Mexico is the second-largest economy in Latin America and one of the most active markets for AI deployment in the region. It has no comprehensive federal AI statute as of June 2026. That absence does not mean a compliance vacuum. A combination of constitutional data rights, the 2010 federal data protection law, sector-specific regulatory obligations, competition authority guidance, and the USMCA digital trade framework creates a layered compliance environment that any operator deploying AI systems in or for the Mexican market must understand. This guide sets out that environment in full, including where the Senate's draft AI governance initiative stands and what to monitor as Mexican AI legislation develops.
Key takeaways
- Mexico has no enacted federal AI statute as of mid-2026. The operative compliance framework is built from the LFPDPPP (2010 data protection law), sector regulator circulars (CNBV, COFEPRIS, IFT), and Cofece competition guidance rather than a dedicated AI law.
- INAI, the data protection authority, supervises enforcement of the LFPDPPP for private-sector operators. Automated decision-making using personal data triggers the LFPDPPP's ARCO rights regime and the Article 37 opposition right, which functions as Mexico's operative automated-decision safeguard.
- CNBV technology risk circulars cover AI systems in financial institutions. Operators in financial services face documented governance, risk, and control obligations for AI under existing sector regulation, independent of any AI-specific statute.
- USMCA Chapter 19 prohibits data localisation between Mexico, the United States, and Canada. Operators moving AI-processed personal data across these borders must satisfy both the trade liberalisation rules of USMCA and the lawful-basis and data-subject rights conditions of the LFPDPPP simultaneously.
- Mexican companies supplying AI products or services into EU markets face EU AI Act extraterritorial reach under Regulation (EU) 2024/1689. Mexico has no bilateral agreement with the EU that incorporates AI Act obligations, so this exposure must be assessed separately from domestic Mexican compliance.
Constitutional and legal foundations
Mexico's approach to privacy and information rights is grounded in the Constitution. Article 6 of the Political Constitution of the United Mexican States establishes the right to access public information and, following the 2013 constitutional reform, the right to the protection of personal data as a fundamental guarantee. Article 16 protects individuals against arbitrary interference in their private life and correspondence, and the 2009 constitutional reform to Article 16 introduced an explicit right to the protection of personal data, creating a constitutional basis for both the public-sector and private-sector data protection frameworks that followed.
These constitutional provisions are significant for AI operators because they establish that data protection is not merely a statutory requirement subject to ordinary legislative modification but a constitutional entitlement enforceable against both public and private actors. An AI system that processes personal data of Mexican residents in ways that deny individuals effective control over their information engages constitutional rights, not only statutory ones. This constitutional grounding has influenced how INAI has approached enforcement and how Mexican courts have interpreted data protection obligations in contested cases.
The practical statutory expression of these rights in the private sector is the Ley Federal de Protección de Datos Personales en Posesión de los Particulares (LFPDPPP), enacted in 2010 and regulated by the Reglamento de la Ley Federal de Protección de Datos Personales en Posesión de los Particulares (RLFPDPPP), published in 2011. For public-sector actors, the Ley General de Protección de Datos Personales en Posesión de Sujetos Obligados (2017) governs. This article focuses on the private-sector framework relevant to commercial AI operators.
LFPDPPP: the operative data protection framework
The LFPDPPP establishes the data protection obligations that any private-sector entity processing personal data of individuals in Mexico must satisfy. For AI operators, several provisions are particularly material.
The principle of consent (consentimiento) under Article 8 requires that personal data be processed with the data subject's consent unless one of the enumerated legitimate grounds applies. AI systems that ingest personal data for training, inference, or profiling must identify a valid legal basis under the LFPDPPP for each processing activity. The RLFPDPPP elaborates the conditions for implied and express consent, with sensitive personal data (datos personales sensibles), defined in Article 3(VI) to include health information, biometric data, racial or ethnic origin, religious beliefs, and sexual preferences, requiring express written consent for any processing.
The ARCO rights (Acceso, Rectificación, Cancelación, Oposición) under Articles 28 to 37 give individuals the right to access, correct, delete, and oppose the processing of their personal data. Article 37 is the provision most directly applicable to AI-driven automated decision-making: it allows individuals to oppose the processing of their personal data when the processing produces decisions that affect them legally or significantly and that are based solely on automated procedures. This opposition right functions as Mexico's current operative safeguard against unchecked automated decision-making in the absence of AI-specific legislation.
