Bill 25: is your privacy policy actually compliant?
Your firm handles tax returns, contracts, medical records, wills. Your clients trust you with their most sensitive information because they trust your professional rigor.
But does your website reflect that same rigor?
Quebec's Bill 25 (now Law 25, An Act to modernize legislative provisions as regards the protection of personal information) has been phased in since September 2022, and most of the obligations that touch a website have been in force since September 2023. They apply to every business that collects personal information in Quebec, and that includes your website: its contact form, its cookies, and its privacy policy.
The good news: compliance isn't that complicated. Here's what you need to know.
What Bill 25 actually requires
The law doesn't ask you to turn your website into a legal fortress. It asks for transparency and seriousness. Four elements are mandatory.
1. A privacy policy published on your website
Not a page buried in a footer that nobody reads. A clear policy, written in plain language, that explains what you do with your visitors' data.
2. A designated person responsible for privacy
Someone in your firm must be designated as the person responsible for the protection of personal information. By default, it's the person with the highest authority in the organization, who may delegate the role in writing. The title and contact information of that person must be published on your website.
3. A consent mechanism for cookies
If your site uses Google Analytics, tracking pixels, or any third-party script that tracks or profiles visitors, those technologies must be off by default and may only be activated after the visitor explicitly consents. A simple banner saying "we use cookies" is not enough.
4. A privacy incident response plan
In the event of a confidentiality incident (a data breach, or unauthorized access, use or disclosure of personal information), you must have a process in place to assess the risk, record the incident in an incident register, and, where the incident presents a risk of serious injury, notify the Commission d'accès à l'information du Québec (CAI) and the affected individuals.
What your privacy policy must include
A privacy policy that complies with Bill 25 is not a generic legal text copied from an online generator. It must be specific to your firm and answer these questions:
- What information do you collect? Name, email, phone number through your contact form? Browsing data through cookies?
- Why do you collect it? To respond to an inquiry? For marketing? To improve your site?
- How is it stored? In which database? With which hosting provider?
- Who has access? Only you? A subcontractor? A US-based vendor?
- How long do you keep it? Indefinitely is not an acceptable answer.
- How can someone request deletion of their data? You must provide a clear way to do so.
- Who is the person responsible for privacy? Title and contact information.
If your policy doesn't clearly answer each of these questions, it's probably not compliant.
Cookie consent: what most sites get wrong
Quebec stands alone in North America in requiring that tracking and profiling technologies be off by default until the visitor opts in, an approach similar to Europe's GDPR and distinct from Canada's federal law (PIPEDA), under which tracking such as online advertising has in practice been handled on an opt-out basis.
In practice, that means:
- Tracking cookies must be disabled by default. Google Analytics should not load before the visitor clicks "Accept."
- The "Decline" button must be as visible as the "Accept" button. No dark patterns where refusal is hidden behind a discreet link.
- Visitors must be able to change their choice at any time. Not just on their first visit.
- Each type of cookie must be clearly explained. Its purpose, its lifespan, the third party that sets it.
If your site loads Google Analytics the moment the page opens without asking permission, you're not compliant. A quick check: open your browser's developer tools, load the page with no prior choice stored, and look at the Network tab before clicking anything. If you see requests to googletagmanager.com or google-analytics.com, the tag is firing before consent.
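The points above translate into a small amount of front-end logic: keep the tracker out of the page until an explicit "Accept," remember the decision so the visitor can change it, and treat anything other than a clear yes as a no. The following is an added example, not code from the original article or from any consent vendor. The storage key, the consent lifetime, the tracker entries (including the placeholder GA4 measurement ID and the hypothetical ad vendor) and the element ids `consent-banner`, `consent-accept`, `consent-decline` and `consent-manage` are all assumptions for illustration.

```javascript
// Added example (not from the original article): a minimal opt-in consent gate.
// Trackers are loaded only after the visitor explicitly accepts their category,
// the decision is stored so it can be reviewed and changed later, and a stored
// "decline" never injects the script. Storage and the script loader are injected
// so the decision logic can run (and be tested) outside a browser.

const CONSENT_KEY = "privacy-consent-v1";              // assumed storage key
const CONSENT_TTL_MS = 180 * 24 * 60 * 60 * 1000;      // assumed: ask again after ~6 months

// What the site loads, with the disclosures the banner and policy must show for each
// (purpose, lifespan, third party). Hypothetical entries; the measurement ID is a placeholder.
const TRACKERS = {
  analytics: {
    vendor: "Google LLC",
    purpose: "Audience measurement (Google Analytics 4)",
    lifespan: "Up to 2 years (_ga cookie)",
    src: "https://www.googletagmanager.com/gtag/js?id=G-XXXXXXXXXX",
  },
  marketing: {
    vendor: "Example Ads Inc. (hypothetical)",
    purpose: "Ad conversion measurement",
    lifespan: "90 days",
    src: "https://ads.example.invalid/pixel.js",
  },
};

// Normalise a choices object: only a literal `true` counts as consent for a category;
// anything else (missing, "yes", 1, undefined) is treated as declined.
function normalizeChoices(choices) {
  const clean = {};
  for (const cat of Object.keys(TRACKERS)) clean[cat] = choices?.[cat] === true;
  return clean;
}

// Decision stored on the device. Returns null when there is no valid decision, which
// callers must treat as "ask the visitor, load nothing" rather than as consent.
function readConsent(storage, now = Date.now()) {
  const raw = storage.getItem(CONSENT_KEY);
  if (!raw) return null;
  let rec;
  try { rec = JSON.parse(raw); } catch { return null; }           // corrupted value: ask again
  if (!rec || typeof rec !== "object" || typeof rec.ts !== "number") return null;
  if (now - rec.ts > CONSENT_TTL_MS || rec.ts > now) return null;  // expired or clock-skewed: ask again
  return normalizeChoices(rec.choices);
}

// Record the visitor's decision (accept some, accept all, or decline all) with a timestamp.
function writeConsent(storage, choices, now = Date.now()) {
  const clean = normalizeChoices(choices);
  storage.setItem(CONSENT_KEY, JSON.stringify({ ts: now, choices: clean }));
  return clean;
}

// Load the trackers the decision permits, each at most once per page load, and return
// the categories loaded by this call. Declined categories are never passed to loadScript.
function applyConsent(choices, loadScript, loaded = new Set()) {
  const loadedNow = [];
  for (const [cat, tracker] of Object.entries(TRACKERS)) {
    if (choices[cat] === true && !loaded.has(cat)) {
      loadScript(tracker.src);
      loaded.add(cat);
      loadedNow.push(cat);
    }
  }
  return loadedNow;
}

// Browser wiring: only runs in a page. The banner and buttons are assumed to exist with
// these ids, with the Decline button styled exactly like Accept (no hidden "reject" link).
if (typeof document !== "undefined" && typeof localStorage !== "undefined") {
  const loaded = new Set();
  const loadScript = (src) => {
    const s = document.createElement("script");
    s.async = true;
    s.src = src;
    document.head.appendChild(s);
  };
  const banner = document.getElementById("consent-banner");
  const decide = (choices) => {
    applyConsent(writeConsent(localStorage, choices), loadScript, loaded);
    if (banner) banner.hidden = true;
  };
  const saved = readConsent(localStorage);
  if (saved) applyConsent(saved, loadScript, loaded);   // returning visitor: honour the stored decision
  else if (banner) banner.hidden = false;                // first visit or expired: ask, load nothing
  document.getElementById("consent-accept")?.addEventListener("click", () => decide({ analytics: true, marketing: true }));
  document.getElementById("consent-decline")?.addEventListener("click", () => decide({}));
  // Footer "Manage cookies" link: the visitor can reopen the banner and change the decision at any time.
  document.getElementById("consent-manage")?.addEventListener("click", () => { if (banner) banner.hidden = false; });
}
```

Two things worth noting about the design. The tracker `<script>` tag is created by `loadScript` only inside `applyConsent`, so there is no path on which it reaches the page before a stored or freshly made "accept"; an absent, expired or corrupted decision yields `null` and loads nothing. Revoking consent later stops future loads, but a tracker already running in the current page keeps running until the page is reloaded, so a "decline" handler in a real site should also reload and expire the vendor's cookies (for Google Analytics, the `_ga` family); that cleanup is omitted here. The per-tracker `vendor`, `purpose` and `lifespan` fields are the same facts the banner and the privacy policy have to disclose, so rendering the banner from `TRACKERS` keeps the two from drifting apart.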
The most common mistakes
When auditing professional firm websites in Quebec, we see the same issues come up again and again:
No privacy policy at all. This is more common than you'd think. The site was built a few years ago, nobody thought of it, and nobody has added one since.
A generic policy copied from a template. The text mentions services you don't offer, or fails to mention the tools you actually use (Google Analytics, Mailchimp, your CRM).
No identified privacy officer. The law requires that the title and contact information of the responsible person be published. "Contact us" with a generic form doesn't cut it.
No data retention policy. You collect email addresses through your contact form, but for how long do you keep them? If you don't have an answer, you have a problem.
A cosmetic cookie banner. A banner that says "This site uses cookies. OK" with no option to decline, no details about which cookies are used, no way to change your preferences -- that's not enough.
No incident response plan. Nobody thinks about data breaches until they happen. Bill 25 requires a documented process.
Why professional firms should lead by example
CPAs, lawyers, engineers, and notaries are bound by strict codes of ethics regarding client confidentiality. A firm that handles tax returns or legal files shouldn't have a website that collects personal data without a clear policy.
It's a matter of consistency. Your clients expect you to handle their information with care. Your website should project that same professionalism.
And from a legal standpoint, the fines are not symbolic. The CAI can impose administrative monetary penalties of up to $10 million or 2% of worldwide turnover, whichever is greater. Penal fines can reach $25 million or 4% of worldwide turnover, whichever is greater. For repeat offences, the amounts double.
Where to start
Bill 25 compliance is not a massive undertaking. For most professional firms, it comes down to:
- Write a privacy policy specific to your firm, in plain language, covering all the points listed above.
- Install a compliant consent mechanism for cookies, with opt-in by default.
- Designate the person responsible for the protection of personal information and publish their title and contact information.
- Document a simple incident response plan: who does what if a breach occurs.
- Review your forms: every form that collects personal data should clearly state what you do with that data.
At Kenogami, our free website health check includes a Bill 25 compliance review. We identify what's missing, what's insufficient, and give you a clear picture of where you stand.