Most Quebec websites still look the way they did in 2021. The law underneath them doesn't. Since Law 25 began its staged rollout in September 2022 — with the teeth-bearing privacy obligations landing in September 2023 — what counts as a compliant cookie banner, a compliant privacy policy, and a compliant data handling workflow has fundamentally changed.

And yet: walk through ten Montréal business websites this afternoon and you'll find eight of them running a cookie banner that was legal under PIPEDA but not under Law 25. Marketing tags that fire before consent. Privacy policies that reference “reasonable consent” as if that phrase still does the job. Contact forms that ship personal information to a US processor with no mention anywhere of cross-border transfer.

This post is the version of the Law 25 briefing I wish we'd had when our clients started asking about it. It's not legal advice — for that, you need a lawyer admitted to the Quebec Bar. But it is an operator's read of what the law actually requires of a Quebec business running a marketing website, where the enforcement risk is real, and the five-step compliance stack we ship for clients.

What Law 25 actually is

Law 25 — officially An Act to modernize legislative provisions as regards the protection of personal information, adopted as Bill 64 — is the most significant update to Quebec privacy law in twenty-five years. It amends the Act respecting the protection of personal information in the private sector (the “Private Sector Act”) and brings Quebec's framework much closer to the GDPR than to Canada's federal PIPEDA regime.

The rollout came in three phases:

  • September 22, 2022 — Every organization must appoint a person in charge of the protection of personal information. Mandatory breach notification goes live.
  • September 22, 2023 — The substantive obligations kick in: transparency, consent, privacy by default, data subject rights, and the requirement to assess privacy impacts for sensitive projects.
  • September 22, 2024 — Data portability: individuals can demand their data in a structured, reusable format.

We are now past the second tranche, which is the one that matters most for anyone running a website. And the Commission d'accès à l'information — the CAI — now has the authority to levy administrative monetary penalties up to $10 million or 2% of worldwide turnover, whichever is higher. For criminal offences, the ceiling goes to $25 million or 4%.

Those are not theoretical numbers. They are the same order of magnitude as the GDPR. And the CAI is actively staffing up to use them. — On why this is not a “wait and see” moment

What changes for a business website

If you run a marketing website for a Quebec-based company, five things changed materially on September 22, 2023. A working compliance stack must address all five. Most don't.

1. Consent must be express, granular, and informed

The pre-Law 25 norm was what lawyers call implied or presumed consent: you ran a banner that said “by continuing to use this site, you agree to cookies,” the user scrolled, and you fired every marketing tag on the page. That is no longer enough. Under Law 25, consent must be free, informed, specific to each purpose, given for a limited time, and granular — users must be able to accept analytics cookies while rejecting advertising cookies, for example, and each purpose must be explained in clear terms before consent is collected.

A single “Accept all” button with no equivalent “Reject all” option is not compliant. Pre-ticked checkboxes are not compliant. Burying purposes three clicks deep in a privacy policy is not compliant.

2. No tag fires before consent

This is the one that trips up the most sites. Consent management is not a cosmetic banner — it's a technical contract with your tag manager. Until the user has made an explicit choice, the only cookies that should fire are the strictly necessary ones (session, CSRF, load balancing). Google Analytics, Meta Pixel, LinkedIn Insight Tag, TikTok Pixel, Hotjar, heatmaps, chat widgets that drop a persistent ID — all of these must wait for consent.

In practice, this means your GTM triggers need to be gated behind a consent state variable, or (cleaner) you implement Google's Consent Mode v2 and configure every tag's consent requirements explicitly. “I installed the banner” is not the same as “my tags are gated.”
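What "gated" means in code, as an added example that is not part of the original post: a small consent gate modelled on the Consent Mode v2 semantics described above. Every consent type starts denied, each tag declares the types it needs, and a tag loads only once all of them are granted. The tag names and the `loadTag` callback are assumptions for illustration; on a real site the callback would inject the vendor script or fire the GTM trigger.

```javascript
// Added example, not code from the original post. Consent types mirror the four
// Consent Mode v2 signals; the gate itself is a stand-in for a CMP + GTM setup.
const CONSENT_TYPES = ["analytics_storage", "ad_storage", "ad_user_data", "ad_personalization"];

function createConsentGate(loadTag) {
  // Privacy by default: everything is denied until the user makes an explicit choice.
  const state = Object.fromEntries(CONSENT_TYPES.map((t) => [t, "denied"]));
  const registered = [];   // tags waiting for (or already past) their consent check
  const fired = new Set(); // tags loaded during this page view

  const allGranted = (required) => required.every((t) => state[t] === "granted");

  function evaluate() {
    for (const tag of registered) {
      if (!fired.has(tag.name) && allGranted(tag.requires)) {
        fired.add(tag.name);
        loadTag(tag.name);
      }
    }
  }

  return {
    // Strictly necessary tags declare no requirements and load immediately.
    register(name, requires = []) {
      const unknown = requires.filter((t) => !CONSENT_TYPES.includes(t));
      if (unknown.length) throw new Error(`unknown consent type: ${unknown.join(", ")}`);
      registered.push({ name, requires });
      evaluate();
    },
    // Equivalent of gtag('consent', 'update', {...}) after the banner choice.
    // A withdrawal cannot unload a script already on the page: it takes effect on
    // the next page view, which again starts from "denied" for every type.
    update(choice) {
      for (const [type, value] of Object.entries(choice)) {
        if (!CONSENT_TYPES.includes(type) || !["granted", "denied"].includes(value)) {
          throw new Error(`invalid consent update: ${type}=${value}`);
        }
        state[type] = value;
      }
      evaluate();
    },
    hasFired: (name) => fired.has(name),
    state: () => ({ ...state }),
  };
}
```

Registering a tag with no requirements is how the strictly necessary set (session, CSRF, load balancing) bypasses the banner; everything else sits in the queue until the matching types flip to granted.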

3. Privacy policy becomes a structured document

The old one-page “we value your privacy” template is retired. A Law 25-compliant privacy policy must include, at minimum:

  1. The categories of personal information collected, and for what purposes;
  2. The means by which personal information is collected;
  3. The rights of data subjects under Law 25 — access, correction, withdrawal of consent, portability, and the right to be de-indexed;
  4. The name and contact information of the person in charge of the protection of personal information;
  5. Whether personal information is communicated outside Quebec, and if so, to which jurisdictions and under what safeguards;
  6. The retention period, or the criteria used to determine it;
  7. Whether automated decision-making is used, and if so, how.

Most marketing sites we audit have, generously, three of those seven. The cross-border transfer disclosure (point 5) and the automated decision-making disclosure (point 7) are almost never present.

4. Cross-border transfers need a transfer impact assessment

Section 17 of the modernized Private Sector Act requires organizations to conduct a privacy impact assessment before communicating personal information outside Quebec. If your contact form ships leads to HubSpot's US data centers, your analytics ships pageviews to Google's US infrastructure, or your email platform runs out of AWS us-east-1 — all of these are cross-border transfers, and all of them require an assessment that balances the sensitivity of the data, the purpose, and the legal framework of the destination jurisdiction.

You do not need to publish the assessment. You do need to be able to produce it if the CAI asks.

5. Data subject rights must have a working pipeline

Users can now demand access to their personal information, correction of inaccurate data, withdrawal of consent, and — as of September 2024 — portability of their data in a structured format. In practice this means you need a monitored intake email (often privacy@ or the address of the person in charge of the protection of personal information), a documented internal workflow for handling requests within the 30-day response window, and a way to actually execute deletions across your marketing stack: CRM, email platform, ad platforms, analytics, support tool.

Operator read

The gap between “we have a privacy email address” and “we can actually delete a person's record across fourteen tools inside thirty days” is where most organizations will discover, the hard way, that compliance is an operations problem, not a legal one.

The five-step compliance stack we ship

When a client asks us to get them to Law 25 compliance — not to the perfect theoretical ideal, but to a defensible, documented posture — this is the working order we follow. Every one of these is in scope for a marketing department, not a legal team.

Step 1 — Audit every tag that fires

Before anything else: run a tag audit. Open the site with cookies cleared, visit three or four representative pages, and enumerate every cookie, every local storage entry, every third-party request. Classify each one as strictly necessary, functional, analytics, or advertising. This is the inventory that feeds everything else. Without it, your consent banner is theater.

Step 2 — Install a consent management platform that actually gates tags

Not every CMP is equal. The ones we ship for clients — Cookiebot, Osano, OneTrust at enterprise scale — integrate with Google Tag Manager via Consent Mode v2 and actually prevent tags from firing until consent is given. The mistake we see most often: a CMP is installed for the banner UX, but the GTM triggers are not gated, so every tag fires anyway. Test this. Load your site with DevTools open and watch the network tab before you click anything.
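The tag audit from Step 1 and the "watch the network tab before you click anything" test from Step 2 reduce to the same check, shown here as an added example that is not part of the original post: take a capture of outbound requests with timestamps, note when the user clicked the banner, and flag every non-first-party request that left before that moment. The site domain, the vendor-to-category mapping and the sample capture are assumptions constructed for illustration.

```javascript
// Added example, not code from the original post. The capture is a constructed
// stand-in for what you would export from the DevTools network tab (or a HAR file).
const FIRST_PARTY = "example.ca"; // assumed site domain

// Assumed classification table the auditor maintains. Hosts are the vendors'
// commonly seen script hosts; "strictly-necessary" is reserved for third parties
// the page cannot function without (the CDN entry is a constructed placeholder).
const VENDOR_CATEGORY = {
  "www.google-analytics.com": "analytics",
  "static.hotjar.com": "analytics",
  "connect.facebook.net": "advertising",
  "snap.licdn.com": "advertising",
  "js.hs-scripts.com": "functional",
  "cdn.example-assets.net": "strictly-necessary",
};

function classify(host) {
  if (host === FIRST_PARTY || host.endsWith("." + FIRST_PARTY)) return "first-party";
  return VENDOR_CATEGORY[host] ?? "unclassified"; // unknown third parties get reviewed, not ignored
}

// capture: [{ ms, host, url }] ordered by time; consentMs: when the user clicked,
// or null if the capture ended before any choice was made.
function auditCapture(capture, consentMs) {
  const inventory = new Map(); // host -> category, the Step 1 deliverable
  const findings = [];         // requests that fired before consent
  for (const req of capture) {
    const category = classify(req.host);
    if (!inventory.has(req.host)) inventory.set(req.host, category);
    if (category === "first-party" || category === "strictly-necessary") continue;
    const beforeConsent = consentMs === null || req.ms < consentMs;
    if (beforeConsent) findings.push({ host: req.host, category, ms: req.ms, url: req.url });
  }
  return {
    inventory: [...inventory].map(([host, category]) => ({ host, category })),
    findings,
  };
}

// Constructed sample: the banner was clicked at 3000 ms; three vendors did not wait.
const SAMPLE_CAPTURE = [
  { ms: 0, host: "example.ca", url: "https://example.ca/" },
  { ms: 40, host: "cdn.example-assets.net", url: "https://cdn.example-assets.net/app.js" },
  { ms: 120, host: "www.google-analytics.com", url: "https://www.google-analytics.com/collect" },
  { ms: 150, host: "connect.facebook.net", url: "https://connect.facebook.net/en_US/fbevents.js" },
  { ms: 200, host: "tracker.unknown-vendor.example", url: "https://tracker.unknown-vendor.example/p" },
  { ms: 3200, host: "js.hs-scripts.com", url: "https://js.hs-scripts.com/loader.js" },
];
```

Anything in `findings` is a tag whose GTM trigger is not gated, whatever the banner says; an `unclassified` entry in the inventory is a vendor nobody has accounted for yet, which is the gap the privacy policy's subprocessor list will also be missing.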

Step 3 — Rewrite the privacy policy against the seven-point checklist

Against the seven-point list above, write a privacy policy that answers each one in plain language. Name the person in charge. List the subprocessors by jurisdiction. Declare the retention schedule. This is not a template exercise — it's a documentation exercise, and the document should reflect what your stack actually does. If your policy says you don't transfer data outside Quebec but your CRM is Salesforce, you have a problem.

Step 4 — Stand up the data subject request workflow

Create a shared inbox. Write a one-page runbook describing what happens when a request arrives: who acknowledges it, who verifies identity, which tools are queried, who approves deletion, who documents the response. Run a drill — send yourself a fake request and clock how long the full workflow takes. Most first drills come in at six to eight hours of manual work per request. That is fine, as long as the workflow exists and runs inside 30 days.

Step 5 — Document the privacy impact assessment for your marketing stack

One document, four to six pages. For each category of personal information you collect, where does it go, what safeguards are in place (SCCs, GDPR adequacy, SOC 2 reports), and why is the transfer proportionate to the purpose? File it. Review it when you add a new tool to the stack. This is the document that, if the CAI ever knocks, proves you took the obligation seriously.

A compliance posture is not a binary. It is a set of documents, processes, and technical gates that, taken together, demonstrate that you took the law seriously. — How the CAI actually evaluates enforcement targets

Where the enforcement risk actually lives

The CAI has been explicit about its early enforcement priorities. They are not going after every small business with a stale cookie banner. The patterns that invite inspection are specific:

  • Breaches that get reported. Mandatory breach notification went live in 2022. If you suffer a breach and either report it or get reported for failing to report it, the CAI will audit your entire privacy posture — not just the breach vector.
  • Complaints. A single data subject complaint is a cheap trigger. If a user submits an access request and you can't produce their data in thirty days, they can complain to the CAI, and the CAI will look at everything.
  • Public-sector attention. Sectors handling sensitive information — healthcare, financial services, legal, education, real estate holding personal financial data — are at higher baseline risk.
  • Cross-border transfers without documentation. If a regulator starts looking and finds US transfers with no PIA on file, that's the document they'll cite.

What to do this quarter

If you've read this far and you're not sure where your business stands, here is the minimum work to do inside a single quarter:

  1. Run a tag audit of your primary domain. Document what fires and classify each by purpose.
  2. Appoint and publish your person in charge of the protection of personal information. This is a Law 25 requirement; it should be on your website's privacy policy and its contact page.
  3. Install or upgrade your CMP so that non-essential tags actually wait for consent. Test it.
  4. Rewrite your privacy policy against the seven-point checklist. Date-stamp it.
  5. Write a one-page runbook for data subject requests. Test it once.
  6. Draft a privacy impact assessment for your marketing stack. Store it where your person in charge can produce it.

None of that is exciting. All of it is tractable work inside an operations team, assuming someone owns it. The organizations that are going to get caught flat-footed by Law 25 are not the ones who read the law and chose not to comply — they are the ones who assumed somebody else was handling it and, six months from now, will discover that nobody was.

If you want a second read on where your business actually stands, that's the kind of work we do. The call is free; the punch list is usually short.