The principle of data minimisation (proporcionalidad) under Article 13 requires that data collected and processed be limited to what is necessary for the declared purpose. AI systems trained on personal data must be able to demonstrate that the data used was proportionate to the system's stated objective. The principle of purpose limitation (finalidad) under Article 12 prohibits secondary use of personal data for purposes incompatible with those disclosed to the data subject at collection. An AI system using personal data originally collected for customer service purposes to train a profiling model for credit risk assessment would, without renewed consent or a new notice, engage both the purpose limitation and minimisation principles.
The privacy notice (aviso de privacidad) obligations under Articles 15 to 18 require that data subjects be informed, at the point of collection, of the identity and address of the data controller, the purposes of processing, the third parties to whom data will be disclosed, and how ARCO rights may be exercised. For AI operators, the aviso de privacidad must disclose, with adequate specificity, that personal data will be used in automated processing or profiling if that is part of the system's operation.
INAI: supervision and enforcement
The Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales (INAI) is the constitutional autonomous body responsible for overseeing compliance with both public information access law and the private-sector data protection framework under the LFPDPPP. INAI has authority to investigate complaints, conduct audits, issue binding resolutions, and impose administrative penalties.
INAI has issued guidance specifically addressing automated data processing and profiling. The Guía para el Tratamiento de Datos Personales con Fines de Mercadotecnia, Publicidad y Prospección Comercial (2018) addresses how the LFPDPPP's principles apply to profiling and behavioural targeting, with direct relevance to AI operators using personal data for recommendation, personalisation, or audience segmentation. INAI has also published guidance on data minimisation and purpose limitation that addresses automated profiling in terms consistent with, though predating, the GDPR Article 22 framework.
INAI has publicly declared its intent to align its supervisory approach with international standards, including the OECD AI Principles (revised November 2024) and the Council of Europe's Framework Convention on Artificial Intelligence (Convention 307, opened for signature September 2024). This declared intent signals that INAI will interpret existing LFPDPPP obligations in AI contexts with reference to international best practice, even in the absence of AI-specific statutory authority. Operators who can demonstrate alignment with OECD AI Principles documentation will be better positioned in any INAI investigation.
On penalties: INAI may impose administrative fines ranging from 100 to 320,000 times the daily general minimum wage for LFPDPPP violations, with the higher range applicable to violations involving sensitive personal data. As of 2026, the daily general minimum wage in the general economic zone is MXN 278.80, placing the upper administrative penalty at approximately MXN 89.2 million (roughly USD 4.5 million at current exchange rates) for the most serious violations. Intentional violations involving sensitive data may be referred for criminal prosecution under Articles 67 to 69 of the LFPDPPP, with criminal penalties including custodial sentences for natural persons responsible for the violation.
The Senate's AI governance initiative and legislative status
The Mexican Senate presented a Punto de Acuerdo in 2023 calling on the federal executive to develop a national AI strategy and to establish an ethical and regulatory framework for AI development and deployment. A Punto de Acuerdo is a parliamentary resolution that requests action from another branch of government rather than itself creating binding law. It does not have the force of statute.
Following the Punto de Acuerdo, a legislative proposal for a comprehensive AI framework was reviewed by the Chamber of Deputies. As of June 2026, the proposal has not been adopted. Mexico's legislative session calendar and the shifting political priorities following the 2024 presidential transition have slowed the legislative process. Industry consultation on an AI governance framework has continued at the executive level, with the Secretaría de Economía and the Secretaría de Ciencia, Humanidades, Tecnología e Innovación (SECIHTI, formerly CONACyT) both engaged in policy development processes.
The practical implication for operators is that AI-specific statutory obligations are not imminent in Mexico. The compliance environment for the next twelve to eighteen months will remain the existing data protection framework supplemented by sector regulation and competition law. Operators building governance programmes for the Mexican market should not wait for a dedicated AI statute before establishing controls; the existing framework already creates material obligations.
