There is no specific legislation in Mexico that governs doing business over the internet. Mexico does not have a system of IT law, which means that the activities carried out on the internet are regulated in accordance with the general provisions of law (civil and commercial).

The Code of Commerce (Código de Comercio) (CoC) applies in any business transaction, regardless of the parties involved or whether it is carried out in person or online. The CoC includes a brief section dedicated to online business transactions, which mainly focuses on the requirements for authentication of the parties innvolved in the transaction. The Civil Code also applies to business transactions, in relation to the matters not covered by the CoC.

In addition, there is a specific chapter in the Federal Consumer Protection Law (Ley Federal de Protección al Consumidor) that regulates the rights of consumers in transactions carried out by electronic means.

The Consumer Protection Law establishes specific obligations for transactions on the internet:

During the second quarter of 2019, the Mexican Standard NMX-COE-001-SCFI-2018 for e-commerce (Normas Mexicanas) (NMX) was published. The NMX standard differs from the official Mexican Standard (Norma Oficial Mexicana) (NOM), as the NMX is not obligatory and only establishes best practices to be followed by e-commerce providers. Unlike an NOM standard, which is compulsory for all e-commerce transactions, the NMX standard so far does not have legal force under the Consumer Protection Law. This means that the e-commerce industry has considers compliance with the criteria under the NMX to be voluntary.

Some of the key concepts in the NMX include the introduction of the:

The NMX sets out general provisions on the following:

The NMX does not set out specific or strict rules in relation to the above matters.

The relevant regulatory authority responsible for telecommunications (telecoms) and broadcasting matters (including competition matters) is the Federal Telecommunications Institute (Instituto Federal de Telecomunicaciones) (IFT). The IFT is a constitutional independent entity, whose purpose is the efficient development of telecommunications and broadcasting services.

With regards to e-commerce, the Mexican Consumer Protection Agency (Procuraduría Federal del Consumidor) (PROFECO) which enforces the Consumer Protection Law.

For data protection, the Federal Institute for Access to Public Information and Data Protection (Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos) (INAI) supervises the enforcement of the Mexican Data Protection Laws (either applicable to individuals or to government entities).

There are no specific requirements for setting up an online business. It is however recommended that online businesses are established by a company. If the entrepreneur has not already set up a company, they should follow the standard incorporation process.

The general steps for incorporating a company in Mexico by foreign nationals/entities (who will not appear before the Mexican notary public in Mexico) include:

If the company is to be incorporated in Mexico by Mexican nationals/entities, or where the foreign national/entity can appear before a Mexican notary public, the process is more straightforward. In this case, the only requirement is to request incorporation services from a Mexican notary public, who will be responsible for notarisation of the relevant company by-laws.

Before 2016, incorporation of a company had to be completed by two or more shareholders/partners. In 2016, the simplified joint stock company (Sociedad por Acciones Simplificada (SAS)) was introduced, which allows incorporation by a single shareholder. The single shareholder, should already have an e-signature with Mexican tax authorities and must not be a shareholder in any other company. To incorporate an SAS the following requirements must be met:

Other advantages of an SAS include the following:

Depending on the company's line of business, the parties involved can vary. However, in general terms, for a new online business, agreements must be executed with the domain provider and the host of the webpage.

Where the online business is set up in an app, an agreement must also be executed with any of the different app stores in the market.

An online business will also perform commercial relations with its suppliers, whether payment, services or goods suppliers, to carry out their business.

There is no specific law or guidance in the Mexican general framework that imposes requirements on the design of a website.

However, certain regulated sectors, such as the telecoms sector, have specific requirements for the webpage as well as specific design requirements to ensure that the website can be accessed by disabled people.

For example, a telecommunications service provider is required to publish.

For people with disabilities, the applicable telecommunications regulations, which only applies to Telecom service providers, establish that:

There are no specific procedures for developing or distributing an app. The generally applicable contractual rules apply to the app together with the general rules on copyright. However, it is common for the development of an app to be done through a work-for-hire agreement to ensure that the business retains copyright in the app development.

