary, two-year authorisation. These sandboxes function under controlled conditions, with geographical and client limitations. The framework includes regulated and unregulated sandboxes, but no sandbox has been authorised to date despite collaborative efforts.

The Fintech Act mandates application programming interfaces (APIs) for standardised data sharing between financial entities, enabling open financial data, aggregated information and transactional data exchanges with user consent. APIs facilitate open banking by promoting innovation and efficiency, but the lack of detailed regulations has required industry adaptation.

The Fintech Act aims to create an integrated, efficient financial services ecosystem, fostering innovation while ensuring competitiveness, transparency and security in Mexico’s digital finance sector.

Transportation and Food Delivery Apps

The December 2024 amendment to the Employment Act, introduced under President Claudia Sheinbaum, aimed to recognise drivers and delivery workers for digital apps as formal employees. These workers gained rights akin to traditional employees, such as bonuses, social security, flexible work schedules, algorithmic transparency, risk insurance and other benefits. However, the amendment misunderstands the gig economy’s structure, leading to significant criticism. With secondary regulations still pending, constitutionality challenges are anticipated.

The amendment entered into force following a 180-day implementation period that concluded on 22 June 2025. A mandatory pilot programme launched on 1 July 2025 is currently ongoing, designed to test the operational and financial viability of the new social security scheme before definitive implementation. During the pilot phase, labour authorities are evaluating compliance mechanisms, contribution calculations, and the impact on both workers and platforms.

Following analysis of pilot data, the Ministry of Labour updated income calculation rules in December 2025, adjusting exclusion factors based on vehicle type to better reflect operating costs. Despite these advances, these amendments face relevant challenges, including concerns from workers and platforms, considering anticipated constitutionality challenges as secondary regulations continue to develop.

Temporary Hosting Services Apps

In response to concerns about gentrification and competition with traditional hospitality, Mexico City Congress amended the Tourism Act in 2024 to regulate temporary hosting service platforms. The statute imposes strict requirements, including mandatory government registries for platforms and hosts, regular data disclosure and caps on listings, such as limiting hosts to three properties or allowing listings for only 50% of the year. Platforms are also held jointly liable for hosts’ obligations. Critics argue that the amendment misclassifies digital hosting services as tourism services and implements anti-competitive measures. Legal challenges are already underway, though other states are considering adopting similar regulations.

As of January 2026, implementation of the regulations remains incomplete. The government registry system is not yet fully in place, and numerous legal challenges have been filed by property owners, delaying enforcement. Meanwhile, other Mexican states, including Oaxaca, Zacatecas and San Luis Potosí, are monitoring the situation and considering similar regulatory frameworks, though implementation timelines remain uncertain given the ongoing legal disputes and practical challenges facing Mexico City's pioneering approach. Looking ahead to the 2026 World Cup, Mexico faces additional challenges for hosting service apps: regulatory uncertainty, legal injunctions blocking enforcement, and an inactive digital registry.

Digital Advertising

Digital advertising remains largely unregulated in Mexico. A 2021 law designed to ensure transparency and prevent unfair practices in advertising services was struck down by the Supreme Court in 2023 for being unconstitutional. Separately, the Consumer Protection Agency (Procuraduría Federal del Consumidor; PROFECO) issued guidelines for influencer and digital content marketing, attempting to establish basic rules and recommendations for these activities. On the other hand, in matters related to sanitary advertising, the Regulations of the General Health Act on Advertising set forth the rules in connection with the advertising of health-related goods, products and services.

In recent years, Mexico’s former competition regulator, the Federal Economic Competition Commission (Comisión Federal de Competencia Económica; COFECE), which was an autonomous body, launched investigations into various aspects of the digital economy, including the markets for digital payment processing, services, advertising and e-commerce. However, these investigations remain inconclusive, and recent changes concerning regulators could further delay any potential resolution. In July 2025, COFECE was replaced by the National Antitrust Commission (Comisión Nacional Antimonopolio; CNA), operating under the Ministry of Economy, consolidating competition law enforcement across all sectors, including telecommunications and broadcasting. In this regard, the Federal Telecommunications Institute (Instituto Federal de Telecomunicaciones; IFT) was replaced by the Telecommunications Commission, overseen by the Digital Transformation and Telecommunications Agency (Agencia de Transformación Digital y Telecomunicaciones; the Agency), as a new Ministry. The IFT previously acted as the antitrust regulator for telecommunications and broadcasting; under the new structure, the Agency was divested of its antitrust powers in the telecommunications sector, which were absorbed by the National Antitrust Commission. Notably, any legal act issued by the Federal Telecommunications Institute prior to the entry into force of this Decree, including those related to the determination of Preponderant Economic Agents in the telecommunications and broadcasting sectors and their asymmetric regulation, shall continue to produce all their legal effects.

Under President Claudia Sheinbaum, there was a significant amendment regarding data privacy legislation. The autonomous privacy regulator – ie, the National Transparency Institute (Instituto Nacional de Transparencia; INAI), merged with the Anti-Corruption Ministry. In addition, the recent establishment of the Agency could have a substantial impact on the industry. The government has announced plans to enact new laws, including a Cybersecurity Law, a Nearshoring Law, and a Digital Simplification Law, as well as initiatives to attract investment in AI, semiconductors, robotics and data centres.

In November 2025, the Federal Tax Code (FTC) was amended to include a prohibition on advertising of services that facilitate fraudulent tax documents, with violations subject to imprisonment, as detailed in 1.3 Digital Economy Taxation.

No content provided in this jurisdiction.

Tax regulations for the digital economy include a corporate income tax (CIT) of 30% for Mexican residents on income from goods and services, alongside a value added tax (VAT) of 16% under the Mexican Value Added Tax Law (MVATL). Non-resident digital service providers must register with the Mexican Tax Authority (Servicio de Administración Tributaria; SAT) under a simplified regime, collect VAT from Mexican users and remit it monthly. These measures aim to ensure equitable taxation in the evolving digital economy.

Companies providing digital services in Mexico, both domestic and foreign, encounter several challenges.

• VAT credit: the MVATL is silent with respect to the possibility of crediting any VAT input for non-resident companies, which are required to register before the SAT for VAT purposes.
• Registration and reporting requirements: non-resident companies must register before the SAT, a process that may be unfamiliar to businesses outside Mexico. The simplified regime for digital services reduces some of the administrative burden but still requires monthly reporting and payment compliance.
• Electronic invoicing: Mexican legislation mandates the issuance of digital invoices (comprobantes fiscal digital por internet; CFDIs) for transactions. Understanding technical specifications and ensuring accurate issuance is a significant challenge for new entrants.
• Ambiguities in cross-border taxation: determining the source of income for CIT purposes under the Mexican Income Tax Law (MITL) can be complex, especially when distinguishing between digital and traditional business models as well as in relation to the application of tax treaties, including multilateral instruments.

In November 2025, the FTC was amended to introduce new obligations on digital platforms to grant tax authorities permanent, online, real-time access to service operation data to verify compliance with fiscal obligations, with a potential “kill-switch” mechanism for non-compliance. The lack of clarity around the limits of the information the SAT may access also raises concerns; this may be clarified once secondary regulation is issued.

