Quebec Law 25: what your website absolutely needs
Law 25 applies to any Quebec business that collects personal information — including via a website. Here's what's mandatory and what isn't.
Law 25 (officially the Act to modernize legislative provisions as regards the protection of personal information) came fully into force in September 2024. It applies to any private business in Quebec that collects, uses or communicates personal information. If your site has a contact form, a quote tool, or Google Analytics, you're covered.
This guide covers website-specific obligations — not your business's overall compliance.
Disclaimer
This article is a practical guide based on our experience building compliant sites for Quebec SMBs. For complex cases (e-commerce with profiling, sensitive data, transfers outside Quebec), consult a lawyer specialized in digital law.
The fines are real
The Commission d'accès à l'information (CAI) can impose administrative fines up to $10 million or 2% of worldwide revenue. For criminal penalties: up to $25 million or 4% of revenue. In practice for SMBs, fines observed since 2024 range from $5,000 to $50,000 depending on severity — still more than enough to hurt.
The mandatory website checklist
1. Accessible and clear privacy policy
Must be:
- Accessible from every page (footer link)
- Written in plain terms (not opaque legal jargon)
- Available in French (and other languages if you operate multilingually)
- Up-to-date with visible last-modified date
It must identify who is responsible, what information is collected, why, how long it's retained, and to whom it may be disclosed.
2. Identification of the privacy officer
You must appoint a person in charge of protection of personal information and publish their name and contact info (typically: name, email, phone) on the site. By default, it's the person with the highest authority in the company — often the owner for an SMB.
3. Explicit consent for non-essential collection
Critical distinction: collection necessary for the service (e.g., name and email in a contact form so you can reply) doesn't require separate explicit consent — the user consents by submitting. But non-essential collection (analytics, ad pixels, remarketing) requires explicit, prior, free and informed consent.
In practice this means: cookie consent banner before loading Google Analytics, Facebook Pixel, or any tracking tool.
4. Mechanism to exercise rights
Users have the right to:
- Access their information
- Have inaccurate information corrected
- Withdraw consent
- Request deletion
- Request portability (since September 2024)
Your site must offer a simple way to exercise these rights — typically a form or dedicated email. You have 30 days to respond.
5. Privacy Impact Assessment (PIA)
Mandatory for any new project involving personal information — including a website redesign that adds collection. It's an internal document, not displayed on the site, but you must be able to produce it if the CAI requests it.
6. Breach notification
If an incident exposes personal information (hack, leak, email sent to wrong recipient with sensitive data), you must notify the CAI and the affected persons without delay if the risk of harm is serious. Prepare a process in advance — not the moment to improvise.
Most common pitfalls we see with SMBs
- Google Analytics loaded before consent. 80% of Quebec SMB sites we audit have this issue.
- Privacy policy copied from a US template. Often in English only, with references to US laws that don't apply here.
- Contact form requesting unnecessary information (date of birth, full address) to answer a simple question.
- Hosting in the United States with no disclosure. Not illegal, but Law 25 requires you to inform users when information is transferred outside Quebec.
- No consent withdrawal mechanism. Having an opt-in without an equivalent opt-out is non-compliance.
How much does compliance cost?
For a typical SMB brochure site:
- Custom privacy policy drafting: $200 – $800
- Compliant cookie consent banner: $0 – $400 (depending on tool)
- "Your rights" page with request form: $150 – $400
- Compliance audit by a lawyer: $800 – $3,000 (recommended if you handle sensitive data)
At ClairWeb, we include base compliance in all our packages — custom privacy policy, cookie banner, rights mechanism, Canadian hosting. It's non-negotiable for a site launched in Quebec in 2026.
Going further
The official CAI website publishes up-to-date guides, including a Companion Guide for Businesses detailing obligations by organization size.
Ready to take action?
Get a quote for a clear, effective site shipped in 3 weeks.