When a Mexican AI statute is eventually enacted, the most likely model, based on the legislative proposals reviewed to date and Mexico's regional context, is a risk-based framework with reference to OECD AI Principles and significant alignment with the Brazilian PL 2338 model, which itself draws on the EU AI Act. For the current state of the Brazilian framework and what regional convergence may look like, see the Brazil AI Bill PL 2338 operators guide published on this site.
Sector regulators with AI-relevant authority
In the absence of a horizontal AI statute, sector regulators carry the primary compliance burden for AI applications in regulated industries. Three regulators are particularly material for most AI operators.
The Comisión Nacional Bancaria y de Valores (CNBV) supervises banks, brokerage firms, investment funds, and other financial intermediaries. CNBV Circular 4/2019 on technology risk management and its subsequent amendments establish obligations for financial institutions using technology systems, including AI, to maintain documented risk management frameworks covering system design, validation, monitoring, and incident response. Institutions are required to assess the operational risks created by algorithmic decision-making in credit, trading, and customer-facing applications. Financial institutions operating in Mexico that use AI for credit scoring, fraud detection, algorithmic trading, or customer segmentation face CNBV governance obligations that are already enforceable, regardless of any future AI statute.
The Comisión Federal para la Protección contra Riesgos Sanitarios (COFEPRIS) regulates pharmaceutical products, medical devices, food, and health services. AI applications used in diagnostic support, drug development, clinical decision support, or health data analysis fall within COFEPRIS jurisdiction and must comply with the sector's applicable authorisation, validation, and post-market surveillance requirements. The intersection of LFPDPPP sensitive data obligations (health data is sensitive personal data under Article 3(VI)) and COFEPRIS sector requirements creates a dual-compliance obligation for health AI operators that is more demanding than either framework alone.
The Instituto Federal de Telecomunicaciones (IFT) regulates telecommunications and broadcasting. AI systems used in network management, content recommendation, or user profiling by telecommunications operators are subject to IFT jurisdiction alongside LFPDPPP obligations. IFT has authority under the Federal Telecommunications and Broadcasting Law (Ley Federal de Telecomunicaciones y Radiodifusión, 2014) to regulate the treatment of subscriber data and to establish requirements for algorithmic systems that affect service quality or content access.
Cofece and competition law exposure
The Comisión Federal de Competencia Económica (Cofece) is Mexico's federal competition authority. Cofece has published analysis identifying the competitive risks associated with AI-driven pricing systems and algorithmic coordination between market participants. Operators using AI in pricing, supply chain optimisation, or market-facing recommendation systems should assess their exposure under the Ley Federal de Competencia Económica (LFCE) in addition to their data protection obligations.
The primary competition law risk for AI operators in Mexico is algorithmic collusion, sometimes called concerted practices through algorithms, where competing firms using similar pricing AI systems independently arrive at coordinated market outcomes without explicit agreement. Cofece has signalled that it will apply the standard LFCE analysis of concerted practices to algorithmic coordination, meaning that the absence of an express agreement does not insulate operators from liability if the AI system's behaviour is found to have the object or effect of restricting competition. This is consistent with the European Commission's enforcement approach under Article 101 TFEU and with Cofece's own jurisprudence on hub-and-spoke coordination.
A second competition exposure arises from AI systems used to process commercially sensitive data about competitors obtained through platform or marketplace participation. Operators running AI on input data that includes competitor pricing, volume, or customer information sourced from a shared platform should review the data governance arrangements against Cofece guidance on information exchange.
USMCA Chapter 19: digital trade and cross-border data flows
The United States-Mexico-Canada Agreement (USMCA), which entered into force in July 2020, contains a Digital Trade chapter (Chapter 19) that is directly relevant to AI operators moving data across the three member states. Article 19.11 prohibits parties from requiring the localisation of data as a condition of conducting business in their territory. Article 19.11 also prohibits discriminatory treatment of digital products of another party, including AI-based services and outputs. This means Mexico cannot require that AI systems processing data about Mexican users store or process that data exclusively within Mexico, nor can it treat US or Canadian AI products less favourably than domestically produced equivalents.