Penalties for Non-Compliance

Non-compliance can lead to penalties, including fines and restrictions on the provision of services to Mexican customers. Also, a kill-switch mechanism established in the MVATL was introduced in 2021, and may be imposed against platforms with no permanent establishment that do not comply with, among others:

• the aforementioned obligations regarding interconnectivity;
• the obligation to be registered before the Federal Taxpayers Registry (RFC);
• failure to designate before the SAT, a legal representative and a physical address in Mexico for notification purposes, in order to comply with the taxpayer’s tax obligations; and
• failure to obtain the taxpayer’s e-signature for tax purposes before the SAT.

Mexican tax residents are subject to CIT at a 30% rate on income derived from the provision of services, such as digital advertising. Additionally, they are subject to VAT at the general rate of 16%.

Additionally, digital advertising services may trigger withholding taxes if the revenue is deemed to have a Mexican source. However, it is important to conduct a case-by-case analysis to determine whether a double taxation treaty (DTT) to which Mexico is a party may apply. To ensure compliance with Mexican tax laws, companies should:

• register with the SAT – non-resident providers must comply with the VAT regime for digital services under the MVATL if applicable, which includes timely registration, monthly VAT reporting and payment;
• maintain accurate records – keep detailed records of Mexican transactions and ensure proper documentation for tax compliance;
• issue compliant electronic invoices – adhering to CFDI standards is mandatory for transactions involving Mexican customers; and
• monitor legislative changes – Mexico frequently updates its tax regulations, and staying informed on changes, such as new provisions or enforcement mechanisms, is critical for ongoing compliance

Also, the recent amendments to the FTC extended liability exposure on digital platforms and their “owners” (titulares) for “allowing” the placement of advertisements related to the acquisition or commercialisation of false tax CFDIs. It should be noted that before the amendment, the advertisement for acquisition of false CFDIs was already criminalised; however, the amendment now targets digital platforms specifically and directly as liable subjects. The amendment is unclear on the scope and standards to conclude that a digital platform “allows” for the placement of advertisements of such items.

In Mexico, consumer protection regulation is technology-neutral, applying the same rules to traditional commerce and e-commerce. The Consumer Protection Law (CPL) is broad enough to encompass digital goods and services, and a pending e-commerce NOM aims to establish specific standards and obligations for entities engaging in e-commerce. This NOM will regulate digital assets, services and transactions, requiring minimum consumer protection measures from providers who habitually market or sell goods or services through electronic means.

The CPL, along with the anticipated NOM and other regulations, mandates suppliers to adhere to rules that ensure consumer rights. PROFECO, the consumer protection regulator, has issued binding and non-binding guidelines for various sectors and situations, including online activities. These regulations apply across digital platforms such as social media, websites and apps, particularly for industries like food and beverages, cosmetics, hygiene products, financial services and tourism.

To uphold consumer rights, companies should design their business models and agreements around principles such as fairness, transparency, competition and quality. Conducting legal and compliance due diligence can help identify, mitigate and prevent risks, be they legal, economic or reputational.

PROFECO is authorised to handle consumer complaints, individually or collectively, submitted in various formats including by written, oral, telephone or electronic means provided they meet legal requirements. Agreements ratified by PROFECO are legally binding and enforceable through expedited or executive proceedings. PROFECO also facilitates conciliation services, which can be conducted via phone or other means, with written confirmation required for any commitments. In cases involving minors, conciliation is bypassed to ensure their rights are safeguarded. If conciliation fails, PROFECO encourages arbitration by either its own mediators or an independent arbitrator. Arbitration ensures fairness, legality and equity, and can occur without prior complaints or conciliation. If arbitration is declined, the parties’ legal rights remain unaffected.

For TMT companies, minimising disputes involves implementing transparent and accessible complaint mechanisms, such as written, electronic and telephone channels, in order to prevent these claims from reaching the authorities. These methods should be clearly explained in their terms and conditions (T&C), a frequently asked questions (FAQ) section or specific guidelines provided by the company. Providing structured resolution frameworks, including conciliation and arbitration, fosters trust and fairness. Conflict often arises from poorly designed complaint systems, such as AI-based chats lacking escalation options or failing to address non-standard issues promptly. Proper management of reimbursements and complaints, especially regarding service quality, is essential. Companies should focus on vulnerable groups, like minors, ensuring their rights are protected. Independent arbitration options and adherence to principles of legality and equality bolster a company’s credibility while demonstrating its commitment to consumer protection.

In terms of recent updates, on 12 December 2025, a bill to amend the CPL was published in the Federal Official Gazette to guarantee and regulate the cancellation of subscriptions and memberships (B2C) with recurring charges through electronic transactions. This amendment imposes obligations on providers offering subscriptions and memberships, to inform in a clear, prominent, and accessible way whether the contracted service involves automatic recurring payments, their frequency, amount, and charge date. Although many companies have already implemented these measures properly, non-compliance with any of these new obligations may result in economic fines.

Blockchain is not directly regulated in Mexico but is addressed through the Fintech Law, which governs virtual assets, digital payments, crowdfunding and sandboxes. The Law classifies virtual assets (commonly called cryptocurrencies) as non-legal tender and strictly limits their use by fintech institutions. These assets are confined to internal purposes, must be segregated from client assets and are subject to stringent oversight.

Trading and custody of virtual assets are not activities permitted for fintech institutions in Mexico. For example, Bitso’s IFPE entity, Nvio, manages wallet services in national currency only, avoiding virtual asset handling. Companies like Bitso and Binance operate fiat-to-virtual asset conversions in jurisdictions like Gibraltar, reflecting the cautious stance of Mexican regulators on domestic virtual asset activities.

The Fintech Law narrowly defines “Fintech” according to three regulated categories, each subject to strict compliance standards akin to those for banks and financial institutions. Requirements include rigorous know your customer (KYC) processes for shareholders and administrators, minimum capital thresholds and high technological infrastructure standards. These regulations pose significant challenges for fintech companies looking to operate in Mexico.

In Mexico, cloud and edge computing lack specific regulation and are governed indirectly under existing laws, particularly the FDPL. Article 52 of the Regulations to the FDPL defines cloud computing as the external provision of on-demand services, including infrastructure, platforms or software. Cloud providers, such as data controllers or processors, must comply with specific rules and obligations.

The former INAI, now replaced by the Anti-Corruption Ministry, offered compliance guidance through the “Minimal Suggested Criteria for Hiring Cloud Computing Services Involving Personal Data Processing”. Draft cybersecurity laws under discussion may designate cloud services as critical infrastructure, requiring stricter security standards. Existing regulations like NOM-151-SCT1-2016 address data integrity and conservation.

Confidentiality in cloud services relies on private agreements and industry standards, with trade secrets protected under the Copyright Law. Other copyright provisions may apply depending on data use. General civil, commercial and regulatory laws govern relationships with cloud and edge providers, as no distinct regulations for these technologies exist.