The CoC allows the use and validity of electronic signatures (whether simple electronic signature or advanced electronic signature) in any type of commercial or consumer transaction.

The Federal Civil Code (Civil Code) also establishes that if an express consent is required, this can be expressed by electronic means or by any other technology. Therefore, electronic signatures are allowed in contracts between private parties.

Under Article 97 of the CoC, when the law requires a signature or when the parties agree the use of a signature in connection with a data message, this requirement is met by an electronic signature if such signature is appropriate for the purposes for which the data message was generated or communicated.

By virtue of the above provisions, the general rule for electronic signatures in Mexico is that they can replace handwritten signatures. An electronic document can be executed by the use of any of the two following types of electronic signatures:

Question 12 provides additional information on this.

The use of the simple electronic signature may not be advisable in all types of acts, agreements or contracts, as it may be difficult to enforce, although contractually it can be accepted.

Click-through and click-wrap agreements are considered to constitute standard agreements. For the execution of such agreements, the signatory typically only needs to agree them in an express or tacit form, without amending or negotiating any of their terms and conditions. However, in case of any dispute regarding these types of agreement, the party seeking enforcement will most likely face the problem of attributing such consent to its counterparty. To overcome this obstacle, businesses should ensure that:

In commercial transactions in the private sector, the use of simple or advanced electronic signatures can be freely agreed between the parties, as the law allows the consent to be expressed through electronic, optical or other technological means. However, there are certain requirements for electronic signatures to be enforceable. The simple electronic signature must be attributable to the parties and accessible for further review. Because of these requirements, the use of this type of electronic signature is not advisable as the attributability requirement is difficult to prove before a judge.

Certain documents must be executed before a notary public with a handwritten/wet signature ncluding some M&A documents and those that transfer real estate, which cannot be signed electronically. There may also be provisions in companies' by-laws that prohibit expressing consent by electronic signature or by electronic means.

In the banking sector, banking institutions have the authorisation to issue digital certificates when entering into electronic transactions with users of financial services, as well as to carry out certification service activities, such as registry and distribution of digital certificates. Electronic contracts are commonly used in this sector.

In public procurement, the use of electronic signatures depends on the type of procurement. Documents related to electronic procurement can be signed electronically. In electronic procurement, the web system Compranet is used to publish the call, present the offer and announce the award. In the presentation of the offer the bidder can execute it electronically by means of an advanced e-signature or by a simple e-signature (depending on the call). In mixed procurement, both Compranet and physical documents are used. In physical procurement all documents provided by the bidder must be delivered personally in writing to the relevant authority.

As mentioned in Question 1, as with any other type of business, the CoC applies to all business transactions. There are no specific laws only applicable to online transactions.

Some online platforms in Mexico implement terms and conditions in which the applicable law is from a non-Mecian jurisdiction. The strategy to be followed in such matters should be reviewed on a case-by-case basis, as they may result in user claims requesting the involvement of the Consumer Protection Authority.

Depending on of the specific type of business, other regulatory provisions may need to be observed. See Question 1 for more information.

There are no specific rules applicable to online B2C transactionsand the general rules on consumer protection will apply.

Under the general rule in the CoC, documents or data messages that contain rights and obligations must be retained for ten years.

There is no obligation for companies to make hardcopy backups of the electronic messages which will be retained, nor to make electronic backups of the hardcopy documents.

Personal data cannot be stored indefinitely, unless a legal provision so requires. The amount of time for which personal data can be stored depends on the purposes of such processing.

Personal data must be blocked and deleted when the purposes of the processing have been reached or after a legal retention period is over.

Currently the Mexican Intern+et Association (Asociación de Internet.mx) provides trust stamps (Sello de Confianza). After an evaluation process, the online business can insert this stamp on its webpage, and the Internet Association will redirect any person who clicks on this stamp to the information on the webpage owners.

To obtain the stamp, the website owners must submit an application and pay the corresponding fees. More information is available on https://sellosdeconfianza.org.mx/.

The Consumer Protection Authority launched an official "recognition", which is granted to those e-commerce sites that provide clear and complete information, security, transparency, confidentiality, and promote trust and legal certainty to the consumer in Mexico.

