Quebec's Law 25: Website Compliance Checklist (2026)

Yousif Jabak

Founder, Web Nordique

June 30, 2026

If your website has a contact form, a newsletter, or an analytics tool like Google Analytics, Quebec's Law 25 applies to you. It governs how Quebec businesses collect and protect personal information, and it covers every business, regardless of size. It has been fully in force since September 22, 2024.

The law itself is long. This guide gets to the point: here, in plain language, is what your website needs to be compliant, and how to avoid fines.

What Law 25 changes for your website

Law 25 (formerly Bill 64) modernizes Quebec's personal information rules. It rolled out in three stages between 2022 and 2024. The obligations that directly affect your website include consent, cookies, and privacy by default. They have been in force since September 22, 2023.

The key point for a business owner: there is no threshold. A clinic, a construction contractor, a restaurant with a booking page, a professional services firm, all are covered the moment they collect personal information. And personal information is broad: a name, an email, a phone number, an IP address. If a visitor can leave their contact information or be tracked by a measurement tool, your site is in scope.

Your website compliance checklist

Here is what a compliant site needs. Most of these are set once and need little upkeep afterward.

  • A privacy policy in clear terms. It explains what information you collect, why, how long you keep it, and who you share it with. In plain, simple language a regular person can understand, with no legal jargon.
  • Your privacy officer's title and contact details, published on the site. In Quebec this person is the RPRP (responsable de la protection des renseignements personnels), by default the person who runs the business. Their title and a way to reach them must be public, usually in the privacy policy.
  • Consent on your forms, with the reason. Every form that collects information states why you are asking. Consent must be clear and given for a specific purpose. A newsletter box pre-checked by default is not valid consent.
  • Privacy by default. Since September 2023, your tools must offer the highest level of protection without the user having to change a setting. In practice, nothing that tracks or profiles a visitor activates before they agree.
  • A clear way to request access, corrections, or consent withdrawal. A person can ask to see the information you hold on them, have it corrected, or withdraw consent. Your site needs a clear point of contact for these requests.

Cookies: the part everyone gets wrong

This is where most Quebec sites trip up. Not all cookies are equal, and the rule depends on what they do.

| Cookie type | Examples | Consent required? |
| --- | --- | --- |
| Essential | Session, cart, language, security | No |
| Non-essential | Analytics, advertising, social media, retargeting | Yes, before they load |

An essential cookie runs the site: it keeps your session open, remembers your cart, stores your language. No consent required. A non-essential cookie measures, targets, or profiles: Google Analytics, a Meta pixel, a share button that tracks the user. That one needs explicit consent before it loads. Loading it the moment someone lands on the page, then asking permission afterward, is not compliant.

What makes a cookie banner valid (CAI)

A compliant banner gets five things right. The "Refuse" button is as visible and accessible as "Accept". Non-essential cookies do not load until the person consents. The banner is available in French and written in plain language. A link to your privacy policy sits on the banner itself. And the person can change their choice at any time.
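
One way to wire the loading rule described above, as an added example that is not code from this guide or from any particular banner product. The tool registry, the category names and the `consent` storage key are assumptions; in a browser, `storage` would be `localStorage` and `loadScript` would append a `<script>` element.

```javascript
// Added example. The registry entries, category names and the "consent"
// storage key are assumptions made for illustration.
const TOOLS = [
  { id: 'session',   category: 'essential',   src: '/js/session.js' },
  { id: 'analytics', category: 'analytics',   src: 'https://analytics.example/tag.js' },
  { id: 'ads-pixel', category: 'advertising', src: 'https://ads.example/pixel.js' },
];

function createConsentGate(storage, loadScript) {
  const loaded = new Set();

  function readChoice() {
    try {
      return JSON.parse(storage.getItem('consent')) || {};
    } catch {
      return {}; // an unreadable value counts as "no consent given"
    }
  }

  // Load every tool the current choice allows; essential tools always load.
  function apply() {
    const choice = readChoice();
    for (const tool of TOOLS) {
      const allowed = tool.category === 'essential' || choice[tool.category] === true;
      if (allowed && !loaded.has(tool.id)) {
        loadScript(tool.src);
        loaded.add(tool.id);
      }
    }
    return [...loaded];
  }

  // Record a new choice at any time. A script that already ran cannot be
  // unloaded, so withdrawn tools are reported for a page reload.
  function setChoice(choice) {
    storage.setItem('consent', JSON.stringify(choice));
    const needsReload = TOOLS
      .filter(t => loaded.has(t.id) && t.category !== 'essential' && choice[t.category] !== true)
      .map(t => t.id);
    return { loaded: apply(), needsReload };
  }

  return { apply, setChoice };
}

// In-memory stand-in for localStorage so the example runs outside a browser.
function memoryStorage() {
  const data = new Map();
  return {
    getItem: k => (data.has(k) ? data.get(k) : null),
    setItem: (k, v) => { data.set(k, String(v)); },
  };
}
```

With no stored choice, `apply()` loads only the essential entry, which is the privacy-by-default behaviour; "Accept" and "Refuse" both go through `setChoice()`, so refusing is never a harder path than accepting.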

The fines, and why compliance became the floor

Let's be honest about the numbers. Law 25 has two kinds of penalties. Administrative monetary penalties can reach $10 million or 2% of worldwide revenue. Penal fines, for the most serious cases, can climb to $25 million or 4%, whichever is higher. Those are ceilings, meant for serious failures, not the penalty waiting for a small business with a misconfigured banner.

The real issue is elsewhere. Basic compliance has become a standard your clients and partners take for granted. A site with no clear policy and no consent signals carelessness, at a time when people expect their data to be handled with care. Getting compliant costs little. Staying non-compliant gets noticed.

Where to start (and what it costs)

The work breaks into three steps. First, take stock of your site: which forms collect information, which tools set cookies, and whether your privacy policy is current. Next, add what is missing: the policy, the published RPRP, and a cookie banner if you load non-essential tools. Finally, confirm the banner actually blocks those tools until the visitor consents.
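
For the last step, a static check of the HTML your server sends on a first visit, as an added example that is not part of the original guide. The host list is a short, non-exhaustive assumption, the `data-consent` attribute and the `G-EXAMPLE` id are placeholders, and the sample page is constructed.

```javascript
// Added example. The host list is a short, non-exhaustive assumption and the
// sample page below is constructed for illustration.
const TRACKER_HOSTS = ['googletagmanager.com', 'google-analytics.com', 'connect.facebook.net'];

// Read one attribute value (quoted or unquoted) from a tag's attribute string.
function attr(attrs, name) {
  const m = new RegExp(`(?:^|\\s)${name}\\s*=\\s*["']?([^"'\\s>]*)`, 'i').exec(attrs);
  return m ? m[1] : '';
}

// Return tracker scripts the browser would execute as soon as the HTML is parsed.
function findUngatedTrackers(html) {
  const findings = [];
  const scriptRe = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = scriptRe.exec(html)) !== null) {
    const [, attrs, body] = m;
    const type = attr(attrs, 'type').toLowerCase() || 'text/javascript';
    // A consent tool typically parks blocked scripts under a non-script type
    // such as text/plain, which the browser never executes.
    if (!/^(text\/javascript|application\/javascript|module)$/.test(type)) continue;
    const src = attr(attrs, 'src');
    const host = TRACKER_HOSTS.find(h => (src || body).includes(h));
    if (host) findings.push({ host, inline: src === '' });
  }
  return findings;
}

// Constructed sample: one local script, one gated tag, one ungated inline pixel.
const SAMPLE_PAGE = `
<script src="/js/cart.js"></script>
<script type="text/plain" data-consent="analytics"
        src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script>
  (function (d) { var s = d.createElement('script');
    s.src = 'https://connect.facebook.net/en_US/fbevents.js';
    d.head.appendChild(s); })(document);
</script>`;
```

Running `findUngatedTrackers(SAMPLE_PAGE)` reports only the inline pixel. A static check cannot see tags injected at runtime by a tag manager, so also open the site in a private window and confirm in the browser's network panel that no tracker request goes out before you click the banner.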

| Type of site | Ballpark cost | What it covers |
| --- | --- | --- |
| Brochure site, few cookies | Under $500 | Privacy policy, published RPRP, basic banner (often DIY) |
| Site with forms and analytics | $500 to $1,500 | A banner that blocks non-essential cookies, consents reviewed |
| E-commerce, lots of data | $1,500 and up | Consent management, a register, sometimes a dedicated tool |

Indicative prices, 2026.

A simple brochure site can often be updated in a few hours. An e-commerce site or a form-heavy one takes more care, mostly to handle consent cleanly. And no, you do not always need a paid cookie tool: for a small site with few trackers, a well-configured banner is enough.

If you want to know where your site stands before making changes, our digital audit reviews basic compliance alongside everything else. And if you are starting from scratch, our guide on how much a website costs in Quebec puts these costs in the context of a full website project.

Law 25 sounds bigger than it is

For most small business websites, the basics are manageable: a clear privacy policy, a published privacy officer, honest consent on forms, and a cookie banner that respects the visitor's choice. None of them is hard on its own.

If you are unsure of your site's state, start by checking it. For a specific or delicate situation, the Commission d'accès à l'information du Québec (CAI) is the official reference. This guide gives you the starting point, not legal advice.

The point is not to scare people. It is to make your website cleaner, clearer, and more trustworthy for the people who contact you. The 7 signs your website is losing you clients often share the same technical neglect as a compliance gap. Fixing one helps the other.

Frequently asked questions

01. Does Law 25 apply to my small website?

Yes. Law 25 applies to every Quebec business that collects personal information, regardless of size. A site with a simple contact form, a newsletter, or an analytics tool like Google Analytics is covered. There is no revenue threshold or employee count below which you are exempt. Source: the Commission d'accès à l'information du Québec (CAI).

02. Do I need a cookie banner?

Only if your site sets non-essential cookies, such as Google Analytics, advertising pixels, or social media buttons. Cookies strictly required to run the site (session, cart, language) need no consent. As soon as a cookie measures, targets, or profiles, it needs explicit consent before it loads, which means a compliant banner.

03. What is a privacy officer (RPRP)?

It is the person responsible for protecting personal information in your business. In Quebec the role is known in French as the RPRP. By default it is the person with the highest authority, often the owner or director. You can delegate the role in writing. Law 25 requires that their title and contact details be published, usually in your privacy policy.

04. What are the fines for non-compliance?

Law 25 has two tracks. Administrative monetary penalties can reach $10 million or 2% of worldwide revenue. Penal fines, for the most serious cases, can reach $25 million or 4%, whichever is higher. Those ceilings are meant for serious violations, not the typical penalty for a small business. The point is not to scare people. Basic compliance has become a simple standard to meet. For a specific situation, refer to the CAI.

05. How much does it cost to make a website compliant?

For a simple brochure site, it is often a few hours of work: adding a privacy policy, publishing the RPRP, and a basic cookie banner if needed. Expect under $500 in many cases, and a good part is something you can handle yourself. An e-commerce site or one full of forms takes more work, mostly around consent management. A small site does not always need a paid cookie tool.