There are some relevant rules specific to the public sector, as set out below.

• State and federal authorities are bound by their own specific Privacy and Data Protection Statute. In March 2025, the Mexican Congress revoked the previous legislation and enacted a new statute.
• The 2018 guidelines and an Official Agreement (Acuerdo) issued in 2021 by the Presidential Office’s Digital Strategy Bureau promote the safe use of technology by the government, including rules for data centres and cloud services.
• The recently created Intersecretarial Commission of Information Technologies is expected to issue regulations on cloud and edge computing.
• Some agencies and states have provided guidelines and regulations for the acquisition and safe use of technology, particularly for law enforcement agencies.
• NMX-I-27018-NYCE-2021, which is non-binding, provides rules for the protection of personal data located in public cloud services.

The banking and finance sectors in Mexico lack specific regulations for cloud services, operating under the general rules outlined in existing regulations (circulares). These regulations govern information technology service acquisitions, including of cloud services, and address cybersecurity and risk management. Depending on the nature of the service and the provider’s access or administrative privileges, contracting cloud services may require notification or authorisation from financial regulators.

The regulation of AI in Mexico is still in its early stages. Although Congress has yet to pass comprehensive AI legislation, over 100 Bills have been presented, very few are under discussion, and a special commission has been established to address the topic. These proposals primarily focus on criminal issues, with some addressing privacy, IP and the governance of AI. The National AI Alliance (Alianza Nacional Inteligencia Artificial; ANIA), an advisory body to the Senate, has introduced a six-year roadmap for AI regulation, emphasising topics such as authorship, liability, risks of use, damages, prohibited applications and the governance of all ecosystem participants, including developers, implementers and users. Liability is a particularly contentious issue given Mexico’s lack of intermediary liability safe harbours outside of the USMCA and copyright laws. Additionally, the use of AI by government entities, whether as developers or consumers, is a central focus.

At the state level, targeted AI regulatory initiatives are emerging, particularly in Mexico City and Jalisco, reflecting a growing awareness of AI’s challenges. However, these efforts remain limited in scope and resources. While Mexico lacks dedicated AI regulations, existing laws on privacy, IP and civil and criminal matters provide partial frameworks for AI-related issues. Nonetheless, these laws leave significant gaps and require reinterpretation to address the unique complexities of AI, underscoring the need for comprehensive legislation.

In the realm of IP, Mexican law explicitly limits patent protections to human creations. AI cannot be recognised as an inventor, and literary, artistic or software-related works are excluded from patent protection. This restriction highlights the broader challenges of adapting existing legal frameworks to the evolving realities of AI innovation and use. Comprehensive legislation is necessary to provide clarity, close regulatory gaps and promote the responsible development and application of AI in Mexico.

Deepfakes

Deepfakes are partially regulated in Mexico, primarily through existing privacy and copyright laws. Likeness, image and voice are protected as personal data under privacy laws, requiring the data owner’s consent for use. These elements are also safeguarded by the right to self-image, which requires authorisation for their use. Mexico City has a specific law for protecting individuals’ images, with limited exceptions. Additionally, laws addressing violence against women and the criminal codes prohibit impersonation and related acts, potentially categorising certain deepfake misuses as digital violence or privacy infringement. However, criminal law in Mexico requires precise application, leaving some cases in legal grey areas. For example, a recent case involving AI-generated pornographic impersonation resulted in acquittal due to insufficient authorship evidence. Concerns about financial fraud, health risks and electoral manipulation are growing, making deepfake regulation a likely legislative priority given Mexico’s high levels of fraud and deception. The broader absence of AI-specific regulations complicates determining rights and responsibilities for AI-generated works, underscoring the need for comprehensive legislation.

Self-Driven Cars and Drones

Self-driven vehicles remain unregulated in Mexico. While some legislative groundwork has been attempted, general transportation and vehicle regulations, along with civil liability and tort laws, currently apply. However, issues specific to autonomous vehicles, such as safety standards, testing protocols, infrastructure requirements and privacy concerns, lack dedicated regulation.

Drones, by contrast, are subject to specific regulations under the Civil Aviation Law and NOM-107–SCT3-2019. This standard categorises remotely piloted aircraft systems (RPAS) based on their maximum take-off weight (MTOW), with heavier drones requiring registration. Restrictions apply to certain areas, including airports, military zones and populated areas. Operational limits also regulate height, speed, night flights, meteorological conditions and proximity to people. Insurance and safety measures are mandated to ensure responsible use.

Internet of Things (IoT)

Mexico does not have specific IoT legislation, but various laws address related aspects. Privacy laws regulate IoT devices that collect personal data, including metadata such as browsing history, geolocation and digital behaviour, when linked to identifiable individuals. Consumer protection laws cover product safety, warranties and transparency about IoT device functionality. Copyright law protects software embedded in IoT devices and confidential trade secrets. The Federal Telecommunications Law governs network security, service quality and connectivity, which are essential for IoT functionality.

The Constitution, along with criminal and national security laws, broadly protects communication secrecy. However, the absence of a dedicated Cybersecurity Law leaves gaps in regulating IoT-specific vulnerabilities. While current cybersecurity legislative drafts do not explicitly address IoT, future statutes are expected to cover these technologies, especially as they relate to critical infrastructure and national security.

Mexico has implemented several soft regulations through the Economy Ministry’s normalisation body, Normalización y Certificación Electrónica (NYCE), to address security and operational aspects of IoT environments. NMX-I-1362-NYCE-2021 establishes a simple encryption procedure to enhance data transmission security for IoT systems. Other relevant standards include NMX-I-4903-NYCE-2021 for smart and sustainable cities, NMX-I-20000-NYCE-2021 and NMX-I-2000-1-NYCE-2019 for service management systems, NMX-I-22301-NYCE-2021 for communication interruptions recovery and NMX-I-22316-NYCE-2021 for recovery capability resilience.

The IFT, now replaced by the new Telecommunications Commission (CRT), has also issued various regulations that align with international standards like the National Institute of Standards and Technology (NIST) and the International Organization for Standardization (ISO). One example is the Guidelines for the Standardization of Products, Equipment, Devices, or Apparatus for Telecommunications or Broadcasting (June 2022), which requires Homologation Certificates for devices. These certificates standardise connectivity, installation, operation and use, ensuring compliance with mandatory technical standards.

Internationally, the Budapest Convention on Cybercrime and the recent United Nations Convention against Cybercrime, which has not been ratified in Mexico, addresses computer-related crimes.

The absence of a comprehensive legal framework for IoT in Mexico creates significant uncertainty for companies deploying IoT solutions. Compliance challenges arise from navigating overlapping, evolving laws that do not account for IoT’s unique characteristics. This gap underscores the need for dedicated legislation to provide clarity and support responsible IoT deployment in the country.