Providers can register in the List of Responsible Suppliers in E-Commerce

The same remedies applicable to any type of contract can apply to electronic contracts. These remedies include any of the following:

Although consumers benefit from consumer protection rights, there are no specific judicial remedies which only apply to consumers. In general terms, businesses and consumers have the same remedies available to them during any judicial procedure.

Under Article 89 bis of the CoC, the information contained in a data message must be valid and enforceable. Any electronic signature is considered as data included and incorporated in a data message.

Under Article 93 of the CoC, electronic documents are considered legal and equivalent to a handwritten signature, and therefore data messages can be validly executed under any law that requires an agreement to be executed in a written form.

However, the information contained must be kept integral and accessible for further consultation. Further, if any law requires a handwritten signature, the CoC provides that such requirement will be met if the data message where the electronic signature is contained is attributable to the signatory party.

Based on the above, written signatures can generally be replaced by a data message with an electronic signature if the following conditions are met:

The equivalence of handwritten signatures with electronic signatures applies to all civil matters (including commercial matters), under Article 1834 bis of the Civil Code.

Advanced electronic signatures are regulated by the CoC (see below, Format of E-Signatures/Digital Signatures). In addition to the requirements set out in Article 97 of the CoC, the issuance of an advanced electronic signature is subject to certain requirements and authorisations. These include, for example, the need for a digital certificate and a private key, which are issued by a Certification Service Provider. The regulations cover in detail the use of the advanced electronic signature, and related services.

Certification Service Providers must be recognised as such by the Ministry of Economy (Secretaría de Economía) and must comply with various rules and obligations for their operation and for the issuance of the digital certificates.

The use of simple or advanced electronic signatures can be freely agreed by the parties, as the law allows the consent to be expressed through electronic, optical or other technological means. Therefore, under Mexican law, agreements executed by the exchange of data messages containing electronic signatures (whether simple or advanced) are subject to the same rules as agreements executed by written signatures.

The following federal laws are relevant to the use of E-Signatures and apply throughout Mexico in all commercial matters:

Under Article 89 of the CoC, an electronic signature is electronically delivered data that is delivered through a data message, or data attached or logically associated to a data message through any technology. Such data is used to identify the signatory in relation to the data message and to indicate that the signatory approves the information contained on the data message, and produces the same legal effects as an original (physical) signature and is admissible as evidence in any trial.

The CoC distinguishes:

Under Article 97 of the CoC, simple electronic signatures are considered advanced electronic signatures if they meet the following requirements:

If the electronic signature meets the above requirements, it is deemed as advanced and provides a legal presumption that the electronic signature is reliable and attributable to the signatory.

Although there are express prohibitions on the use of electronic signatures for specific acts, there can also be express requirements concerning the form required to express consent for certain acts, agreements or contracts to make them valid and enforceable. Specifically:

Despite the fact that the CoC and the Federal Civil Code establish that public notaries and public brokers (Corredores Públicos) can authorise agreements in which electronic signatures have been used, in the practice this ability has not been developed as there is a lack of technological infrastructure that would attribute such electronic signatures to the signatory parties by the public notaries and public brokers.

The enforceability of simple electronic signatures can be questioned in a legal proceeding as the attributability requirement will not be entirely fulfilled. Considering the above, the more evidence gathered to attribute a simple electronic signature to a specific signatory, the more chance there will be to prove its reliability and attributability in court.

The protection of personal data is established in the Mexican Constitution (Constitución Política de los Estados Unidos Mexicanos) as a constitutional right, and the matter is regulated in specifically by the:

The Mexican data protection laws define personal data as any information concerning an identified or identifiable individual. The law differentiates personal data from sensitive personal data. Sensitive personal data refers to the most intimate aspects of the data subject's life or that may imply a risk of discrimination for them. The law deems information relating to any of the following as sensitive personal data:

Biometric data is not expressly established by the law as sensitive personal data, but can be considered as such by the DPA, when the information can disclose certain aspects, such as a person's racial or ethnic background, present and future medical condition, genetic information, religious, philosophical and moral beliefs, union membership, political opinions and sexual preference.

