In brief
Mexico's Ministry of Anti-Corruption and Good Governance (Secretaría Anticorrupción y Buen Gobierno – (SABG)) recently announced a fine of approximately MXN 42.8 million (approximately USD 2.14 million) against the Mexican Football Federation (Federación Mexicana de Futbol Asociación, A.C. – (FMF)) for alleged violations of Mexico's personal data protection laws in connection with its FAN ID system.
The authority concluded that FMF failed to adequately inform data subjects that the photographs collected to generate FAN IDs constituted sensitive personal data and failed to obtain the express written consent required for the processing of such data. Although the decision may still be challenged through the available legal remedies, it represents one of the most significant precedents in Mexico's privacy and data protection landscape. This is the first major enforcement action issued by SABG following its assumption of the data protection authority's functions from the former National Institute for Transparency, Access to Information and Personal Data Protection (INAI), making the decision noteworthy both for the amount of the fine and for the legal analysis adopted by the new regulator.
Recommended actions
- Identify whether your organization collects or processes biometric data from customers, users, visitors or employees.
- Review privacy notices to ensure they appropriately describe the processing activities and the sensitive nature of biometric data.
- Assess whether current consent mechanisms satisfy the requirements applicable to sensitive personal data processing.
- Verify that sufficient evidence exists to demonstrate that valid consent was obtained from data subjects.
- Conduct periodic privacy and data protection compliance reviews to mitigate regulatory risks.
In more detail
One of the most significant data protection enforcement actions in Mexico
On 12 July 2026, Mexico's Ministry of Anti-Corruption and Good Governance announced a fine of MXN 42,849,095 (approximately USD 2.14 million) against the Mexican Football Federation in connection with the processing of personal data through its FAN ID system.
According to the official announcement, the authority determined that FMF acted as the data controller with respect to the personal data collected through the platform and concluded that it had violated several obligations established under Mexico's personal data protection framework.
Failure to disclose the sensitive nature of biometric data
The authority found that FMF collected photographs from fans to generate FAN IDs but failed to disclose in its privacy notice that such information constituted sensitive personal data.
According to the decision, this omission prevented data subjects from fully understanding the scope of the processing activities and from making an informed decision regarding the use of their personal information.
Failure to obtain express written consent
The decision also concluded that FMF failed to obtain the express written consent required for the processing of sensitive personal data.
According to the official announcement, FMF relied on a website checkbox mechanism without implementing additional authentication measures capable of conclusively demonstrating that consent had actually been provided by the relevant data subject.
The authority therefore determined that insufficient evidence existed to establish the valid express consent required under applicable law.
Violations of lawfulness and accountability principles
In addition, the authority concluded that FMF violated the principles of lawfulness and accountability by failing to adopt the measures necessary to ensure the proper processing of personal data under its control.
The decision emphasizes the importance of implementing appropriate governance, documentation and compliance measures when organizations deploy technologies involving biometric information.
Why is this decision important?
The decision sends a clear signal that SABG intends to adopt a robust enforcement approach in privacy and data protection matters. Its first major decision imposes a higher fine than any previously issued by INAI and provides important insight into how the new regulator may interpret and enforce privacy obligations going forward.
The ruling may be particularly relevant for organizations that use:
- Facial recognition systems
- Digital identity platforms
- Biometric authentication tools
- Physical or logical access control systems
- Fraud prevention solutions
- User, visitor or event registration systems
- Technologies involving categories of personal data that may fall within regulatory gray areas regarding their classification as sensitive data, including geolocation data, biometric information and similar datasets
The case also demonstrates that regulatory scrutiny extends beyond cybersecurity controls and technical safeguards. Authorities are closely examining the content of privacy notices, transparency obligations and the validity of the mechanisms used to document consent.
Call to action
Organizations using biometric technologies should consider conducting a priority review of their privacy notices, consent mechanisms, internal policies and compliance programs to identify potential regulatory exposure.
Our Privacy, Cybersecurity & Digital Innovation team has extensive experience advising domestic and multinational organizations on compliance programs involving biometric data, digital identity initiatives and emerging technologies, and would be pleased to discuss the implications of this development for your business.