Which topic would you like to know more about?
What is the legal age of adulthood/ majority in your jurisdiction? Are all persons below this age considered a child/ minor?
The Civil Federal Code provides that a person under the age of 18 is a minor for the purposes of Mexican law.
Has the UNCRC been directly incorporated into national law in your jurisdiction?
Yes.
The UNCRC is incorporated into Mexican domestic law. It was ratified by Mexico in 1991. Therefore, the rights under the UNCRC can be directly relied upon by children before domestic courts.
Is there an ombudsperson/ commissioner for children in your jurisdiction?
Yes.
There is a general ombudsperson known as the National Commission on Human Rights (CNDH for its acronym in Spanish) in charge of protecting human rights including children’s rights.
If there is an ombudsperson/ commissioner for children in your jurisdiction, do they have any responsibility for upholding children’s rights in the digital world or does the relevant regulator have sole competence?
No.
The National Commission on Human Rights (CNDH for its acronym in Spanish) is responsible for receiving complaints regarding human rights violations and promoting awareness of human rights, amongst other things. Its competence extends only to investigations of complaints taken against public bodies as such complaints relate to human rights violations. As such, it does not have competence as regards the investigation of such complaints against private entities.
Is there any standalone requirement to collect the consent of one or both parents when processing a child’s personal data (irrespective of any other obligations, e.g. the requirement to have a legal basis for processing)?
Yes.
The Federal Law on Protection of Personal Data Held by Private Parties (LFPDPPP) and its Regulations (RLFPDPPP), and the Guidelines for the Privacy Notice henceforth the “Mexican data protection legislation” do not establish any specific requirements for obtaining one or both parents’ consent when processing a child’s personal data. However, the representation rules established by the Federal Civil Code apply. Hence, the consent of the parents or legal guardians of the minor is needed to process children’s personal data.
At what age can children legally consent to the processing of their own personal data, such that parental permission/ consent is not required?
In Mexico, individuals can consent to the processing of their own personal data without parental permission or consent once they reach 18 years of age, as they will have full capacity under the Federal Civil Code.
Are there specific requirements in relation to collection and/or verification of parental consent/ permission concerning the processing of a child’s personal data?
Yes.
The Mexican data protection legislation (see details here) does not have a specific requirement for the collection and/or verification of parental consent. However, the former local data protection authority, the National Institute For Transparency, Access of Information and Protection of Personal Data (INAI for its acronym in Spanish) published the Code of Good Practices to Guide the Online Processing of Personal Data of Children and Adolescents (not a binding document, only considered best practice) where it establishes that methods for verification of parental consent used should be proportionate and risk based, with greater levels of stringency and certainty required where the processing of a child’s data poses higher risks
Are there any particular information or transparency requirements concerning the processing of children’s personal data?
Yes.
Mexican data protection legislation (see details here) establishes that the privacy notice must be drafted in clear and plain language, with a structure and design that facilitates understanding for the Data Subjects. The Code of Good Practices to Guide the Online Processing of Personal Data of Children and Adolescents (not binding, only considered best practice) (see details here) recommends that information regarding personal data must be concise and in clear and adequate language for children. Moreover, it should include additional explanations regarding how children’s personal data is processed.
Can children directly exercise their rights in relation to their personal data without the involvement of their parents?
No.
The Mexican data protection legislation establishes that the exercise of data protection rights by children will be subject to the representation rules set forth in the Federal Civil Code.
Therefore, children cannot exercise their data protection rights without the involvement of their parents or legal guardians.
Can children make complaints on their own behalf directly to your national data protection/ privacy regulator(s)?
Yes.
There is no provision in the Mexican data protection legislation (see details here that allows children to make complaints on their own behalf to the data protection authority, This procedure will be subject to the representation rules set forth in the Federal Civil Code.
Are there any particular requirements/ prohibitions related to:
a. processing specific types of children’s personal data;
b. carrying out specific processing activities involving children’s personal data; and/ or
c. using children’s personal data for specific purposes.
Yes.
The Code of Good Practices to Guide the Online Processing of Personal Data of Children and Adolescents (the Code) (see details here) (not binding, only considered good practice), establishes that children’s personal data must not be processed in a way that may be detrimental to their well-being or that goes against the provisions of regulations, commercial codes, codes of good practice of an industry sector, self-regulatory schemes, or other regulatory provisions.
b) and c):
Furthermore, the Code emphasizes that special care must be taken when profiling minors. The option of profiling is recommended to be turned off by default unless it is strictly necessary and takes into account the best interest of the child. Additionally, it is recommended that profiling only be performed when there are sufficient measures to protect minors from any damage derived from it. Moreover, the Code establishes that data controllers must adopt the minimization principle, which consists of processing only the strictly necessary personal data for the purposes established in the privacy notice.
