Web privacy policy compliant with Law 25: the essentials

Your website is often the first contact with customers, and the first place the CAI or an unhappy client will look. The published policy must reflect what your digital marketing actually does: forms, newsletters, analytics, advertising.

Information to publish clearly

The policy and cookie banner must tell the same story. If you describe three purposes in the text but load ten after an "Accept" click, you create a documented gap that is easy to challenge.

Online forms and cookies

Each form should state its purpose and avoid unnecessary collection. For non-essential trackers, prior consent and a refusal path as simple as acceptance are expected: the CAI has repeated this several times (see cookie banner). Do not load Google Analytics or the Meta pixel before the user's choice if those tools are not strictly necessary.

Common web mistakes

  1. US or European template not adapted to Quebec (wrong laws, wrong authorities).
  2. Frozen text from three years ago while HubSpot, Meta, or your CRM has changed.
  3. Vague language: "partners" without naming them.
  4. Policy hard to find: missing footer link or unreadable PDF on mobile.
  5. Ignored cookie refusal: trackers deployed despite "Refuse".

For an overall SMB structure, see also Law 25 privacy policy template for SMBs.

In brief

On the web, compliance is visible: up-to-date policy, reachable privacy officer, lean forms, cookies under control. Update the policy whenever marketing tools change, not only when a customer complains.

Useful references

This text is informational and does not constitute legal advice. For a decision binding your organization, consult the CAI and a legal professional.

Check your website

This is exactly what our scan checks on the surface: policy, cookies, trackers, privacy officer contact. Run a free technical scan: it complements, but does not replace, your compliance program.