On March 20, 2025, the New Federal Law on Personal Data Protection in Possession of Private Parties was published in the Official Gazette of the Federation. It came into effect the following day, March 21, repealing the previous law that had regulated this matter until that date.

Below, we explore the main changes introduced by the new Law and their potential impact on businesses:

Key Changes and Their Impact

1. More precise and technologically neutral definitions. Key definitions, such as “personal data processing“, have been clarified to cover any operation carried out manually or through automated means. This means that companies must review their processes to ensure that any handling of personal data, including those involving automated systems and artificial intelligence, complies with the new regulations.
2. Restrictions on the use of publicly accessible sources. Sources whose information has been obtained unlawfully will no longer be considered “publicly accessible sources”. This requires companies to be more rigorous in verifying the origin of the data they use in their business strategies to avoid legal risks.
3. Greater clarity in consent requirements. Consent must now be free, specific, and informed, with expanded exceptions for cases where consent is not required, including compliance with legal provisions and judicial rulings. While this provides some flexibility in data management, it also demands that companies be more transparent in their practices and properly document consent collection.
4. Changes in Privacy Notices. Privacy notices must now clearly specify which data will be processed. If data is collected through electronic means, the notice must be available in a simplified format with access to the full document. Companies operating digital platforms or managing databases must update their privacy notices to comply with these new requirements.
5. More flexible exercise of ARCO rights. Barriers to the exercise of Access, Rectification, Cancellation, and Opposition (ARCO) rights have been reduced. Data subjects no longer need to specify which right they wish to exercise; they only need to submit their request. This means companies must adjust their internal procedures to efficiently respond to such requests in compliance with the new law.
6. Increased oversight and regulatory authority powers. The Anti-Corruption and Good Governance Ministry is now the new regulatory authority overseeing personal data protection for private parties. Companies must strengthen their compliance mechanisms and be prepared for more rigorous audits and inspections.

Recommendations

• Update privacy notices, ensuring they are clear and meet the new requirements.
• Review databases, verify the legality of information obtained from public sources.
• Train staff, on the new data protection guidelines.
• Strengthen consent management processes, ensuring they are well-documented and traceable.
• Implement efficient protocols, to handle ARCO rights requests in line with the new legal flexibility.
• Prepare for audits and inspections, by the new regulatory authority with robust compliance mechanisms.

At Calderón Marín, S.C., we are prepared to assist your company in adapting to this new regulatory framework, ensuring full compliance and efficient personal data management. Contact us for personalized consultancy.