On January 17, 2013, Mexico’s Ministry of Economy published its Lineamientos del Aviso de Privacidad (in Spanish) (“Privacy Notice Guidelines” or “Guidelines”), which it prepared in collaboration with the Mexican data protection authority. The Guidelines introduce heightened notice and opt-out requirements for the use of cookies, web beacons and similar technology, and they impose extensive requirements on the content and delivery of privacy notices generally (with respect to all personal data, not just data collected via cookies and other automated means). The Guidelines will take effect in mid-April.

Cookies, Web Beacons and Similar Technology

Under the Guidelines, if a data controller uses mechanisms such as cookies or web beacons to collect personal data while a user interacts with the mechanism (e.g., a user visits a website that places certain types of cookies), the controller must provide the user with a “communication or announcement located in a visible place” regarding this fact and how to deactivate the collection of the data. The communication or announcement must be provided at the moment the user interacts with the mechanism (e.g., the moment the user visits the website), and it must take place outside the privacy notice. Separately, the privacy notice itself must contain detailed information about the data controller’s practices with respect to the personal data collected with this technology.

Privacy Notice Requirements

The Guidelines impose content requirements for the following three forms of privacy notices and contain rules regarding when and how each may be used: (1) the “Full Notice,” which contains sufficient detail to function as a standalone privacy notice in every case; (2) the “Simplified Notice,” a somewhat abbreviated form of the Full Notice that includes a method for accessing the Full Notice, and (3) the “Short Notice,” a highly abbreviated notice containing only the name and domicile of the data controller, the purposes of the processing and a method for accessing the Full Notice. New content requirements under the Guidelines include the following (not all requirements apply to all forms of the notice):

  • Under existing law, the purposes of data transfers must be specified in the notice. Under the Guidelines, the notice must distinguish between the data transfers that require the data subject’s consent under Mexican law and those that can be carried out without consent.
  • Where the controller relies on the Full Notice or Simplified Notice but does not provide the notice to the data subject in person or in an otherwise direct-to-the-individual manner, the notice must include a warning or announcement that the data subject has five working days to oppose the processing of her personal data for purposes that neither are necessary nor give rise to the legal relationship between the controller and the individual. (Opt-in consent requirements continue to apply for sensitive data and financial/asset data.)
  • Where applicable, the Full Notice should contain information about the use of public do-not-contact registries, such as (1) the Public Register of Consumers established pursuant to the Federal Consumer Protection Law and (2) the Public Register of Users established pursuant to the Law for the Protection and Defense of Users of Financial Services.
  • The Full Notice must contain either certain details about the process by which an individual may exercise her rights (e.g., access, correction), or withdraw consent to processing, or a mechanism by which the individual may learn such details. Under the Guidelines, such details include (1) how a representative making a request on an individual’s behalf may establish the representative’s legal right to do so, (2) information about how long certain steps in the rights-exercising process are permitted to take, and (3) the format in which the data controller will deliver copies of requested information (e.g., electronic copies).
  • Under existing rules, the Full Notice and abbreviated notices must contain the full legal name and full legal address of the data controller. The Guidelines mandate that names and addresses in abbreviated notices be identical to those in the Full Notice, which poses a challenge to companies that wish to use a single notice to cover a group of affiliates.