Mexican Football Federation fined $2.5 million for data privacy violations
Translated from Spanish, summarized and contextualized by DistantNews.
At a glance
- Mexico's Anti-Corruption Secretariat fined the Mexican Football Federation (FMF) 42.8 million pesos for violating personal data protection laws.
- The violations involved the "FAN ID" system, where the FMF failed to obtain explicit consent for processing sensitive biometric data.
- The federation also failed to adequately inform fans that their biometric data was considered sensitive, breaching data protection principles.
The Mexican Football Federation (FMF) has been hit with a significant fine of 42.8 million pesos by the Secretariat of Anti-Corruption and Good Governance. The penalty stems from violations of personal data protection laws related to the "FAN ID" system, which collects biometric data from fans.
The FMF did not adequately inform fans that their biometric data was considered sensitive personal data.
According to the federal agency, the FMF committed two key infractions. Firstly, it failed to properly inform fans that the photographs collected for the "FAN ID" were considered sensitive biometric data. The privacy notice did not adequately explain the scope of personal data treatment, preventing individuals from making informed decisions about the use of their information.
Secondly, the FMF did not obtain explicit, written consent from fans to process this sensitive data. The law requires unequivocal consent for sensitive information, which the federation failed to secure. Instead, it relied on a simple checkbox on a website without any form of verifiable signature or electronic authentication.
The FMF did not obtain express and written consent from the data subjects to process their sensitive data.
The Secretariat also determined that the FMF breached principles of responsibility and legality by not implementing necessary measures for proper data handling. The fine amount was calculated based on the severity of the infractions, the sensitive nature of biometric data, and the FMF's economic capacity, as indicated by its 2024 tax filings.
The FMF limited itself to using the marking of a box on a website, without collecting an autograph or electronic signature or any other authentication mechanism that would undoubtedly prove that it was the holder who granted consent.
Originally published by El Universal in Spanish. Translated, summarized, and contextualized by our editorial team with added local perspective. Read our editorial standards.