Quebec Business · 12 min read · July 3, 2026

Law 25 Compliance for Quebec Websites: A Plain-Language Checklist

Sophie Beauchamp, Digital Marketing Strategist @ MTL Digital Lab

Quebec's Law 25 — officially An Act to modernize legislative provisions as regards the protection of personal information — is Quebec's answer to GDPR. It came into force in phases between 2022 and 2024 and applies to virtually every Quebec business that collects personal information through a website. If your site has a contact form, uses Google Analytics, or has a checkout flow, Law 25 applies to you.

This guide explains what the law requires in plain language, what you need to add to your website, and what to prioritize if you have not started yet.

What Is Law 25 and Who Does It Apply To?

Law 25 amends Quebec's Act respecting the protection of personal information in the private sector (which dates to 1994) and brings it in line with modern privacy standards. It applies to any organization — company, non-profit, or individual — that collects, uses, communicates, or retains personal information about natural persons in the course of carrying on an enterprise.

In practical terms: if your website has a contact form, newsletter signup, client login, booking system, e-commerce checkout, or even just analytics cookies that identify visitor behaviour, Law 25 applies to your organization.

The law applies to Quebec businesses regardless of where your data is stored or processed. It also applies to non-Quebec businesses that collect information from Quebec residents.

Key Phases and What Is Now in Effect

Law 25 was implemented in three phases:

**September 22, 2022 (Phase 1):** Organizations must designate a person in charge of the protection of personal information (by default the person with the highest authority, so for a small business usually the owner) and publish that person's title and contact details. They must also assess every confidentiality incident, report incidents that present a risk of serious injury to the Commission d'accès à l'information (CAI) and to the affected individuals, and keep a register of all incidents.

**September 22, 2023 (Phase 2):** The bulk of the obligations. Governance policies and practices must be adopted and a plain-language privacy policy published. Individuals have the right to access their personal data, request corrections, and request deletion. Information collected for one purpose cannot be reused for an unrelated purpose without consent. Consent must be clear, free, informed, requested separately for each purpose, and explicit for sensitive information. Decisions based exclusively on automated processing must be disclosed. Any technology that identifies, locates or profiles a visitor (cookies and tracking pixels included) must be disclosed along with the means to activate it, and such functions must be off by default and turned on only by the visitor (Privacy by Default). Transfers of personal information outside Quebec require a privacy impact assessment.

**September 22, 2024 (Phase 3):** The right to data portability. On request, you must hand over the computerized personal information you collected from a person in a structured, commonly used technological format.

All three phases are now in effect as of 2026.

The Plain-Language Website Checklist

1. Publish a Privacy Policy (Required)

Every Quebec website that collects personal information must have a publicly accessible privacy policy. It must include:

  • What personal information you collect (name, email, phone, payment information, IP address, etc.)
  • Why you collect it (to respond to inquiries, to process orders, to send newsletters, etc.)
  • How long you retain it
  • Who you share it with (third-party services like Google Analytics, Mailchimp, payment processors)
  • How individuals can request access to or deletion of their information
  • Contact information for your privacy officer
  • The date the policy was last updated

A generic terms-and-conditions page does not satisfy this requirement. The privacy policy must be specific to your actual data practices.

2. Cookie Consent Banner (Required)

Non-essential cookies and tracking technologies require explicit opt-in consent before they are activated. This means:

  • A cookie consent banner or popup must appear before any non-essential cookies are set
  • The banner must offer a clear choice to accept or decline
  • Pre-ticked consent boxes are not permitted — consent must be affirmative
  • Users must be able to withdraw consent as easily as they gave it
  • Cookie categories must be explained (functional, analytics, advertising)

Google Analytics, Meta Pixel, Google Ads conversion tracking, HotJar and similar tools all set non-essential cookies or identifiers and require explicit opt-in. Simply adding a "we use cookies" notice without offering a genuine choice is not compliant.

**Practical implementation:** Use a Consent Management Platform (CMP) such as Cookiebot, CookieYes, or Complianz. These plugins integrate with WordPress and hold back non-essential scripts until the visitor consents. Many are free for small sites. Installing one is not the end of the job: most CMPs only block scripts that have been tagged or registered with them, so open a fresh private browsing window, watch the Network tab in your browser's developer tools, and confirm that no requests to analytics or advertising domains fire before you click accept.
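To make the "block until consent" mechanism concrete, here is an added example of the gating logic a consent banner needs. It is not code from the article and not any CMP vendor's code; the category names, the `data-consent` attribute and the stored-record shape are assumptions of this example. Non-essential tags are written into the page as inert `type="text/plain"` scripts, nothing runs until the visitor makes an affirmative choice per category, withdrawal is a single call, and a stored consent record that is malformed or has been edited collapses to "no consent" rather than to "everything allowed".

```javascript
// Added example, not from the article and not any vendor's CMP code. It shows
// the gating a consent manager needs for Law 25's opt-in rule: non-essential
// tags are authored inert and run only after an affirmative per-category
// choice, withdrawal is one call, and stored state fails closed. Category
// names and the data-consent attribute are assumptions of this example.

const CATEGORIES = ["functional", "analytics", "advertising"];

// Fresh state: no choice made, nothing granted. Strictly necessary cookies
// (login session, cart) are never gated, so they do not appear here.
function defaultConsent() {
  const granted = {};
  for (const c of CATEGORIES) granted[c] = false;
  return { decided: false, granted, decidedAt: null };
}

// Record an explicit click. `accepted` lists the boxes the visitor ticked;
// everything else is refused ("Decline all" is recordChoice([])). An unknown
// category is an authoring bug and is rejected, never silently granted.
function recordChoice(accepted, now = Date.now()) {
  const record = defaultConsent();
  for (const c of accepted) {
    if (!CATEGORIES.includes(c)) throw new Error(`unknown consent category: ${c}`);
    record.granted[c] = true;
  }
  record.decided = true;
  record.decidedAt = now;
  return record;
}

// Withdrawal as easy as consent: every category back to refused, while
// decided stays true so the banner is not shown again.
function withdrawAll(now = Date.now()) {
  return recordChoice([], now);
}

// Fail closed: allowed only if the visitor explicitly chose the category.
function isAllowed(record, category) {
  return record.decided === true && record.granted[category] === true;
}

// Re-read state from localStorage or a first-party cookie. Malformed, edited
// or old-schema values collapse to "no consent" (granted.analytics = "yes"
// is not a grant), so a stale value can never widen consent.
function parseStoredConsent(raw) {
  try {
    const obj = JSON.parse(raw);
    if (!obj || typeof obj !== "object" || !obj.granted || typeof obj.granted !== "object") return defaultConsent();
    const record = defaultConsent();
    record.decided = obj.decided === true;
    record.decidedAt = Number.isFinite(obj.decidedAt) ? obj.decidedAt : null;
    for (const c of CATEGORIES) record.granted[c] = obj.granted[c] === true;
    return record;
  } catch (_) {
    return defaultConsent();
  }
}

// Pure selection step (testable without a DOM): which gated tags may run.
function selectActivatable(tags, record) {
  return tags.filter((t) => isAllowed(record, t.category));
}

// Constructed sample of a site's gated tags, used by demo() below.
const SAMPLE_TAGS = [
  { category: "analytics", src: "/js/analytics.js" },
  { category: "advertising", src: "/js/pixel.js" },
  { category: "functional", src: "/js/chat-widget.js" },
];

// One visit: nothing runs before a click; ticking only "analytics" runs one
// tag; after withdrawal nothing runs again.
function demo() {
  const srcs = (record) => selectActivatable(SAMPLE_TAGS, record).map((t) => t.src);
  return {
    before: srcs(defaultConsent()),
    after: srcs(recordChoice(["analytics"], 1000)),
    withdrawn: srcs(withdrawAll(2000)),
  };
}

// Browser-only adapter. Gated tags are authored as
//   <script type="text/plain" data-consent="analytics" src="/js/analytics.js"></script>
// so the browser never executes them by itself. Each permitted tag is swapped
// for a live <script>, which executes on insertion. Returns how many ran.
function activateGatedScripts(record) {
  if (typeof document === "undefined") return 0; // no DOM (e.g. Node tests)
  let count = 0;
  for (const inert of document.querySelectorAll('script[type="text/plain"][data-consent]')) {
    if (!isAllowed(record, inert.dataset.consent)) continue;
    const live = document.createElement("script");
    const src = inert.getAttribute("src");
    if (src) live.src = src; else live.textContent = inert.textContent;
    inert.replaceWith(live);
    count++;
  }
  return count;
}
```

In a real banner the category checkboxes default to unchecked, so `accepted` only ever contains what the visitor ticked, and both "accept" and "decline" are single clicks that call `recordChoice`. Call `activateGatedScripts` once on page load with the record returned by `parseStoredConsent` and again right after a click; a visitor who never interacts gets `defaultConsent()`, under which nothing fires.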

3. Contact Forms and Lead Capture Forms

Every form that collects personal information must:

  • State what the information will be used for at the point of collection (not just in the privacy policy)
  • Not collect more information than necessary for the stated purpose
  • Obtain consent for any secondary uses (such as adding the person to a marketing list)
  • Include a link to your privacy policy

A contact form that says "Subscribe me to your newsletter" as a pre-ticked checkbox is non-compliant. Newsletter subscription must be a separate, optional, unticked consent.

4. Appoint a Privacy Officer

Even if you are a sole proprietor, Law 25 requires that someone be responsible for personal information governance. For most small businesses, this means:

  • Designating yourself or a specific employee as the privacy officer
  • Publishing their title and contact information on your website (a role-based mailbox dedicated to privacy requests is fine; it does not have to be a personal email)
  • Being prepared to respond to data access and deletion requests within 30 days

5. Data Breach Protocol

If your website is breached and personal information is accessed without authorization, you must:

  • Assess the seriousness of the breach
  • Report breaches that present a risk of serious injury to the CAI promptly (the Act requires diligence rather than setting a fixed 72-hour deadline like GDPR, but waiting weeks is not defensible)
  • Notify affected individuals if the breach presents a risk of serious injury
  • Keep a register of all privacy incidents (even those not reported)

WordPress security plugins such as Wordfence and Sucuri alert you to malware signatures, modified core files and suspicious logins, which catches many site compromises but not every incident (an exported customer list emailed to the wrong person, or a form plugin leaking submissions, never trips a malware scanner). Treat the plugin as one input to your protocol: keep server and plugin logs you can actually review, decide in advance who assesses an incident and who contacts the CAI, and have a maintenance plan that monitors for unauthorized access.

6. Third-Party Service Disclosures

If you use any third-party service that processes personal data — Google Analytics, Mailchimp, Stripe, HubSpot, Facebook Pixel — you must disclose this in your privacy policy and have a data processing agreement in place. Do not assume the standard terms of service cover it: many providers publish a separate DPA that you accept in the account settings, so check. Also confirm where each provider stores the data, since sending personal information outside Quebec requires you to assess the protection it will receive there before the transfer.

What to Fix First: Priority Order

If you are not yet compliant, here is where to focus in order of urgency and impact:

1. **Cookie consent banner** — This is the most visible and most complained-about non-compliance. Install a CMP plugin this week.
2. **Privacy policy** — Write or update your policy to reflect actual data practices. Date it.
3. **Form notices** — Add brief purpose statements to your contact and lead capture forms.
4. **Privacy officer designation** — Decide who handles requests and publish their contact.
5. **Third-party disclosures** — List every external service that receives visitor data in your privacy policy.

Penalties for Non-Compliance

The Commission d'accès à l'information (CAI) oversees enforcement. Penalties under Law 25 include:

  • Administrative monetary penalties of up to 10 million dollars CAD or 2% of worldwide revenue (whichever is higher) for organizations
  • Penal fines of up to 25 million dollars or 4% of worldwide revenue for the most serious violations

For small businesses, the realistic risk is a formal compliance order and the reputational damage of a public finding. The CAI has stated its enforcement priority is educating businesses and obtaining compliance rather than immediately imposing maximum penalties on small businesses acting in good faith. However, ignoring formal compliance orders does result in escalating penalties.

Frequently Asked Questions

Does Law 25 apply if my website is hosted outside Quebec?

Yes. If you collect personal information from Quebec residents, Law 25 applies regardless of where your website is hosted or where your company is incorporated.

What counts as personal information under Law 25?

Any information that can identify or is used to identify a natural person: name, email address, phone number, postal address, IP address, cookie identifiers, location data, purchase history, and any combination of data points that together identify someone.

Do I need a cookie banner if I only use essential cookies?

No. Cookies that are strictly necessary for the website to function (session cookies that keep users logged in, shopping cart cookies) do not require consent. Only non-essential cookies — analytics, advertising, performance tracking — require explicit opt-in.

How do I respond to a data deletion request?

Within 30 days of receiving a written request, you must delete or anonymize the personal information of the requesting individual, confirm the deletion in writing, and keep a record of the request and your response. If you cannot delete the information for legal or contractual reasons, you must explain why in writing. Remember that the data also lives in your third-party tools (newsletter platform, CRM, analytics), so the deletion has to reach those systems too.