Privacy

IoT devices often collect vast amounts of data, some of which may be considered personal data (eg, location, usage patterns, biometric data). Companies must ensure they:

• provide clear and comprehensive privacy notices to users;
• collect explicit consent for data collection and processing;
• implement robust security measures;
• collect only the minimum necessary data for specific, legitimate purposes, as IoT devices tend to collect data that may not be necessary, posing a compliance risk; and
• effectively anonymise or pseudonymise data to reduce privacy risks, which can be technically challenging in IoT environments due to the interconnected nature of devices and data flows.

Cybersecurity

Companies must provide device security; securing IoT devices is paramount. Many devices have limited processing power and memory, making it difficult to implement strong security measures. Companies need to address vulnerabilities such as default passwords, lack of firmware updates, insecure communications protocols and physical tampering.

Concerning network security, companies need to implement measures to prevent unauthorised access, data breaches and denial-of-service attacks. Concerning data security, protecting data in transit and at rest is essential. This includes using encryption, access controls and data loss prevention measures. Finally, concerning incident response, having a plan to respond to security incidents and data breaches is crucial, including providing proper notification to users and regulators.

Consumer Protection

Concerning product safety, companies must comply with safety standards and regulations to prevent harm to users. Concerning transparency and information, companies must provide clear and accurate information to consumers about the functionalities of IoT devices, data collection practices and potential risks. Finally, determining liability for accidents or damages caused by IoT devices can be complex. Companies need to consider product liability, negligence and other legal issues.

Interoperability and Standardisation

Companies must comply with national and international interoperability and standardisation regulations to avoid interoperability and safety issues. Proper risk assessments are crucial for IoT companies, encompassing compliance with general and sector-specific regulations, best practices and a thorough evaluation of their supply chains, components and products.

Domestic and international transfers of personal data in Mexico require the data owner’s informed consent. The privacy notice of the IoT company must specify the transferees (or their category) and the purpose of the transfer. Additionally, the IoT company must provide the transferee with its privacy notice to ensure they process and transfer data only for the consented purposes.

The Privacy Law applies uniformly to all companies handling personal data, including IoT companies, with exceptions for transfers within the same corporate group. In such cases, consent is not required but must be disclosed, and binding internal rules for data protection must be in place.

Sensitive personal data, including financial, patrimonial and biometric data, is subject to stricter regulations under the Privacy Law. This includes express and written consent, restricted databasing and doubled administrative liabilities. However, no additional requirements specifically govern the transfer of sensitive data beyond these general provisions.

In telecommunications and broadcasting, a licence is mandatory for providing public services. These licences, issued under the Federal Telecommunications and Broadcasting Law (FTBL), are granted for up to 30 years and may be renewed. Free-to-air TV, broadcast radio and other services requiring spectrum frequencies must either lease the spectrum from licensed holders or acquire their own spectrum licences, which are auctioned and are subject to annual fees. Satellite telecommunications services necessitate a separate orbital slot concession, granted based on international treaty availability and public tender proceedings.

Conversely, online audio-visual platforms and over-the-top services (OTTs), such as video-sharing platforms, streaming services and platforms featuring user-generated content (UGC), are not classified as telecommunications or broadcasting services. Consequently, they do not require licences to operate in Mexico.

To obtain a telecommunications or broadcasting licence, applicants must file with the CRT, submitting technical plans and documents proving their administrative, legal and economic capacity to provide the proposed services. The CRT has 60 calendar days to evaluate the application, request additional information if needed and, upon satisfaction of all requirements, grant the licence. This process underscores the structured regulatory approach for traditional media while exempting emerging digital platforms from similar obligations.

To obtain a telecommunications or broadcasting licence in Mexico, applicants pay approximately USD1,200. Spectrum licences, granted through public tenders for commercial services, require an upfront payment and annual royalties. These licences last up to 20 years and can be renewed for equal terms. The CRT evaluates applications based on economic proposals, service coverage, quality, innovation, affordability, prevention of market concentration and promotion of competition.

TV, Fixed and Wireless Broadband, Voice and Satellite Communications

OTT platforms, such as streaming and messaging services, are excluded from these regulations. While owning or commercialising telecommunications infrastructure like towers, antennas or fibre optics does not require a licence, only licensed carriers may provide services using such infrastructure. Infrastructure use is regulated as part of the telecommunications network.

The former IFT, responsible for enforcing telecommunications and broadcasting regulations, was dissolved and replaced by the Telecommunications Commission within the Agency. Its competition and asymmetrical regulation functions will be transferred to a new competition and markets authority, while some responsibilities may revert to the Ministry of Communications and Transportation.

Other cases where authorisation from the regulator is required include:

• incorporating and operating, or exploiting, a telecommunications service provider without licensee status (resale of services);
• installing, operating or exploiting earth stations to transmit satellite signals;
• installing telecommunications equipment that crosses national borders;
• exploiting the rights of emission and reception of signals and frequency bands associated with foreign satellite systems that cover and can provide services within Mexico (landing rights); and
• temporarily using spectrum bands for diplomatic visits.

The regulator may grant an exempt from authorisation for earth stations that meet established standards and do not interfere with other telecommunications systems. These authorisations are valid for up to ten years and can be renewed for equal terms. Applications must be resolved within 30 business days, and if no decision is issued within this period, the authorisation is considered granted.

The FTBL enshrines net neutrality principles, requiring internet service providers (ISPs) to ensure users can freely access legal online content, applications and services without discrimination, restriction or limitation. Exceptions include national emergencies, public safety and preventing network damage. ISPs must inform users of any limits or restrictions and are permitted to manage network traffic, provided such management is reasonable and non-discriminatory.

In 2021, the former IFT issued guidelines on traffic management and internet administration to clarify net neutrality principles. These guidelines address traffic management, ISP services, reducing the digital divide, transparency and regulator monitoring. However, the guidelines are criticised for their weaknesses, including ineffective enforcement against practices like paid prioritisation and insufficient transparency regarding network traffic management. While ISPs must publish a Traffic Management and Network Administration Policy, issues regarding compliance and clarity remain.

Mexico’s approach to emerging technologies is inconsistent. Often, regulators and lawmakers adopt a “wait and see” approach, especially in areas like AI and self-driven vehicles. Proper study and engagement with stakeholders, including experts, academics and industry representatives, alongside comparative reviews of international frameworks, could lead to more effective regulation.

In other cases, such as the Fintech Law, Mexico has acted quickly, becoming a global pioneer in regulating financial technology. These swift actions are often driven by pressure from interest groups or political and media attention following high-profile events. However, rapid regulatory responses sometimes fail to account for the nuances of emerging technologies, as seen in recent laws addressing mobility and delivery app workers or temporary service apps, which misunderstand key differences between these technologies and their traditional counterparts.

Mexico currently lacks a centralised and coherent strategy for addressing emerging technologies or fostering technological innovation. However, the creation of a Technology and Innovation Secretariat under the new government signals potential changes. Several regulations related to TMT have been identified as government priorities.

For companies incorporating TMT features or operating in the TMT sector, proper legal due diligence and compliance programmes are essential. Navigating grey areas of regulation presents varying levels of comfort dependent on the company’s risk tolerance. High-reward emerging technologies inherently carry regulatory risks that must be addressed proactively.

