Outbound Call and Data Privacy Regulations in Mexico
Comprehensive guide to the regulatory framework, compliance requirements, and best practices
Copyright Notice
This research report belongs to MOBILETALK-Q SL, with Tax ID ESB27763127, and has been originally published on May 5, 2025 at talk-q.com/outbound-call-regulations-in-mexico.
Table of Contents
- Do Not Call (DNC) Lists in Mexico
- Do Not Originate (DNO) and Anti-Fraud Call Measures
- Data Privacy Regulations (LFPDPPP) and Comparison to GDPR
- Call Center Operational Regulations in Mexico
- Regulatory Bodies and Their Roles
- Mandatory Registrations and Relevant Databases
- Considerations for Foreign Companies Targeting Mexican Consumers
- Best Practices and Compliance Tips
Do Not Call (DNC) Lists in Mexico
Mexico's consumer protection law provides for a national "do not call" registry to shield consumers from unwanted telemarketing. The Registro Público para Evitar Publicidad (REPEP), maintained by PROFECO (Federal Consumer Protection Agency), is the official DNC list. Consumers can register their phone numbers (mobile or landline) with REPEP – by calling a designated number or via PROFECO's website – to opt out of telemarketing calls for goods, products or services. Once a number is registered, telemarketers have 30 calendar days to cease advertising calls to that number. Companies are prohibited from calling or sending marketing messages to consumers who have expressly indicated they do not wish to receive advertising or who are listed in the REPEP. This prohibition extends to using consumers' personal information for marketing if they have opted out.
Compliance obligations for companies
Telemarketers must consult the REPEP and refrain from contacting any numbers on it. In practice, firms engaging in outbound calls must subscribe to the REPEP database (by region) and regularly scrub their call lists. PROFECO provides access to updated REPEP lists for a fee – for example, an annual subscription for Mexico City numbers costs about MX$24,762.98, with lower fees for other states or a semiannual term. Companies can obtain these lists through PROFECO's online portal or in person, and they must renew their access periodically to capture new registrations. Failing to honor the DNC list can lead to enforcement actions.
Sanctions for DNC violations
Non-compliance with REPEP rules constitutes a violation of the Federal Consumer Protection Law (LFPC). Article 18 Bis of the LFPC explicitly forbids suppliers from sending advertising to consumers who opted out or are in the DNC registry. Violators may be fined heavily – Article 127 of the LFPC provides for fines ranging from MX$701.15 up to MX$2,243,671.49 for breaching this provision. PROFECO can impose these penalties, and in serious or repeat cases it may even apply suspensions of operations (up to 90 days) or additional sanctions. In short, telemarketers in Mexico must scrupulously avoid contacting any consumer who has registered in REPEP or otherwise withdrawn consent, or face significant fines.
Scope of the DNC list
It's important to note the scope of the DNC list: REPEP covers marketing calls from businesses in sectors like telecom, tourism, retail, etc. Certain calls are excluded from DNC restrictions – for instance, debt collection calls, political campaign calls, charitable solicitations, or opinion surveys are not under PROFECO's purview and thus may still be made even if a number is on REPEP. (These are regulated separately or not at all.) Additionally, financial services calls (from banks, insurers, etc.) are handled by a different opt-out registry, discussed next.
REUS – financial services DNC
Mexico has a separate do-not-contact list for financial product offers called the Registro Público de Usuarios (REUS), overseen by CONDUSEF (National Commission for the Defense of Financial Services Users). Consumers who do not wish to receive bank or financial telemarketing (credit card offers, insurance sales, etc.) can register in REUS. The REUS is a directory of users of financial services who do not want to be bothered with promotions by financial institutions. Banks, credit issuers, insurance companies and other financial institutions must check the REUS and are barred from cold-calling or emailing promotions to any consumer listed. Like REPEP, registration in REUS is free for consumers (done online, by phone, or at CONDUSEF offices), and companies are expected to comply or face sanctions under financial consumer protection rules. In fact, recently legislators have moved to tighten rules on financial telemarketing, explicitly prohibiting financial institutions from sharing or using customer data for marketing without consent (see Call Center Regulations below).
Accessing and consulting DNC lists
Companies operating call centers need to integrate REPEP/REUS checks into their processes. Typically, a company must register with PROFECO/CONDUSEF to query these databases. PROFECO's system allows businesses to purchase the list segmented by region (e.g., Mexico City, by area code) and download updates. CONDUSEF's REUS can be consulted through its portal or via requests to the commission. Best practice is to screen any contact list against both REPEP and REUS (for relevant sectors) on a recurring basis (e.g. monthly) to remove newly registered numbers. The law gives consumers the right to file complaints if they continue to receive unsolicited calls 30 days after registering. PROFECO has reported thousands of such complaints, and firms have been fined accordingly. In summary, before initiating any outbound marketing campaign in Mexico, a company must cleanse its call list against the national DNC registries to avoid contacting protected consumers.
"Do Not Originate" (DNO) and Anti-Fraud Call Measures
The concept of "Do Not Originate" – blocking calls that spoof legitimate or unused numbers – is an emerging measure globally to combat fraudulent calls. In Mexico, while there is no single formal DNO list published for public use, regulators are increasingly implementing DNO-like mechanisms through telecom rules to curb scam calls and number spoofing. The Federal Telecommunications Institute (IFT), which regulates telecom carriers, has recognized the need for carriers to prevent the origination of calls from numbers that should not generate traffic (such as unassigned numbers or numbers only used for inbound calls).
Current status
Mexico's telecom operators (carriers) have been collaborating with IFT to address spam and fraud calls. In early 2024, major mobile carriers signed an agreement on "Acciones para la Prevención de Spam en Comunicaciones Móviles" (Actions for Preventing Mobile Spam). Furthermore, the IFT has drafted new "Lineamientos" (guidelines) on voice call security and CLI (Caller Line Identification) management, which introduce DNO-type obligations. According to the draft IFT guidelines, voice service providers must authenticate caller ID information and block calls that fail certain validity checks. For example, carriers would be required to block calls where the calling number is not a valid number or not assigned to any user, as well as calls using numbers that don't conform to the national numbering plan. They also must block obviously spoofed scenarios, such as calls that appear to come from the recipient's own number. In practice, this means if a fraudster tries to impersonate a legitimate entity's number (e.g. a government agency or bank) or use a number that isn't even in service, Mexican telecom networks should detect and prevent that call from completing.
While these rules are in the proposal/early implementation stage, they signal that DNO is being adopted indirectly. IFT's draft explicitly cites international best practices – noting that regulators abroad require strict observance of "Do Not Call" lists and call blocking to protect users from fraud and spam. Mexican operators are expected to take similar steps. Some measures likely to be mandated or already voluntarily in place include:
- Blocking of unallocated or invalid numbers: If a caller ID comes in with a number that is not assigned to any customer (or not allocated to the originating carrier), the call can be presumed illegitimate and dropped. This prevents scams that spoof random or unused numbers.
- Blocking of certain high-risk patterns: As noted, calls where the Caller ID mimics the called party's number, or where a domestic call carries a caller ID that doesn't match Mexican numbering format, must be filtered out.
- Incoming international call screening: Mexican international gateway operators will be required to block foreign-originated calls that fraudulently present a Mexican number as their Caller ID. (Legitimate foreign calls should normally show a non-Mexican number or an approved identification.) This helps stop schemes where overseas scammers pretend to be calling from a local number.
- Preventing misuse of official numbers: Although not explicitly stated, it is expected that numbers reserved for government institutions or emergency services (e.g., 911) will be protected so that calls appearing to originate from them are not completed – a classic DNO measure.
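The checks listed above can be read as an ordered caller-ID screen at the carrier edge. The sketch below is an added example, not code from this report or from the IFT draft. The function names, the `ingress` labels, the reason codes and all numbers are constructed for illustration, and it assumes 10-digit national numbers under country code 52.

```python
import re

MX_CC = "52"    # Mexico's country code
MX_LEN = 10     # assumption: national numbers are 10 digits long

def parse_cli(raw):
    """Classify a caller ID as ('mx', national), ('intl', digits) or ('invalid', None)."""
    s = re.sub(r"[\s().-]", "", raw or "")
    if s.startswith("+"):
        digits = s[1:]
        # E.164 numbers carry at most 15 digits after the plus sign
        if not (digits.isascii() and digits.isdigit()) or len(digits) > 15:
            return ("invalid", None)
        if digits.startswith(MX_CC):
            national = digits[len(MX_CC):]
            return ("mx", national) if len(national) == MX_LEN else ("invalid", None)
        return ("intl", digits)
    if s.isascii() and s.isdigit() and len(s) == MX_LEN:
        return ("mx", s)
    return ("invalid", None)

def screen_call(calling, called, ingress, assigned, dno, approved_foreign=frozenset()):
    """Return (action, reason). ingress is 'domestic' or 'international' (hypothetical labels)."""
    kind, cli = parse_cli(calling)
    if kind == "invalid":
        return ("block", "invalid_format")            # not a dialable number at all
    if kind == "intl":
        if ingress == "domestic":
            return ("block", "non_mx_cli_on_domestic")  # domestic call, foreign-format CLI
        return ("allow", "ok")
    if cli in dno:
        return ("block", "do_not_originate")          # inbound-only or protected number
    if ingress == "international" and cli not in approved_foreign:
        return ("block", "foreign_origin_mx_cli")     # foreign call presenting a Mexican CLI
    if parse_cli(called) == ("mx", cli):
        return ("block", "cli_equals_called")         # caller ID mirrors the called party
    if cli not in assigned:
        return ("block", "unassigned")                # number not assigned to any user
    return ("allow", "ok")

# Constructed sample data: none of these are real subscriber numbers.
ASSIGNED = {"5500000001", "5500000002", "5500000911"}
DNO = {"5500000911"}   # e.g. a hotline that only ever receives calls

SAMPLE_CALLS = [
    ("+52 55 0000 0001", "5500000002", "domestic"),
    ("5500000911", "5500000002", "domestic"),
    ("5599999999", "5500000002", "domestic"),
    ("12345", "5500000002", "domestic"),
    ("5500000002", "+52 55 0000 0002", "domestic"),
    ("5500000001", "5500000002", "international"),
    ("+14155550100", "5500000002", "international"),
]

def screen_sample():
    """Screen the constructed calls above and return the reason code for each."""
    return [screen_call(a, b, i, ASSIGNED, DNO)[1] for a, b, i in SAMPLE_CALLS]

if __name__ == "__main__":
    for call, reason in zip(SAMPLE_CALLS, screen_sample()):
        print(call, "->", reason)
```

For a legitimate call center the useful reading is the first sample line: a call passes only when the presented number is well-formed, assigned, allowed to originate traffic, and arrives on the expected route.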
Use in fraud prevention
These DNO-style interventions are aimed squarely at tackling robocalls, Wangiri callbacks, and impersonation scams. Mexico, like many countries, has seen a rise in spam calls and incidents where criminals spoof bank phone numbers or government lines to defraud people. By enforcing network-level blocks on disallowed originations, telecom providers can dramatically reduce such fraudulent traffic. For instance, if scammers spoof a bank's main customer service number, the DNO rules would flag that the number is not actually originating from the bank's facilities and block the call, thus protecting consumers. IFT has highlighted that caller ID spoofing (suplantación de identidad) is a particularly harmful practice that needs addressing because it erodes trust and facilitates fraud.
It is worth noting that Mexico's efforts in this area are evolving. The IFT is also studying caller ID authentication frameworks akin to STIR/SHAKEN (already mandated by the U.S. FCC). As IP-based telephony grows, implementing digital signature of calls will further help verify originating numbers. While STIR/SHAKEN is not yet a requirement in Mexico, awareness is growing. We can expect that in the near future Mexican carriers will deploy authentication systems and maintain internal "do-not-originate" lists (for numbers like government hotlines, etc.) as standard practice.
Bottom line
Companies operating call centers should be aware that Mexican telecom networks may automatically block certain types of calls deemed fraudulent. If your outbound dialing uses a Mexican number as caller ID, ensure it is a number properly assigned to your organization. Avoid practices like neighbor-spoofing (using numbers similar to those you call) or masking your identity, as these might run afoul of telecom filtering. The trend is that regulators and operators will increasingly filter out illegitimate or spoofed calls to protect consumers. While this primarily impacts scammers, legitimate call centers should take care to use accurate caller identification and follow numbering rules so their calls are not inadvertently blocked under these anti-spam measures.
Data Privacy Regulations (LFPDPPP) and Comparison to GDPR
Overview of Mexico's data protection law
Mexico's comprehensive data protection statute is the Federal Law on the Protection of Personal Data Held by Private Parties, often abbreviated LFPDPPP (for Ley Federal de Protección de Datos Personales en Posesión de los Particulares). Enacted in 2010 (and updated in 2025), this law regulates how businesses and other private entities must handle personal data. Its goal is to ensure the processing of personal information is legitimate, controlled, and informed, in order to guarantee individuals' privacy and their right to "informational self-determination". In essence, any company collecting or using personal data in Mexico must comply with the LFPDPPP. The law applies to all private persons or companies that process personal data, regardless of size or industry. (Notably, there is a separate law for data held by government bodies, and certain exceptions like credit bureaus governed by a special law.)
Core requirements and principles
The LFPDPPP is built on a set of fundamental principles very similar to those found in regulations like the EU's GDPR. According to the law, data controllers must adhere to principles of lawfulness, consent, information, quality, purpose limitation, loyalty, proportionality, and accountability when processing personal data. These principles translate into concrete obligations, including:
Consent
As a general rule, data processing requires the data subject's consent. Mexico recognizes two forms of consent:
- Tacit consent – if a privacy notice has been provided to the individual and they do not object, consent is inferred. For most ordinary (non-sensitive) personal data, tacit consent is permitted by law, meaning that after you inform the person of your privacy policy, you may proceed unless they say "no."
- Express consent – the individual affirmatively agrees (in writing, electronically, or verbally) to the data processing. Sensitive personal data (e.g. health information, financial data, biometric identifiers, etc.) requires express consent, in writing. In practice, many companies obtain express consent via checkboxes or signed forms especially for sensitive data or when required by other regulations. (If another law requires express consent for certain data uses, that must be honored as well.)
The law does not require consent in a few limited situations – for example, when processing is necessary for a legal obligation, for the performance of a contract with the data subject, or for exercise of legal rights, etc., similar to some GDPR legal bases. But by default, consent (tacit or express) is the cornerstone for using personal data in marketing contexts.
Privacy Notice (Aviso de Privacidad)
Data controllers must provide a clear and comprehensive privacy notice to individuals at the time of data collection. The privacy notice is a document or statement that informs data subjects about how their information will be used. According to the LFPDPPP, an integral privacy notice should include at least:
- The identity and address of the data controller (the company collecting the data).
- The purposes of processing – describing why the data is collected and how it will be used.
- The options and means offered to data subjects to exercise their rights (access, rectification, cancellation, opposition) and to revoke consent.
- Information on any data transfers to third parties, and how the data subject can limit use or disclosure of their data.
The notice must be made available before or at the time the data is obtained (if data is collected directly from the person). In telemarketing scenarios, this can be tricky – best practice is to have a brief verbal notice at call start or a readily available full notice on a website and inform the person where to find it. If data is obtained indirectly, a privacy notice still should be provided to the individual via an accessible medium (e.g., email or public posting).
Privacy notices in Mexico can be provided in layered formats (short/summary notice vs. full notice). Regardless of format, the content requirements above must be met in some form. The notice must be easy to understand, written in plain language, and must not contain misleading or vague terms.
Purpose limitation and proportionality
Personal data may only be processed for the purposes stated in the privacy notice and for purposes that are legitimate, relevant, and not excessive. Companies cannot use the data for purposes beyond what was consented to. For example, if you collected a customer's phone number for a product delivery, you cannot later use it for telemarketing unless you obtained consent for that purpose, as that would violate the principle of purpose limitation (and likely the law's requirement of consent for marketing uses).
Data quality and accuracy
The data held should be accurate, complete, and kept up to date to ensure it is reliable for its intended use. If data is no longer necessary or is incorrect, controllers should correct or delete it to uphold data quality.
Security measures and breach notification
Companies must adopt administrative, technical, and physical safeguards to protect personal data from unauthorized access, loss, or leakage. The LFPDPPP requires data controllers to implement appropriate security measures (proportional to the sensitivity of the data) and imposes a duty of confidentiality on those who process data. If a data breach occurs that "significantly affects the property or moral rights" of individuals, the controller is obligated to inform the affected individuals so they can take appropriate actions. In practice, this means if a call center or company experiences a leak of customer data (say, a list of phone numbers with associated personal details), they should notify those individuals about the incident and provide guidance (though the law doesn't set a strict 72-hour rule as GDPR does for notifying authorities). Currently, unlike GDPR, Mexican law does not mandate notifying the regulator (INAI) of breaches in the private sector, but notifying the data subjects is required in certain serious cases. Preventing data breaches through strong security and training is a key part of compliance, and failing to protect data can lead to enforcement action and liability.
Data Subject Rights (ARCO rights)
Mexico recognizes the rights of individuals to Access, Rectify, Cancel, and Oppose the processing of their personal data – commonly known as ARCO rights. A data subject can request:
- Access – to be informed what personal data a company holds about them and to obtain a copy.
- Rectification – to correct or update their data if it is inaccurate or outdated.
- Cancellation – to cancel or delete their data when they believe it's not being lawfully processed or is no longer needed (akin to the right to erasure).
- Opposition – to object to specific processing (for legitimate reasons). For instance, a person can object to their data being used for marketing; once exercised, the company must cease that use (similar to GDPR's right to object to direct marketing, which must be honored). Mexican law explicitly gives individuals the right to opt-out of marketing at any time, separate from the REPEP list – they can withdraw consent or demand stoppage directly with the company as well.
Companies must provide easy mechanisms for individuals to exercise ARCO rights – typically an email or portal to send requests – and respond within the timelines set by law (usually 20 business days to respond, plus 15 more days to execute the request if approved, under the original 2010 law's rules). Denials are only permitted on limited grounds (e.g., a legal requirement to keep the data). Importantly, if an individual opts out or withdraws consent for marketing calls, the company must honor that and place the person on an internal do-not-call list in addition to the national REPEP.
Data transfers
If a company wishes to share personal data with third parties (e.g., selling a leads list to another telemarketing firm, or transferring data to a parent company abroad), the law requires certain precautions. In general, transfers of personal data to third parties require the consent of the data subject, unless a statutory exception applies. The privacy notice should disclose what transfers are intended. For international transfers, the data controller must ensure the recipient country or entity will protect the data according to standards similar to Mexican law. Often this is done via contractual clauses with the recipient. (Under the new 2025 law changes, it appears the obligation to explicitly list data transfers in the privacy notice was eliminated to streamline notices, but the requirement to have consent for certain transfers and to ensure adequate protection by the recipient remains.) If the call center is going to send personal data (like calling lists) to a foreign call center or cloud provider, it must have an agreement in place and ideally get consent from individuals, unless it falls under allowable exceptions.
Accountability
Mexico's law, especially with the 2025 update, reinforces the principle of accountability (responsabilidad). Organizations must not only comply but be able to demonstrate compliance. This includes having a privacy policy, training employees who handle personal data (such as call center agents) on confidentiality, and perhaps appointing a person or department in charge of data protection. While the LFPDPPP does not formally require appointing a Data Protection Officer as GDPR does, it strongly implies that controllers should have someone responsible for overseeing data protection compliance and responding to data subjects (often termed the "Department of Personal Data" in companies). Record-keeping of processing activities and obtaining certifications (where available) are also part of demonstrating accountability.
Applicability to domestic vs. foreign companies
The LFPDPPP has a scope that can extend to companies outside Mexico in certain scenarios. Generally, the law applies to processing carried out on Mexican territory by any private party. For foreign companies with a presence in Mexico (e.g., a Mexican subsidiary or office), the law clearly applies to their operations in Mexico. Additionally, if a company with no establishment in Mexico "uses means located in Mexican territory" to process personal data, the law applies except when those means are used only for transit. This provision could encompass, for example, a foreign call center that makes calls into Mexico using Mexican telecom infrastructure or stores data on servers in Mexico. In practice, enforcement against an entirely foreign entity is challenging, but if the foreign company is targeting Mexican consumers (thus collecting Mexican personal data), they should assume Mexican law protects those individuals. At the very least, Mexican consumers have rights under this law that they could attempt to exercise even against a foreign data controller. For instance, a person in Mexico could demand ARCO rights from a foreign e-commerce or telemarketing company that collected their data. If that company ignores the request, the individual might file a complaint with the Mexican data authority (which could lead to the authority seeking cooperation from foreign counterparts or taking action if the company later enters Mexico).
It's also worth noting that in March 2025 a new version of the LFPDPPP was published, which repealed the 2010 law and introduced some changes. Notably, the enforcement authority changed (discussed under Regulatory Bodies below). Substantively, the 2025 law kept the core principles and rights intact, but updated certain definitions and requirements. For example, the definition of "controller" (responsable) was broadened to include any person who processes personal data, even if they don't make decisions about the processing, effectively extending obligations to data processors as well. Privacy notices no longer need to list third-party data transfers, but must explicitly list what data will be processed (distinguishing sensitive data) and which purposes require consent. The new law also formalized concepts like data retention periods (requiring data to be blocked and then deleted once the retention period expires). It strengthened confidentiality duties (making sure employees and contractors keep data confidential even after their involvement ends). It clarified that the right to object includes the right to oppose processing based on automated decision-making that significantly affects the person. However, notably, the new law did not add certain GDPR-style concepts that were absent before – there is still no explicit right to data portability, no mandated privacy by design/default, and no requirement for DPIAs (privacy impact assessments) in the Mexican law. So while the 2025 update modernized some aspects, it is still not as stringent or comprehensive as the EU's GDPR in those advanced areas.
Comparison with GDPR
There are many similarities between Mexico's LFPDPPP and the EU GDPR, but also key differences:
- Both frameworks uphold core principles of lawful, fair, and transparent processing, purpose limitation, data minimization/proportionality, accuracy, storage limitation, security, and accountability. Mexico's list of principles maps closely to these (e.g., "quality" and "proportionality" align with data minimization and accuracy).
- Data subject rights are comparable: Mexico's ARCO rights parallel GDPR's access, rectification, erasure (cancelación), and objection rights. One difference: GDPR provides an explicit right to data portability and a right to restriction of processing, which Mexico's law does not explicitly grant. Mexico's law does have the concept of data cancellation (erasure) and after the 2025 update it implicitly includes something akin to restriction in the requirement to block data prior to deletion, but portability (the ability to obtain your data in a reusable format and transfer it) is not a guaranteed right under LFPDPPP.
- Legal bases for processing: GDPR offers multiple legal justifications for processing (consent, contract necessity, legal obligation, vital interests, public interest, legitimate interests). LFPDPPP is more consent-centric. While it does allow some exceptions where consent isn't needed, it doesn't have a broad category like "legitimate interests" that a controller can independently invoke for marketing. In Mexico, for marketing calls, one should generally have consent (even if tacit) and honor any objection. This means Mexican law is in some ways stricter about requiring consent for marketing than a regime like GDPR which allows a company to argue "legitimate interest" for marketing provided the individual hasn't objected. In Mexico, unsolicited marketing would typically violate the consumer's right to privacy unless they failed to opt-out via the provided notice (tacit consent scenario) or explicitly opted in.
- Extraterritorial reach: GDPR famously has extraterritorial scope (it can apply to non-EU companies processing EU residents' data if they target the EU). Mexico's law is primarily territorial (focused on processing in Mexico or using Mexican means). A foreign company without any presence in Mexico might not de jure fall under LFPDPPP unless it's using equipment/means in Mexico. In telemarketing terms, if a call originates entirely abroad and the data is stored abroad, the company might not be easily subject to Mexican law enforcement – but the individuals are still protected from a consumer law standpoint (through PROFECO's rules) and potentially could raise issues under privacy law if the foreign company later comes into Mexican jurisdiction.
- Enforcement and penalties: GDPR violations can lead to fines up to 4% of global annual turnover or €20 million (whichever is higher). Mexico's data protection law has its own penalty scheme, which historically allowed fines up to approximately MX$50 million (depending on unit multipliers) and even criminal penalties (e.g., unauthorized commercial use of sensitive data could result in criminal charges with prison terms). Under the 2025 law, enforcement is being restructured under a new authority, but we expect the fines to remain significant (though generally not as high as GDPR's percentage-of-revenue model). One source indicates fines could go up to about $6 million MXN for serious infractions under the updated law. Additionally, GDPR has a strict breach notification to authorities (72 hours) and potential compensation to individuals. Mexican law focuses more on corrective measures and fines, with individuals having the right to sue for damages in court separately if a violation caused harm (though such cases have been rare).
In summary, Mexico's data privacy regime shares many of the user-centric protections of GDPR but is somewhat less far-reaching. Companies should not assume it is "lighter," however – the consent and notice requirements are robust and enforced by the data protection authority. In the context of call centers, this means any personal data of Mexican consumers (like phone numbers, call recordings, etc.) must be handled in line with these requirements. Before calling someone, ensure you have provided a privacy notice and have at least tacit consent to use their data for that call (if not, you may be violating LFPDPPP in addition to the consumer DNC rules). Telemarketing lists should consist of individuals who at some point gave their data for such purposes (for example, they signed up on your website or are existing customers) – buying random lead lists without proper consent can lead to legal trouble under LFPDPPP. Also, if a consumer asks "How did you get my number?" or requests not to be called, the agent should be prepared to handle that in compliance with both privacy and consumer regulations (e.g., direct them to the company's privacy officer or opt them out immediately).
Call Center Operational Regulations in Mexico
Operating a call center in Mexico entails complying not only with data and consumer protection laws as discussed, but also with specific rules governing telemarketing practices and labor standards. Recent regulatory attention has been given to telemarketing call practices, call timing, consent, and employee working conditions. Below are key regulations and standards:
Telemarketing call rules (operating hours and consent)
In response to consumer complaints about harassment and abuse by incessant calls, Mexico's legislature has moved to strictly regulate when and how call centers can contact individuals for promotional purposes. Amendments to the consumer protection law (and related laws) have introduced time-of-day and day-of-week restrictions on telemarketing calls. Promotional calls are only allowed Monday through Friday, between 8:00 a.m. and 7:00 p.m. local time. Calls are prohibited on weekends (Saturdays and Sundays) and official public holidays. These limits aim to protect consumers' peace and rest periods. A call center must schedule its outbound campaigns within the permitted hours; calling outside of 8am-7pm on a weekday, or at any time on a Sunday, is now against the law for marketing calls.
In addition, there has been a shift toward a consent-based model for telemarketing. While historically Mexico used the opt-out approach (i.e., everyone can be called unless they register in REPEP), lawmakers debated flipping this to an opt-in system. An initial Senate proposal aimed to require that only consumers who explicitly opt in (sign up on a list to receive promotions) can be called. However, that particular change was not adopted in the final version – REPEP remains an opt-out list as before. Nonetheless, the spirit of the reform is clear: telemarketing must respect consumer consent. The law now emphasizes that calls should not be made to anyone who has not given consent. In practice, this means call centers should treat the absence of an explicit opt-in as a do-not-call, aside from existing customers where some implicit consent might be inferred. It's wise to maintain an internal list of consumers who have consented (e.g., through a web form or agreement) if you plan to call individuals not covered by a previous relationship. Any call to a person who "has not consented to be contacted" can be grounds for penalties.
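A pre-dial gate that combines the registry scrub described under "Accessing and consulting DNC lists" with the calling-hour limits above might look like the following. This is an added example, not code from this report or from PROFECO or CONDUSEF. All function names, reason codes, numbers and registry contents are constructed, the 7:00 p.m. limit is treated as exclusive, and a registry snapshot older than 30 days is treated as unsafe because numbers registered after it was taken would by then be binding.

```python
from datetime import date, datetime, timedelta

OPEN_HOUR, CLOSE_HOUR = 8, 19            # 8:00 a.m. to 7:00 p.m., Monday to Friday
MAX_SNAPSHOT_AGE = timedelta(days=30)    # registrations bind after 30 calendar days

def may_dial(number, local_dt, *, financial, repep, reus, internal_optout,
             holidays, snapshot_date):
    """Return (allowed, reason) for one promotional call attempt.

    local_dt is a naive datetime in the called party's local time.
    repep / reus are sets of numbers from the last registry download.
    """
    if number in internal_optout:
        return (False, "internal_opt_out")        # opted out directly with the company
    if local_dt.date() - snapshot_date > MAX_SNAPSHOT_AGE:
        return (False, "registry_snapshot_stale") # scrub data too old to rely on
    if number in repep:
        return (False, "repep")
    if financial and number in reus:
        return (False, "reus")                    # REUS only matters for financial offers
    if local_dt.weekday() >= 5:
        return (False, "weekend")
    if local_dt.date() in holidays:
        return (False, "public_holiday")
    if not (OPEN_HOUR <= local_dt.hour < CLOSE_HOUR):
        return (False, "outside_hours")
    return (True, "ok")

def next_permitted_slot(local_dt, holidays):
    """Earliest datetime at or after local_dt that falls inside the calling window."""
    t = local_dt
    while True:
        day_ok = t.weekday() < 5 and t.date() not in holidays
        if day_ok and t.hour < OPEN_HOUR:
            return t.replace(hour=OPEN_HOUR, minute=0, second=0, microsecond=0)
        if day_ok and t.hour < CLOSE_HOUR:
            return t
        # Past closing time or a blocked day: try 08:00 on the following day.
        t = (t + timedelta(days=1)).replace(hour=OPEN_HOUR, minute=0,
                                            second=0, microsecond=0)

def scrub(leads, local_dt, **ctx):
    """Split a lead list into dialable numbers and {reason: [numbers]} suppressions."""
    dialable, suppressed = [], {}
    for number in leads:
        allowed, reason = may_dial(number, local_dt, **ctx)
        if allowed:
            dialable.append(number)
        else:
            suppressed.setdefault(reason, []).append(number)
    return dialable, suppressed

# Constructed sample context: numbers and registry contents are not real.
CTX = dict(
    financial=True,
    repep={"5500000010"},
    reus={"5500000020"},
    internal_optout={"5500000030"},
    holidays={date(2025, 9, 16)},        # illustrative holiday calendar entry
    snapshot_date=date(2025, 9, 1),
)
LEADS = ["5500000010", "5500000020", "5500000030", "5500000040"]

if __name__ == "__main__":
    print(scrub(LEADS, datetime(2025, 9, 10, 10, 0), **CTX))
    print(next_permitted_slot(datetime(2025, 9, 12, 19, 30), CTX["holidays"]))
```

Logging the returned reason code for every suppressed number gives the record of compliance that a complaint or audit would ask for.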
Penalties for violating calling rules
The new amendments include specific fines for breaching the calling hour restrictions or contacting consumers without consent. Fines can range roughly from MX$783 up to MX$3.5 million for each infraction. The law makes it an infraction both to call outside permitted hours and to call someone who has not agreed to receive such calls. These fines are on a similar order as those for DNC violations, but with a higher maximum in the new framework (3.5 million pesos). Also, if a company were to persistently violate the rules (for example, a rogue call center making thousands of illegal calls), regulators could treat it as a serious offense potentially leading to business closures or revocation of permits in extreme cases, under general consumer law enforcement provisions.
Furthermore, the sharing of personal data for marketing has come under stricter control. Financial institutions are explicitly forbidden from sharing their clients' data with third parties for marketing or from having their call centers use client data for cross-selling without consent. This rule, enforced by financial regulators in coordination with consumer protection, protects bank customers from being bombarded by offers either from the bank's partners or even the bank's other departments unless they agreed. More generally, any company that shares or sells consumer information for marketing without authorization can face sanctions under both the privacy law and consumer law.
Call recording and monitoring
Call centers commonly record calls for quality assurance or record-keeping. In Mexico, call recording is allowed but subject to privacy requirements. Because a voice recording is considered personal data (it can identify or relate to an individual), LFPDPPP applies. This means the caller should be informed that the call may be recorded and the purposes of recording, typically as part of the privacy notice at the start of the call. Often this is done with a message like, "Esta llamada puede ser grabada con fines de calidad en el servicio" ("This call may be recorded for quality purposes"). By continuing the call after hearing this notice, the consumer's consent is implied (tacit). However, if the person objects to being recorded, the company should offer a non-recorded channel or respect that objection to avoid violating privacy rights. From a legal standpoint, at least one-party consent is required to record in Mexico, and given that the company is obviously a party to the call, the primary concern is notifying the other party. Best practice is always to announce the recording. Additionally, recorded calls must be safeguarded securely and only retained as long as necessary. If a customer exercises their ARCO rights, they could request the deletion of call recordings that contain their personal data (except where retention is legally needed, e.g., a recorded contract acceptance).
If the call center is handling sensitive data over the phone (credit card numbers, health info), there may be sectoral guidelines: for instance, PCI-DSS standards for payment card information (though not a law, many companies adhere to this) would require not recording the part of a call where a credit card CVV is read aloud, etc. Also, the Health Privacy norms (if applicable) would require explicit consent to record any conversation containing medical information.
Operating hours and labor considerations
Mexico's Federal Labor Law sets out maximum working hours, overtime pay requirements, mandatory breaks, and employees' rights that call centers, like any employer, must follow. There aren't special labor laws only for call center employees, but enforcement agencies pay attention to common issues in call centers such as excessive work hours or not paying legally required benefits. A standard work shift in Mexico is 8 hours a day if diurnal, or 7 hours if nocturnal, or 7.5 if mixed, with at least one rest day per week. If a call center runs multiple shifts to cover extended hours (for markets in different time zones, for example), it must ensure each agent's shift and weekly schedule complies with these limits. Overtime beyond the legal limit (9 hours per week) must be paid double or triple as mandated. Also, employees are entitled to profit-sharing (PTU), holidays, Christmas bonus (aguinaldo), and social security – call center companies must budget for and comply with all these obligations.
There are also health and safety standards: A call center environment involves long hours at a computer and telephone; employers should implement ergonomic measures and allow breaks to prevent repetitive stress or voice strain issues. During the COVID-19 pandemic, additional regulations applied for teleworkers and distancing in call centers, which might still influence best practices now.
Sector-specific regulations
Certain industries impose additional requirements on how call center communications are handled:
- In the financial sector, besides the REUS list, there are specific rules for collection calls. The CONDUSEF has guidelines on how banks and collection agencies can conduct calls to customers or debtors – for example, collection agents cannot threaten or harass, can only call within certain hours (similar to the marketing call limits, typically not late at night or very early), and must properly identify themselves and the debt. While these apply to collections (not telemarketing sales), many large financial institutions also self-regulate their telemarketing practices to avoid customer anger.
- For health data or providers, if a call center is used to communicate medical results or to market health services, health privacy laws (General Health Law and norms) classify medical data as sensitive. Express consent is required to use that data in any marketing. Also, if they call patients, they must ensure confidentiality (e.g., not disclosing sensitive info to whoever answers the call).
- Telecommunications sector: The IFT's consumer protection provisions (like NOM-184-SCFI-2018, which is an official standard for telecom service contracts) actually include a rule that telecom service providers cannot make telemarketing calls to their customers for upselling additional services without the customer's express consent. So, for instance, an internet provider in Mexico should not have its call center call you about a new package unless you agreed to receive promo calls. This is an example of a sector-specific restriction – enforced jointly by IFT and PROFECO's user rights framework – to prevent unwanted solicitation by service providers.
Quality and other standards
Mexico does not have a specific "telemarketing license" or federal permit required to operate a call center (aside from registering as a business and tax obligations). However, companies may choose to comply with international standards such as ISO 18295 (Customer Contact Center standards) for service quality, although not mandated. Adhering to such standards can indirectly help with compliance (e.g., by establishing proper disclosure scripts, training on handling personal data, etc.).
In summary, operating a call center in Mexico requires balancing effective outreach with respect for customers' rights and comfort. Companies must:
- Only call during legal calling hours and never spam-call someone who opted out.
- Obtain consent for marketing calls – ideally written or via an opt-in, especially for new prospects.
- Always identify the calling company/agent at the start of a call and honor any request to be added to an internal no-call list (this is both courtesy and part of ARCO "opposition" rights).
- Provide a brief privacy notice if the call involves collecting personal data (e.g., "We will use your data only for X purpose, you can read our full privacy policy at…") and inform if the call is recorded.
- Record calls lawfully and ensure recordings or any personal data collected are protected.
- Not engage in deceptive or aggressive practices (which could also violate the consumer law's separate provisions on abusive marketing).
- If outsourcing or using a third-party call center, ensure the contract binds that call center to all these rules as well – the company on whose behalf the calls are made is jointly responsible for any violations by their vendor and can be fined if the vendor breaks the law.
By following these rules, call centers not only avoid fines but also build trust with consumers, which is crucial in a climate where many are fed up with relentless spam calls.
Regulatory Bodies and Their Roles
Mexico's regulatory and enforcement landscape for telemarketing and data privacy involves several government bodies, each with specific jurisdiction:
PROFECO (Procuraduría Federal del Consumidor)
PROFECO is the federal consumer protection agency. It is the primary enforcer of laws related to marketing practices, including telemarketing. PROFECO oversees the Federal Consumer Protection Law (LFPC), which contains the DNC provisions (REPEP) and rules against abusive advertising. PROFECO's responsibilities include maintaining the REPEP list, handling consumer complaints about unwanted calls, and imposing sanctions on companies that violate the telemarketing rules. It has the power to inspect businesses and initiate administrative proceedings resulting in fines or other measures. PROFECO has made privacy in marketing a priority – it considers excessive or unwanted calls as a form of consumer rights violation ("privacy of consumers not to be bothered"). The agency has a dedicated unit (Dirección de Registro Público de Consumidores) that manages the REPEP and monitors compliance. Consumers can file complaints or "denuncias" with PROFECO if they get spammed after opting out. PROFECO can also issue industry guidelines and has co-authored, with IFT, a Telecom Users' Bill of Rights that affirms the right of users not to receive promotional calls without prior consent. In summary, PROFECO is the watchdog for telemarketing practices – if your call center annoys consumers or breaks the opt-out rules, PROFECO is likely to come knocking. They also handle enforcement of any calling hour restrictions and related new rules via the LFPC.
IFT (Instituto Federal de Telecomunicaciones)
IFT is the independent telecom regulator (and antitrust authority for telecom). Its main role is overseeing telecom carriers and ensuring the telecommunications infrastructure is used lawfully and efficiently. While IFT does not regulate marketing content per se, it plays a crucial role in telephone numbering and network practices. For example, IFT manages the numbering plan (assigning phone numbers to operators) and can issue rules to combat call spoofing or misuse of numbering (as seen with the draft CLI guidelines). IFT also coordinates with PROFECO on telecom user protection; indeed, IFT and PROFECO jointly published the "Carta de Derechos Mínimos de los Usuarios de Telecomunicaciones" (Minimum Rights of Telecom Users) which explicitly includes the user's right not to receive unsolicited calls or SMS from their telecom provider or from third parties without consent. IFT is implementing technical standards for call authentication and blocking of fraudulent calls, as discussed under DNO. If a telemarketer were, say, to use telecom resources in a prohibited manner (for instance, using autodialers that overload networks or spoofing numbers), IFT could intervene by ordering carriers to block that activity or sanctioning the telecom provider that facilitated it. For most call centers, IFT's influence is indirect – you don't deal with IFT unless you are a carrier or you need number allocations. However, it's wise to follow any numbering rules IFT sets (e.g., recent changes to dialing patterns, or prohibition on using certain prefixes). Also, if you need large blocks of phone numbers for your call center, that goes through IFT or telecom providers under IFT's oversight. IFT ensures that telecom operators comply with regulations like the new call-blocking guidelines to reduce spam and fraud, which in turn affects how call centers must behave (for instance, ensuring their caller IDs are valid).
INAI/Secretariat of Anti-Corruption and Good Governance
Until very recently, INAI (Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales) was the autonomous data protection authority in Mexico. It was responsible for overseeing compliance with the LFPDPPP (privacy law) in the private sector. INAI's powers included investigating complaints from individuals about misuse of their personal data, conducting verification visits or audits of companies, issuing orders to correct practices, and levying fines for violations of data protection rights. For example, if consumers complained that a company obtained their data without consent or failed to honor an opt-out request, INAI could sanction the company under the privacy law (independently of PROFECO's actions under consumer law). INAI also issued guidelines and recommendations to help companies comply (such as templates for privacy notices, or criteria for what counts as adequate consent). Importantly, INAI was a constitutional autonomous body, meaning it was independent of the executive branch, similar to a European data protection authority.
However, a major change occurred in 2025: as part of a governmental reorganization, the Mexican Congress passed a decree dissolving INAI as an autonomous body and transferring its functions to a new government ministry. Specifically, the Secretaría de Anticorrupción y Buen Gobierno (Secretariat of Anti-Corruption and Good Governance) has been designated as the new data protection authority for the private sector. This was established by a decree published on 20 March 2025, alongside the new LFPDPPP law. The new Secretariat has a General Directorate of Private Sector Data Protection to handle what INAI used to handle. All ongoing procedures that were with INAI are being taken over by this Secretariat. For practical purposes, at the moment of writing, there may be some transition pains (INAI was not operational for much of 2023 due to lack of quorum, and now its powers are moving to a ministry). But the key point is: there is still a data protection enforcement authority in Mexico, even if its name and structure changed. Companies must still comply with privacy law, and now report to this Secretariat (part of the executive branch) instead of an independent INAI. The new authority's mandate is similar – to promote data privacy rights, resolve complaints, and enforce the law – but it remains to be seen how aggressively it will pursue cases compared to INAI. Regardless, for a company operating a call center, you should assume that an authority can investigate you if you mishandle personal data. For example, if a group of consumers complain that your call center keeps calling them despite multiple deletion requests, the data protection authority (now the Secretariat) could launch a sanction procedure. Penalties under the privacy law can range from warnings to fines per violation, and even public naming of violators.
PROFECO vs Data Protection Authority – coordination
It's worth noting the interplay: PROFECO handles the marketing aspect (did you call someone on DNC? did you call outside allowed hours?), while INAI/Secretariat handles personal data (did you get that person's phone number legally? did you provide a privacy notice and honor their right to opt out?). In many cases, an incident will trigger both. For instance, a telemarketer that buys a lead list and cold-calls thousands of people could be violating consumer law (if some numbers were on REPEP or there was no consent) and privacy law (processing personal data without valid consent or notice). Both authorities have jurisdiction. In practice, they sometimes coordinate – there have been joint efforts like consumer awareness campaigns and possibly info-sharing. But a company might face two separate proceedings. PROFECO would pursue based on LFPC and could fine up to ~MX$3.5 million (as noted) per offense. The data authority would pursue under LFPDPPP and could fine perhaps a few million pesos depending on the number of data subjects affected and severity. It's important to address compliance on both fronts.
CONDUSEF
CONDUSEF (Comisión Nacional para la Protección y Defensa de los Usuarios de Servicios Financieros) deserves mention because of its role with the REUS list and financial telemarketing. CONDUSEF is a government commission that protects bank and financial service customers. It created and manages the REUS registry for users who opt out of financial product solicitations. CONDUSEF can sanction financial institutions that ignore REUS registrations or otherwise violate norms of respectful communication with users. For example, a bank that continues to cold-call someone who registered in REUS could be subject to CONDUSEF penalties (and PROFECO's, since PROFECO also has jurisdiction over general marketing). CONDUSEF also mediates complaints – e.g., if you keep getting insurance spam calls, you might complain to CONDUSEF, which will instruct the institution to stop. In the legislative changes, CONDUSEF likely works with PROFECO to enforce the ban on financial data sharing for marketing.
Other bodies
If the telemarketing involves specialized areas:
- The National Banking and Securities Commission (CNBV) or the central bank might have regulations on how banks handle client data (bank secrecy laws mean banks must keep clients' personal data confidential, which reinforces that they shouldn't be sharing phone numbers with third-party telemarketers without consent).
- The Ministry of Health could get involved if there were breaches of health data during calls (unlikely scenario for marketing, more for patient communication issues).
- The Federal Telecommunications Law enforcement is largely by IFT, as noted.
- There is also a general consumer protection aspect by local (state) consumer protection offices, but PROFECO is federal and usually takes the lead.
In essence, PROFECO, IFT, and the Data Protection Authority (formerly INAI) form the triangle of regulators relevant to outbound calling:
- PROFECO = Telemarketing and consumer rights (opt-out lists, no harassment).
- IFT = Telecom and technical compliance (numbering, call blocking frameworks).
- Data Protection Authority (INAI/Secretaría) = Personal data handling (consent, privacy notice, data security).
Each has powers to investigate and sanction. Businesses should be aware of all three and may need to interface with each for different compliance aspects. For example, if setting up a large outbound call operation, one might register with PROFECO for REPEP, coordinate with IFT/carriers to get the numbers and ensure CLI compliance, and file a "privacy notice" copy or consultation with INAI (though not formally required to file, companies often consult INAI guidance to draft their privacy notice correctly). Also, any mandatory reporting or registration (discussed next) typically involves these bodies – e.g., REPEP with PROFECO; registration of databases, by contrast, was not required by INAI.
Mandatory Registrations and Relevant Databases
Companies engaging in outbound calling in Mexico must pay attention to a few mandatory registrations and databases to stay compliant:
REPEP (Consumer "Do Not Call" Registry)
As detailed earlier, any company that plans to conduct telemarketing must register for access to the REPEP list and regularly consult it. This isn't a registration in the sense of a one-time filing; rather it is an ongoing requirement to subscribe to the database service that PROFECO provides. The process involves creating an account with PROFECO's REPEP system (online or via their office) and purchasing the list for the relevant regions in which you will call. A company should document that it has obtained the REPEP data and integrate it into its dialing system (to automatically block any number on the list). Maintaining proof of REPEP subscription is important in case of a PROFECO audit – it shows proactive compliance. Technically, if a company fails to consult REPEP and calls prohibited numbers, it is violating the law, so accessing REPEP is effectively mandatory for telemarketers.
REUS (Financial Users Registry)
If your outbound calls involve offering financial services (bank accounts, loans, insurance, investment products, etc.), you must also consult the REUS managed by CONDUSEF. This requires registering with CONDUSEF's "Portal Único de Registros" to query the REUS database. Banks and insurance companies are already integrated with REUS, but if you are a third-party call center contracted by a bank, you need to ensure you get the REUS filtered lists from your client or have access yourself. The REUS registration for businesses is generally through the CONDUSEF systems (the link between financial institutions and the regulator). In practical terms, a financial institution will typically include in its contract with a call center the requirement to use REUS-cleaned data. From a compliance perspective, treat REUS just like REPEP: you must not contact any person listed. The REUS covers phone numbers and also emails and physical mail addresses for users who opted out. So a call center doing, say, an email campaign for a bank must scrub emails against REUS as well.
Internal "no-call" list
While not a government-operated registry, it is mandatory (under both consumer law and privacy law principles) for companies to maintain their own internal list of individuals who have requested not to be contacted. If a consumer tells your call agent "Please remove me from your calling list" or opts out via your website, you need to log that and ensure they are not contacted again. This internal suppression list should be kept up-to-date and honored across all campaigns. Regulators expect companies to have this mechanism (it's part of the ARCO right to Opposition). During an investigation, a company should be able to show that it logs opt-out requests and refrains from calling those individuals.
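The calling-window rule (Monday to Friday, 8:00 a.m. to 7:00 p.m. local time, no public holidays) and the suppression sources described above (REPEP, REUS, the internal no-call list, recorded consent) can be enforced as one pre-dial gate inside the dialer. The following Python is an added example, not code from this report or from PROFECO or CONDUSEF; the class and function names, the number-normalization rule, the fixed UTC offsets and every sample number and date are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass, field
from datetime import date, datetime, time, timedelta, timezone, tzinfo
from enum import Enum
from typing import Iterable, Optional


class Verdict(Enum):
    ALLOW = "allow"
    BAD_NUMBER = "unparseable number"
    INTERNAL_OPT_OUT = "internal no-call list"
    REPEP = "listed in REPEP"
    REUS = "listed in REUS"
    NO_CONSENT = "no recorded consent"
    WEEKEND = "weekend"
    HOLIDAY = "public holiday"
    OUTSIDE_HOURS = "outside 08:00-19:00 local time"


def normalize_mx(raw: str) -> Optional[str]:
    """Reduce a dial string to a 10-digit national number, or None."""
    # Assumed input forms: 10 digits, 52 + 10 digits, or legacy 52 + 1 + 10.
    digits = re.sub(r"\D", "", raw)
    if len(digits) == 13 and digits.startswith("521"):
        return digits[3:]
    if len(digits) == 12 and digits.startswith("52"):
        return digits[2:]
    return digits if len(digits) == 10 else None


def number_set(raw_numbers: Iterable[str]) -> frozenset:
    """Normalize a list once at load time so lookups cannot miss on formatting."""
    return frozenset(n for n in map(normalize_mx, raw_numbers) if n)


@dataclass
class DialGate:
    repep: frozenset             # extract obtained from PROFECO's REPEP
    reus: frozenset              # extract obtained from CONDUSEF's REUS
    internal_opt_out: frozenset  # opt-outs logged by agents or web forms
    consented: frozenset         # opt-ins and existing customers
    holidays: frozenset          # datetime.date values supplied by compliance
    audit: list = field(default_factory=list)

    def check(self, raw: str, now_utc: datetime, callee_tz: tzinfo,
              financial: bool = False) -> Verdict:
        """Decide whether a promotional call may be placed right now."""
        if now_utc.tzinfo is None:
            raise ValueError("now_utc must be timezone-aware")
        verdict = self._decide(raw, now_utc, callee_tz, financial)
        # Every decision is logged so blocked attempts can be shown in an audit.
        self.audit.append((now_utc.isoformat(), raw, verdict.name))
        return verdict

    def _decide(self, raw, now_utc, callee_tz, financial) -> Verdict:
        number = normalize_mx(raw)
        if number is None:
            return Verdict.BAD_NUMBER        # fail closed on anything odd
        if number in self.internal_opt_out:
            return Verdict.INTERNAL_OPT_OUT
        if number in self.repep:
            return Verdict.REPEP
        if financial and number in self.reus:
            return Verdict.REUS
        if number not in self.consented:
            return Verdict.NO_CONSENT
        # Judge the window in the called party's local time: the same UTC
        # instant can be another hour, or another calendar day, over there.
        local = now_utc.astimezone(callee_tz)
        if local.weekday() >= 5:
            return Verdict.WEEKEND
        if local.date() in self.holidays:
            return Verdict.HOLIDAY
        # 19:00 itself is treated as closed (conservative reading).
        if not time(8, 0) <= local.time() < time(19, 0):
            return Verdict.OUTSIDE_HOURS
        return Verdict.ALLOW


# --- Constructed sample data (not real subscribers, not a real holiday) ---
UTC_MINUS_6 = timezone(timedelta(hours=-6))   # assumed offset of callee A
UTC_MINUS_8 = timezone(timedelta(hours=-8))   # assumed offset of callee B


def build_sample_gate() -> DialGate:
    return DialGate(
        repep=number_set(["55 5550 0102"]),
        reus=number_set(["+52 55 5550 0103"]),
        internal_opt_out=number_set(["5555500104"]),
        consented=number_set(["5555500101", "5555500102", "5555500103"]),
        holidays=frozenset({date(2025, 6, 4)}),
    )


if __name__ == "__main__":
    gate = build_sample_gate()
    for n in ("+52 1 55 5550 0101", "5555500102", "5555500105"):
        at = datetime(2025, 6, 3, 16, 0, tzinfo=timezone.utc)
        print(n, gate.check(n, at, UTC_MINUS_6).value)
```

Suppression checks run before the time check, so a listed number is refused even inside the permitted window, and the audit list gives the record of blocked attempts that an inspection would ask for.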
Privacy Notice and ARCO mechanism registration
Mexico does not require companies to register their data processing activities or privacy notice with the government (unlike some jurisdictions that had database registration requirements). However, companies must have a privacy notice and in some cases, it may be advisable to notify or register certain things:
- If a company engages in extensive personal data handling, it might voluntarily enlist in programs like the "Empresa Segura en Datos" or seek a certification (which INAI used to offer in collaboration with standard bodies). These are not mandated, but they show compliance.
- Companies must designate a contact (or department) for data protection – essentially the person who will handle ARCO requests and liaise with the authority. Many companies include this contact info in the privacy notice. While not a formal registration, internally the appointment of a data protection responsible person is an expected part of compliance.
- There used to be a requirement (by regulation) that if a company changed its privacy notice in ways that affect consent, it might need to notify individuals or even inform the authority. For instance, if you plan to use data for new purposes not originally in your notice, you should obtain fresh consent and update the notice.
Sectoral registrations
Depending on the industry:
- A call center offering financial advisory by phone might need the company itself to be registered or approved by financial authorities (for example, offering certain insurance products requires being an authorized broker). Ensure that if your call center is selling regulated products, the necessary licenses are in place for the entity or the script is such that it forwards to a licensed entity.
- If the call center is going to handle credit card data for payments, compliance with CONDUSEF's SOCAP/SOFOM registries (for finance companies) or others might indirectly come into play, but typically the main ones are REUS and general business registration.
Telecom service registration
If the call center obtains its own telecommunication resources (like a block of numbers or a call server connected to the PSTN), the company might need to register as a telecom service user or even get a permit if they provide VOIP termination. Most call centers simply contract telecom service from licensed carriers, in which case no separate telecom registration is needed. But if, hypothetically, a company wanted to operate a large PBX that directly interconnects, they'd liaise with IFT for numbering resources.
Employment and tax registrations
On an operational note, any call center must register with the Mexican Social Security Institute (IMSS) to enroll employees, and with the tax authority (SAT) for obtaining a tax ID and invoicing. Also, if the call center is a foreign company's branch, it should be registered as a foreign branch or subsidiary in Mexico to hire staff and operate. These are general business obligations, not specific to calling, but non-compliance (like hiring staff off the books) can lead to serious legal issues.
Public security registry (locational)
If the call center operation involves autodialers or bulk communication systems, sometimes local laws (or even IFT) might ask for those systems to be registered, mainly for emergency contact or oversight. For instance, large automated dialing systems might have to ensure they don't call emergency numbers or overload networks – in some countries they require registration of autodialers; in Mexico this is not specifically codified, but it's good to be aware of any technical compliance docs from IFT.
In summary, the must-do registrations boil down to:
- DNC list subscriptions (REPEP, and REUS if financial) – to legally operate telemarketing.
- Having a compliant privacy notice and accessible ARCO procedures – effectively "registering" your commitment to data transparency with the public (not an authority, but via your channels).
- General business and employment registrations – ensuring your entity is recognized and compliant in Mexico.
- If you are a foreign entity without a local presence, strongly consider engaging a local partner or representative: even if not legally mandated by LFPDPPP (unlike GDPR's Article 27 representative concept, which Mexico doesn't explicitly have), dealing with authorities and consumers in Spanish and on Mexican soil will be easier with a local agent or office.
Considerations for Foreign Companies Targeting Mexican Consumers
Foreign companies often run call campaigns targeting Mexico (for example, a call center in the U.S. or Central America making sales calls to Mexico). Such companies must be mindful that Mexican regulations can still apply to their activities in important ways:
Extraterritorial application of law
As noted, Mexico's data protection law applies if a foreign company is using means in Mexico to process data. In a telemarketing context, the act of placing a call to a Mexican phone number means you are interacting with Mexican telecom infrastructure (the call terminates in Mexico). This could be interpreted as "using means in Mexican territory" for processing personal data (the telephone network and the fact that you're handling a Mexican person's data). Thus, the foreign company could be seen as a data controller under Mexican law for that call list. There is not yet Mexican jurisprudence penalizing a purely foreign telemarketer with no local presence, but the risk exists. Also, Mexico is party to international cooperation mechanisms (for example, consumer protection cooperation within Latin America and with the U.S.). PROFECO has been known to coordinate with the U.S. FTC and other bodies for cross-border scams. If a foreign call operation seriously violates Mexican consumers' rights, PROFECO or the new data authority could coordinate with authorities in the country where the call center is located to take action.
Need for local representation
While not explicitly mandated, if a foreign company will consistently target Mexican individuals, it's advisable to appoint a local representative or establish a local entity. This not only signals good faith but provides a point of contact for regulators. Under GDPR, foreign companies must have an EU representative – Mexico's law had no such requirement, but the new 2025 law broadened who is considered a responsible party (potentially covering processors). Mexican regulators could deem a foreign company's local distributor or partner as the responsible party if that partner supplied the data or facilitated the calls. So ensure contracts clarify compliance duties and representation. If you have no physical presence, at least provide in your privacy notice a Mexico-oriented contact (an email that can handle Spanish inquiries, and perhaps a toll-free Mexico number or address for correspondence).
Enforcement and legal nexus
If a foreign telemarketer calls a Mexican consumer who is on the REPEP list, that consumer can file a complaint with PROFECO. PROFECO could start a proceeding and, if it identifies the company (say the agent gave a company name or the Caller ID is traceable), it could impose fines. Collecting those fines is another matter if the company has no assets in Mexico. But non-compliance could lead to blocking: IFT might direct Mexican carriers to block calls from the offending foreign call center (especially if it's a pattern of violation or fraud). There's also reputational harm; news outlets and social media in Mexico often publicize scam/spam operations, which could affect the brand image if it's known.
Local laws of the foreign company's location
A company outside Mexico must also consider that country's telemarketing laws when calling into Mexico. For example, a U.S. call center calling Mexico must comply with U.S. TCPA (Telephone Consumer Protection Act) rules, if applicable (like respecting auto-dialer restrictions and maintaining an internal DNC list). Fortunately, complying with Mexican rules usually dovetails with good practices anywhere: don't call people who opted out, honor reasonable calling times, etc.
Obligations if collecting data from Mexico
If your call center collects personal data from individuals in Mexico (e.g., you call and they provide an email or address), you might inadvertently trigger data export provisions. Mexico does not forbid transferring data abroad, but it requires that the foreign recipient (you) handle it under similar protections. It would be wise for foreign companies to adhere to the LFPDPPP standards as if they were in Mexico. For instance, have a privacy notice in Spanish that you read or send to the person, get their consent for whatever processing, and provide them means to exercise ARCO rights. If a Mexican resident emails your foreign company demanding deletion of their data (citing Mexican law), a prudent approach is to honor it, both out of courtesy and to eliminate any jurisdictional issue.
Local presence for dispute resolution
The obligation to respect the consumer's right not to receive unsolicited calls applies regardless of where the calling company is established. In other words, if a foreign company calls a Mexican number to offer a product or service, it must comply with the same rules of consent and non-disturbance as a national company.
Article 66.1.b) of Law 11/2022 and the AEPD's interpretation refer to "data controllers that make commercial calls, regardless of the sector to which they belong," which includes foreign entities when they process data of Mexican consumers. In addition, the GDPR has extraterritorial effect: any company outside the EU that directs marketing communications to people in the EU is subject to the GDPR (Article 3.2) and could be sanctioned through representatives in the EU or when processing data of European citizens.
In practice, the AEPD has processed complaints against companies with call centers in other countries (Latin America, for example) that harassed Mexican users, coordinating with international counterparts. Therefore, being outside is not an escape route: legally, the same respect for the DNC list, consent, and the right to object is expected.
Use of Mexican Numbering from Abroad
Many international companies use Mexican numbers to facilitate interaction with consumers in Mexico (for example, they contract a Mexican number to show in the identifier, although the call originates via VoIP from another country). With the new 2025 Order, this scheme will have to be carefully reviewed.
If the call goes out to the public telephone network from an international gateway, the anti-spoofing filter (Article 5 of the OM) will block it for having a Mexican CLI with foreign origin. To avoid this, the foreign company has two options: either route its calls through an operator in Mexico (for example, contract a SIP trunk with a Mexican operator, so that technically the call originates in national territory with its Mexican number) or use international numbering (show a number from its country, although that may reduce user response).
The first option is the most common: the foreign call center signs with a Mexican VoIP operator to obtain Mexican numbering and process calls; thus, in the eyes of the network, the call is domestic. This will continue to be viable, but with the caveat that the Mexican operator will have to comply with the rules (will not allow using a mobile as CLI, etc.).
What will not be possible is what some platforms did before: sending the call through cheap international routes "injecting" a Mexican number into the signaling. Now, the Mexican operator that receives that call at the border will discard it.
Foreign Companies with Assigned Mexican Numbering
Some multinationals have a presence in Mexico only to obtain numbering ranges, but operate from outside. They must ensure that they comply with the usage conditions of that numbering as if they were operating within. For example, if they have 900 numbers assigned in Mexico for their global call center, they will have to use them according to the Plan (toll-free calls, etc.) and respect the prohibition on improper use.
If a foreign company uses a Mexican mobile number that it bought from a third party, from June 2025 it will be violating the regulations (due to the prohibition in Article 9); it could face the cancellation of that number by the provider operator. Therefore, foreign companies must re-evaluate the types of Mexican numbers they use: it is advisable to migrate to fixed or toll-free numbers for B2C campaigns in Mexico.
Requirements for International Operators Delivering Traffic to Mexico
Operators from other countries (international carriers) that terminate calls on Mexican networks are also affected. Mexican operators will require in interconnection agreements compliance with these policies, and in fact many will directly implement filters in their gateways.
For example, if a foreign operator sends traffic with a high percentage of calls with manipulated CLIs, the Mexican receiver may block or even cut the interconnection for violation of the conditions (which usually include anti-fraud clauses). It is expected that there will be greater international collaboration: sharing lists of unassigned numbers, exchanging signaling to distinguish legitimate roaming calls from fraudulent VoIP traffic, etc.
Carriers will have to ensure they properly mark roaming calls in the signaling (via SS7 or SIP protocols) so they are not blocked by mistake. Likewise, any terminator in Mexico will want to know who the real source of the call is; they may begin to require origin operator identification codes or STIR/SHAKEN authentication in international SIP sessions when possible. In summary, international traffic to Mexico will be subject to more filters, and serious foreign operators will have to filter out spam on their side to prevent their routes from being closed.
Scope of Sanctions for Foreign Companies
While it is true that directly sanctioning a company without presence in Mexico can be complicated, authorities have indirect mechanisms. In data protection, the AEPD can cooperate with the authority of the country where the company resides, or address the parent company if one exists. In telecommunications, the CNMC/SETELECO can sanction the Mexican operator that facilitates the irregular activity of the foreign company.
For example, if a Mexican operator acts as a mere gateway for a foreign company that does mass spam, and does not prevent it, the Mexican operator will be sanctioned here, and then internally will have to terminate the contract with that company. Additionally, consumer protection rules (General Consumer Law) could enable administrative sanctions to foreign companies for aggressive commercial practices towards Mexican consumers. This is substantiated case by case, but the trend is clear: it doesn't matter where the call comes from, calls to Mexico are subject to Mexican laws to protect the end user.
In conclusion, foreign companies making B2B or B2C calls to Mexico must adapt to the same level of demand as national ones. They must obtain the necessary consents, respect the Mexican DNC list, and technically route their calls legitimately. If they use Mexican numbering, they will have to do so through Mexican operators complying with the new restrictions (fixed or 900 numbers, not mobile, authenticated CLI). Failure to do so will result in blocked calls and possible legal repercussions. On the positive side, those foreign companies that align with these good practices will be able to continue contacting the Mexican market without setbacks, benefiting from a more reliable ecosystem less saturated with fraudulent calls.
Best Practices and Compliance Tips
To wrap up, here are best practice recommendations to ensure your outbound calling operations comply with Mexican regulations and maintain goodwill with consumers:
Obtain and document consent
Wherever possible, use an opt-in approach for marketing calls. For example, if you collect leads via a website or in-store, include a checkbox for the person to agree to be contacted by phone. Keep records of when and how consent was obtained (databases with timestamps, etc.). If you rely on tacit consent (allowed in Mexico for non-sensitive data), make sure the person received a privacy notice and did not object. It's prudent to have a system to capture if a customer said "don't call me" – and immediately mark them as opted-out. Never assume consent just because you have someone's number; if in doubt, don't call until consent is confirmed.
Scrub call lists against REPEP/REUS frequently
Incorporate the DNC lists into your dialing workflow. Ideally, automate the filtering of outbound numbers by cross-checking with the latest REPEP and REUS data. This can be done by updating your CRM or dialer software with the list of blocked numbers. Since new numbers are added to REPEP every day, update your suppression list at least every 15 days (if not in real-time via API). Also, train agents that if a customer says they are on "la lista de PROFECO" or REPEP, the call should politely end and be logged for do-not-call. Complying with these lists not only avoids fines, it also helps your call center focus on receptive consumers instead of wasting time on those who will be annoyed.
Mind your Caller ID (CLI) and numbering
Always present a valid Caller ID number when calling. Do not hide your number (blocking CLI can raise suspicion and some consumers won't answer "No Caller ID" calls). Use a number that is properly allocated to your business – either a number from a Mexican carrier if you have one, or if calling internationally, ensure the number is one that can be called back or traced to you. Avoid using short codes or numbers that might mislead, such as resembling an official entity's number or a local mobile number if you're actually calling from abroad (unless it truly is your number). With IFT's forthcoming rules, calls with improperly formatted numbers or known unassigned numbers will be dropped, so adhering to correct numbering is not just legal but necessary for call completion. It can be beneficial to register your numbers with analytic call labeling services (there are apps and services that label calls as "Spam likely" or show the company name – some countries have registries where legitimate callers can register their numbers to avoid being labeled spam). While Mexico's ecosystem for that is still developing, proactive identification can help your calls be answered and not flagged.
Provide an easy opt-out mechanism
Make it simple for call recipients to withdraw consent or opt out. This could be as direct as telling the agent: "Por favor, no me llame de nuevo" – the agent should have a procedure to mark that immediately. Additionally, if using automated messages or SMS follow-ups, include a line like "Para no recibir más llamadas, por favor envíe NO al …" or a callback number to opt out. The new IFT draft guidelines even suggest that non-residential voice service users (businesses) implement an opt-out mechanism for each campaign. This might become a requirement. Even if not mandatory yet, it is a best practice to allow people to easily say "no more." Not only does this keep you compliant with the law's spirit, it improves your targeting – those who opt out aren't likely to buy anyway, so better to stop expending effort on them.
Use compliant call scripts
Ensure your call scripts contain the necessary disclosures up front. The agent should identify themselves and the company, state the reason for the call, and if applicable, mention the key points of the privacy notice (at minimum, that any personal data they provide will be handled according to our privacy notice which can be found X, and that they can exercise ARCO rights). For example: "Good afternoon, my name is Maria calling on behalf of XYZ Co. We are calling to offer you ___ . [If needed: We obtained your contact from ____; your data is protected under our privacy policy]. Is this a good time to talk?" This kind of introduction respects transparency. If the person expresses hesitation or asks how you got their number, train agents to be honest and, if the person is upset about being contacted, to apologize and offer to remove them from the list. A non-pushy, transparent approach can often defuse a potential complaint.
Train call center staff on privacy and courtesy
Your employees (or agents of an outsourced provider) should be trained on the importance of these regulations. They should understand what REPEP is, why they must honor opt-out requests, and how to handle personal data like names, phone numbers, account info securely. Emphasize that unprofessional or aggressive behavior is not only bad service but can violate regulations. For instance, an agent should never threaten a consumer or lie about being from a government agency – those could trigger legal issues (even fraud allegations). They should also know that if a customer asks to exercise a right (like "send me all the info you have on me" or "delete my data"), that request must be escalated to the proper department immediately.
Secure data management
Maintain strong security around your call lists and any customer data. Use up-to-date antivirus, encryption for data at rest and in transit (especially if recordings or personal details are stored). Limit access to personal data on a need-to-know basis – for example, an agent making cold calls might only need a first name and phone number, not the person's ID number or credit info. By minimizing data exposed, you reduce risk. Also, have an incident response plan: if you suspect a data breach (say, a rogue employee took a copy of the call list), know how to investigate and whether to notify affected individuals. Show regulators that you treat data security seriously by having policies in place (this ties into the accountability principle and can mitigate penalties if something does go wrong).
Comply with call blocking frameworks
As telecom operators implement spam filters (perhaps using analytics to detect mass dialing patterns), legitimate call centers might occasionally get caught in the net. To avoid this, monitor your call answer rates and any indicators of blocking. If you see unusually high call failure rates, check with the carrier to ensure your calls aren't being flagged. Adhering to moderate call pacing (not blasting tens of thousands of calls with short durations) can avoid looking like a robocaller. When STIR/SHAKEN or similar caller ID authentication becomes available via your carrier, adopt it – it can help prove your calls are legitimate. Essentially, cooperate with carriers' anti-spam measures; if they offer a whitelisting program for numbers, use it.
Monitor regulatory updates
Regulations in this space are evolving (as evidenced by the 2025 changes). Keep an eye on official sources – PROFECO press releases, IFT announcements, and any guidelines from the data authority. For example, if IFT finalizes the CLI rules, there might be a grace period and then enforcement. Or PROFECO might update fine amounts or publish new guidance on telemarketing scripts. Being aware early allows you to adapt. It might be useful to join industry associations or forums in Mexico related to contact centers or direct marketing, as they often disseminate compliance best practices and news.
Maintain documentation
In case you are ever audited or challenged, have a compliance dossier ready:
- Copies of your privacy notice (in Spanish) and evidence it's distributed (e.g., posted on your website with a timestamp, recordings of agents reading the notice if applicable).
- Logs of REPEP/REUS list checks (like receipts from PROFECO for list purchase, or system logs showing numbers were filtered).
- Training materials and attendance records showing agents were trained on relevant policies.
- Sample call recordings demonstrating that agents are following protocol (within privacy bounds).
- Records of any consumer complaints and how they were resolved. Showing a regulator that you respond and fix issues can sometimes lead to leniency.
- Contracts with any third-party dialer software providers or data providers, including clauses that they comply with Mexican law and that data was obtained legally.
Use technology wisely
Modern dialing and CRM systems can help manage compliance. Utilize features like call time restriction settings (your dialer should automatically prevent dialing outside 8am-7pm Mexico time, based on area code), blacklist functionalities (for REPEP/REUS and internal DNC), and consent tracking (marking contacts with their consent status). Some systems even provide real-time scrubbing against known spam number databases or can detect if an outgoing call gets tagged as spam by Android/iOS and alert you. Leverage these to stay ahead.
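As an added illustration (not code from this report or from any dialer vendor), the following Python example combines the controls described above and in the consent and list-scrubbing sections into one pre-dial gate: number normalization, a 15-day freshness check on the suppression list, REPEP/REUS/internal DNC lookup, consent status, and the 8am-7pm local window. The area-code offset table, the consent status values and the phone numbers are constructed assumptions.

```python
import re
from dataclasses import dataclass
from datetime import datetime, time, timedelta, timezone

# Constructed, partial area-code -> UTC-offset map (assumption: load the full
# table from your carrier's numbering data). Fixed offsets only suit zones
# without daylight saving; border cities that follow US DST need zoneinfo.
AREA_UTC_OFFSET = {"55": -6, "33": -6, "81": -6, "998": -5, "662": -7}
WINDOW_START, WINDOW_END = time(8, 0), time(19, 0)  # 8am-7pm local, per the text
MAX_LIST_AGE = timedelta(days=15)                   # refresh interval from the text
DIALABLE_CONSENT = {"opt_in", "tacit"}              # hypothetical CRM status values

@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str  # written to the audit log as evidence of filtering

def normalize_mx(raw):
    """Return the 10-digit national number (dropping +52 and the legacy
    mobile "1"), or None if the input is not a Mexican number."""
    match = re.fullmatch(r"(?:521?)?(\d{10})", re.sub(r"\D", "", raw))
    return match.group(1) if match else None

def local_time(national, now_utc):
    """Local wall-clock time for the number's area code, or None if unmapped."""
    for width in (2, 3):
        offset = AREA_UTC_OFFSET.get(national[:width])
        if offset is not None:
            return now_utc.astimezone(timezone(timedelta(hours=offset))).time()
    return None

def pre_dial_check(raw, now_utc, suppression, list_updated, consent):
    """Fail closed: any missing or stale input blocks the call."""
    national = normalize_mx(raw)
    if national is None:
        return Decision(False, "invalid_number")
    if now_utc - list_updated > MAX_LIST_AGE:
        return Decision(False, "stale_suppression_list")
    if national in suppression:
        return Decision(False, "suppressed")
    if consent.get(national) not in DIALABLE_CONSENT:
        return Decision(False, "no_consent")
    local = local_time(national, now_utc)
    if local is None:
        return Decision(False, "unknown_area_code")
    if not (WINDOW_START <= local < WINDOW_END):
        return Decision(False, "outside_calling_window")
    return Decision(True, "ok")

# Constructed sample data: REPEP/REUS entries merged with the internal DNC list.
SUPPRESSION = {"8155500102"}
CONSENT = {"5555500101": "opt_in", "8155500102": "opt_in", "6625550103": "tacit"}
LIST_UPDATED = datetime(2025, 6, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    now = datetime(2025, 6, 11, 1, 30, tzinfo=timezone.utc)  # 19:30 in Mexico City
    for number in ("+52 55 5550 0101", "+52 1 81 5550 0102", "662 555 0103"):
        print(number, pre_dial_check(number, now, SUPPRESSION, LIST_UPDATED, CONSENT))
```

At the same instant the Mexico City number is outside the window while the Hermosillo number is still dialable, which is why the window is evaluated per area code rather than once for the whole campaign. Persisting each `Decision` gives the filtering logs the documentation checklist asks for.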
Respect employees' rights
A compliant call center isn't just about how you treat consumers, but also how you treat your employees. Satisfied, law-abiding employees will perform better and be less likely to engage in rogue behavior that could cause compliance breaches. Ensure you follow labor law: reasonable shifts, proper pay, not imposing unrealistic call quotas that might tempt agents to violate rules to meet targets. Provide headsets and ergonomic setups to reduce physical strain. And have a channel for agents to report any concerns (for instance, if an agent feels pressured by a supervisor to call a list that includes obvious DNC entries, they should be able to flag that).
Plan for local storage and transfer rules
If your calls are recorded or data collected, decide where that data will reside. If you're a foreign company, consider storing Mexican call data on servers in Mexico or at least ensure cross-border transfer is disclosed and safeguarded. If you're using cloud software (like a SaaS CRM), make sure the provider contract includes compliance with Mexican privacy principles. Not only is this prudent, it could also become a selling point – some Mexican clients prefer data stays in-country.
By following these best practices, a company can greatly reduce the risk of legal violations and build trust with both regulators and customers. Ultimately, compliance in Mexico is about respect: respect the consumer's choices (don't call if they don't want it), respect their time (call at decent hours), respect their data (secure it and use it fairly), and respect the law (which in many ways codifies courtesy and transparency). Companies that internalize these values will find it not too difficult to operate within Mexico's framework and can avoid the pitfalls of fines or reputational damage. Remember that regulators like PROFECO and the data authority have the public's backing to crack down on bad actors – by being a good actor, you not only avoid their ire, you may even earn customer goodwill for being one of the "good guys" in an industry often associated with annoyances. Compliance can thus be a competitive advantage, showcasing your company as trustworthy and responsible.