The Mexican Football Federation is fined for irregularities in data management for the FAN ID
The FAN ID system was used during the 2026 World Cup, a tournament that began on July 11 in Mexico City
The Mexican Football Federation (FMF) received a fine of 42.8 million pesos, equivalent to approximately $2.3 million dollars, after the Government of Mexico concluded that it failed to comply with current legislation regarding the protection of personal data during the operation of the FAN ID system, used to control fan access to stadiums.
The sanction was announced this Sunday by the Anti-Corruption and Good Government Secretariat, which determined the existence of irregularities related to the processing of users' biometric information.
The FAN ID system was used in Mexican venues during the 2026 World Cup, a tournament that began on July 11 in Mexico City and will end on July 19 in New York.
According to the official resolution, the Federation did not comply with legal obligations when collecting and processing data considered sensitive, in addition to not obtaining the type of authorization required by Mexican regulations for that type of information.
The authority detected two violations in the processing of biometric data
The investigation concluded that the FMF violated the principles of legality and responsibility provided for in the legislation on the protection of personal data.
According to the Anti-Corruption and Good Government Secretariat, the first irregularity consisted of not informing users that the photographs collected to generate the FAN ID constituted sensitive personal data.
“This omission prevented the holders from knowing the real scope of the processing of their personal information and from being able to decide in an informed manner about its use,” the agency explained.
The second breach was related to the mechanism used to obtain authorization from fans.
The authority noted that the Federation obtained consent through an acceptance box on a website, a procedure that it considered insufficient when it comes to biometric data.
“To process sensitive data, the law requires the express written consent of the owner, which must be unequivocal, that is, there must be elements that unquestionably demonstrate its granting,” indicated the Secretariat.
Based on these findings, the agency determined the imposition of the financial penalty.
The amount was calculated considering different factors, including the severity of the infractions detected, the sensitive nature of the information processed and the economic capacity of the FMF, taking its annual tax return corresponding to 2024 as a reference.
The agency also recalled that the Mexican Soccer Federation has the legal mechanisms provided to challenge the resolution if it so considers.
The FAN ID was originally implemented by the FMF after various episodes of violence recorded in Mexican soccer stadiums, with the objective of identifying those attending sporting events. Subsequently, the system was used to control public entry to stadiums located in Mexico during the 2026 World Cup.
The resolution represents one of the most relevant sanctions related to the handling of personal data during the organization of the tournament and focuses on the processing of biometric information of fans in large-scale sporting events.

