Mexico

Can you place cookies without consent?

No, but there is an exception for necessary cookies. The requirement to inform a data subject of how such technologies can be disabled will not be applicable if such a technology or cookie is required for technical purposes. In that sense, the controller must include the use of cookies and other tracking devices (features and purposes) in the relevant privacy notice. Tacit consent (opt-out) is the general rule: when the controller intends to collect the personal data directly or personally from the data subject, they must make the privacy notice available to them prior to such collection. The data subject must be able express their refusal to the processing of their personal data for purposes that are different from those that are necessary and that underline the legal relationship between the controller and the data subject.

Valid consent must be:

  • freely given without error, bad faith, violence, or fraud, which may affect the data subject’s expression of will;
  • specific: referring to one or more specific purposes that justify the processing; and
  • informed: the data subject must be aware of the privacy notice prior to the processing to which their personal data will be subject and the consequences of giving their consent.

For cookies and similar technologies, the principle of consent applies in a singular way, as personal data is being collected when the consumer relationship begins. In addition to consent requirements, there is a requirement to provide consumers with the ability to opt-out. However, regulations usually require that consumers or online users must be informed about how these files are being used and processed. Websites must include a message informing users of the cookies used, how the user may disable such technologies (to the extent it is technically possible) and this should be displayed in a visible section of the website.  

Are cookie rules (whether specific or within general data protection laws) followed in practice?

Although in Mexico there are no specific guidelines on cookies and similar technologies, provisions on these can nevertheless be found in the Privacy Notice Guidelines (only available in Spanish here) ('the Privacy Guidelines') issued by the National Institute for Access to Information and Data Protection.

Under Mexican data protection regulations, cookies do not fall within the definition of 'personal data'. However, through the use of cookies, personal data such as, inter alia, internet protocol ('IP') addresses, personal preferences, and content personalisation, may be collected.

When the controller uses mechanisms in remote or local means of electronic, optical, or other communication technology, which allow for the collection of personal data automatically and simultaneously while the data subject makes contact with them, the controller must immediately inform the data subject. The data must be informed through a communication or warning placed in a visible place as to the use of these technologies and the fact that personal data is obtained from them, as well as how they can be disabled.

In this sense, Mexican data protection law obliges controllers, in a broad sense, to notify of any use of cookies or other tracking devices in the relevant privacy notice, and to provide a means of disabling them.

In addition, the E-Commerce Regulation considers it good practice to provide mechanisms that guarantee the protection and confidentiality of personal data, by allowing users and consumers to actively mark or select privacy settings when this is possible and does not affect the proper functioning of the website.

Are there any exemptions if consent is required?

Yes, for necessary technical purposes.

Can you place the following cookies automatically:

i. Analytics cookies, ii. Advertising cookies, iii. Social media cookies

Yes, however data subjects must be provided with information as described in question 1 and an opt out mechanism.

Are you able to gain consent without a user ticking ‘accept’, i.e., imply consent from a user continuing to browse the site?

Yes, to the extent no sensitive or financial data will be processed by cookies.

Can you set cookies without a cookie notice? 

No.

Can you set cookies without a cookie banner/ management tool?

No. According to the Data Protection Law, it is necessary to place a cookie banner or 'pop-up' on the website or app where cookies and similar technologies are used.

Are you able to use cookie walls? 

There are no specific requirements or guidance regarding cookie walls. However, considering the provisions on cookies established in the law, it is reasonable to interpret cookie walls not to be lawful under the Mexican data protection law.

Is the local regulator currently enforcing decisions against breaches of cookie rules?

Yes. Although there is no express infringement provided in the Law in connection with the use of cookies and there are no relevant decisions from the National Institute of Transparency, Access to Information and Protection of Personal Data  (INAI) in this regard, sanctions may be based on lack of consent for processing or transferring of personal data, or when the data subject is not duly informed through a privacy notice. 

Are there any current consultations relating to ad tech/cookies?

None that we are aware of.

Are there any anticipated changes to the rules and/ or have there been changes to the attitudes in the market (for example, case law or industry body decisions)?

Yes.

In March 2023, the Mexican Supreme Court ruled INAI is an autonomous constitutional entity with regulatory authority, giving it powers to issue certain regulations necessary for its proper operation and with the aim of improving data protection compliance in the country. Therefore, developments should be expected in the future.