Finally, the Code recommends that any geolocation feature must be deactivated by default unless there is a strictly necessary motive. It is recommended to inform minors about the use of geolocation, how it can be deactivated, and when it is active
Has there been any enforcement action by your national data protection/ privacy regulator(s) concerning the processing of children’s personal data? In your answer, please include information on the volume, nature and severity of sanctions.
No.
To this day, there has been no relevant enforcement action by the data protection authority. However, it is important to mention that penalties for infringing Mexican data protection legislation (see details here) can range from USD 560 to 1.8 million dollars. The sanctions are imposed by taking into account the categories of processed data, the intentional nature (or lack thereof) of the action or omission constituting the infraction, the economic capacity of the person in charge, and recidivism. Sanctions may also depend on the number of infringements. The amount of the sanction can be doubled if sensitive data was processed.
Are there specific rules concerning electronic direct marketing to children?
Yes.
In Mexico consumer law is regulated by the Federal Consumer Protection Law ("FCPL"), its Rulings and Mexican Official Standards.
Regarding direct marketing, general rules apply for all consumers; there is no specific rule for direct marketing sent to children.
As a general rule, advertisements sent to consumers must include clear information, such as the name, address, phone number, and, if applicable, the email address of the provider and the Consumer Protection Agency (“PROFECO”)
Consumers have the right to know if their information is being used for marketing or advertising purposes. They can request, at no cost, information that companies hold about them and can correct any inaccuracies.
There is a public registry where consumers can enroll to avoid unwanted advertising. It is prohibited for companies to send advertisements to those who have explicitly requested not to receive them.
Furthermore, there is national legislation that expressly prohibits marketing of alcohol to children. Plus, there is an auto-regulatory scheme for enterprises related to the food industry that establishes rules for advertising food products to children.
Are there specific rules concerning the use of adtech tracking technologies, profiling and/or online targeted advertising to children?
No.
There are no concrete rules specifically addressing the processing of children’s personal data; however, the general rules regarding these technologies apply.
Technologies such as adtech tracking, profiling, and targeted advertising should be disclosed in the privacy notice. The privacy notice must inform what type of personal data is collected, how it is processed, and if the data is transferred. Moreover, it is a legal requirement to include a banner informing data subjects about the use of these technologies and how they can be deactivated. Additionally, it is important to inform children about these practices in a way they can fully understand. The Code of Good Practices to Guide the Online Processing of Personal Data of Children and Adolescents (see details here) (not binding, only considered best practice) establishes that profiling of children must be deactivated by default. Profiling should only be permitted when appropriate measures are in place to protect children from accessing any content that could be detrimental to their health or well-being.
Are there specific rules concerning online contextual advertising to children?
Yes.
In México, according to Federal Consumer Protection Law, providers must refrain from using sales or advertising strategies that do not provide the consumer with clear and sufficient information about the services offered, especially regarding marketing practices aimed at vulnerable populations, such as children, the elderly, and the sick, incorporating mechanisms that warn when the information is not suitable for that population.
In this regard, NMX-COE-001-SCFI-2019, Mexican E-commerce non-mandatory guideline, establishes that special care must be taken with advertising directed at vulnerable populations, namely that e-commerce platforms must incorporate mechanisms that alert the user or consumer when the information about the goods, products, or services being offered is not suitable for that type of population.
The Consumer Protection Agency’s (PROFECO) non-mandatory Code of Ethic establishes that providers must include warning statements on their platforms or online stores, and throughout the purchase process, advising children and adolescents not to provide personal data without parental or guardian consent, ensuring that purchases are made directly by these guardians.
Additionally, the provider is obligated to verify the following: a) They must identify content intended exclusively for adults; b) They must not directly encourage children or adolescents to purchase a product or service by exploiting their inexperience or credulity, nor persuade their parents or guardians, or the parents or guardians of others, to make such purchases; c) They must not, without justified reason, expose children or adolescents to dangerous situations; d) They must not publish illegal content, statements, or visual presentations on their websites that could cause mental, moral, or physical harm to children or adolescents.
Has there been any regulatory enforcement action concerning advertising to children? In your answer, please include information on the volume, nature and severity of sanctions.
No.
We do not have knowledge of any enforcement specifically concerning advertising to children.
At what age does a person acquire contractual capacity to enter into an agreement to use digital services?
This is the age of civil capacity to enter into a contract in Mexico.
Do consumer protection rules apply to children?
Yes.
In Mexico, consumers are protected under consumer law, regardless of their age. This protection includes:
(i) The right to receive timely, complete, clear, and truthful information about goods and services offered to them. (ii) All products and services must meet established safety and quality standards.