Generally, the processing of personal data is subject to the data subject's consent. However, the consent of the data subject for the processing of their personal data is not required when:

The type of personal data to be processed determines the type of consent the data controller must obtain from the data subject. The processing of financial and economic data requires the data subject's express consent. The processing of sensitive personal data requires the data subject's express and written consent.

Collection of personal data can only be considered when a relevant privacy notice is made available before the data is collected and if it contains, at least, the following information related to the collection:

Regarding the use of cloud-based services, the Regulations to the Data Protection Law establish certain specific requirements when processing personal data by cloud computing services. The cloud-based service provider must comply with the following requirements for the data controller to be able to use such services:

Further, the cloud computing service provider must have mechanisms to:

Under the Constitution, only a judge through a court order can request disclosure of personal data. The court order must be issued by a competent authority, and it must be justified and have a legal basis.

When the data controller uses remote, electronic, optical or other technological mechanisms to automatically and simultaneously collect personal data (such as cookies the data controller must simultaneously inform the data subject:

In general, data controllers and data processors must implement appropriate security measures to protect personal data within their responsibility. The Regulations to the Data Protection Law and the guidelines provide certain measures and mechanisms to ensure the protection of data.

To guarantee the proper processing of personal data, giving priority to the interests of the data subject and the reasonable expectation for privacy, the data controller can implement the following mechanisms:

The data controller must maintain personal data as confidential information, even when the relationship with the data subject has concluded.

There are no specific rules regarding which types of measures must be adopted by companies or internet service providers (ISPs) to guarantee the security of internet transactions. The general rule is that the service provider must use technical elements to ensure the safety and confidentiality of the information that the consumer provides (see Question 19).

The banking sector has specific rules on encryption and security for banking transactions.

The Law on the Regulation of Financial Technology Institutions was issued on 8 March 2018. It sets out the applicable regulation of financial services provided by those institutions, their operation, and financial services offered through innovative means in Mexico, which are subject to special rules.

Any institution that wishes to carry out the activities set out in the Law on the Regulation of Financial Technology Institutions under Article 25 of that law must be granted authorisation by the National Banking and Securities Commission (Comisión Nacional Bancaria y de Valores) (CNBV). The activities regulated by the law include:

Additionally, in accordance with the applicable regulations, a "payment aggregator" is defined as the "network participant that, under a service provision contract entered into with an acquirer, offers payment receivers, the card payment acceptance service and, where appropriate, provides the infrastructure of point of sale terminals connected to said networks". Payment aggregators must be incorporated in accordance with the general mercantile laws. There is no need to have a specific vehicle to perform these services in Mexico.

It is not necessary for the payment aggregators to request any specific authorisation before any regulatory authority in order to operate in Mexico. However, they must carry out a registration procedure before the CNBV, which is the authority in charge of their regulation and supervision.

Under the Law for the Protection of the Rights of Children and Adolescents (Ley para la Protección de los Derechos de Niñas, Niños y Adolescentes), federal authorities can verify that the mass media avoid the dissemination and publication of content prejudicial to education, promoting violence or justifying crime and the lack of values, during the hours established as suitable for all age groups. There are no specific provisions regarding the posting of content online.

In addition, the Federal Law to Prevent and Eliminate Discrimination (Ley Federal para Prevenir y Eliminar la Discriminación) grants the federal authorities the authority to verify that the mass media does not engage in discriminatory practices for any reason, including those relating to ethnic origin or nationality, sex, age, disability, social or economic status, health conditions, pregnancy, language, religion and sexual orientation.

There are no specific provisions regarding the protection of children on the internet. The general rules are applicable.

There are no specific regulations regarding the reselling or marketing of online digital content, though the general rules on copyright will be applicable.

If the content is related to articles, images and comments associated with current events or news, the authorisation of the content owner is not required unless the owner expressly prohibits the use. However, the following requirements must be met:

Commercial purpose will be understood as any direct economic benefit as a result of the use of the specific content (such as commercialising the content to other parties). However, if the content is used as an additional advantage of the main or principal activity of the user, this use will be allowed under the scope of Mexican copyright law (such as online advertising).