One significant challenge in the technology sector is the lack of contract standardisation, which complicates negotiations. While some sectors have achieved limited standardisation, this remains the exception. The complexity of these agreements can create challenges during litigation, particularly given the recent judiciary amendment in Mexico. Judges may struggle to interpret the technical aspects of technology agreements accurately, often prompting parties to seek arbitration instead. Arbitration provides decision-makers with specialised technical knowledge that is often lacking in the judiciary.

Conversely, some technology contracts are insufficiently technical, leading to ambiguity and broad interpretation by parties or judges. Custom definitions and clauses, often necessary due to the lack of specific regulation, require lawyers with a deep understanding of the technology to tailor agreements properly. Missteps in this process can result in poorly aligned contracts that fail to address the needs of the transaction.

Technology agreements must account for key regulatory and legal elements, including IP rights, data protection and privacy regulations, confidentiality and trade secrets, consumer protection laws (if applicable), and general civil and commercial law. Upcoming cybersecurity regulations are also likely to impact such agreements. Highly regulated industries, such as banking, insurance, finance and healthcare, face stricter requirements for technology acquisitions due to their sensitivity to technological risks. Similarly, technology agreements with government entities are subject to stringent regulations, including those related to procurement, national security and public sector standards.

While most agreements are open for discussion between the parties, there are some elements that must be accounted for, such as

• copyright and IP rights;
• privacy and personal data protection regulations;
• confidentiality and trade secrets;
• consumer protection laws, if applicable;
• standard commercial and civil law requirements; and, ideally
• cybersecurity regulations.

Service agreements in Mexico primarily focus on the relationship between service providers and their customers, while interconnection agreements regulate the establishment of network connections between telecommunications operators, ensuring interoperability. Both types of agreements play critical roles in the telecommunications ecosystem.

Telecommunications operators are obligated to interconnect their networks with those of other licensed operators upon request. In this regard, operators providing mobile services must enter into interconnection agreements that define the T&C of such interconnection. Elements of interconnection agreements include (i) network access and interoperability; (ii) terms of access and traffic exchange; (iii) pricing and payment terms; and (iv) quality service. These agreements must be registered with the CRT.

Telecommunications operators are free to determine their pricing; however, this does not apply to the preponderant carrier, whose rates are established and published by the CRT.

In the event of a disagreement between the licensees, the CRT is responsible for resolving any outstanding terms or conditions related to the interconnection service requested by the user. On 22 October 2024, the former IFT published the minimum technical conditions for licensees and outlined the methodology for calculating interconnection rates, which will be used to resolve any interconnection disputes.

Mexico’s legal framework for trust services, electronic signatures and digital identity is less comprehensive than the EU’s electronic identification, authentication, and trust services (eIDAS) regulation. The Mexican Commercial Code, the basis for electronic commerce, recognises electronic signatures as equivalent to handwritten ones under certain conditions. It distinguishes three types – simple electronic signature, advanced or reliable electronic signature and certified advanced electronic signature, defined as follows.

• Simple electronic signature: consists of electronic data linked or associated with a message, serving to identify the signatory and demonstrate their approval of the message’s content. This signature has the same legal validity as a handwritten signature and is acceptable as evidence in court.
• Advanced or reliable electronic signature: not only identifies the signatory and shows their approval of the message but also meets additional requirements such as being unique to the signatory and under their exclusive control at the time of signing, allowing the detection of any changes to the signature after signing and ensuring that any alteration to the message’s content can be detected after the signature.
• Certified signature (now called eSignature): a signature that has been verified and certified by a certification service provider accredited by the Secretary of Economy. These signatures meet the same requirements as uncertified signatures, but with the added assurance of having been validated by a certification service provider.

The 2012 Advanced Electronic Signature Law regulates the legal effects of advanced and certified electronic signatures, granting electronic documents and data messages the same probative value as traditional ones. This is particularly relevant in the fiscal sector, enabling tools like the tax mailbox for declarations, appeals and official notices. These documents hold full evidentiary value under fiscal laws.

The Federal Code of Civil Procedures and Commercial Code also validate electronically generated information as evidence, provided the method of generation, communication or storage is reliable. NOM-151-SCFI-2016 mandates standards for preserving data messages, ensuring the integrity, authenticity and availability of electronic records over time. Additionally, the Consumer Protection Law allows electronic signatures for eCommerce, provided minimum standards are met.

While judicial precedents affirm electronic signature validity, their susceptibility to alteration poses challenges. In disputes, the signatory must prove reliability and authenticity, which often requires technological evidence. For critical agreements, using signatures with the highest probative value is advisable. However, these challenges have slowed adoption.

The USMCA (Article 19.6) mandates that electronic signatures cannot be denied legal validity solely because they are electronic. It prohibits measures limiting authentication methods or compliance demonstrations in disputes and encourages interoperable electronic authentication across parties. Specific transactions may require certifications or performance standards.

Digital Identity Schemes

Mexico is gradually implementing a national digital identity scheme, with the Unique Population Registry Code (Clave Única de Registro de Población; CURP) serving as a cornerstone of its ecosystem.

The CURP has been implemented for many years to identify individuals through a unique 18-digit code. However, the General Population Law was amended in July 2025 to mandate the incorporation of biometric elements such as fingerprints and a photograph into the CURP, to become the mandatory national identification document, universally accepted and mandatory throughout the national territory, and will be available in physical and digital format.

Such law also sets forth that the CURP shall be used in the processes of validation and authentication of the identity of persons in digital media, and that any public or private entity must request the CURP for the provision of its procedures and services. The law does not address the treatment of foreign entities that provide services from abroad to users located in Mexico, and it also lacks clarity regarding which provision of procedures and services require obtaining the user/consumer CURP, or in which cases private entities must obtain the CURP to validate and authenticate user/consumer identity. This ambiguity should be clarified when secondary regulations are issued.

The regulation of gaming in Mexico is complex and fragmented. While gambling has a long regulatory history, modern video games, particularly those with online elements, are not explicitly addressed.

Key Laws and Regulations

The 1947 Federal Gaming and Sweepstakes Law prohibits games of chance, except for authorised activities like lotteries, casinos and sports betting, which require a Secretary of the Interior (Secretaría de Gobernación; SEGOB) licence. Only permitted games can be advertised. The law primarily focuses on traditional gambling, offering little guidance for modern gaming.

The 2004 Regulations of the Federal Gaming and Sweepstakes Law provide additional rules for authorised gambling but do not address digital or video game-related activities.

Consumer protection laws may ensure transparency and prevent deceptive practices in gaming, particularly regarding in-game purchases and loot boxes.

Recently, the Congress enacted a new tax for “violent video games”, but the Executive requested it be annulled, due ambiguity in the law and ambiguity concerning enforcement.

In-Game Purchases, Loot Boxes and Gambling Elements

Mexico has no specific regulations for in-game purchases or loot boxes. Gambling laws apply only to games of chance, not skill-based games. If a game with loot boxes is deemed predominantly chance-based, it may fall under the Federal Gaming and Sweepstakes Law, requiring SEGOB authorisation.

