Web privacy policy compliant with Law 25: the essentials
Your website is often the first contact with customers, and the first place the CAI or an unhappy client will look. The published policy must reflect what your digital marketing actually does: forms, newsletters, analytics, advertising.
Information to publish clearly
- Types of personal information collected (forms, customer accounts, session cookies, live chat).
- Purposes by category (sales, support, audience measurement, remarketing).
- Legal basis and consent requirements where applicable (consent).
- Third parties and processors (CRM, host, social networks, analytics tools).
- Individual rights and how to exercise them (timeline, format, privacy officer contact).
- Privacy officer (PRP) contact details: a monitored email, not a black hole.
- Visible last-updated date.
The policy and cookie banner must tell the same story. If you describe three purposes in the text but load ten after an "Accept" click, you create a documented gap that is easy to challenge.
Online forms and cookies
Each form should state its purpose and avoid unnecessary collection. For non-essential trackers, prior consent and a refusal path as simple as acceptance are expected: the CAI has repeated this several times (see cookie banner). Do not load Google Analytics or the Meta pixel before the user's choice if those tools are not strictly necessary.
Common web mistakes
- US or European template not adapted to Quebec (wrong laws, wrong authorities).
- Frozen text from three years ago while HubSpot, Meta, or your CRM has changed.
- Vague language: "partners" without naming them.
- Policy hard to find: missing footer link or unreadable PDF on mobile.
- Ignored cookie refusal: trackers deployed despite "Refuse".
For an overall SMB structure, see also Law 25 privacy policy template for SMBs.
In brief
On the web, compliance is visible: up-to-date policy, reachable privacy officer, lean forms, cookies under control. Update the policy whenever marketing tools change, not only when a customer complains.
Useful references
- CAI, Digital context: expectations for websites, cookies, and technologies.
- Cookie banner and CAI: consent and equivalent refusal.
- Express checklist: self-assessment including policy and cookies.
This text is informational and does not constitute legal advice. For a decision binding your organization, consult the CAI and a legal professional.
Check your website
This is exactly what our scan checks on the surface: policy, cookies, trackers, privacy officer contact. Run a free technical scan: it complements, but does not replace, your compliance program.