No, but there is an exception for necessary cookies. The requirement to inform a data subject of how such technologies can be disabled will not be applicable if such a technology or cookie is required for technical purposes. In that sense, the controller must include the use of cookies and other tracking devices (features and purposes) in the relevant privacy notice. Tacit consent (opt-out) is the general rule: when the controller intends to collect the personal data directly or personally from the data subject, they must make the privacy notice available to them prior to such collection. The data subject must be able to express their refusal to the processing of their personal data for purposes that are different from those that are necessary and that underlie the legal relationship between the controller and the data subject.
Valid consent must be:
For cookies and similar technologies, the principle of consent applies in a singular way, as personal data is being collected when the consumer relationship begins. In addition to consent requirements, there is a requirement to provide consumers with the ability to opt out. However, regulations usually require that consumers or online users be informed about how these files are being used and processed. Websites must display, in a visible section of the website, a message informing users of the cookies used and how the user may disable such technologies (to the extent it is technically possible).
Although in Mexico there are no specific guidelines on cookies and similar technologies, provisions on these can nevertheless be found in the Privacy Notice Guidelines (only available in Spanish) ('the Privacy Guidelines') issued by the National Institute for Access to Information and Data Protection.
Under Mexican data protection regulations, cookies do not fall within the definition of 'personal data'. However, through the use of cookies, personal data such as, inter alia, internet protocol ('IP') addresses, personal preferences, and content personalisation, may be collected.
When the controller uses mechanisms in remote or local means of electronic, optical, or other communication technology, which allow for the collection of personal data automatically and simultaneously while the data subject makes contact with them, the controller must immediately inform the data subject. The data subject must be informed, through a communication or warning placed in a visible place, of the use of these technologies and the fact that personal data is obtained from them, as well as how they can be disabled.
In this sense, Mexican data protection law obliges controllers, in a broad sense, to notify of any use of cookies or other tracking devices in the relevant privacy notice, and to provide a means of disabling them.
In addition, the E-Commerce Regulation considers it good practice to provide mechanisms that guarantee the protection and confidentiality of personal data, by allowing users and consumers to actively mark or select privacy settings when this is possible and does not affect the proper functioning of the website.
Yes, for necessary technical purposes.
Yes; however, data subjects must be provided with information as described in question 1 and an opt-out mechanism.
Yes, to the extent no sensitive or financial data will be processed by cookies.
No.
No. According to the Data Protection Law, it is necessary to place a cookie banner or 'pop-up' on the website or app where cookies and similar technologies are used.
There are no specific requirements or guidance regarding cookie walls. However, considering the provisions on cookies established in the law, it is reasonable to interpret cookie walls as not lawful under Mexican data protection law.
Yes. Although there is no express infringement provided in the Law in connection with the use of cookies and there are no relevant decisions from the National Institute of Transparency, Access to Information and Protection of Personal Data (INAI) in this regard, sanctions may be based on lack of consent for processing or transferring of personal data, or when the data subject is not duly informed through a privacy notice.
None that we are aware of.
Yes.
In March 2023, the Mexican Supreme Court ruled that INAI is an autonomous constitutional entity with regulatory authority, giving it powers to issue certain regulations necessary for its proper operation and with the aim of improving data protection compliance in the country. Therefore, developments should be expected in the future.