
On July 16, 2025, the Decree reforming and adding various provisions to the General Law on Enforced Disappearance of Persons, Disappearance Committed by Private Individuals, and the National System for the Search for Persons, as well as the General Population Law, was published in the Evening Edition of the Official Gazette of the Federation. This comprehensive reform represents a joint effort to strengthen the search, location, and identification of missing persons, incorporating the creation of the biometric Unique Population Registry Code (CURP) and the creation of the Single Identity Platform as a comprehensive tool for consultation, validation, and management of the CURP.
The updated version of the CURP will retain its 18-character alphanumeric structure, consisting of the information already included in it, such as first and last names, date of birth, sex or gender, place of birth, and nationality. However, it will now incorporate biometric data such as fingerprints and photographs, establishing this document as the national identification document, universally accepted and mandatory throughout Mexican territory, available in physical and digital format.
What are biometric data and how important is their care?
Biometric data is personal information derived from the unique physical and physiological characteristics of individuals, obtained through specialized technological systems or procedures. This information represents one of the most sensitive types of personal data due to its immutable and irreplaceable nature.
The protection of this data is crucial because it constitutes highly sensitive, unique, and irreplaceable elements that reveal intimate aspects of the individual. Its misuse can lead to identity theft, sophisticated fraud schemes, and could facilitate extreme surveillance of individuals, potentially compromising fundamental rights to privacy and personal autonomy.
With the reform, the CURP will integrate biometric data, such as fingerprints and photographs. This sensitive information will be stored securely on the Single Identity Platform, while the Digital Transformation and Telecommunications Agency will be responsible for its distribution in digital format, ensuring that appropriate security protocols and access controls are maintained throughout the process.
The legislative reform establishes comprehensive safeguards for transactions carried out using the biometric CURP. It is important to note that this information will only be tracked when a person is reported missing, ensuring that the primary purpose of strengthening search and identification capabilities does not compromise the privacy rights of the general population under normal circumstances.
Implications for individuals and businesses
The Reform establishes that the CURP, as a national identity document that is valid and mandatory for all Mexican citizens or foreigners residing in the country, will be a necessary document for carrying out any type of procedure, transaction, or access to services, whether public or private. Therefore, it is essential that all individuals, including minors, apply for and obtain this document.
As for the implications for companies, organizations in all sectors must prepare for significant operational and technological adaptations:
- They must comprehensively update their identity validation systems, service access protocols, and authentication mechanisms to integrate the new biometric CURP as the primary method of identification, ensuring compatibility with physical and digital formats.
- They will have to adapt their databases and internal processes to accept and process CURP with biometrics, while establishing sophisticated mechanisms for reading and validating such information. This includes implementing appropriate technological infrastructure and ensuring staff training for the proper handling of these advanced identification features.
- In processes such as hiring personnel, financial or educational services, the biometric CURP will become the mandatory document, replacing previous verification methods and establishing new standards of security and reliability in identity verification.
- Finally, when storing and processing this type of sensitive data, companies become obligated to safeguard sensitive personal data. Therefore, they must comply with the Federal Law on Protection of Personal Data Held by Private Parties, implementing enhanced security measures, updating their privacy notices to reflect the handling of biometric data, and establishing rigorous protocols for the access, use, and protection of this critical information.
How much time they have to adapt
The fourth transitory article of the decree establishes that, within 90 calendar days from the entry into force of the Decree, all public and private entities will adopt the necessary measures to include the CURP as a requirement in all procedures.
This relatively short deadline underscores the urgency and importance that the government attaches to this transformation of the national identification system.
Organizations should use this grace period to conduct a thorough assessment of their current systems, identify the necessary modifications to their technological infrastructure, train their staff in the new procedures, and update all legal and operational documentation related to the handling of personal data and identification procedures.
How to obtain the biometric CURP
The implementation of the biometric CURP will follow a gradual and systematic approach, designed to ensure an orderly and efficient transition for the entire population.
It is estimated that it will be January 2026 before the process for obtaining it is open to the public at Civil Registry offices and other authorized offices throughout the country.
To obtain the new biometric CURP, individuals must go in person to the authorized centers with:
- Valid official identification
- An updated CURP in traditional format
- An email address so that the application process can be properly tracked
It is essential that citizens ensure that they only go to official and verified offices to avoid possible fraud or the improper handling of their sensitive biometric data.
Link to the General Law on the Protection of Personal Data Held by Obligated Subjects (LGPDPPSO)
The reform stipulates that the Ministry of the Interior will take the necessary steps to integrate individuals’ biometric data into the CURP, in strict compliance with regulations on the protection of personal data, both in the possession of obligated parties and private individuals.
