Skip to main content
Back to Guides
Compliance6 min read

Quebec's Law 25: Cookie Consent Rules for 2026

Federal PIPEDA is flexible about cookies. Quebec's Law 25 is not. Section 8.1 requires profiling and tracking technology to be switched off by default, and the CAI can levy penalties up to CAD $25 million. Here's the Quebec-specific model, layer by layer.

Canada actually runs two cookie regimes, and they don't agree. At the federal level, PIPEDA is principle-based and tolerant of implied consent for low-sensitivity tracking. In Quebec, Law 25 is stricter, closer to the GDPR, and built around a rule that most of Canada doesn't have: profiling and location technology has to be turned off by default.

If you serve Quebec residents, and most Canadian-facing sites do, the flexible federal reading isn't your ceiling. This guide covers what Law 25 actually requires for cookies, the section 8.1 default rule that trips people up, who enforces it, the penalty exposure, and how it differs from the PIPEDA baseline. For the federal picture, start with our PIPEDA and cookie consent guide; this one is the Quebec layer on top.

What Law 25 Is

Law 25 is the common name for the Act to modernize legislative provisions as regards the protection of personal information, originally introduced as Bill 64. It overhauled Quebec's private-sector privacy law and rolled out in three annual waves:

  • 22 September 2022: mandatory privacy officer, breach reporting to the regulator and affected individuals, and a register of breaches.
  • 22 September 2023: the substantive core. Consent standards, transparency obligations, privacy impact assessments, the section 8.1 default rule, and the CAI's penalty powers all took effect.
  • 22 September 2024: the data portability right, letting individuals get their computerised personal information in a structured, commonly used format.

All three waves are now live. In 2026 you're dealing with the fully-implemented law, penalties included.

Section 8.1: The Rule That Changes Everything

This is the provision that separates Quebec from the rest of Canada. Section 8.1 says that when an organisation uses technology that identifies, locates, or profiles an individual, it has to inform the person and give them the means to activate those functions. Read together with Law 25's privacy-by-default principle, the practical reading is that those functions must be deactivated by default. The user has to switch them on, not switch them off.

For cookies and trackers, that maps almost directly to opt-in. A tracking cookie that builds an advertising profile, a pixel that follows a user across sites, a geolocation script: these are exactly the identify, locate, and profile functions section 8.1 targets, and they should not be running until the visitor turns them on.

Be honest about the edges: the statute doesn't spell out cookie mechanics line by line, and law firms have noted genuine ambiguity about how far section 8.1 reaches into every tracking scenario. Quebec's privacy regulator has read it as a strong default-off requirement. A detailed practitioner analysis is worth reading; see McCarthy Tétrault on Law 25 and cookies. The defensible posture is simple: treat non-essential trackers as off until consent, the same as you would under the GDPR.

The Consent Standard

Law 25 raises the consent bar well above PIPEDA's sliding scale. Consent has to be clear, free, and informed, and given for specific purposes. It must be requested for each purpose separately, in clear and simple language, and, importantly, it has to be presented separately from any other information so it doesn't get buried in a wall of terms. For sensitive personal information, consent must be express.

Two consequences flow from that for a cookie banner. First, bundling analytics, advertising, and functional cookies into a single "I agree" doesn't meet the specific-purpose requirement; you need granular, per-purpose choices. Second, a pre-checked box or an "accept by continuing" pattern fails the free-and-informed test. The banner has to present a real, unbundled choice, and withdrawal has to be as easy as giving consent in the first place.

Who Enforces It, and What It Costs

Quebec's regulator is the Commission d'accès à l'information (CAI). It supervises compliance, handles complaints, and, since September 2023, wields real teeth. You can consult its guidance at the CAI's official site.

The penalty structure has two tracks:

  • Administrative monetary penalties imposed by the CAI: up to CAD $10 million or 2% of worldwide turnover, whichever is higher.
  • Penal fines through prosecution: up to CAD $25 million or 4% of worldwide turnover, whichever is higher, and these can double for a repeat offence.

On top of the regulator's powers, Law 25 created a private right of action. Individuals can sue for damages from an unlawful breach of their privacy rights, with a minimum of $1,000 in punitive damages available where the breach is intentional or grossly negligent. That's a materially different enforcement environment from the rest of Canada, where private litigation over cookies is rare.

Law 25 vs PIPEDA: The Deltas

  • Consent posture: PIPEDA accepts implied consent for lower-sensitivity processing; Law 25 pushes toward express, per-purpose opt-in for tracking.
  • Default state: PIPEDA has no equivalent of section 8.1. Quebec requires profiling and location functions off by default.
  • Penalties: Law 25's administrative and penal caps (up to $25M or 4%) dwarf PIPEDA's, and it adds a private right of action.
  • Transparency: Law 25 demands purpose-specific, separately presented consent requests, a higher clarity bar than PIPEDA's general standard.

The takeaway for a national Canadian site: build to the Quebec standard and apply it across the country. Calibrating your banner province by province is more work and more risk than holding everything to the strictest applicable bar. That's the same defensive logic that governs serving multiple international regions from one well-built flow, covered in our banner design best practices.

A Practical Law 25 Setup

  1. Scan and classify your trackers so you know exactly what identifies, locates, or profiles a visitor. That's the section 8.1 inventory.
  2. Default non-essential trackers to off. Nothing that profiles or locates fires before opt-in.
  3. Offer per-purpose consent in clear French (Quebec's language obligations matter) and English, presented separately from other terms.
  4. Make withdrawal one action, as easy as consenting.
  5. Log every decision with a timestamp and purpose, so you can demonstrate valid consent to the CAI. See consent logging requirements.
  6. Publish a plain-language privacy notice covering what you collect, why, and who it's shared with.

How CookieBeam Handles Quebec

CookieBeam ships a Quebec Law 25 framework preset that's distinct from its PIPEDA preset, and the distinction is exactly the one the law draws. The federal PIPEDA preset defaults to a notice-style banner for Canada generally. The Law 25 preset is scoped to country Canada plus the Quebec region and sets the banner to opt-in, with non-essential scripts blocked until the visitor consents, matching the section 8.1 default-off expectation.

Through the regional consent engine, a visitor detected in Quebec gets the opt-in experience while a visitor elsewhere in Canada gets the federal notice model, from the same banner. Consent decisions are logged with timestamps and purpose-level detail, which is the evidence you'd need if the CAI or a private litigant asks how consent was obtained. Verify the current CAI guidance before you finalise, and if you have any doubt about whether a specific tracker is caught by section 8.1, default it to off.

Related Guides

For the federal Canadian baseline, read PIPEDA and cookie consent. For the GDPR standard Law 25 mirrors, see the GDPR cookie compliance checklist. For the reject-and-withdraw mechanics, read one-click reject and dark-pattern laws. For serving different rules per location, see regional consent for global sites.

Quebec Law 25 Cookie Consent 2026: Section 8.1 & the CAI | CookieBeam | CookieBeam