Conversely, if the content owner expressly prohibits the use of its content for such purposes, a written and temporary authorisation will be required. Failure to comply with this requirement by the user can be subject to a copyright infringement action under the administrative, civil and criminal laws.

Consequently, providing content by redirecting and online linking/framing from a third-party website without authorisation from the content holders falls within the exception provided in the Copyright Law, only if the above requirements are met and the content holder has not expressly prohibited the use of the relevant content by any third party.

There are no specific provisions that establish limitations on the use of metatags or advertising keywords in Mexico.

In addition to a private domain name assignment agreement that must be executed between the parties, certain procedures before the relevant registrar must be carried out to notify the registry of the domain name and formally assign/transfer the domain name. Procedures can vary from registrar to registrar. There are no specific rules in Mexico apart from formal registration.

NIC México (Network Information Centre Mexico) or NIC.MX is the non-profit organisation for registrations of the .mx country code top-level domain (ccTLD). Websites such as Akky and registry.mx can be used to access services related to the registar of an .mx domain name.

Domain names do not confer additional rights apart from the right to use that domain name. However, they can be used as evidence to establish the use of a trade mark or an IP right.

A permit must be obtained from the Ministry of Economy to confirm both:

This is done through an online procedure using the electronic signature of the person requesting the corporate name.

The following domestic and international laws are relevant@

There are no specific distinctions on the rules applicable to consumers and business customers. Any relationship between a consumer (either an individual or a business) and a service provider is regulated under the Consumer Protection Law.

If an online business operator establishes a contractual domicile or contact point in Mexico to receive any type of claims or solve questions or comments, PROFECO can impose the Mexican legal framework on the operations of the business in connection with its overall services.

In addition, there is no specific regulation applicable to online transactions in Mexico, therefore, the provision of services through the internet and the jurisdiction to be applied may also be ruled by Mexican civil and commercial laws.

On issues concerning a conflict of laws in Mexico, the Civil Code provides that Mexican substantive law will apply:

The Civil Code also provides that:

Under the CoC, agreements executed through electronic means are deemed to have entered into full force and effect on the receipt of the acceptance of the offer. Considering that in electronic commerce transactions, the consent of the parties is declared through data messages, the execution of an agreement carried out through electronic means is deemed completed on receipt of the acceptance sent through a data message.

In addition, unless otherwise agreed:

As with any other agreement in Mexico, the parties can submit themselves to dispute resolution through alternative methods, such as arbitration. Variousl arbitration rules can be used. If parties wish to remain subject to Mexican law, they can submit themselves to arbitration following the rules of the Mexican Arbitration Centre (Centro de Arbitraje de México (CAM)). However, parties can also submit themselves to other rules and other venues for these purposes.

When a consumer is involved in any business transaction, especially if the business transaction corresponds to a regulated service, such as telecommunications, PROFECO is the applicable venue for dispute resolution. In such a case, and based on the number of complaints submitted by the users to PROFECO, companies can request access to CONCILIANET, a non-mandatory online dispute resolution option provided and supervised by PROFECO. The provider must inform its consumers that PROFECO will be informed about any dispute that arises between them. However, there is no obligation to inform consumers of the possibility of resolving such disputes on CONCILIANET.

Any legal relationship formalised through an agreement or the application of terms and conditions can establish the applicable rules regarding jurisdiction and the applicable laws. In this sense, such agreements or terms and conditions can establish ADR/ODR options to resolve disputes between the parties.

No specific remedies are available for ADR/ODR, and the general civil and commerce remedies will be available.

Certain specific obligations and/or restrictions regarding the advertisement of products or services are included in specific laws, such as:

The information or advertising related to goods, products or services disclosed by any means or form must be accurate and verifiable. Such advertisements must also be free of texts, sounds, images, brands, designations of origin or other descriptions leading to error or confusion, and cannot be deceitful or abusive.

Deceitful or abusive advertising includes information referring to characteristics or data related to any goods, product or service that, regardless whether it is true or not, leads consumers to error or confusion in relation to the inaccurate, false, exaggerated, or biased manner in which it was presented.