This approach ensures that the modernization of the identification system does not compromise citizens’ fundamental rights to privacy and data protection.
Given that the collection, storage, and processing of sensitive data such as biometric data will be carried out by a public entity, it is required to comply with the General Law on the Protection of Personal Data Held by Obligated Subjects (LGPDPPSO), which establishes rigorous standards for the handling of personal information by government institutions.
In order to collect such data, it is necessary to have the express consent of the data subject for its processing and storage.
This consent must be informed, specific, and revocable, ensuring that individuals fully understand the scope of the use of their biometric data and maintain control over their personal information.
The principles of lawfulness, purpose, proportionality, and security must be applied, as well as the necessary measures that must be reinforced for the protection of such data.
As an example of these advanced security measures, the storage of this data must be encrypted, with control over the people who have access to it and keeping a detailed record of such access and documenting how the biometric data has been used for auditing and transparency purposes.
This reform regulates the transfer of biometric data between public institutions for the prevention and investigationof persons reported as missing.
It is mandatory for all subjects who have such sensitive data to notify the competent authorities of its use, creating a system of traceability and accountability that strengthens both the effectiveness of the system and the protection of individual rights.
Therefore, companies that store or verify CURP with biometrics must comply with this law in their processing, implementation of appropriate security measures, and adequate safeguarding of information, establishing internal protocols that guarantee the responsible and secure handling of this highly sensitive data.
General Recommendations
In light of this new scenario, we have developed a series of practical recommendations based on our experience and on international best practices observed in jurisdictions with more developed regulatory frameworks for biometric data protection:
Recommendations for individuals:
Make sure you request your CURP at official offices.
To obtain your biometric CURP, make sure you are completing the process at authorized offices or institutionsand that they are following the necessary information storage security protocols.
Treat your CURP as a confidential document.
One of the main recommendations we can make is that you do not share your CURP with anyone, either by email or on social media.
Only use copies for official procedures and with verified institutions.
Avoid falling victim to scams and prevent unauthorized persons from obtaining your sensitive data.
Find out who can process your data.
Always make sure you are aware of the privacy notices of public and private institutions, and ensure you are well informed about how your personal data will be processed, how long it will be stored, and whether it may be shared with third parties.
You should inform about the process for exercising your ARCO rights.
Remember that you have the right to access, rectify, cancel, or oppose the processing of your personal data, except in cases where there are legal exceptions.
Therefore, if you identify that your data is being used for purposes other than those authorized, be sure to assert your rights.
Recommendations for companies:
Update your internal systems and processes.
Adapt your identity verification systems to accept and process the biometric CURP as an official identification document, ensuring that all your processes are aligned with the new provisions.
Evaluate the implications of processing biometric data.
If your company will store or receive the biometric CURP, you will be responsible for processing highly sensitive data, so you must verify that your Privacy Notice is in line with the provisions applicable to the processing and safeguarding of such information.
Begin to apply enhanced security measures.
When storing biometric data, you must implement technologies to protect this data, such as encryption, restricted access, access traceability, and internal audits.
Also, be sure to designate a person or area within your company responsible for protecting such data.
Train your staff.
Make sure to raise awareness among your staff about the proper handling of biometric CURP, establish protocols for responding to security incidents or information leaks, as well as penalties for staff who commit offenses regarding the processing of biometric data.
Keep evidence of compliance.
Each time biometric data is collected and processed, be sure to keep a record of the express consent given by individuals, confirmation that they have read and accepted the corresponding Privacy Notice, and the follow-upyou are conducting to ensure that the necessary protective measures are in place for the proper handling of such data.
The entry into force of the reform represents a significant change in the way official identification of individuals is managed.
This new instrument will incorporate highly sensitive and risky data if it falls into the wrong hands or is misused, requiring extraordinarily careful and responsible handling by all parties involved.
While this measure seeks to strengthen security and certainty in identification, it also poses significant challenges in terms of personal data protection.
Individuals must be cautious about the use and disclosure of their new CURP, while companies and entities will have to adapt their validation processes, hiring procedures, computer systems, and privacy notices based on the principles and obligations established in laws such as the LFPDPPP and the LGPDPPSO.
At Baker Tilly, we understand that the intersection of technology and personal data protection represents one of the most complex challenges in contemporary law.
Our approach combines the technical rigor necessary to navigate these complexities with the practical clarity our clients require to make informed decisions in this new regulatory environment.
Feel free to contact our Personal Data Protection specialists.
Our goal is to transform legal uncertainty into strategic opportunities, helping our clients innovate responsibly while protecting personal data.
