Mexico Fines Football Federation $2.3 Million for Data Privacy Violations
Translated from Spanish, summarized and contextualized by DistantNews.
At a glance
- Mexico's government has fined the Mexican Football Federation (FMF) 42.8 million pesos (approximately $2.3 million) for violating data protection laws with its FAN ID system.
- The FMF failed to properly inform fans about the use of biometric data and obtain explicit consent, particularly regarding sensitive personal information like photographs.
- The FAN ID system was used for stadium access during the World Cup, and the fine reflects the severity of the infractions and the sensitive nature of the data handled.
The Mexican government has imposed a substantial fine of 42.8 million pesos, equivalent to about $2.3 million, on the Mexican Football Federation (FMF). This penalty stems from violations of personal data protection legislation concerning the operation of the FAN ID system, which was implemented for stadium access during the ongoing World Cup.
The Secretariat for Anticorruption and Good Governance concluded that the FMF did not adequately inform fans about the processing of their biometric data. Crucially, the federation failed to obtain the explicit consent required by law, particularly concerning sensitive personal information. This oversight prevented individuals from fully understanding how their data was being used.
This omission prevented data subjects from knowing the real scope of the processing of their personal information and being able to make an informed decision about its use.
Specifically, the FMF was found to have committed two infractions. Firstly, it did not disclose that photographs collected for the FAN ID constituted sensitive personal data in its privacy notice. Secondly, the federation obtained consent through a pre-checked box on a website, a method deemed insufficient by the authority for handling sensitive personal data. The law requires explicit, written, and unequivocal consent for such information.
The penalty amount was determined based on the severity of the violations, the sensitive nature of the biometric data, and the FMF's financial capacity, as indicated by its 2024 tax return. The FMF retains the right to challenge the resolution through legal means. The FAN ID system was introduced by the FMF following incidents of stadium violence, aiming to identify fans attending matches.
To process sensitive data, the law requires express and written consent from the data subject, which must be unequivocal, meaning there are elements that undoubtedly demonstrate its granting.
Originally published by ABC Color in Spanish. Translated, summarized, and contextualized by our editorial team with added local perspective. Read our editorial standards.