Law 25 and Cookie Management: How Can You Ensure Compliance?

Published on April 28, 2025

To ensure your organization complies with Law 25, you must take several elements into account, including how you manage cookies.

It should be mentioned that Law 25 modernizes certain existing laws, including the Act respecting the protection of personal information in the private sector, which applies to private organizations of all sizes that operate in Québec and collect personal information about their clients, employees and partners. For example, this applies to:

  • online boutiques and stores that collect client names, addresses and payment information;
  • professional firms (law, accounting, consultancy) that retain client files containing personal information;
  • technology and marketing companies that use cookies and tracking tools on their websites;
  • service providers (even those that primarily deal with other companies’ information) that must protect their employees’ personal information, where applicable.

Inform users that your website uses tracking tools

All organizations that use identifying, locating and profiling tools on their website or application must inform users before collecting any information.

The company must:

  • mention that tracking tools are used (profiling cookies, marketing tracking pixels and behaviour analysis tools, for example);
  • indicate the means available to activate these functions.

For example, if your website uses Google Analytics to track visitor behaviour, a consent banner must clearly state that this technology is used to analyze browsing behaviour and explain how users can activate this function.

Manage cookies

Users of your website or application must be able to decide which cookies that process their personal information they accept. A cookie management solution lets them make an informed decision. This tool must offer the following six elements.

  1. Cookies disabled by default. All profiling, identifying and locating cookies must be deactivated by default. Generally speaking, only strictly necessary cookie categories may be activated by default.
  2. Accurate and specific information. The purpose of each cookie (targeted advertising or traffic analysis, for example) must be clearly described and how long it remains on the user’s browser must be clarified.
  3. User choice regarding cookie purposes. Users must be able to select and accept or refuse certain types of cookies (accept traffic analysis cookies and refuse targeted advertising cookies, for example).
  4. Equally simple cookie refusal and acceptance. A “Refuse all” button must be as accessible and visible as an “Accept all” button.
  5. Choosing third parties. If information is shared with third parties (Google and Facebook, for example), users must be able to consent to, or refuse, the transmission of their information to each of them.
  6. Revoke consent at any time. Users must be able to change their cookie preferences at any time and not only during their first website visit.
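As an added example, not code from this article or from Raymond Chabot Grant Thornton, the following JavaScript shows how the six elements above can be enforced in code rather than only promised in a banner: nothing non-essential is set until the user opts in, each purpose and each third party is a separate switch, refusing is a single call exactly like accepting, and changing or revoking a choice deletes the cookies that are no longer covered. The names `ConsentManager`, `MemoryCookieJar` and `COOKIE_CATALOGUE` are hypothetical, the catalogue entries are constructed for the example, and `MemoryCookieJar` stands in for `document.cookie` so the code runs outside a browser.

```javascript
// Constructed catalogue: every cookie the site may set, with the purpose,
// lifetime and third party the banner must describe (element 2).
const COOKIE_CATALOGUE = {
  session_id:    { purpose: 'essential',   lifetimeDays: 0,   thirdParty: null,       description: 'Keeps you signed in' },
  consent_prefs: { purpose: 'essential',   lifetimeDays: 180, thirdParty: null,       description: 'Stores your cookie choices' },
  _ga:           { purpose: 'analytics',   lifetimeDays: 730, thirdParty: 'Google',   description: 'Google Analytics visitor ID' },
  _fbp:          { purpose: 'advertising', lifetimeDays: 90,  thirdParty: 'Facebook', description: 'Facebook targeted advertising' },
  geo_hint:      { purpose: 'geolocation', lifetimeDays: 30,  thirdParty: null,       description: 'Approximate location for the store finder' },
};
const NON_ESSENTIAL_PURPOSES = ['analytics', 'advertising', 'geolocation'];
const THIRD_PARTIES = ['Google', 'Facebook'];

// Stand-in for document.cookie so the example runs in Node.
class MemoryCookieJar {
  constructor() { this.store = new Map(); }
  set(name, value, lifetimeDays) { this.store.set(name, { value, lifetimeDays }); }
  get(name) { const c = this.store.get(name); return c ? c.value : undefined; }
  delete(name) { this.store.delete(name); }
  names() { return [...this.store.keys()]; }
}

// Element 1: every purpose and every third party starts refused.
function defaultConsent() {
  return {
    decided: false,
    purposes: Object.fromEntries(NON_ESSENTIAL_PURPOSES.map((p) => [p, false])),
    thirdParties: Object.fromEntries(THIRD_PARTIES.map((t) => [t, false])),
    updatedAt: null,
  };
}

class ConsentManager {
  constructor(jar) { this.jar = jar; this.state = this.load(); }

  // Reload a previous choice; anything unreadable falls back to "all refused".
  load() {
    const raw = this.jar.get('consent_prefs');
    if (!raw) return defaultConsent();
    try { return { ...defaultConsent(), ...JSON.parse(raw) }; } catch { return defaultConsent(); }
  }
  // consent_prefs is itself strictly necessary, so it bypasses the gate below.
  persist() { this.jar.set('consent_prefs', JSON.stringify(this.state), COOKIE_CATALOGUE.consent_prefs.lifetimeDays); }

  // Element 2: the data the banner shows per cookie (purpose, lifetime, recipient).
  describe() { return Object.entries(COOKIE_CATALOGUE).map(([name, c]) => ({ name, ...c })); }

  // Elements 3 and 5: per-purpose and per-third-party choices. Element 6:
  // every change is persisted and cookies no longer covered are removed.
  update({ purposes = {}, thirdParties = {} }) {
    for (const p of Object.keys(purposes)) if (!NON_ESSENTIAL_PURPOSES.includes(p)) throw new Error(`unknown purpose ${p}`);
    for (const t of Object.keys(thirdParties)) if (!THIRD_PARTIES.includes(t)) throw new Error(`unknown third party ${t}`);
    this.state = {
      ...this.state,
      purposes: { ...this.state.purposes, ...purposes },
      thirdParties: { ...this.state.thirdParties, ...thirdParties },
      decided: true,
      updatedAt: new Date().toISOString(),
    };
    this.persist();
    this.purgeUnconsented();
  }
  // Element 4: accepting and refusing everything are symmetrical one-step actions.
  acceptAll() { this.update(this.everything(true)); }
  refuseAll() { this.update(this.everything(false)); }
  everything(flag) {
    return {
      purposes: Object.fromEntries(NON_ESSENTIAL_PURPOSES.map((p) => [p, flag])),
      thirdParties: Object.fromEntries(THIRD_PARTIES.map((t) => [t, flag])),
    };
  }
  // Element 6: withdrawing consent returns to the default state and removes
  // the stored choice, so the banner is shown again on the next visit.
  revoke() { this.state = defaultConsent(); this.jar.delete('consent_prefs'); this.purgeUnconsented(); }

  // The gate: a cookie is allowed only if it is catalogued, and either strictly
  // necessary or covered by both its purpose and its third party (if any).
  allowed(name) {
    const c = COOKIE_CATALOGUE[name];
    if (!c) return false;
    if (c.purpose === 'essential') return true;
    if (!this.state.purposes[c.purpose]) return false;
    if (c.thirdParty && !this.state.thirdParties[c.thirdParty]) return false;
    return true;
  }
  // Every tag loader or cookie writer goes through here; returns whether it was set.
  setCookie(name, value) {
    if (!this.allowed(name)) return false;
    this.jar.set(name, value, COOKIE_CATALOGUE[name].lifetimeDays);
    return true;
  }
  purgeUnconsented() { for (const name of this.jar.names()) if (!this.allowed(name)) this.jar.delete(name); }
  hasConsent(purpose) { return this.state.purposes[purpose] === true; }
}

// Walk-through: what a Google Analytics loader sees before and after consent.
function demo() {
  const jar = new MemoryCookieJar();
  const cm = new ConsentManager(jar);
  const before = cm.setCookie('_ga', 'GA1.2.123');          // refused: nothing decided yet
  cm.update({ purposes: { analytics: true }, thirdParties: { Google: true } });
  const afterAnalytics = cm.setCookie('_ga', 'GA1.2.123');  // allowed
  const ads = cm.setCookie('_fbp', 'fb.1.123');             // refused: advertising still off
  cm.revoke();                                              // _ga is deleted again
  return { before, afterAnalytics, ads, remaining: jar.names() };
}
```

The point of the example is that the gate sits in front of every cookie write and every tag loader, not beside the banner: a banner that says "refused" while a script still drops `_ga` is the usual way a site fails element 1. The `updatedAt` timestamp on the persisted state is the minimum you would keep (and, for anything contested, also log server-side) to show when and what a visitor consented to.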

Allow users to access their information

Users may request:

  • a copy of their collected information;
  • an explanation regarding how their data is used.

If the data is inaccurate, they may request its correction.

FAQ | Frequently asked questions regarding cookie management

  • Yes, but only where users have given explicit consent.

  • Yes, and it must be as visible as the “Accept all” button.

  • You can use a cookie consent management tool that logs visitor preferences.

  • Failure to comply with this law may result in sizeable financial sanctions. Organizations could face fines ranging from $15,000 to $25,000,000 or an amount corresponding to up to 4% of worldwide turnover for the preceding fiscal year (whichever is greater).

    The following recommendations will help you to avoid sanctions:

    • Clearly inform users regarding tracking tools;
    • Use a cookie management solution that meets the criteria outlined above and records user preferences so you can review them;
    • Include your Privacy Officer’s contact information in your privacy policy to allow users to submit information access and correction requests;
    • Publish your Privacy Officer’s contact information on your website.

By using a compliant cookie management solution and drafting a clear privacy policy, you can reduce your legal risk while respecting the privacy of your website users.

Do you need help? Contact us and one of our protection of personal information experts will assess whether your website is compliant.

This was written in collaboration with Sabrina Roy, Senior Consultant in Information Governance and Privacy at Raymond Chabot Grant Thornton.
