
Law 25 and Websites in Quebec: Are You Compliant?

March 16, 2026 · 12 min read

[Image: Scales of justice and padlock representing personal data protection and Law 25]

Since September 22, 2023, all provisions of Law 25 (officially the “Act to modernize legislative provisions as regards the protection of personal information”) have been fully in effect in Quebec. This law imposes strict obligations on any organization that collects, uses, or discloses personal information, which includes virtually every website that uses cookies, forms, or analytics tools.

However, according to a recent study, more than 60% of Quebec websites are still not compliant with Law 25. Penalties can reach up to 25 million dollars or 4% of global turnover. This comprehensive guide explains everything you need to know and do to make your site compliant.

What is Law 25?

Law 25, adopted on September 21, 2021, by the National Assembly of Quebec, is a major modernization of Quebec's legislative framework for personal information protection. It primarily amends two existing laws:

  • The Act respecting the protection of personal information in the private sector
  • The Act respecting access to documents held by public bodies and the protection of personal information

Law 25 is often compared to the European GDPR (General Data Protection Regulation), although it has its own particularities. Its goal is to give Quebecers better control over their personal data and to impose increased responsibilities on organizations that collect them.

Gradual Implementation

The law was implemented in three phases:

  • September 22, 2022: designation of a data protection officer, reporting of privacy incidents
  • September 22, 2023: privacy policy, explicit consent, right to portability, privacy impact assessments (PIAs)
  • September 22, 2024: full enforcement of data portability rights

By 2026, all provisions are active, and the Commission d'accès à l'information (CAI) conducts audits and imposes penalties.

What are the obligations for your website?

1. Privacy Policy

Your website must have a clear, accessible privacy policy written in simple language. This policy should be directly available on your site (usually in the footer) and must include:

  • The types of personal information collected (name, email, IP address, browsing data, etc.)
  • The purposes for which this information is collected
  • The means of collection used (forms, cookies, tracking pixels, etc.)
  • The rights of the concerned individuals (access, rectification, deletion, portability)
  • The contact details of the person responsible for personal information protection
  • The third parties to whom the data is communicated (Google Analytics, Facebook Pixel, newsletter provider, etc.)
  • Transfers outside Quebec: whether data is transferred outside Quebec (servers in the United States, for example)
  • The retention period of the information

Common mistake: using a generic template copied from the Internet. Your policy must accurately reflect the practices of YOUR website and YOUR business.

2. Consent for Cookies and Tracking Technologies

This is probably the most visible obligation for your site's visitors. Law 25 requires explicit, free, informed, and specific consent before placing non-essential cookies on the user's device.

What is considered a “non-essential” cookie:

  • Google Analytics and other traffic analysis tools
  • Facebook Pixel, LinkedIn Insight Tag, and other advertising tracking pixels
  • Remarketing and targeting cookies
  • Personalization cookies (unless strictly necessary for operation)
  • Social media widgets that track users

What is considered an “essential” cookie (exempt from consent):

  • Session cookies (maintaining login)
  • Shopping cart cookies on an e-commerce site
  • Security cookies (CSRF, fraud protection)
  • Language preference cookies
  • Cookies necessary for the technical functioning of the site

3. Cookie Consent Banner

To comply with Law 25, your cookie banner must meet several criteria:

  • Explicit opt-in: non-essential cookies must NOT be activated by default. The visitor must actively accept.
  • Clear options: the visitor must be able to accept, refuse, or customize their choices. The “Refuse” button must be as visible as the “Accept” button.
  • Sufficient information: the banner must explain what types of cookies are used and why.
  • No “dark patterns”: refusal must not be made harder than acceptance (different colors, hidden buttons, additional clicks).
  • Withdrawal of consent: the visitor must be able to change their mind at any time via an accessible link (often in the footer).
  • Proof retention: you must be able to prove that consent was obtained.

Important : a simple information banner (“This site uses cookies. By continuing, you accept.”) is NOT compliant with Law 25. Implicit consent is not valid.
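The banner criteria above translate into a small amount of front-end logic: nothing non-essential loads until a decision exists, every decision is stored with a timestamp and the policy version it was given under, and withdrawal is itself a recorded decision. The following is an added example written for this article, not code from the article or from any of the consent platforms it names. The tag registry, the category names, the policy version string and the in-memory store are all constructed for illustration; a real site would keep the record in a first-party cookie or localStorage and inject the script tags into the page.

```javascript
// Added example, not code from the article or from any CMP product it names.
// A minimal opt-in consent gate for non-essential tags: default-deny, explicit
// choices, a timestamped proof record, withdrawal, and re-consent when the
// policy version changes. The tag registry, category names, policy version and
// in-memory store are all constructed for illustration.
'use strict';

const CATEGORIES = ['analytics', 'advertising', 'personalization'];
const POLICY_VERSION = '2026-03-16'; // assumed: change it whenever the policy text changes

// Constructed registry of non-essential tags and the category each one needs.
const TAGS = [
  { name: 'google-analytics', category: 'analytics' },
  { name: 'facebook-pixel', category: 'advertising' },
  { name: 'remarketing', category: 'advertising' },
];

// Constructed in-memory stand-in for a first-party cookie or localStorage.
function memoryStore() {
  let value = null;
  return {
    get: () => (value ? JSON.parse(value) : null),
    set: (rec) => { value = JSON.stringify(rec); },
    clear: () => { value = null; },
  };
}

function createConsentManager(store, loadTag, now = () => new Date()) {
  const loaded = new Set();

  // No decision yet, or a decision taken under an older policy version:
  // everything non-essential is denied and the banner must be shown again.
  function current() {
    const rec = store.get();
    if (!rec || rec.version !== POLICY_VERSION) {
      return { version: POLICY_VERSION, decidedAt: null, source: null,
               choices: Object.fromEntries(CATEGORIES.map((c) => [c, false])) };
    }
    return rec;
  }

  // Load only the tags whose category has been granted, and never twice.
  function applyTags() {
    const rec = current();
    for (const tag of TAGS) {
      if (rec.choices[tag.category] === true && !loaded.has(tag.name)) {
        loadTag(tag.name);
        loaded.add(tag.name);
      }
    }
  }

  // Persist a decision as proof: what was chosen, when, under which policy
  // version, and through which control (accept / refuse / customize / withdraw).
  function record(choices, source) {
    const rec = { version: POLICY_VERSION, decidedAt: now().toISOString(), source, choices: {} };
    for (const c of CATEGORIES) rec.choices[c] = choices[c] === true;
    store.set(rec);
    applyTags();
    return rec;
  }

  return {
    needsBanner: () => current().decidedAt === null,
    isAllowed: (category) => current().choices[category] === true,
    acceptAll: () => record(Object.fromEntries(CATEGORIES.map((c) => [c, true])), 'banner:accept'),
    refuseAll: () => record({}, 'banner:refuse'),
    customize: (choices) => record(choices, 'banner:customize'),
    // Withdrawal is a recorded decision like any other. Tags already loaded in
    // this page view cannot be unloaded: the caller clears their cookies and
    // reloads, which is why the names are returned.
    withdraw: () => {
      const rec = record({}, 'footer:withdraw');
      return { record: rec, unload: [...loaded].sort() };
    },
    proof: () => current(),
    loadedTags: () => [...loaded].sort(),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  const loads = [];
  const cm = createConsentManager(memoryStore(), (name) => loads.push(name));
  console.log('banner needed:', cm.needsBanner());        // true
  cm.customize({ analytics: true });
  console.log('loaded after customize:', cm.loadedTags()); // [ 'google-analytics' ]
  console.log('proof:', cm.proof());
}
```

Two details carry most of the compliance weight: the default state when no record exists is deny-all rather than an empty object, so a missing or corrupted record can never let a tag through; and a record saved under an earlier policy version is treated as no consent, so a change to the policy text forces the banner to be shown again instead of silently reusing old consent.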

4. Personal Information Protection Officer

Every organization must designate a personal information protection officer. By default, this is the person with the highest authority (the CEO). However, this responsibility can be delegated in writing to another person.

The title and contact details of this person must be published on your website (usually in the privacy policy and/or on a dedicated page).

5. Privacy Impact Assessment (PIA)

Before implementing a new project involving personal information, you must conduct a PIA. For a website, this includes:

  • Adding a new tracking tool (new pixel, new analytics platform)
  • Redesigning the site involving new forms or collection processes
  • Integrating a new provider that will access visitor data
  • Transferring data to a service hosted outside Quebec

6. Privacy Incident Management

In the event of a data breach or privacy incident involving a risk of serious harm, you must:

  1. Notify the Commission d'accès à l'information (CAI) as soon as possible
  2. Notify the affected individuals
  3. Maintain a record of incidents (even those without a risk of serious harm)

For a website, an incident could be: a security breach exposing user data, unauthorized access to your customer database, or accidentally sending data to the wrong recipient.

Penalties for Non-Compliance

Law 25 provides for severe penalties:

  • Administrative monetary penalties: up to 10 million dollars or 2% of global turnover
  • Criminal penalties: up to 25 million dollars or 4% of global turnover
  • Private right of action: individuals whose data has been misused can sue the company and claim punitive damages of at least $1,000 per person

In 2025-2026, the CAI began issuing its first penalties. Although SMEs are not the first targets, the trend is clear: tolerance is decreasing, and audits are increasing.

Law 25 Compliance Checklist for Your Website

Use this checklist to verify the compliance of your website:

Privacy Policy

  • ☐ The policy is accessible from all pages (link in the footer)
  • ☐ It is written in clear and simple language
  • ☐ It lists all types of data collected
  • ☐ It explains the purposes of the collection
  • ☐ It identifies third parties receiving data
  • ☐ It mentions transfers outside Quebec
  • ☐ It includes the contact details of the data protection officer
  • ☐ It describes users' rights and how to exercise them
  • ☐ It indicates the data retention period

Cookie Consent Banner

  • ☐ Non-essential cookies are blocked BEFORE consent
  • ☐ The visitor can accept, refuse, or customize
  • ☐ The “Refuse” button is as visible as “Accept”
  • ☐ The categories of cookies are clearly explained
  • ☐ Consent is recorded and can be proven
  • ☐ The visitor can change their choice at any time
  • ☐ No “dark patterns” or manipulation

Forms and Data Collection

  • ☐ Each form collects only necessary data (minimization)
  • ☐ The purpose of the collection is indicated on the form
  • ☐ Consent is obtained before newsletter subscription
  • ☐ Data is transmitted securely (HTTPS)

Organization

  • ☐ A data protection officer is designated
  • ☐ Their contact details are published on the site
  • ☐ An incident management process is in place
  • ☐ An incident log is maintained
  • ☐ PIAs are conducted before any new collection project

Concrete Examples of Compliance

Example 1: Professional Showcase Site

An accountant from Vaudreuil-Dorion has a WordPress site with a contact form, Google Analytics, and a Facebook widget. To comply with Law 25, he had to:

  1. Install a consent banner that blocks Google Analytics and the Facebook widget until consent is given
  2. Draft a privacy policy mentioning Google (USA) and Facebook (USA) as data recipients
  3. Add a note under the contact form indicating the purpose of the collection
  4. Designate himself as the data protection officer

Example 2: E-commerce Store

An online store on Shopify collects much more data: name, address, email, phone, purchase history, payment data. In addition to the showcase site measures, it had to:

  1. Review its privacy policy to include transactional data
  2. Ensure that third-party Shopify apps are compliant
  3. Configure the banner to block remarketing pixels (Facebook, Google Ads) before consent
  4. Implement a right to erasure process (allow customers to request deletion of their data)
  5. Conduct a PIA for each new Shopify app installed

Example 3: Site with Newsletter

A restaurant in Montreal collects emails for its newsletter via Mailchimp. Additional obligations:

  1. Double opt-in for newsletter subscription (email confirmation)
  2. Mention that data is transferred to the USA (Mailchimp servers)
  3. Functional unsubscribe link in every email
  4. Retention of consent proof

Recommended Tools for Compliance

Several tools can help you make your website compliant with Law 25:

  • CookieYes: affordable consent management platform (CMP), compliant with Law 25 and GDPR, easy to install on WordPress and Shopify
  • Complianz: popular WordPress plugin with automatic cookie detection and privacy policy generation
  • OneTrust: more comprehensive enterprise solution for large organizations
  • Didomi: French CMP with bilingual support, popular in Quebec
  • Google Tag Manager: with Google Consent Mode v2, tags can be held back until consent is obtained
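For the Google Tag Manager route, the banner's categories have to be expressed as Consent Mode v2 signals, and the `default` call (with every non-essential signal denied) has to be pushed before the container loads, otherwise tags fire on the first page view before any decision exists. The block below is an added example written for this article, not code from the article or from Google. The `gtag` function is the standard one-line shim that pushes onto `dataLayer`; the category names (`analytics`, `advertising`, `personalization`) and the two audit helpers are constructed here.

```javascript
// Added example, not code from the article or from Google. Maps a visitor's
// category choices onto Google Consent Mode v2 signals. `gtag` is the standard
// shim that pushes onto `dataLayer`; category names and audit helpers are
// constructed for this example.
'use strict';

const CONSENT_MODE_KEYS = [
  'ad_storage', 'ad_user_data', 'ad_personalization', 'analytics_storage',
  'functionality_storage', 'personalization_storage', 'security_storage',
];

function createConsentModeBridge(dataLayer) {
  function gtag() { dataLayer.push(arguments); }

  // Default state, to be pushed before the GTM container loads. Only the
  // signals for strictly necessary storage start as granted; wait_for_update
  // gives the banner a moment to deliver a stored decision before tags act.
  function setDefaults(waitForUpdateMs = 500) {
    gtag('consent', 'default', {
      ad_storage: 'denied',
      ad_user_data: 'denied',
      ad_personalization: 'denied',
      analytics_storage: 'denied',
      personalization_storage: 'denied',
      functionality_storage: 'granted',
      security_storage: 'granted',
      wait_for_update: waitForUpdateMs,
    });
  }

  // Translate the banner's categories (constructed names) into the signals.
  // All three advertising signals follow one "advertising" choice here.
  function update(choices) {
    const g = (ok) => (ok === true ? 'granted' : 'denied');
    gtag('consent', 'update', {
      analytics_storage: g(choices.analytics),
      ad_storage: g(choices.advertising),
      ad_user_data: g(choices.advertising),
      ad_personalization: g(choices.advertising),
      personalization_storage: g(choices.personalization),
    });
  }

  // Replay the dataLayer to compute the effective state, as a deployment check:
  // before any opt-in, every non-essential key should read 'denied'.
  function effectiveState() {
    const state = {};
    for (const entry of dataLayer) {
      if (entry[0] !== 'consent') continue;
      for (const key of CONSENT_MODE_KEYS) {
        if (entry[2] && entry[2][key] !== undefined) state[key] = entry[2][key];
      }
    }
    return state;
  }

  // The usual misconfiguration: an update (or nothing at all) before defaults.
  function firstConsentCommandIsDefault() {
    const first = dataLayer.find((e) => e[0] === 'consent');
    return first !== undefined && first[1] === 'default';
  }

  return { gtag, setDefaults, update, effectiveState, firstConsentCommandIsDefault };
}

if (typeof require !== 'undefined' && require.main === module) {
  const dataLayer = [];
  const bridge = createConsentModeBridge(dataLayer);
  bridge.setDefaults();
  console.log('before opt-in:', bridge.effectiveState());
  bridge.update({ analytics: true });
  console.log('after analytics opt-in:', bridge.effectiveState());
}
```

`effectiveState` is the part worth keeping around after deployment: run it in the browser console on a fresh session and every non-essential key should read `denied`, which is the observable form of the checklist item "non-essential cookies are blocked BEFORE consent".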

Law 25 vs GDPR: What Differences?

If your website also targets European users, you must also comply with the GDPR. Here are the main differences:

  • Geographical scope: Law 25 applies to Quebec organizations; GDPR applies to any company processing data of EU residents
  • Data protection officer: mandatory under GDPR in certain cases, always required under Law 25
  • Consent: similar in both cases (explicit, free, informed)
  • Penalties: GDPR up to €20M or 4%; Law 25 up to $25M or 4%
  • Right to be forgotten: more detailed in GDPR, but present in Law 25 via the right to de-indexing

In practice, if your site is GDPR compliant, it is generally compliant with Law 25 with a few minor adjustments. The reverse is not always true.

Frequently Asked Questions about Law 25

My site only collects emails via a form. Am I concerned?

Yes. An email is personal information. You must have a privacy policy, indicate the purpose of the collection, and obtain valid consent. If you also use Google Analytics or a Facebook pixel, a consent banner is necessary.

Are Google Analytics cookies considered essential?

No. Google Analytics is not necessary for the technical functioning of the site. It requires explicit consent. This means your Analytics data will underestimate your actual traffic (visitors who refuse cookies will not be tracked).

Can I use a “cookie wall” (block site access without acceptance)?

No. Consent must be free. Conditioning site access on cookie acceptance makes consent invalid under Law 25.

How long is consent valid?

Law 25 does not specify an exact duration, but the recommended practice is to re-request consent every 12 months. This is what most consent management platforms do.

Conclusion: Compliance with Law 25 is an Obligation, Not an Option

Law 25 is not just a regulatory constraint; it is also an opportunity to build trust with your visitors and customers. In a world where privacy concerns are growing, a website that is transparent about its data collection practices stands out positively.

Compliance is not as complex or costly as one might think. For a standard showcase site, a few hours of work are sufficient. For an e-commerce site, expect a greater effort but one that is entirely manageable with the help of a professional.

At H1Site, we assist Quebec businesses in bringing their websites into compliance with Law 25. From the initial audit to the technical implementation of the consent banner and privacy policy, we handle the entire process. Contact us for a free compliance audit.