Online Gambling Regulation

Land-based casinos can obtain licences for online gambling, but there is no framework for standalone online operators, creating a regulatory grey area.

Age Ratings and Content Restrictions

Mexico has mandatory age rating regulations, issued by SEGOB in 2020 and based on the Law on Children and Adolescents. These ratings aim to protect minors from inappropriate content and roughly align with the Entertainment Software Rating Board (ESRB) system in the USA. The ratings use categories A (E), B (E 10+), B15 (T), C (M) and D (Ao), and include required warnings, content descriptions and interactive element disclosures for parental controls. The regulation mandates disclosure of in-game purchases, loot boxes, UGC, shared geolocation and similar interactive features before purchase.

Industry Codes of Conduct and Best Practices

Mexico lacks specific industry codes of conduct for the gaming sector. Developers and publishers often follow international best practices related to development, marketing and player protection.

eSports Regulation

eSports in Mexico remain unregulated, operating in a legal grey area. While existing laws on sports, contracts, IP and consumer protection may apply, there is no clear framework. In 2019, the National Commission of Physical Culture and Sports (Comisión Nacional de Cultura Física y Deporte; CONADE) recognised the Mexican Federation of eSports (Federación Mexicana de Esports; FEMES) as a national sports federation, legitimising esports as a sport. However, challenges persist regarding the regulation of tournaments, leagues, integrity, match-fixing and player contracts.

Gaming in Mexico is not comprehensively regulated. SEGOB oversees games of chance and age ratings for video games, putting economic sanctions in place. Enforcement, however, is inconsistent, particularly for internet-based games and those purchased via digital platforms like Steam, Google Play Store or Apple Store. SEGOB primarily focuses on physical and online casinos, leaving general gaming outside its purview unless gambling becomes an issue.

For example, if eSports betting involves games of chance, it could fall under the Federal Gaming and Sweepstakes Law, requiring SEGOB authorisation. This scrutiny would increase if minors participate, potentially drawing SEGOB’s attention. Despite ongoing discussions, no significant amendments have been implemented to address broader gaming regulation.

In Mexico, software, including apps, video games and other virtual technologies, is protected under copyright as a literary work under the Federal Author’s Rights Law (LFDA). This protection covers both source code and object code, granting creators exclusive rights to use, distribute and modify their software unless otherwise agreed. However, software is explicitly excluded from patentability under the Industrial Property Act (LFPPI). Game developers can protect IP through trade mark and copyright registration, though registration is not mandatory. Registering copyrighted works grants pre-emptive rights, shifting the burden of proof to the challenger. Developers must also secure authorisation for image rights, as the LFDA requires express consent for the use of a person’s likeness. Image rights last for 50 years after the person’s death.

The LFDA also protects creators’ rights in virtual environments, covering digital works, software, non-fungible tokens (NFTs) and virtual assets that meet originality and fixation criteria. It grants economic rights (reproduction, distribution, adaptation) and moral rights (attribution, integrity). Creators should carefully navigate platform terms, licensing agreements and international protections to maintain control over their IP.

Additional IP protections in Mexico include trade marks, domain names and reservations of rights, such as for fictional characters. These rights, akin to trade marks, last five years if renewed. Licensing agreements are critical for monetising trade marks, software and virtual goods.

The rise of NFTs introduces new copyright challenges. Ownership of an NFT does not transfer rights to the underlying content unless specified in licensing agreements. Clear contracts are essential to define rights over reproduction, distribution and adaptation. Licensing models, such as open-source or proprietary licences, govern usage, modifications and redistribution.

Platforms hosting digital art, software and virtual goods can be held accountable for user-posted infringing content unless they promptly remove it upon notification. As digital technologies evolve, Mexico’s legal framework must adapt to address emerging issues in virtual environments and digital assets.

In August 2025, the Mexican Supreme Court issued a ruling that works exclusively created by AI cannot be registered for copyright protection in Mexico.

Trade Mark Law: Applicability to Digital Goods and Services

Trade Mark laws in Mexico, governed by the LFPPI, apply to virtual goods and services in much the same way they do to physical goods and services, with some additional considerations for the digital realm. Protection extends to virtual assets such as in-game items, NFTs, and digital services and can also apply to virtual services, such as brand experiences in the metaverse, online gaming, or virtual event hosting, allowing creators and businesses to protect their brands and prevent infringement. The Nice Classification system is used to categorise goods and services for trade mark purposes. Virtual goods (like in-game items, NFTs, or digital products) would likely fall under classes for goods related to software, electronics, or entertainment, while virtual services could fall under services like entertainment, education, or technology-related services. Enforcement is supported by digital platforms and online mechanisms, which help in combating counterfeiting and unauthorised use. As virtual worlds like the metaverse continue to grow, trade mark law will play an increasingly important role in securing brands’ rights in these new digital spaces.

User-Generated Content and Intellectual Property

UGC raises complex issues of IP ownership. Platforms hosting UGC, such as social media platforms, video-sharing sites and virtual worlds, typically operate under licensing models defined in their terms of service (ToS). These agreements often grant platforms rights to use, distribute or modify uploaded content, while users retain underlying copyright. In some cases, users may assign or licence additional rights to platforms, such as the ability to display, share or monetise their content. For paid or contracted creators (eg, influencers or freelance artists), platforms or employers may claim ownership of UGC under work-for-hire provisions or contractual agreements, transferring IP rights to the commissioning entity.

Platforms hosting UGC face liability for infringing content unless they comply with safe harbour provisions. Mexico’s copyright laws, aligned with USMCA standards, include mechanisms similar to the Digital Millennium Copyright Act (DMCA). These allow copyright owners to notify platforms of infringement, requiring platforms to remove or disable access to unauthorised content. Such processes are essential for balancing IP protection and platform responsibilities.

The interplay between UGC and IP rights in Mexico involves ownership, licensing, moral rights and infringement risks. While users retain copyright, they often grant platforms significant rights, potentially limiting their control over their creations. Unauthorised use of third-party materials adds further complexity, requiring careful adherence to licensing agreements, fair use standards and protection of moral rights. Both creators and platforms must navigate these issues to ensure proper management and compliance in the UGC ecosystem.

Mexico does not have a single, comprehensive law specifically regulating social media. Instead, various existing laws and regulations touch upon different aspects of online activity, including social media use. This creates a fragmented legal landscape. Some attempts have been made in the past to enact an overall general law, but they have all failed at Congress.

