N° 09 Marketing File 09.067

Quebec Law 25 Website Compliance: The 2026 Guide for Canadian Businesses (Penalties Are Now Active)

Quebec Law 25 is now fully enforced. Penalties reach $25M or 4% of global turnover. Here is what your website must do to stay compliant in 2026, even outside Quebec.

Cody New TheBomb® Editorial — Vernon, BC
[Fig. 01, Issue 067: cover image of a compliance shield engraved with a fleur-de-lis on a black marble desk, surrounded by padlock icons]

In March 2026, the Commission d’accès à l’information du Québec - the CAI - issued a $1.2M administrative penalty against a Canadian retailer for non-consensual cookie tracking on their public website. The retailer is not based in Quebec. They have one warehouse outside Montreal. Twelve percent of their customers are Quebec residents. That was enough.

This is the new normal. Quebec Law 25 - the popular name for the Act respecting the protection of personal information in the private sector, as amended by Bill 64 - is no longer the polite future-looking regulation it was in 2022 and 2023. The enforcement teeth came in fully in late 2024, the CAI’s monitoring infrastructure matured throughout 2025, and 2026 is the year the fines started landing on businesses that thought “we don’t really do business in Quebec” was a defence.

If you operate any kind of public website in Canada and you have any Quebec residents in your customer base, you are in scope. This guide explains exactly what Law 25 requires of your website in 2026, where the penalty risk actually is, and the concrete steps to get compliant before the CAI decides to look at you.

We are not lawyers. None of this is legal advice. This is the practical web operator’s view from twelve years of building Canadian small business sites at TheBomb®.


What Is Quebec Law 25, Quickly

Quebec Law 25 is the rewrite of Quebec’s private sector privacy law that started rolling out in three phases between September 2022 and September 2024. As of 2026, all phases are in force. The law was originally tabled as Bill 64 before becoming the Act respecting the protection of personal information in the private sector, but “Law 25” is the name everyone uses.

It is structurally similar to the EU’s GDPR but with some Quebec-specific twists:

  • It applies to any organisation carrying on an enterprise in Quebec - regardless of where the organisation is headquartered.
  • The threshold for “carrying on an enterprise in Quebec” is low - selling to Quebec residents, employing Quebec residents, or hosting personal information about Quebec residents can all qualify.
  • It requires a designated Privacy Officer whose contact information must be public.
  • It mandates explicit, informed consent for collection, use, and disclosure of personal information - including cookies and tracking pixels.
  • It includes a right of data portability and a right to be forgotten.
  • It requires Privacy Impact Assessments before any new personal-information-handling project.

The penalties, per the BLG 2026 compliance guide:

  • Administrative monetary penalties: up to CAD $10 million or 2% of global turnover, whichever is higher.
  • Penal fines for severe violations: up to CAD $25 million or 4% of global turnover, whichever is higher.
  • Private right of action - individuals can sue for damages.

For a small Canadian business, even a 0.1% of global turnover penalty on a $5M revenue company is $5,000 plus legal fees plus reputational damage. The risk is real and asymmetric - the upside of compliance is much larger than its cost.


Who Is Actually In Scope (And Why Most Canadian Businesses Are)

This is the question that costs Canadian businesses the most. The CAI’s interpretation of “carrying on an enterprise in Quebec” is broad. You are likely in scope if any of the following apply:

  • You have customers in Quebec and your website accepts orders or signups from Quebec addresses.
  • You have employees, contractors, or partners residing in Quebec.
  • You host or process personal information about Quebec residents, even if collected elsewhere.
  • You market to Quebec residents - including running French-language ads or maintaining a /fr/ section of your site.
  • You allow Quebec residents to fill in any form that collects personal information.

The myth that Law 25 only applies to Quebec-headquartered businesses is the most expensive misunderstanding we encounter at TheBomb®. A Vancouver SaaS company that has 30 Quebec customers is in scope. A Calgary law firm that takes on a single Quebec client is in scope. A Toronto e-commerce store that ships to Trois-Rivières is in scope.

If you genuinely have zero Quebec touchpoints - no customers, no employees, no marketing - you may be out of scope for now. But the trend across all Canadian provinces is converging toward Law 25’s standards. Compliance is also future-proofing for Bill C-27 federally and equivalent provincial bills in BC, Ontario, and Alberta.


The Eight Website Requirements That Trigger Law 25 Compliance

Here is what your website must actually do. We have ordered these by how often we see Canadian small businesses get them wrong.

1. Cookie Consent Before Any Non-Essential Script Fires

This is the #1 violation. Law 25 requires that non-essential cookies be blocked from firing until the user gives explicit, informed consent. “By using this site you consent to cookies” banners are not compliant. Auto-loading Google Analytics, Facebook Pixel, or any other tracking tool before consent is recorded is not compliant.

[Image: a violet cookie consent banner with a fleur-de-lis seal, representing a Law 25 compliant consent UI]

Practically, your website needs:

  • A consent management platform (CMP) that controls which scripts can fire.
  • All non-essential scripts gated behind the consent state.
  • Granular consent categories: strictly necessary, functional, analytics, advertising.
  • The ability for users to refuse all non-essential cookies as easily as accepting all.
  • A way to withdraw or change consent at any time, accessible from every page.

Common compliant CMPs we have implemented for Canadian clients:

  • CookieYes - reasonable pricing, decent French localisation.
  • Iubenda - solid for multi-jurisdiction (Law 25 + GDPR + PIPEDA in one config).
  • Osano - heavier enterprise option but excellent at Quebec-specific edge cases.
  • A custom CMP built into your site’s frontend - we use this for clients on Astro and Next.js where third-party CMPs slow Core Web Vitals.

Critical detail: The “Reject All” button must be visually as prominent as “Accept All.” The CAI has been explicit about this. Burying “Reject” behind a “Customize” menu or making it smaller, less colourful, or visually de-emphasised is a violation.
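The gating logic above, written out as an added example (this is not TheBomb®'s custom CMP, nor code from CookieYes, Iubenda or Osano): a first-party consent cookie with the four categories from the list, an undecided default under which only strictly necessary scripts run, “Accept All” and “Reject All” as two ends of the same one-step update, and a script gate that only activates tags whose category was granted. The cookie name law25_consent, the data-consent and data-src attributes, the version constant and the sample script inventory are all assumptions made for this example.

```javascript
// Added example (not TheBomb® code): a minimal first-party consent store plus a
// script gate, the core of what a custom CMP needs so that no non-essential
// script runs before an explicit choice is recorded. Cookie name, attribute
// names and CATEGORIES are assumptions chosen for this example.

const CATEGORIES = ["necessary", "functional", "analytics", "advertising"];
const CONSENT_COOKIE = "law25_consent";
const CONSENT_VERSION = 1; // bump when categories or the policy change, forcing a fresh choice

// Undecided state: nothing but strictly necessary may run.
function undecidedConsent() {
  return { version: CONSENT_VERSION, decided: false, necessary: true,
           functional: false, analytics: false, advertising: false, updatedAt: null };
}

// Granular update. "necessary" cannot be switched off; every other category
// defaults to refused unless it was explicitly set to true.
function updateConsent(choices, now = new Date().toISOString()) {
  const consent = undecidedConsent();
  for (const cat of CATEGORIES) {
    if (cat !== "necessary") consent[cat] = choices[cat] === true;
  }
  consent.decided = true;
  consent.updatedAt = now;
  return consent;
}

// "Accept All" and "Reject All" are the same single-step update, so refusing
// is exactly as cheap for the user as accepting.
function acceptAll(now) {
  return updateConsent({ functional: true, analytics: true, advertising: true }, now);
}
function rejectAll(now) {
  return updateConsent({}, now);
}

// Read the consent cookie from a Cookie header or document.cookie string.
// Missing, malformed or stale-version cookies all fall back to undecided (fail closed).
function parseConsentCookie(cookieString) {
  const pair = (cookieString || "").split(";").map(s => s.trim())
    .find(s => s.startsWith(CONSENT_COOKIE + "="));
  if (!pair) return undecidedConsent();
  try {
    const stored = JSON.parse(decodeURIComponent(pair.slice(CONSENT_COOKIE.length + 1)));
    if (stored.version !== CONSENT_VERSION || stored.decided !== true) return undecidedConsent();
    return updateConsent(stored, stored.updatedAt);
  } catch (_) {
    return undecidedConsent();
  }
}

// Serialise for Set-Cookie / document.cookie: first party, six months, not sent cross-site.
function serializeConsentCookie(consent) {
  const value = encodeURIComponent(JSON.stringify(consent));
  return `${CONSENT_COOKIE}=${value}; Path=/; Max-Age=${60 * 60 * 24 * 180}; SameSite=Lax; Secure`;
}

// Decide which gated scripts may run. An unknown category is blocked, not allowed.
function scriptsToActivate(scripts, consent) {
  return scripts.filter(s => CATEGORIES.includes(s.category) && consent[s.category] === true);
}

// Browser side. Gated tags are authored as
//   <script type="text/plain" data-consent="analytics" data-src="/vendor/analytics.js"></script>
// so the browser never fetches or executes them on its own. After a decision,
// permitted ones are swapped for real script tags. Returns how many were activated.
function activateGatedScripts(doc, consent) {
  const gated = Array.from(doc.querySelectorAll('script[type="text/plain"][data-consent]'));
  const permitted = scriptsToActivate(gated.map(el => ({ category: el.dataset.consent, el })), consent);
  for (const { el } of permitted) {
    const live = doc.createElement("script");
    if (el.dataset.src) live.src = el.dataset.src; else live.textContent = el.textContent;
    el.replaceWith(live);
  }
  return permitted.length;
}
```

Two design points worth keeping when adapting this: the server can read the same cookie and simply not emit advertising or analytics tags at all for undecided or refused visitors, which is the most reliable block; and a withdrawal made after the page has loaded should trigger a reload, because a script that has already executed cannot be un-run by flipping the consent state.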

2. Privacy Officer Information Published on the Website

Law 25 mandates that every organisation appoint a Privacy Officer (Responsable de la protection des renseignements personnels). If the CEO is the default Privacy Officer, you do not need to publish that - it is implied. But if someone else is named, their name, title, and contact information must be published on your website.

The minimum acceptable disclosure:

    Pursuant to the Act respecting the protection of personal information in the private sector, the person responsible for the protection of personal information at [Company Name] is:

    [Name]
    [Title]
    [Email]
    [Phone]

This typically lives on the privacy policy page and in the footer of every page. Some businesses also put it on a dedicated /privacy-officer route.

3. A Real Privacy Policy That Actually Reflects What You Do

Your privacy policy must explain, in plain language:

  • What personal information you collect.
  • How you collect it (forms, cookies, third-party integrations).
  • Why you collect it - the legal basis and the business purpose.
  • Where you store it - including cross-border transfers (a big deal under Law 25).
  • How long you keep it - and your retention/deletion policy.
  • Who you share it with - including subprocessors, advertisers, and analytics providers.
  • The user’s rights - access, correction, deletion, portability, withdrawal of consent.
  • How to contact the Privacy Officer and file a complaint with the CAI.

Copy-pasted GDPR-style templates that don’t actually match your business practices are worse than nothing. The CAI explicitly looks for misalignment between stated practices and observed behaviour. If your privacy policy says you don’t use third-party advertising cookies and your site loads Google Ads scripts, you have a much bigger problem than just non-compliance.

4. Cross-Border Data Transfer Disclosure

If any personal information of Quebec residents is stored or processed outside Quebec - including in the rest of Canada or the United States - you must:

  • Disclose this in your privacy policy.
  • Identify the country or province of storage/processing.
  • Conduct a Privacy Impact Assessment (PIA) before transferring.
  • Ensure the destination jurisdiction provides “equivalent” privacy protection (or implement contractual safeguards).

The US is a major issue here. Quebec does not consider the US to provide equivalent protection. If your CRM is on US-hosted Salesforce, your email is on US-hosted Mailchimp, your analytics is on US-hosted GA4 - all of these are cross-border transfers requiring PIAs and contractual protections.

This is where the Canadian-hosted angle gets interesting. We have been quietly shifting clients toward Canadian-resident services where the offering is comparable: Cloudflare’s Canadian PoPs for hosting, Hostpapa or Webnames for non-cloud workloads, and Constant Contact’s Canadian instance for email. The compliance burden is lower and the marketing story to Canadian customers is better.

5. Withdrawal of Consent as Easy as Giving It

Users must be able to withdraw consent for any non-essential processing as easily as they gave it. Practically:

  • A visible “Manage Cookie Preferences” link in your footer.
  • A working “Unsubscribe” link in every marketing email.
  • A working data deletion request form on your privacy page.
  • A response to deletion requests within 30 days (this is the maximum legal response window).

We have audited Canadian sites where the “Unsubscribe” link 404’d. That is a slam-dunk Law 25 violation. Test your unsubscribe flow monthly.

6. Right of Access and Correction

Users have the right to ask what personal information you hold about them, and to ask you to correct it if it is inaccurate. Your website needs a clear, working path for these requests - ideally a form, not just an email address.

Response timeline: 30 days from request. Free of charge for the first request per year.

7. Right to Data Portability

Users can ask you to provide their personal information in a “structured, commonly used and technological format.” Practically that means a JSON or CSV export of what you have on them. If your tools cannot do this, you need to build the capability.

This is more relevant for SaaS and platform businesses than for traditional small businesses, but if you store any meaningful customer data in a CRM or database, you need an export workflow.
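What an export workflow for requirement 7 looks like in code, added here as an example and not code from TheBomb® or from any CRM or email vendor named in this guide: gather every record held about one person from several internal systems, filtered by that person's own identifier so nobody else's data leaks into the file, and emit it as JSON and as a CSV whose values are escaped so that commas, quotes, newlines and spreadsheet formulas inside a field cannot corrupt the file. The three datasets and all field names are constructed sample data and assumptions for this example.

```javascript
// Added example (not TheBomb® or vendor code): build a data-portability export
// for one customer from a CRM table, an order table and a newsletter list,
// as JSON plus a flat CSV. All sample data and field names are constructed.

const SAMPLE_SOURCES = {
  crm: [
    { customerId: "c-1001", name: "Marie Tremblay", email: "marie@example.com", province: "QC", createdAt: "2024-03-02" },
    { customerId: "c-1002", name: "Dev Patel", email: "dev@example.com", province: "BC", createdAt: "2024-05-11" },
  ],
  orders: [
    { orderId: "o-1", customerId: "c-1001", total: 129.5, note: 'Gift, "please wrap"' },
    { orderId: "o-2", customerId: "c-1002", total: 40, note: "" },
    { orderId: "o-3", customerId: "c-1001", total: 12, note: "Ship to\nside door" },
  ],
  newsletter: [
    { email: "marie@example.com", subscribed: true, consentAt: "2024-03-02T14:05:00Z" },
  ],
};

// Collect everything held about one customerId. Every source is filtered by the
// subject's own identifier before anything is copied, so other people's records
// never enter the export. Returns null when the person is unknown.
function buildPortabilityExport(customerId, sources = SAMPLE_SOURCES, exportedAt = new Date().toISOString()) {
  const profile = sources.crm.find(r => r.customerId === customerId);
  if (!profile) return null;
  return {
    exportedAt,
    subject: profile,
    orders: sources.orders.filter(o => o.customerId === customerId),
    marketing: sources.newsletter.filter(n => n.email === profile.email),
  };
}

// Quote every CSV field and double embedded quotes (RFC 4180 style), so commas,
// quotes and newlines inside a value stay inside it. Text that a spreadsheet
// would evaluate as a formula (leading =, +, -, @) gets a leading apostrophe;
// genuine numbers such as -5 are left alone.
function csvEscape(value) {
  let s = value === null || value === undefined ? "" : String(value);
  if (/^[=+\-@]/.test(s) && Number.isNaN(Number(s))) s = "'" + s;
  return `"${s.replace(/"/g, '""')}"`;
}

// Rows may have different keys; the header is the union of all of them.
function toCsv(rows) {
  if (rows.length === 0) return "";
  const columns = Array.from(rows.reduce((set, r) => { Object.keys(r).forEach(k => set.add(k)); return set; }, new Set()));
  const lines = [columns.map(csvEscape).join(",")];
  for (const row of rows) lines.push(columns.map(c => csvEscape(row[c])).join(","));
  return lines.join("\r\n");
}

// Flatten the JSON export into one row per record, tagged with its source, so a
// single CSV carries the whole answer.
function exportToCsv(exp) {
  const rows = [
    { source: "profile", ...exp.subject },
    ...exp.orders.map(o => ({ source: "order", ...o })),
    ...exp.marketing.map(m => ({ source: "marketing", ...m })),
  ];
  return toCsv(rows);
}
```

For a real deployment the sources would be the actual CRM, order and email APIs, and the export should be delivered over an authenticated channel to the verified requester, not attached to an email reply. Logging the request and delivery date also gives you the 30-day evidence the CAI may ask for.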

8. Breach Notification and Incident Log

If you suffer a privacy breach affecting Quebec residents, you must notify:

  • The CAI - if there is “serious risk of harm.”
  • Affected individuals - same threshold.
  • Other organisations whose personal information is involved.

You must also maintain an internal incident log of all confidentiality incidents, including the ones that did not rise to notification threshold. The CAI can ask to see this log during an investigation.

For most small businesses, this means having an incident response plan written down, even if it is two pages. The CAI is more lenient with organisations that show evidence of structured incident handling.


How Enforcement Actually Works in 2026

The CAI has three enforcement tools, in escalating order:

[Image: a balance scale weighing a stack of compliance documents against an envelope of penalty notices, representing CAI enforcement and Law 25 penalty exposure]

1. Compliance Reviews and Information Requests

The CAI can demand documentation - PIAs, privacy policies, consent records, breach logs. This is the most common starting point. They have 100+ ongoing reviews active at any time.

2. Administrative Monetary Penalties

These are CAI-issued fines, not court-imposed. The CAI’s enforcement decisions page publishes these. The fines we have seen in 2025-2026 cluster in the $25K-$500K range for small to mid-sized businesses, but the maximum is $10M or 2% of global turnover.

3. Penal Proceedings

For severe or repeated violations, the CAI can refer to the courts. Penal fines can reach $25M or 4% of global turnover. The first prosecution under the new penal provisions landed in late 2025; a handful more are in progress.

Who Gets Targeted

The CAI’s published enforcement priorities for 2025-2026 focus on:

  • Cookie consent violations on public websites.
  • Non-disclosed cross-border data transfers (especially to the US).
  • Marketing and advertising profiling without consent.
  • Breaches affecting more than 100 Quebec residents.
  • Repeat offenders who ignored earlier warnings.

If you are a small Canadian business, you are unlikely to be the CAI’s first call. But you are very likely to be the second or third call once one of your competitors or industry peers gets hit and the CAI starts working through the sector. Compliance now is dramatically cheaper than reactive compliance after a notice arrives.


The Law 25 + AI Wrinkle

In 2025, the CAI started issuing guidance on Law 25 as it applies to AI systems - particularly AI training data, AI-powered profiling, and generative AI features in customer-facing products. Per the Augure AI compliance guide, the key 2026 requirements are:

  • Disclose AI processing: if you use AI to make decisions about users (loan approvals, lead scoring, personalised offers), disclose it.
  • Right to human review: users can demand a human review of any automated decision affecting them.
  • AI training data consent: you cannot train AI models on personal information without consent.
  • AI vendor disclosure: if you use an AI vendor that processes Quebec resident data, that vendor’s location and safeguards must be disclosed.

For small businesses using ChatGPT for customer support drafts or AI personalisation in marketing emails, the practical implication: your privacy policy needs to acknowledge AI usage explicitly, and you need to ensure your AI vendors have signed appropriate data processing agreements.


What If You Are Not in Quebec? Should You Comply Anyway?

Short answer: yes, mostly.

Here is the strategic case for adopting Law 25-equivalent practices even if you currently have zero Quebec footprint:

  1. Federal Bill C-27 is converging toward Law 25 standards. The Consumer Privacy Protection Act (CPPA) that is making its way through Parliament adopts much of Law 25’s structure. Once enacted, your work is mostly done.
  2. Ontario, BC, and Alberta are following. Provincial privacy modernisations in 2025-2026 are clearly modelled on Law 25.
  3. The CASL + PIPEDA baseline is already lower than Law 25. If you are compliant with Law 25, you are over-compliant with current federal rules - which is exactly where you want to be heading into 2027.
  4. B2B sales increasingly expect privacy maturity. Large Canadian customers - banks, telcos, government - now ask in RFPs whether you are Law 25 compliant. “Not in scope” is a worse answer than “Yes.”
  5. The marketing story is real. Canadian consumers genuinely care about data residency and privacy. A clear, plain-English privacy story is a differentiator.

For the cost of a reasonable CMP, a refreshed privacy policy, and a half-day of consultant time, you get a multi-year head start on the regulatory direction the entire country is moving in.


TheBomb®’s Practical Compliance Sprint (Two Weeks)

If you are starting from a typical small Canadian business website with a generic privacy policy and no consent management, here is how we would sequence the work.

Week 1 - Audit and Baseline

Day 1-2: Inventory every script, cookie, tag, and tracking pixel on your site. Use a tool like Real Cookie Banner Scanner or Cookiepedia to scan automatically. Map each cookie to a category: necessary, functional, analytics, advertising.

Day 3: Map your data flows. Where does personal information come in (forms, signups, comments)? Where does it go (CRM, email, analytics, advertising)? Which vendors are outside Canada?

Day 4-5: Designate or update your Privacy Officer. If not the CEO, draft the disclosure block. Update your privacy policy draft with actual data flows, retention periods, and vendor lists.

Week 2 - Implement

Day 6-7: Install and configure a Consent Management Platform. Set all non-essential scripts to fire only after consent. Test that “Reject All” actually rejects everything except strictly necessary cookies.

Day 8: Publish the updated privacy policy. Add the Privacy Officer disclosure to the footer and privacy page.

Day 9: Build or link a working “Manage Cookie Preferences” mechanism, accessible from every page footer. Verify it actually changes the consent state and re-fires or blocks scripts accordingly.

Day 10: Build or link a working data access / deletion / portability request flow. Even a simple form that triggers a manual back-office process is fine - the workflow matters more than the automation.

Day 11: Write a one-page incident response plan and an internal breach log template.

Day 12-14: Test, test, test. Run the consent flow on iPhone Safari, Android Chrome, and desktop. Make sure the “Reject All” path produces zero non-essential cookies. Verify the privacy policy matches actual practice. Run a mock data deletion request and confirm you can fulfil it within 30 days.
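The Day 12-14 “Reject All” check, as an added example rather than code from the post or from the scanner tools named on Day 1-2: take the cookie inventory produced in Week 1 (name to category), the consent state after the user refused, and the cookies actually observed (document.cookie in the browser, or Set-Cookie headers captured by a headless browser), and list every cookie that should not be there. Cookies missing from the inventory are reported too, because a cookie nobody inventoried cannot have been covered by the consent banner. The inventory, cookie names and observed cookie strings are constructed sample data and assumptions for this example.

```javascript
// Added example (not code from the post or its named tools): audit observed
// cookies against the Week 1 inventory and the recorded consent state.
// The inventory and the cookie strings used to exercise it are constructed.

// Day 1-2 output: every known cookie mapped to one of the four categories.
const COOKIE_INVENTORY = {
  session_id: "necessary",
  law25_consent: "necessary",
  lang: "functional",
  _ga: "analytics",
  _fbp: "advertising",
};

// Analytics vendors often suffix a property id onto a base name (e.g. _ga_<id>);
// fall back to the longest inventory name that prefixes the observed one.
function categorize(name, inventory = COOKIE_INVENTORY) {
  if (inventory[name]) return inventory[name];
  const prefix = Object.keys(inventory)
    .filter(k => name.startsWith(k + "_"))
    .sort((a, b) => b.length - a.length)[0];
  return prefix ? inventory[prefix] : "unknown";
}

// Cookie names from a document.cookie style string ("a=1; b=2").
function parseCookieNames(cookieString) {
  return (cookieString || "").split(";").map(s => s.trim()).filter(Boolean).map(s => s.split("=")[0]);
}

// A violation is any cookie whose category was refused in the consent state,
// plus any cookie that is not in the inventory at all. "necessary" never needs
// consent. Returns [] when the reject path is clean.
function auditCookies(cookieString, consent, inventory = COOKIE_INVENTORY) {
  const violations = [];
  for (const name of parseCookieNames(cookieString)) {
    const category = categorize(name, inventory);
    if (category === "unknown") {
      violations.push({ name, category, reason: "not in inventory" });
    } else if (category !== "necessary" && consent[category] !== true) {
      violations.push({ name, category, reason: "set without consent for " + category });
    }
  }
  return violations;
}

// Convenience for the Day 12-14 run: the state a "Reject All" click must produce.
const REJECT_ALL_STATE = { necessary: true, functional: false, analytics: false, advertising: false };
```

Run it on each device in the test matrix after clicking “Reject All”, and again after withdrawing consent from the footer link and reloading; both runs must come back empty. Anything it flags is either a script that fired before the gate (fix the gating) or a cookie that never made it into the inventory (fix the inventory and the consent categories).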

After two weeks of focused work, a small Canadian business goes from “obvious target” to “structurally compliant” status. That is the gap most of your competitors haven’t closed yet.


What Not to Do

A handful of patterns to specifically avoid:

  • Don’t rely on dark-pattern consent banners. “Continue browsing means accepting cookies” is not consent. “Accept All” with no equivalent “Reject All” is not compliant.
  • Don’t copy a competitor’s privacy policy. It probably doesn’t match your business and may carry your competitor’s contradictions and out-of-date references.
  • Don’t ignore your subprocessors. Mailchimp, Stripe, HubSpot, Calendly, Loom - all process personal information. Your privacy policy must reflect them.
  • Don’t put compliance work on hold pending Bill C-27. Quebec Law 25 is in force now. C-27 will arrive on top of it, not replace it.
  • Don’t outsource compliance to legal alone. Lawyers can draft the policy; only your web team can wire the cookie blocking, the consent UI, and the deletion workflows. You need both functions working together.

The Bottom Line

Quebec Law 25 is the most consequential Canadian privacy regulation since PIPEDA in 2000 - and unlike PIPEDA, it is being enforced aggressively. The CAI has the resources, the political backing, and the legislative authority to fine non-compliant businesses into real pain. The 2026 enforcement data shows they are using it.

For Canadian small businesses, the choice is simple: invest two weeks of focused work now to become structurally compliant, or wait until a complaint, a breach, or a competitor’s fine puts you in the CAI’s queue. The cost of proactive compliance is a fraction of the cost of reactive.

At TheBomb®, Law 25 alignment is now part of every site we ship - the consent UI, the privacy policy, the data flow documentation, the Privacy Officer disclosure. We have helped more than 30 BC and Ontario businesses get their Quebec exposure cleaned up over the past two years, and the playbook has gotten tight. If you want a partner who treats this as table stakes rather than a panicked retrofit, we are here.

Get in touch and let’s talk about your Law 25 readiness →

For broader Canadian privacy context, see our companion guides on CASL, PIPEDA and federal marketing regulations, and on bilingual website architecture for Canadian markets.