Law 25 (formerly Bill 64) has transformed personal data protection in Quebec. Since its phased implementation between September 2022 and September 2024, every business that collects personal data through its website must meet strict consent requirements.
If you're wondering how to create a Law 25 compliant consent form, which cookie banner to implement, or how to draft your privacy policy, this guide walks you through each step. We provide concrete templates, examples by site type, and tools to simplify your compliance.
What is Law 25 and why does it matter to you?
Law 25 modernizes personal data protection in Quebec. It applies to any business that collects, uses, or discloses personal information of Quebec citizens, whether based in Quebec or elsewhere.
In practice, if your website uses a contact form, newsletter signup, tracking cookies (Google Analytics, Facebook Pixel), an e-commerce system, or any other mechanism that collects personal data, you are affected.
The main obligations include:
- Informed consent: obtain valid (free, informed, specific) consent before collecting personal data; it must be explicit whenever the collection goes beyond what the service requested by the user requires (see the next section).
- Privacy policy: publish, in clear and simple language, a policy describing what data is collected, why, how it is used, and with whom it is shared.
- Person in charge of protecting personal information: designate a person responsible for compliance (by default the person with the highest authority in the organization, who may delegate the role in writing) and publish their title and contact details on your website.
- Right to withdraw: allow users to easily withdraw their consent at any time.
- Confidentiality incident notification: keep a register of all confidentiality incidents and, when an incident presents a risk of serious injury, notify the Commission d'accès à l'information du Québec (CAI) and the affected individuals.
- Privacy impact assessment (PIA): conduct a PIA for any project to acquire, develop or overhaul an information system or electronic service delivery that involves personal information, and before communicating personal information outside Quebec.
For a complete guide on all Law 25 obligations for websites, check out our dedicated article on Law 25 and your website.
Implicit vs Explicit Consent: What's the Difference?
Law 25 distinguishes between two types of consent, and it's crucial to understand when to use each.
Implicit Consent
Implicit consent applies when data collection is necessary for the provision of a service that the user has explicitly requested. For example:
- A contact form that collects name and email to respond to a request.
- An order form that collects the delivery address to ship a product.
- Cookies strictly necessary for site functionality (shopping cart, login session).
In these cases, consent is considered implicit by the very act of filling out the form or using the service. However, you must still inform the user of the collection via your privacy policy.
Explicit Consent
Explicit consent is required for any data collection that exceeds what is strictly necessary. It must be free, informed, specific, and given by a clear affirmative act. For example:
- Signing up for a marketing newsletter.
- Tracking and analytics cookies (Google Analytics, Facebook Pixel, Hotjar).
- Advertising and remarketing cookies.
- Sharing data with third-party partners.
- Collection of sensitive data (health data, political opinions, etc.).
Important: explicit consent cannot be assumed. Pre-checked boxes, page scrolling, or simply continuing to browse do not constitute valid consent under Law 25.
The Cookie Banner: Your First Compliance Point
The cookie banner (or consent banner) is the most visible element of your compliance with Law 25. It must appear on the first visit and allow the user to make an informed choice.
Mandatory Elements of a Compliant Banner
- Clear information: explain in simple language what types of cookies are used and why.
- Choice options: offer at least 'Accept all', 'Reject all', and 'Customize' (manage preferences by category).
- Cookie categorization: distinguish necessary cookies (always active) from analytics, marketing, and functionality cookies.
- Link to privacy policy: allow the user to easily access full details.
- No dark patterns: the 'Reject' button must be as visible and accessible as the 'Accept' button. No misleading colors or manipulative texts.
Text Template for Your Banner
Here is a text template you can adapt for your cookie banner:
“We use cookies to enhance your experience on our site, analyze traffic, and personalize content. Necessary cookies are essential for site functionality. You can accept or reject optional cookies (analytics, marketing) at any time. See our privacy policy for more information.”
Consent Form Template by Site Type
The consent form must be adapted to the context of your website. Here are concrete examples for the most common situations.
E-commerce Site
For an online store, consent must cover several aspects:
- Order form: implicit consent for transaction data (name, address, payment). Add a note: “By placing this order, you agree that we collect your personal information for the purpose of processing and delivering your order, in accordance with our privacy policy.”
- Account creation: explicit consent for storing data beyond the transaction. Checkbox: “I agree to create an account to facilitate my future orders. I understand that I can request the deletion of my account at any time.”
- Promotional newsletter: separate explicit consent. Unchecked checkbox: “I agree to receive promotional offers and news by email. I can unsubscribe at any time.”
Site with Contact Form
For a simple contact form, add below the submit button:
“By submitting this form, you consent to [Company Name] collecting and using the information provided solely to respond to your request. Your data will not be shared with third parties. See our privacy policy for your rights.”
Site with Newsletter Signup
Signing up for a newsletter requires separate explicit consent:
- Mandatory unchecked checkbox.
- Clear text: “I agree to receive the newsletter from [Company Name]. My email address will be used only for this purpose. I can unsubscribe at any time by clicking the unsubscribe link in each email.”
- Link to the privacy policy.
- Double opt-in confirmation recommended (confirmation email).
Site with Online Appointment Booking
For healthcare professionals, beauty salons, consultants, and other services with appointment booking:
“By booking this appointment, you consent to [Company Name] collecting and storing your contact details and appointment information. This data will be used to manage your appointment, send reminders, and ensure follow-up. See our privacy policy.”
Drafting Your Privacy Policy
The privacy policy is the central document of your compliance. It must be easily accessible from all pages of your site (usually in the footer) and contain the following elements:
- Identity of the organization: company name, contact details, and the title and contact details of the person in charge of protecting personal information.
- Types of data collected: exhaustive list of the personal data you collect (name, email, IP address, browsing data, etc.).
- Purposes of collection: why you collect each type of data (order processing, marketing communication, traffic analysis, etc.).
- Basis for processing: consent, or one of the exceptions set out in the Act (for example, information necessary to perform the contract the user requested). Law 25 has no 'legitimate interest' basis; that term comes from the GDPR, so do not copy it from a European policy.
- Data recipients: with whom the data is shared (subcontractors, partners, third-party service providers).
- Retention period: how long you retain the data.
- User rights: right of access, rectification, deletion, withdrawal of consent, and portability.
- Transfers outside Quebec: if data is transferred outside Quebec (e.g., to US servers), this must be mentioned along with the protection measures in place; the Act also requires a PIA before such a communication.
- Complaint process: how the user can file a complaint with the CAI.
Tools to Simplify Your Compliance
Several tools can help you quickly implement a Law 25 compliant consent solution on your website.
CookieYes
CookieYes is one of the most popular tools for managing cookie consent. It offers a customizable banner, automatic cookie categorization, a consent log, and compatibility with Law 25 and GDPR. The free plan suits small sites, while paid plans (starting at $10/month) offer advanced features.
Complianz
Complianz is a comprehensive WordPress plugin that manages both the cookie banner and privacy policy generation. It automatically scans your site's cookies, generates compliant documentation, and offers regular updates to keep up with legal changes. The premium plugin costs about $45 per year per site.
Other Solutions
- Didomi: enterprise solution with advanced consent preference management. Ideal for large organizations.
- OneTrust: comprehensive data governance platform, suitable for medium to large businesses.
- Axeptio: French solution with a particularly refined user interface and a 'privacy by design' approach.
- Google Consent Mode v2: not a banner itself, but the mechanism by which your banner tells Google tags (Google Analytics 4, Google Ads) the user's choice through four signals (analytics_storage, ad_storage, ad_user_data, ad_personalization); each must default to 'denied' until consent is given.
Penalties for Non-Compliance
Companies that do not comply with Law 25 face severe penalties:
- Administrative penalties: the Commission d'accès à l'information du Québec can impose fines of up to $10 million or 2% of worldwide turnover for the preceding fiscal year, whichever is greater.
- Penal penalties: fines of $15,000 to $25 million, or 4% of worldwide turnover for the preceding fiscal year, whichever is greater, for the most serious offences.
- Private right of action: aggrieved individuals can sue the company for damages, with a minimum of $1,000 in punitive damages when the infringement is intentional or results from gross fault.
- Reputational damage : beyond fines, a data breach or public non-compliance can cause significant damage to your brand image.
Don't take unnecessary risks. Compliance is a modest investment compared to potential fines and reputational damage.
Common Mistakes to Avoid
Here are the most common mistakes we observe among Quebec businesses:
- Pre-checked boxes : consent boxes for newsletters or optional cookies should NEVER be pre-checked.
- Cookie wall : blocking site access if the user refuses non-essential cookies is prohibited.
- Bundled consent : asking for a single consent for multiple purposes (marketing + analytics + third-party sharing) is not compliant. Each purpose must have its own consent.
- Lack of withdrawal mechanism : the user must be able to withdraw consent as easily as it was given.
- Generic privacy policy : copy-pasting a policy found online without adapting it to your reality is not sufficient and can expose you.
- Ignoring third-party cookies : even if you haven't directly installed cookies, third-party scripts (YouTube, Google Maps, social networks) do. You are responsible for all cookies on your site.
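The banner requirements (one choice per purpose, nothing pre-checked, a consent record), the mistakes above (bundled consent, no withdrawal mechanism, third-party tags that fire regardless) and the Consent Mode v2 signals listed under tools all come down to a small piece of client-side code. The following is an added example written for this article; it is not code from the page, from H1Site, or from any of the tools mentioned. The purpose names, the storage key, the `data-consent` attribute convention for inert scripts and the purpose-to-signal mapping are assumptions; the Consent Mode parameter names themselves are Google's.

```javascript
'use strict';

// Storage key and purposes are assumptions for this example; 'necessary' is always on
// and never asked for. Bump CONSENT_VERSION when the policy changes so users are re-asked.
const CONSENT_KEY = 'site_consent';
const CONSENT_VERSION = 1;
const PURPOSES = ['analytics', 'marketing', 'functionality'];

// In-memory stand-in for localStorage so the code also runs outside a browser (tests, SSR).
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
  };
}

class ConsentManager {
  constructor(storage, now) {
    this.storage = storage || (typeof localStorage !== 'undefined' ? localStorage : memoryStorage());
    this.now = now || (() => Date.now());
    this.state = this.load();
  }

  // Returns the stored decision, or null when there is none, it is unreadable, or it predates the current policy.
  load() {
    const raw = this.storage.getItem(CONSENT_KEY);
    if (!raw) return null;
    try {
      const parsed = JSON.parse(raw);
      if (parsed.version !== CONSENT_VERSION || typeof parsed.choices !== 'object') return null;
      return parsed;
    } catch (e) {
      return null;
    }
  }

  // Show the banner whenever no decision is recorded. Scrolling or browsing never changes this.
  needsBanner() { return this.state === null; }

  // Default is denied for every optional purpose; only an explicit true grants it.
  isAllowed(purpose) {
    if (purpose === 'necessary') return true;
    return this.state !== null && this.state.choices[purpose] === true;
  }

  // Record one decision per purpose. Purposes absent from `choices` are denied (never bundled).
  decide(choices, source) {
    const normalized = {};
    for (const p of PURPOSES) normalized[p] = choices[p] === true;
    const log = (this.state ? this.state.log : []).concat([
      { at: this.now(), source: source, choices: Object.assign({}, normalized) },
    ]).slice(-20); // keep the last 20 decisions as a record of what was consented to and when
    this.state = { version: CONSENT_VERSION, choices: normalized, log: log };
    this.storage.setItem(CONSENT_KEY, JSON.stringify(this.state));
    return Object.assign({}, normalized);
  }

  acceptAll() {
    const all = {};
    for (const p of PURPOSES) all[p] = true;
    return this.decide(all, 'accept_all');
  }

  rejectAll() { return this.decide({}, 'reject_all'); }

  // Withdrawal is one call, as easy as granting, and is logged like any other decision.
  withdraw(purpose) {
    const current = this.state ? Object.assign({}, this.state.choices) : {};
    current[purpose] = false;
    return this.decide(current, 'withdraw_' + purpose);
  }
}

// Third-party tags are authored inert, e.g. <script type="text/plain" data-consent="marketing" src=...>.
// Given descriptors {id, purpose}, return the ones that may run. Unknown purposes stay blocked.
// In the browser, the caller then re-creates each allowed node with type="text/javascript".
function gateScripts(consent, scripts) {
  return scripts.filter((s) => PURPOSES.indexOf(s.purpose) !== -1 && consent.isAllowed(s.purpose));
}

// Google Consent Mode v2 signals (names are Google's; mapping purposes onto them is our choice).
// Pass the result to gtag('consent', 'update', ...) after every decision; the 'default' call
// that runs before the banner must set all four to 'denied'.
function consentModeV2(consent) {
  const g = (ok) => (ok ? 'granted' : 'denied');
  const marketing = consent.isAllowed('marketing');
  return {
    analytics_storage: g(consent.isAllowed('analytics')),
    ad_storage: g(marketing),
    ad_user_data: g(marketing),
    ad_personalization: g(marketing),
  };
}
```

In a page, create one `ConsentManager` at load, show the banner only when `needsBanner()` is true, wire 'Accept all' to `acceptAll()`, 'Reject all' to `rejectAll()` and the 'Customize' form to `decide()` with one unchecked box per purpose, then run `gateScripts()` over the inert script tags and push `consentModeV2()` to gtag. A 'Cookie settings' link in the footer that calls `withdraw()` satisfies the withdrawal requirement with the same single click it took to consent. Changing `CONSENT_VERSION` when the policy or purposes change invalidates old records, so users are asked again rather than being held to consent they gave for a different policy.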
Conclusion: Take Action Now
Compliance with Law 25 is not optional — it's a legal obligation that protects both your clients and your business. Implementing an adequate consent form, a compliant cookie banner, and a complete privacy policy is a modest investment that protects you from potentially devastating penalties.
Don't wait for a client to file a complaint or for the CAI to come knocking. Act now to bring your website into compliance.
At H1Site, we assist Quebec businesses in achieving Law 25 compliance. From auditing your current site to fully implementing consent mechanisms, our team ensures your website meets all legal requirements. Contact us for a free compliance evaluation.