The implementation of digital identification technology in massive entertainment and sports events has suffered a severe regulatory setback in the Mexican market. The Secretariat of Anti-Corruption and Good Governance decided to impose an economic sanction of 42.8 million pesos on the Mexican Football Federation (FMF), after ruling that the organization incurred systematic and serious violations in the handling and storage of sensitive personal data collected through its technological platform known as Fan ID. This biometric registration system, developed by the technological firm Incode Technologies and launched to reinforce security in Liga MX venues after the violent events that occurred in Querétaro in 2022, operated outside the country's personal information protection regulations.
The government authority's resolution is based on two key legal omissions during the fans' registration phases. First, the FMF actively collected users' facial photographs (biometric data classified as sensitive personal data due to its high potential for unique identification) without explicitly warning about the extremely sensitive nature of this type of information within its official privacy notices. Second, the organization did not collect the express and written consent required by current legislation for the processing of these digital identities, unilaterally limiting itself to using a web checkbox system (a simple digital acceptance click), lacking holographic or electronic signatures that authentically attested to the user's express will.
This punitive procedure concluded that the football institution directly violated the constitutional principles of responsibility and legality in the era of massive data processing. Although the FMF retains its full legal rights to legally challenge the administrative determination through defense resources provided by the Mexican constitutional framework, the Secretariat of Anti-Corruption and Good Governance pointed out that it will firmly uphold the legality of its resolution. This case sets a strong precedent for the region's technology market, demonstrating that the need for advanced security systems using biometrics and artificial intelligence does not justify, in any operational scenario, the relaxation of ethical and legal standards regarding digital privacy.
From next+'s strategic perspective, the historic fine applied to the FMF is a critical wake-up call for corporations in all sectors that are accelerating their transition to digital solutions based on biometrics and artificial intelligence. For senior management and decision-makers, the lesson is clear: technology can never operate disconnected from a strict framework of governance and regulatory compliance. Collecting biometric data from customers under the argument of security or operational optimization (as often happens in retail, hospitality, and entertainment) represents an immense legal and reputational risk if robust transparency policies are not in place to actively protect user privacy. Organizations must understand that the true value of sustainable digital transformation lies in trust, which requires subjecting any implementation of sensitive technology to deep privacy audits from its technical design phase to prevent security assets from becoming the company's biggest liabilities.