In additon to the aforementioned, on June 3, 2021 the “Law for Transparency, Prevention and Combating Improper Practices in Advertising Contracting” (“Ley para la Transparencia, Prevención y Combate de Prácticas Indebidas en Materia de Contratación de Publicidad”) was published in the Official Daily. The purpose of the law is to prevent certain commercial practices by publishers in which they made monetary considerations to the agencies (which are hired by an advertiser) in order for such publishers to gain more business with such agency (these are the legal reasons which were mentioned in order to enact the law) .

Any breach or sanction is imposed following an investigation procedure in accordance with the Economic Competition Law procedures and the investigation is also carried out by the Economic Competition Authority. In this sense, this law would be enforced taking into account economic competition procedures and principles.

Despite this law is in force, the law has been challenged by some private parties and ruled unconstitutional (but only for those who challenged it). Additionally, some governmental authorities challenged it for it to be considered illegal and unconstitutional for general purposes, and the ruling of the supreme court on this is expected to happen any time soon.

The Regulations to the General Health Law on Advertisement Matters (Reglamento de la Ley General de Salud en Materia de Publicidad) establishes certain restrictions on online advertisement. For example, tobacco adverts cannot be transmitted online, and through any other telecoms systems which are aimed at minors, or that have educational or recreational purposes.

The regulations have specific rules on pharmaceutical products and services, cosmetics, food, food supplements and non-alcoholic beverages, health supplies, medicines and herbal remedies, generic drugs, medical equipment, dental supplies, surgical and healing materials and hygiene products.

In general, there are no regulations directed to prevent or prohibit text messages or spam emails. However, specific regulations regarding telecoms services consumers' rights (NOM 184) establish that any telecoms services provider must obtain a consumer's explicit authorisation to contact that consumer for merchandising or advertising purposes. This explicit authorisation must be obtained even when services are provided under a sign-up contract (contrato de adhesion).

Consumers can also register their telephone numbers with the Public Registry to avoid publicity. Numbers that are registered cannot be subject to any form of advertising.

The website must be available in Spanish if Mexican laws are applicable. If the processing of personal data is subject to Mexican data protection laws, the privacy notice must also be drafted in Spanish.

In addition, for products subject to specific official standards, certain information may need to be made available in Spanish (for example, in the event of specific guarantees or labels).

All sales conducted within the Mexican territory are subject to VAT, which is currently charged at 16% (with some exceptions).

As of 1 June 2020 some tax reforms to the Value Added Tax Law (Ley al Impuesto al Valor Agregado) (VAT Law) became effective. These tax reforms include new rules regarding the VAT applicable to digital services when such services are provided by foreign companies to end users deemed to be located in Mexico.

The VAT Law provides that the following services, which are defined as "digital services", are subject to VAT:

Such services are subject to VAT if:

As Mexico does not have a specific law on technology or information services to determine when the services are deemed to be provided in Mexico, the VAT Law specifically regulates this issue. It establishes that services are provided in Mexico if the recipient/end user of the services is located in Mexico. The VAT Law establishes that an end user is located in Mexico when any of the following apply:

Where digital services which are subject to VAT are offered together with other services which are not subject to VAT, the VAT is only applicable to the portion of the services deemed to constitute digital services subject to VAT. For such purposes, the specific receipt/invoice should separate and individually identify the services subject to VAT and those that are exempt. If the services are not separated or individually identified in this manner, 70% of the bundled services will be subject to VAT.

Under the Value Added Tax Law, any person, whether natural or legal, is subject to VAT in Mexico if they perform any of the following activities within the Mexican territory:

As a result, any company which wishes to perform any of the above activities in Mexico must request a Federal Contributor's Registry number (RFC), from the Mexican Tax Administration Office to be able to perform such activities and provide invoices to their customers. A foreign entity providing regulated digital services will also be subject to VAT and must register in Mexico to pay the applicable VAT (see Question 35).

Restrictions on the use of copyrighted works are established in the Copyright Law, and the protections afforded vary depending on the type of work, but generally a licence should be granted by the copyright owner for the use of third-party content protected by copyright.