For practical compliance, operators moving AI-processed personal data from Mexico to the United States or Canada must satisfy two sets of conditions simultaneously. Under USMCA Chapter 19, data flows cannot be blocked by localisation requirements. Under the LFPDPPP Articles 36 to 37 governing international transfers, personal data may only be transferred internationally if the recipient country provides an adequate level of protection or if the transfer is covered by standard contractual clauses (cláusulas contractuales), binding corporate rules, or another recognised mechanism. The interplay between USMCA's anti-localisation rule and LFPDPPP's transfer conditions does not create a conflict: USMCA prevents Mexico from imposing a blanket localisation requirement, while LFPDPPP's transfer conditions remain operative as data protection obligations that the operator must satisfy.
Mexico has no adequacy decision, bilateral AI agreement, or equivalence mechanism with the European Union. Operators transferring AI-processed personal data from Mexico to EU-based processors must comply with LFPDPPP's international transfer provisions on one side and GDPR's Chapter V transfer restrictions on the other, without the benefit of an equivalence bridge. For the EU regulatory context on cross-border AI data flows, the EU AI Act's extraterritorial reach guide on agentliability.eu covers the EU side of this equation in full.
EU AI Act extraterritorial exposure for Mexican operators
Article 2(1)(c) of Regulation (EU) 2024/1689 applies the EU AI Act to providers and deployers of AI systems established outside the Union where the output of those systems is used in the Union. A Mexican company that develops or deploys an AI system whose outputs are used by EU-based operators, consumers, or institutions is within the scope of the EU AI Act for those outputs. This applies regardless of whether the Mexican operator has any physical establishment or legal entity in the EU.
Mexican AI companies with EU market exposure should therefore conduct a dual-track compliance assessment: domestic Mexican compliance under the LFPDPPP and sector frameworks, and EU AI Act compliance under Regulation (EU) 2024/1689 for the EU-facing dimension of their operations. The two frameworks do not conflict, but they are not equivalent. The EU AI Act's prohibited practices (Article 5), high-risk classification (Annex III), conformity assessment requirements (Articles 43 to 44), technical documentation obligations (Article 11 and Annex IV), and market surveillance mechanisms create obligations that have no direct analogue in Mexico's current domestic framework.
For an overview of the global comparative picture, including how US, EU, and UK frameworks interact for operators with multi-jurisdictional exposure, see the resources section of this site and the frameworks reference for a structured comparison of the major AI regulatory instruments.
Practical compliance checklist for operators in Mexico
The following steps reflect the current compliance environment for AI operators active in the Mexican market. They are not a substitute for legal advice specific to an operator's use case and sector.
First, map LFPDPPP obligations across all AI systems processing personal data of individuals in Mexico. Identify the legal basis for each processing activity, confirm that the aviso de privacidad adequately discloses automated processing and profiling activities, and verify that the ARCO rights procedure addresses the Article 37 opposition right for automated decision-making. This mapping should cover both AI systems operated directly in Mexico and AI systems operated elsewhere whose outputs produce effects on individuals in Mexico.
Second, review INAI guidance on automated profiling. The Guía para el Tratamiento de Datos Personales con Fines de Mercadotecnia and INAI's published resolutions (resoluciones) in contested cases provide interpretive guidance on how INAI applies LFPDPPP principles to automated data processing. Operators who have not reviewed INAI's published resolution record since 2022 should update their analysis.
Third, assess CNBV technology risk circular obligations for any AI system operating in financial services. The CNBV framework requires documented risk governance for algorithmic systems. If the operator's AI governance documentation was prepared for EU AI Act purposes, it likely covers most of what CNBV requires, but the specific reporting formats and supervisory notification requirements differ and require adaptation.
Fourth, evaluate Cofece competition law exposure for AI systems involved in pricing, market recommendations, or the processing of commercially sensitive competitor data. The risk assessment should cover both the algorithmic collusion exposure and the information exchange exposure, and should be reviewed by competition counsel familiar with Cofece enforcement practice.
Fifth, establish a monitoring protocol for the Mexican legislative process. The Senate AI governance initiative and the Chamber of Deputies proposals will continue to develop. A statute is not imminent, but implementing regulations, INAI guidance updates, and CNBV circular amendments may create new compliance obligations on shorter timelines than primary legislation. Operators should set up notifications for INAI and Cofece regulatory publications as a standing workflow.
