Law 25 privacy policy template for SMBs
Looking for a Law 25 privacy policy template for a Quebec SMB? There is no single "CAI-certified" text to download. However, your customers and the CAI expect a clear structure, published on your website, that reflects what you actually do.
Role of the policy on the web
The policy explains what data you collect, why, with whom you share it, how long you keep it, and how to exercise rights. It complements your cookie banner and forms.
If no one understands it, it does not help. An SMB template must stay readable. Avoid a 40-page legal copy-paste that even your staff will not open.
Recommended sections (SMB checklist)
- Privacy officer (PRP) identity and contact (privacy officer designation).
- Categories of personal information (customers, employees, web visitors, browsing cookies).
- Purposes by category (sales, support, marketing, security, analytics).
- Legal bases (consent, legitimate interest where applicable, legal obligation).
- Third parties and processors (host, CRM, advertising, measurement tools).
- Transfers outside Quebec where applicable.
- Retention periods and destruction criteria (data lifecycle).
- Individual rights (access, rectification, withdrawal of consent, complaint to the CAI): see customer rights.
- Privacy incidents: how you inform affected individuals.
- Visible update date.
Common SMB mistakes
- Generic SaaS policy not adapted to Quebec (GDPR copy-paste, wrong authorities).
- Broken link or unreadable PDF on mobile: the policy must be findable in two clicks.
- Ghost privacy officer contact: a generic email no one reads.
- Policy vs reality gap: described trackers or purposes do not match the site (see web essentials).
Template: work in steps
Here is the order we see work for SMBs:
- Inventory your actual processing (CRM, website, HR).
- Draft or have validated the text with a lawyer. The template structures; it does not replace legal advice.
- Publish a dated version on the web.
- Verify technical accessibility and alignment of cookies and forms.
For high-risk projects, plan a PIA.
In brief
Your policy is your transparency contract with the public. Complete sections, clear language, visible date: and above all, consistency with what your site does today, not three years ago.
Useful references
- CAI, Protection of personal information: expectations and guides for organizations.
- Web privacy policy essentials: marketing, forms, cookies.
- Governance and policies: internal employee policy as a complement.
This text is informational and does not constitute legal advice. For a decision binding your organization, consult the CAI and a legal professional.
Check your website
A poorly linked policy or one disconnected from real trackers shows up quickly in a scan. Our free technical scan helps spot observable gaps. It complements, but does not replace, your compliance program.