In summary, the laws and regulations that apply are:

• privacy laws, which provide rules for users’ data collection, data processing, informed consent, data transfers and data rights, where the backbone of social media is user data;
• the LFDA, which protects IP rights, including copyrighted content on social media – it governs copyright infringement, fair use and takedown requests, which are particularly relevant to UGC;
• the Consumer Protection Law, which ensures consumers are protected from misleading advertising and unfair practices and applies to social media marketing and advertising – it also regulates content monetisation by influencers, supplemented by specific guidelines;
• the Mexican Standard (NMX) on e-commerce, which is likely to become a NOM and applies to social media platforms facilitating e-commerce activities, such as the sale of goods or services;
• the FTBL, which primarily focuses on telecommunications but indirectly affects social media by regulating ISPs and ensuring network neutrality;
• federal and local penal codes – these address cybercrimes like hacking, identity theft and online harassment, which frequently occur on social media;
• federal and local civil codes, which regulate defamation, libel and general liability issues arising from online speech and interactions on social media;
• USMCA Chapter 19 – although not yet a domestic law, this Chapter provides intermediary liability safe harbours for UGC, offering some protection for social media platforms;
• in the near future, a cybersecurity law – depending on what the future law provides, social media would be differently impacted;
• electoral law, which is relevant to organic and paid electoral content; and
• goods and health regulations – these are relevant to organic and paid health-related content, including the advertising and promotion of regulated goods and services such as food, drinks, pharmaceuticals and drugs, weapons and financial services, among other things.

In addition to the foregoing regulations, there are some key challenges for social media and intermediary service providers in Mexico.

• Free speech: despite strong case law before the Supreme Court, complex content such as electoral content and hate content (including political gender violence), among other types of content, can lead to media pressure and defamation and libel actions that challenge the legality of the content and seek to establish who is liable.
• Intermediary liability and UGC: there is a very important case related to free speech pending before the Supreme Court, in which Google was initially sanctioned with a USD250 million fine due to UGC being considered defamatory towards a user. In a more recent privacy case, the Supreme Court clarified that content intermediaries cannot be held liable for UGC. The Mexican Supreme Court affirmed the safe harbour for intermediaries (specifically internet search providers) by limiting their liability for unlawful content. However, it is also important to mention that, in the same judgment, the court recognised that intermediaries may act as data processors.

• Copyright and UGC: for copyright, a specific law provides a notice and take down intermediary liability system.
• Profiling and targeting via algorithms: the use of algorithms for profiling and targeted advertising raises concerns about privacy and potential discrimination.
• Data monetisation: the monetisation of user data by social media platforms is a complex issue.

• Misinformation, disinformation and fraud: the spread of misinformation and disinformation on social media is a growing concern, with potential implications for public health, elections and social stability. This was seen particularly during the recent elections, and social media is also being used to commit fraud and other crimes, as well as for organised crime recruitment purposes.
• Online harassment and cyberbullying: addressing online harassment, cyberbullying and hate speech on social media platforms is a significant challenge. Several laws and regulations have already been created to combat these problems.
• Jurisdiction: determining jurisdiction in legal disputes involving social media can be challenging, especially when users and platforms are located in different countries. Several cases attest to the complexity of this issue.

• Account security: protecting user accounts from unauthorised access and cyberattacks is a major challenge. The number of accounts that have been hacked on most popular social media platforms has become alarming.
• Minors: protecting minors and their rights is a sensitive topic, largely because most social media platforms allow access for the +13 age group even though the age of majority is 18. There are no specific Mexican laws that directly impose age verification requirements on social media platforms. Existing laws regarding child protection could be applied in cases of harm to minors.
• New products and features: most social media platforms are constantly developing products and features, and Mexico has been a beta testing ground due its geographical, demographic, geopolitical and economic relevance.
• Content moderation and safety: managing harmful or inappropriate content through human or AI intervention remains a significant challenge for social media platforms.

Regulatory oversight for digital content in Mexico depends on the specific law or issue involved, with enforcement typically falling to agencies such as:

• PROFECO (consumer protection);
• the Anti-Corruption Ministry (privacy);
• the National Antitrust Commission (antitrust);
• the Mexican Institute of Industrial Property (Instituto Mexicano de la Propiedad Industrial; IMPI) (IP and copyright);
• the National Electoral Institute (Instituto Nacional Electoral; INE) (electoral matters);
• the Federal Commission for the Protection against Sanitary Risk (La Comisión Federal para la Protección Contra Riesgos Sanitarios; COFEPRIS) (human health); and
• SEGOB.

Law enforcement and judicial authorities also play a role in certain cases.

These regulators actively monitor and enforce compliance regarding digital content on social media. To facilitate enforcement, many platforms have established co-operation channels for handling regulatory requests to remove infringing or unlawful content. For example, during the recent Mexican elections, INE requested social media platforms to remove hundreds of thousands of posts violating electoral laws. Similarly, other regulators, such as COFEPRIS, issue takedown requests according to their regulatory scope.

Mexico lacks a sector-specific data privacy legislation for telecommunications providers. Instead, telecommunications companies are subject to the FDPL, which establishes obligations in general for data controllers and data processors. Additionally, the FTBL, issued in July 2025 (though the relevant provisions are mainly identical to the previous law), contains certain provisions related to data retention requirements for telecoms operators. As mentioned in 1.1 Legal Framework, the regulatory authority for telecommunications matters is the Agency, whilst the Anti-Corruption Ministry oversees data privacy compliance.

Also, Article 19.8 of the USMCA establishes a legal framework concerning the protection of personal information of users of digital trade, taking into account principles and guidelines of relevant international bodies, such as the APEC Privacy Framework and the OECD Guidelines, as valid mechanisms to facilitate cross-border information transfers. The USMCA is currently under renegotiation, and it is estimated that the Global CBPR (Cross-Border Privacy Rules) Forum might be the new standard for data protection frameworks and cross-border transfers.

Telecommunications companies in Mexico face challenges in managing customer data privacy under the FDPL. Obtaining consent from data subjects is complex due to the digital environment, high customer volumes and the nature of diverse data processing activities. Providers must balance FDPL compliance with consent management across multiple purposes (eg, service provision, marketing, and third-party data sharing) whilst adhering to data minimisation principles. Additionally, managing data subject rights requests at scale, particularly access and deletion rights, presents operational challenges due to the data retention obligations under the FTBL.

Mexico does not impose data localisation requirements. Article 19.12 of the USMCA prohibits requiring computing facilities in Mexican territory as a condition for conducting business, whilst Article 19.11 prohibits restricting cross-border data transfers for business purposes (applicable to treaty members).

Under the FDPL, cross-border transfers must be disclosed in privacy notices, including transfer purposes. Consent is not always required; transfers may proceed without it when expressly authorised by law or international treaty, conducted within the same corporate group under common control with aligned internal policies, or necessary to fulfil a contract in the data subject’s interest. Operators implement a combination of legal, technical, and contractual measures, including data processing agreements, mapping data flows and equivalent safeguards to manage these transfers in compliance with the law.

Data provision and surveillance obligations for telecommunications companies are imposed by the FTBL. This Law requires telecoms and other content and app service providers to comply with legal mandates from competent authorities as required by law. They must collaborate with law enforcement authorities for real-time geographic location and maintain detailed communication and metadata records for 24 months, implementing technical measures to guarantee data conservation, protection against unauthorised access, manipulation or destruction. Under the Mexican Constitution, private communications remain inviolable unless a federal judicial authority authorises interception.

However, the Mexican Congress has recently amended existing laws and issued new ones requiring private entities, including telecoms operators, to interconnect their databases, in some scenarios in real time, with a centralised government system, for purposes such as prosecuting crimes, identifying missing persons or even auditing tax compliance.