In 2007, the crimes of defamation, libel and slander were eliminated from the Federal Criminal Code. Likewise, these crimes have also been removed from several local criminal codes. Despite this, some states still criminalise these offences, with sanctions ranging from fines and pecuniary compensation to imprisonment.

Under the amendments to the Copyright Law (which became effective on 2 July 2020), ISPs will not be liable for damage caused to the owners of any copyrights or any other intellectual property right, or for infringements of copyrights or related rights, that occur in their networks or online systems, provided that they do not control, initiate or direct the infringing conduct, even if that conduct takes place through systems or networks controlled or operated by them or on their behalf.

As a result, ISPs will not be liable for infringements or for the data, information, materials and contents that are transmitted or stored in the systems or networks controlled or operated by them (or on their behalf) provided that they both:

In addition, ISPs will not be liable for infringements or for data, information, materials and content stored on, or transmitted or communicated through, the systems or networks controlled or operated by them (or on their behalf) in cases that direct or link users to an online site, provided that they implement a "notice and take down" procedure, and that they obey any court order regarding the withdrawal of content.

If personal data is collected through a website, a privacy notice must be made available on the website. If e-commerce is carried out through such website, the relevant information about the provider must be made available on the website, including the name and address of the provider as well as contact details to issue and start complaints.

Other requirements may be necessary if a regulated activity is carried out (for example, in the event of transactions concerning banking, finance and market securities).

Under the United States-Mexico-Canada Agreement (USMCA) regulations, which was approved by the signatories in 2020, only the author of the content posted on a webpage is liable for it. Therefore, the owners of the webpage will not be held responsible for information displayed provided they do not have any "interest" in such content, meaning that they must have a direct relation to the content to be liable for it.

If any person deems that they own a trade mark or any information protected by intellectual property laws in Mexico used on a website, they can present a request before the Mexican Institute of Industrial Property for the website to be shut down or for the content to be removed from it. Other remedies can be sought by the owner of the content, including presenting criminal charges against the person who used content owned by them.

Under the recent reforms to the Copyright Law (effective as of 2 July 2020) a "notice and take down" procedure must now be made available. However, there is no liability for ISPs regarding data, information, materials or contents that are communicated or stored in their systems, and they have no legal obligation to monitor the illegal use of works or content provided on the internet or to provide any kind of notice to infringing users.

An ISP can shut down a website, remove content, or disable linking under the website's own terms and conditions. It is common for ISPs to establish in their terms and conditions that they will be able to remove content or disable links, even if they do not have permission of the content owner. Such terms and conditions are deemed a valid contractual relationship, therefore any agreement for such purposes is valid.

Additionally, under the reforms to the Copyright Law, ISPs must implement a "notice and take down" system. As a result, whilst ISPs are not liable for infringing content, they can be required to remove or disable content that may infringe copyrights where such content is in their systems or networks and they receive a notice from the copyright owner to remove/disable that content.

Finally, under the new VAT rules applicable to digital services, ISPs can disable a specific website when requested to do so by the tax authorities as a result of that website's non-compliance with the applicable tax obligations (namely, the non-payment of VAT applicable to the provision of digital services).

As with any other business transaction, the person who offers or sells the goods or services is liable to the consumer in relation to the goods or services provided and how they were offered. In some cases, depending on the type of products, certain guarantees may apply arising from the relevant NOMs.

As any other type of business, the types of insurance policies available to online businesses should be verified with insurance companies. There are no specific types of insurance policies for online businesses.

Mexican law does not explicitly regulate internet transactions completed online. Online business transactions have remained within the scope of the CoC, which applies to any other commercial activity. However, the current government is trying to impose regulations on social media, to guarantee and impose procedures related to freedom of speech.

A draft Bill is currently under consideration to give the Federal Telecommunications Institute (Instituto Federal de Telecomunicaciones (IFT)) the authority to:

At the time of writing, it was not certain whether or not this Bill will be passed, principally because social media is currently an unregulated service in Mexico. The number of legal amendments (including changes to the Constitution) required for it to be recognised as a regulated service would be high, which is likely to hamper its progress.