Last reviewed: 2026-05-05 · Reviewer: M.K., CIPP/E

Quebec — analytics & cookie compliance reference

What you can run on a Quebec-targeted website without a CAI inquiry — Law 25 phased 2022/2023/2024, mandatory Privacy Officer for ALL businesses, and a French-language requirement that overlays the privacy stack. CAI is the sole regulator.

// SCOPE

Web analytics, cookies, tag managers, CMPs, ad pixels, and session-replay tools as deployed on websites and apps targeting Quebec residents. Sectoral rules (health, finance, employment) are touched only where they intersect with the analytics layer. French-language obligations under the Charte de la langue française apply on top.

Applicable laws

The legal framework that governs personal data processing here.

National addons

Country-specific statutes layered on the EU baseline.

Quebec Law 25
An Act to modernize legislative provisions as regards the protection of personal information (Bill 64)
Comprehensive overhaul of Quebec's Loi sur le secteur privé. Imposes GDPR-style obligations on any private-sector enterprise that collects, uses, or discloses personal information of Quebec residents — irrespective of where the enterprise is established. Stricter than PIPEDA on consent, transfers, breach reporting, and accountability.
  • § 3.1 Privacy Officer (Personne responsable de la protection des renseignements personnels) — mandatory for ALL businesses, no headcount threshold (Phase 1, 2022)
  • § 3.5 Confidentiality incident reporting — mandatory notification to CAI + affected individuals when risk of serious injury (Phase 1, 2022)
  • § 3.2 Privacy policies — must be published in clear plain language; governance framework mandatory (Phase 2, 2023)
  • § 3.3 Privacy Impact Assessment (Évaluation des facteurs relatifs à la vie privée, ÉFVP) — mandatory before any high-risk processing or new IT system (Phase 2, 2023)
  • § 14 Consent — must be express, free, informed, and granular for each purpose; bundled consent prohibited (Phase 2, 2023)
  • § 17 Cross-border transfer impact assessment — mandatory written analysis before transferring personal information outside Quebec (Phase 2, 2023)
  • § 27 Right to data portability — structured, commonly used, technological format (Phase 3, 2024)
  • § 8.1 Profiling and automated decision-making — mandatory disclosure + opt-out for individual decisions based solely on automated processing
  • § 90.1 Administrative monetary penalties up to CAD $10M or 2% of worldwide turnover (whichever is higher)
  • § 91 Penal fines up to CAD $25M or 4% of worldwide turnover (whichever is higher) — among the highest in North America
S.Q. 2021, c. 25 — assented 22 Sep 2021. Phased into force 22 Sep 2022 / 22 Sep 2023 / 22 Sep 2024.
Charte de la langue française
Charter of the French Language (Bill 96 reform, 2022)
French-language obligations apply on top of privacy law. Privacy notices, cookie banners, consent flows, and privacy policies must be available in French — and French must be the default and at least as prominent as any other language. OQLF (Office québécois de la langue française) enforces independently of the CAI.
  • § 51-52.1 Inscriptions on a product, signage, commercial publications, websites — must be in French; other languages permitted only if French is at least as prominent
  • § 52.1 Websites and social media — French version mandatory for any business doing business in Quebec
  • § 205-208 Penalties — fines up to CAD $30,000 per offense for legal persons; doubled on repeat
CQLR c. C-11; major overhaul by Bill 96 (S.Q. 2022, c. 14), phased into force 1 Jun 2022 onward
Loi sur le secteur privé
An Act respecting the protection of personal information in the private sector
The pre-existing private-sector privacy statute, now substantially rewritten by Law 25. References to 'Quebec privacy law' and 'Law 25' in practice point to the same modernized text. Continues to govern collection, use, retention, and disclosure of personal information by private enterprises.
  • § 4-9 Collection — purpose limitation, minimization, transparency
  • § 10-13 Use and disclosure — secondary-purpose restrictions; commercial-prospecting limits
  • § 18-22 Retention, accuracy, and destruction obligations
CQLR c. P-39.1 — modernized in its entirety by Law 25

Regulators

Supervisory authorities that interpret and enforce privacy law here.

FEDERAL
CAI · Commission d'accès à l'information du Québec
Sole privacy regulator for Quebec — supervises both the public sector (Loi sur l'accès) and the private sector (Loi sur le secteur privé / Law 25). Adjudicative + oversight + investigative + sanctioning powers all consolidated.

Coordination body

CAI + OPC · Coordination between Commission d'accès à l'information du Québec and the federal Office of the Privacy Commissioner of Canada
Quebec-resident processing falls primarily under Law 25 (CAI). PIPEDA still applies to inter-provincial and international transfers, and to federally regulated industries (banking, telecom, transport). The CAI and OPC coordinate via memoranda of understanding for cross-jurisdictional cases.
  • 2023-09-22 · Phase 2 transition — CAI published guidance on consent granularity, governance frameworks, and ÉFVP (PIA) methodology — aligned closely with EDPB guidelines on GDPR Art 7 and 35.
  • 2024-06 · Cross-border transfers — CAI guidance on § 17 transfer impact assessments — written analysis required regardless of destination, including transfers to other Canadian provinces.
  • 2025-08 · First Notice of Non-Compliance published — CAI issued its first publicly named Notice of Non-Compliance under Law 25 enforcement powers — signals end of the educational grace period.