Sixth, conduct a USMCA Chapter 19 analysis for any AI system that moves personal data across the Mexico-US or Mexico-Canada border. Confirm that transfer mechanisms satisfy both USMCA's anti-localisation requirement and LFPDPPP's international transfer conditions. Document the analysis for both domestic regulatory purposes and potential cross-border enforcement scenarios.
Frequently asked questions
Does Mexico have a federal AI law in 2026?
No. As of June 2026, Mexico has no enacted comprehensive federal AI statute. The operative compliance framework for AI operators is built from the LFPDPPP, sector-specific regulations, and competition law. The Senate Punto de Acuerdo from 2023 requested a national AI strategy, but no binding AI-specific legislation has been adopted.
What is the LFPDPPP and how does it apply to AI systems?
The Ley Federal de Protección de Datos Personales en Posesión de los Particulares (2010) is Mexico's primary private-sector data protection law. Any AI system processing personal data of individuals in Mexico triggers the LFPDPPP's obligations, including the ARCO rights and the Article 37 opposition right against solely automated decisions that produce significant effects.
Which sector regulators in Mexico have AI-relevant authority?
CNBV (financial services technology risk), COFEPRIS (health and pharmaceutical applications), and IFT (telecommunications) each have sector-specific obligations applicable to AI systems in their domains. Cofece, the competition authority, has flagged AI-driven pricing and algorithmic collusion as competition law risk areas.
How do USMCA Chapter 19 digital trade rules interact with AI data flows between Mexico and the United States?
USMCA Chapter 19 prohibits data localisation requirements and discriminatory treatment of digital products across Mexico, the US, and Canada. Operators moving AI-processed personal data across these borders must satisfy USMCA's anti-localisation rules and the LFPDPPP's lawful transfer conditions simultaneously. These requirements do not conflict but must each be satisfied independently.
What penalties apply for LFPDPPP violations involving AI systems?
Administrative fines range from 100 to 320,000 times the daily general minimum wage, with the upper range applicable to violations involving sensitive personal data. At 2026 rates this represents up to approximately MXN 89 million. Intentional violations involving sensitive data may trigger criminal referrals under Articles 67 to 69 of the LFPDPPP.
References
- Constitución Política de los Estados Unidos Mexicanos, Articles 6 and 16, as amended by constitutional reform Decree of 20 July 2007 (Article 6) and Decree of 1 June 2009 (Article 16 privacy and data protection).
- Ley Federal de Protección de Datos Personales en Posesión de los Particulares (LFPDPPP), Diario Oficial de la Federación, 5 July 2010.
- Reglamento de la Ley Federal de Protección de Datos Personales en Posesión de los Particulares (RLFPDPPP), Diario Oficial de la Federación, 21 December 2011.
- Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales (INAI). Guía para el Tratamiento de Datos Personales con Fines de Mercadotecnia, Publicidad y Prospección Comercial. 2018.
- CNBV Circular 4/2019 on Technology Risk Management for Financial Institutions, and subsequent amendments.
- Ley Federal de Telecomunicaciones y Radiodifusión, Diario Oficial de la Federación, 14 July 2014.
- Ley Federal de Competencia Económica (LFCE), Diario Oficial de la Federación, 23 May 2014.
- United States-Mexico-Canada Agreement (USMCA), Chapter 19: Digital Trade. Entered into force 1 July 2020.
- Regulation (EU) 2024/1689 of the European Parliament and of the Council (EU AI Act), OJ L, 12 July 2024, Articles 2, 5, 11, 43, 44, Annex III, Annex IV.
- OECD Recommendation on Artificial Intelligence, OECD/LEGAL/0449, adopted May 2019, revised November 2024.
- Council of Europe Framework Convention on Artificial Intelligence (Convention 307), opened for signature Vilnius, 5 September 2024.
- Senado de la República de México. Punto de Acuerdo on national AI strategy and ethical framework. 2023 legislative session.
- Cofece. Opinion on algorithmic collusion and digital markets. 2022.
- ISO/IEC 42001:2023, Artificial intelligence management system.