Additionally, the Federal Tax Code requires telecoms and digital services providers to grant tax authorities permanent, real-time access to user information strictly for the purposes of tax compliance and enforcement. 

Vendor obligations depend on their classification as either data processors or third parties, a distinction that significantly impacts compliance requirements. Processors must operate under written data processing agreements and process data only as instructed and under the original privacy notice; transfers to processors require no consent or prior notice. In contrast, transfers to third parties trigger independent obligations, requiring data subject notification and consent for transfers.

For cloud service providers, controllers must ensure providers maintain FDPL-aligned data protection policies, ensure subcontracting transparency, refrain from claiming data ownership, and maintain confidentiality.

Evolving data privacy regulations directly impact telecoms infrastructure and innovation. Compliance with the FDPL’s security requirements and the FTBL’s 24-month data retention obligations necessitates significant investment in secure storage infrastructure and access controls. The recent Congressional mandates requiring real-time database interconnection with government systems impose additional technical and operational burdens, requiring telecoms operators to redesign data architectures whilst maintaining privacy safeguards.

These requirements can constrain innovation, particularly for new services involving personal data processing. However, robust compliance frameworks also create competitive advantages, enabling operators to differentiate on privacy and build customer trust ‒ an increasingly important factor as Mexican consumers become more privacy-conscious. Future sector-specific regulations from the Anti-Corruption Ministry or the Agency may further reshape infrastructure requirements and service development strategies.

Digital media and streaming providers in Mexico face significant challenges under the 2025 PDPL. The expanded definition of “personal data” now includes any information related to an identifiable person, broadening compliance scope for platforms processing viewing habits, preferences, and behavioural data. Consent requirements have been tightened ‒ providers can no longer process data for “analogous purposes” without obtaining fresh consent, impacting content recommendation algorithms and targeted advertising.

The current legal framework does not explicitly address cybersecurity in a dedicated manner but outlines general principles and obligations requiring organisations to implement security practices, which implicitly include cybersecurity measures as part of broader data protection strategies. The regulations do not provide clear or specific guidelines on what constitutes “technical security measures” nor articulate concrete cybersecurity obligations, creating challenges in ensuring comprehensive compliance and uniformity in practices across different sectors. The criminal code also includes a series of cybercrimes, but with limited enforceability. Mexico has not ratified any cybercrime conventions, including the Budapest Cybercrime Convention or the recent United Nations Convention against Cybercrime.

Mexico has been discussing different cybersecurity bills in recent years, but none have been enacted yet. Mexico’s main challenge in protecting critical infrastructure and user data is the lack of a cybersecurity landscape. The Mexican government has indicated that cybersecurity is one of its core priorities and intends to regulate it soon. At the same time, the Mexican Congress has created special commissions to draft, discuss and approve a cybersecurity law. Most of the prior drafts have mainly focused on the public sector and critical infrastructure, with limited obligations and regulation for the private sector unrelated to these areas.

Therefore, until a new Cybersecurity Law is enacted, the FDPL is the closest regulation. The FDPL provides some requirements for data breach notifications to be sent to affected data subjects, but not to the regulator. Some sectors, such as banking and finance, include tightened and more specific regulations. Operationally, streaming platforms must implement robust security measures to protect user data against unauthorised access, due the legal, economic and reputational risks associated with it.

The LFPDPPP introduces explicit regulation of automated decision-making and AI systems, which is important for streaming platforms using algorithms for content curation, personalisation, and user profiling. It requires mandatory notice when algorithms make decisions affecting individuals and granting users objection rights for automated processing producing undesired effects.

Additionally, transportation and delivery digital apps were recently required, in a significant amendment to the Federal Labour Law, to issue algorithmic transparency policies that explain how their algorithms make automated decisions impacting the platform operation.

Mexico’s position as one of Latin America’s most cyber-threatened countries, accounting for over half of regional cyber-incidents by 2024, intensifies security obligations for platforms handling massive user databases and payment information. The recent amendments to the security and tax laws requiring real-time interconnection with regulators increase concerns and operational challenges.

Streaming and digital media platforms must embed privacy-by-design (PbD) from initial platform architecture through ongoing operations under the LFPDPPP. Controllers must consider the state of the art, implementation costs, processing nature, and risks to users when designing content delivery systems, recommendation engines, and user authentication mechanisms.

Practical implementation for streaming services includes threat modelling during platform design phases, privacy-focused automated testing in development pipelines, Privacy Impact Assessments for new features (particularly AI-driven recommendation systems), and data governance frameworks controlling the collection of viewing data, device information, and user preferences. Technical measures include pseudonymisation of viewing histories, encrypted data transmission and storage, access controls limiting employee access to user data, malware detection systems protecting payment information, and regular security audits of content delivery networks and third-party integrations. Data protection by default requires that only data necessary for service provision is collected ‒ platforms must implement default privacy settings that minimise data collection, limit profiling activities, and restrict data accessibility.

This regulatory gap results in a lack of standardisation of cybersecurity policies. Each company is left to its own devices to develop an efficient way to protect user privacy, with some using leading international standards such as ISO 27001, taken as a benchmark by Mexican courts and regulators, together with NIST Cybersecurity Framework and SOC 2 standards, making documented risk assessments essential for demonstrating compliance, particularly given the high-value nature of aggregated user viewing data.

Streaming and digital media platforms face complex third-party sharing challenges given their reliance on advertising networks, content analytics providers, payment processors, and content delivery networks. Under the FDPL, the redefined “data controller” definition creates classification risks ‒ processors must have contracts clearly stating their processor status; otherwise, they may be deemed controllers with full compliance obligations. This is particularly important for programmatic advertising relationships and audience measurement services.

Controllers must adopt sufficient measures to enforce data protection principles and ensure third parties respect privacy notices through contractual relationships. Purpose limitation requirements prohibit processing viewing data for purposes incompatible with original collection, and the elimination of “analogous purposes” processing means platforms must obtain fresh consent for new uses ‒ impacting cross-platform advertising, audience profiling, and data monetisation strategies.

Streaming and digital media providers manage these challenges through robust data processing agreements with advertising networks and CDN providers, granular consent management systems allowing users to control advertising and analytics preferences, and regular audits of third-party pixel tracking and SDK integrations to ensure ongoing compliance.

As mentioned above, Mexico lacks a comprehensive cybersecurity statute, creating challenges for streaming platforms managing distributed infrastructure and cross-border data flows. As previously discussed, streaming platforms must align with international standards to demonstrate reasonable security. Platforms design internal governance programmes around ISO 27001, the NIST Cybersecurity Framework, and industry-specific standards like the Motion Picture Association’s content security best practices. Technology agreements with cloud providers, CDN operators, and payment processors must address vendor security obligations, incident response protocols for platform breaches or content piracy incidents, and data governance controls. Regarding AI, streaming platforms should implement transparency measures for recommendation algorithms, content moderation systems, and automated decision-making affecting user access or content availability.