Digital advertising and privacy: what cookies reveal (and the law still doesn't fully regulate)

Articles | 31 October 2025

The new frontier of digital marketing

The evolution of the digital ecosystem is redefining the way businesses personalise the user experience.

The phasing out of third-party cookies - already implemented by browsers such as Safari and Firefox, and initiated by Google Chrome through its Privacy Sandbox project - marks a turning point in digital advertising.

Although the process has faced adjustments and delays, the global trend is clear: to reduce cross-site tracking and promote more privacy-friendly advertising models.

This transition responds both to regulatory and social pressures and to growing user demand for more control over their personal data.


What data do cookies reveal

Far from being simple technical files, cookies allow users to be identified or profiled. Among the data they commonly collect are:

  • Unique identifiers: Cookie ID, Device ID, Advertising ID
  • IP address and geolocation
  • Browsing history and language preferences
  • Session or authentication information
  • Inferred data: interests, consumption habits or connection time.

Taken together, these elements allow behavioural patterns to be traced and may therefore constitute personal data under Mexican law and international standards.


The Mexican legal framework: limited, but in force

While Mexico lacks specific guidelines on cookies, there are provisions applicable to tracking technologies.

The current framework is based on three main sources:

  • LFPDPPP Regulation (art. 14, last paragraph)
    Essential content: Obligation to inform about automatic technologies that collect personal data and how to disable them.
    Scope: General duty of transparency.

  • Privacy Notice Guidelines (Thirty-First Guideline)
    Essential content: Reiterates the obligation to disclose the use of automatic technologies, although it does not expressly mention "cookies".
    Scope: Complements the duty of the Regulation.

  • NACI Consultation DGNC/131/2024
    Essential content: Confirms that cookies may constitute personal data if they can directly or indirectly identify the user.
    Scope: Reinforces the applicability of the LFPDPPP.

In summary: Mexican legislation recognises the phenomenon, but does not regulate in detail its technical implications.


International best practices

In the absence of updated local criteria, the Guide on the use of cookies (AEPD, 2023) provides useful self-regulatory references for the Mexican market.

Although these guidelines are not mandatory, they reflect consolidated standards on consent and transparency.

Best practices include:

  • Active consent: "continue browsing" does not equate to acceptance.
  • Layered information: a first visible layer (Accept, Decline, Configure) and a second layer with the full cookie policy.
  • Distinction between technical and advertising cookies.
  • Management panel (CMP): allows users to accept or reject cookies by purpose.
  • Periodic review: update of cookies and notices at least every 12 months.

These measures are compatible with the principles of information, consent and data quality provided for in the Mexican Regulation.


Risks and challenges

Inappropriate use of cookies can lead to:

  • Session hijacking or impersonation.
  • Cross-site tracking without consent.
  • Re-identification through combinations of identifiers.

The risk comes not from the cookie itself, but from the processing ecosystem that surrounds it: the way data is collected, shared and stored.


Towards a cookieless environment: privacy and opportunity

The move to a model without third-party cookies does not eliminate the need for transparency: it reinforces it.

Businesses will need to adapt to approaches based on:

  • First-party data
  • Contextual segmentation and local (on-device) analytics
  • Traceable and granular consent

Proactive compliance will become a competitive advantage, not just a legal requirement.


Conclusion

At ECIJA Mexico, from the Compliance and Personal Data Protection Area, we promote an approach that combines innovation, ethics and legal responsibility. The challenge is not only to comply with the law, but to anticipate regulation, adopting standards that strengthen digital trust and corporate reputation.


Article written by Berenice Sagaón Falcón, in collaboration with Andrea Chávez.