(iii) Consumers cannot be denied access to products or services based on gender, race, religion, economic status, nationality, sexual orientation, or disability. (iv) If a consumer purchases a defective product, they are entitled to a replacement, a refund, or compensation of at least 20% of the purchase price. (v) Clear and sufficient information about services must be provided, requiring suppliers to implement mechanisms that alert when information is unsuitable for children.
If suppliers violate consumer rights or engage in abusive practices, the Consumer Protection Agency, PROFECO can initiate administrative proceedings to protect and defend these rights.
Notably, issues involving children have a ten-year statute of limitations from the date of the breach, in contrast to the general statute of limitations of one year. Violations affecting children are treated as serious matters.
Are there any consumer protection rules which are specific to children only?
No.
(Please see the information here). The most notable is the advertising provision that states that providers must refrain from using sales or advertising strategies that do not provide the consumer with clear and sufficient information about the services offered, especially regarding marketing practices aimed at vulnerable populations, such as children, the elderly, and sick people, incorporating mechanisms that warn when the information is not suitable for that population.
Has there been any regulatory enforcement action concerning consumer protection requirements and children’s use of digital services? In your answer, please include information on the volume, nature and severity of sanctions.
No.
We do not have knowledge of any enforcement in this regard.
Are there any age-related restrictions on when children can legally access online/ digital services?
No.
There are no age-related restrictions on when children can legally access online digital services. However, as mentioned above, for processing children’s personal data it is necessary to collect consent from the parents or legal guardian.
Are there any specific requirements relating to online/ digital safety for children?
Yes.
The Code of Good Practices to Guide the Online Processing of Personal Data of Children and Adolescents (the Code) (see details here) establishes good practices and recommendations related to online/digital safety for children, however, the provisions established in the Code are only considered good practice and are not binding.
The principles emphasize prioritizing children’s best interests in online services. This includes conducting data privacy impact assessments (DPIAs) to mitigate risks, designing age-appropriate services, and clearly communicating policies to children. Children’s data should not be used harmfully or against regulations.
Other principles include complying with terms and conditions, setting strict default privacy settings, and minimizing data use. Personal data should not be disclosed without justification, and geolocation should be off by default. Parental controls should be transparent, and profile creation restricted. Reward techniques for data collection are discouraged, and tools for understanding rights should be accessible.
Are there specific age verification/ age assurance requirements concerning access to online/ digital services?
Yes.
The Code of Good Practices to Guide the Online Processing of Personal Data of Children and Adolescents (the Code) (see details here) (not binding, only considered best practice) mentions in the principle for age-appropriate design that it is necessary to have appropriate age assurance mechanisms to mitigate risks derived from the processing of personal data. The Code mentions various age assurance mechanisms such as self-declaration, artificial intelligence mechanisms, third party verification services, confirmation by another account belonging to an adult or physical evidence. However, it is relevant to mention that this should be determined on case by case basis.
Are there requirements to implement parental controls and/or facilitate parental involvement in children’s use of digital services?
Yes.
The Code of Good Practices to Guide the Online Processing of Personal Data of Children and Adolescents (the Code) (see details here) (not binding, only considered good practice) mentions that it is relevant to inform children and parents about the use of parental controls. Therefore, it is important to communicate that children could be monitored by their parents and certain functions could be deactivated due to parental controls. Moreover, it is relevant to adapt the information provided about parental controls to children according to their age.
The National Institute For Transparency, Access of Information and Protection of Personal Data (INAI for its acronym in Spanish) has published two guides on parental control tools for parents (not binding, only considered best practice):
Has there been any regulatory enforcement action concerning online/ digital safety? In your answer, please include information on the volume, nature and severity of sanctions.
No.
To our knowledge, there has been no relevant regulatory enforcement action concerning online/digital safety.
Are there any existing requirements relating to children and AI in your jurisdiction?
No.
To date Mexico does not have specific laws or regulations on AI. Nonetheless, any processing of personal data of children with AI systems must comply with the data protection regulations and the requirements set forth in the General Law on the rights of children and adolescents.
Are there any upcoming requirements relating to children and AI in your jurisdiction?
Yes.
There are several bills submitted to the Mexican congress related to AI and related with children, however it is uncertain when they will be discussed and approved.
Has there been any other regulatory enforcement activity to date relevant to children’s use of digital services? In your answer, please include information on the volume, nature and severity of sanctions.
No.
There are several bills to modify the Mexican data protection legislation (see details of existing legislation here) to thoroughly protect the personal data of children; however, none of these bills are expected to be discussed soon.
Are there any other existing or upcoming requirements relevant to children’s use of digital services?
No.
To our knowledge, there has been no relevant regulatory enforcement action concerning children’s use of digital services.
Contributors
Adolfo Athie Cervantes
Basham
Renata Denisse Buerón Valenzuela
Basham
Ivan Garcia Argueta
Basham