Notable enforcement

The CAI ramped up enforcement gradually after Phase 1 (2022). The first major Law 25 inquiries opened in 2023 once Phase 2 substantive obligations applied. Phase 3 readiness checks dominated 2024 communications. The first publicly named Notice of Non-Compliance was issued in August 2025 — the CAI signalled that the educational grace period is over. Penalty exposure is substantial on paper (CAD $10M / 2% admin; CAD $25M / 4% penal — comparable to GDPR), but headline fines remain rare; the CAI's pattern so far is corrective orders, public naming, and follow-up audits rather than maximum monetary sanctions.

GA4 status

GA4 is usable in Quebec only with prior, express, granular consent under Law 25 § 14. The CAI has not issued a GA4-specific decision but its guidance on consent + § 17 cross-border transfer assessment aligns closely with the GDPR baseline applied to Google Analytics in the EU. Privacy notice + consent banner must be available in French per the Charter of the French Language. Server-side hosting in Canada and IP-anonymization are recommended supplementary measures.

DPA · Stance
CAI · No GA4-specific ruling. Generic guidance: explicit consent for non-essential analytics, § 17 transfer impact assessment for US-hosted processing, privacy policy must list categories of recipients including Google. French-language disclosure mandatory.

Cross-border transfers + Schrems II

Quebec Law 25 § 17 imposes a unique cross-border transfer impact assessment on any transfer of personal information outside Quebec — including to other Canadian provinces, not only to non-adequate jurisdictions. The controller must conduct and document a written analysis weighing the sensitivity of the data, the purposes, the protection measures, and the legal regime in the destination jurisdiction. CAI guidance (Jun 2024) clarifies the methodology. The EU-US Data Privacy Framework is not directly relevant — Quebec applies its own assessment regardless of US adequacy status under EU law.

No mandatory contractual template. CAI accepts contractual safeguards drafted to reflect the § 17 assessment. Many enterprises use IAPP / OPC model clauses adapted with Quebec-specific addenda (Privacy Officer designation, French-language data-subject communication, breach notification to CAI within prescribed time).

Employee data

Key thresholds

  • DPO mandatory at: ≥1 employees
  • Child consent age: 14 years
  • Article 27 representative: Required
  • Marketing consent: Double opt-in

Vendor signals

Red / yellow / green markers are an editorial reading of public regulator guidance and published enforcement actions, applied to vendor behavior we can observe or that the vendor documents. They are not legal conclusions, not endorsements, and not advice about your specific processing. Configuration changes the picture — a "yellow" vendor in one configuration may be defensible in another.

Analytics tools · 4 · 0 green · 3 yellow · 1 red
Vendor · Status · Rationale
 YELLOW Visitor ID cookie + cross-suite stitching with Experience Platform. DPIA strongly recommended; configure ECID + IP obfuscation.
 YELLOW EU residency available on paid plans; default cloud is US. Persistent user IDs require config + DPA + DPF chain.
 YELLOW EU cloud helps but session recording + autocapture default to PII collection. Disable autocapture and recordings or self-host for green.
 RED Auto-capture grabs every click and form value — broad PII risk under GDPR Art 5(1)(c) data minimization.
Consent management platforms · 5 · 5 green · 0 yellow · 0 red
Vendor · Status · Rationale
 GREEN Danish-based, EU-hosted. Auto-blocks third-party scripts pre-consent — verify your manual scripts also gate.
 GREEN Italian-based, EU-hosted. Free tier limits 5k pageviews/mo; granular per-vendor controls require paid plan.
 GREEN Open-source, self-hosted. No managed updates — site owner maintains vendor list.
 GREEN GDPR + CCPA + multi-region templates available. Common config error: GDPR/CCPA mode mismatch — verify per-region defaults.
 GREEN German-based, EU-hosted. v3 SDK required for Consent Mode v2; TCF flow can over-collect for non-AdTech sites.
Ad pixels · 3 · 0 green · 0 yellow · 3 red
Vendor · Status · Rationale
 RED Loads pre-consent if naively placed; cross-device matching broad. Block until consent + IAB TCF string set.
 RED Schrems II concerns persist; advanced matching hashes PII but does not fix EU→US transfer problem.
 RED PRC-parent ownership flagged by Italian Garante and EDPB; transfers to China contested. Consent + risk acknowledgement required.
Server-side · 3 · 2 green · 1 yellow · 0 red
Vendor · Status · Rationale
 GREEN EU-only datacenters strong for FR/DE compliance; per-event pricing scales steeply at high traffic.
 GREEN EU server containers handle the routing — but server-side tagging does NOT auto-fix consent. CMP must still gate browser-side pings.
 YELLOW "EU server" ≠ EU data — clients still transmit to Google ad backends downstream. Use only for Google-ecosystem first-party-routing.

Common questions

How is Quebec Law 25 different from PIPEDA?
PIPEDA is the federal Canadian private-sector privacy law; Quebec Law 25 is provincial and applies on top whenever personal information of Quebec residents is processed. Law 25 is substantively stricter — explicit granular consent (no implied consent for non-essential purposes), mandatory Privacy Officer for ALL businesses, mandatory ÉFVP (PIA), § 17 cross-border transfer impact assessment, profiling disclosure, and penalties up to CAD $25M / 4% of worldwide turnover. PIPEDA continues to apply to inter-provincial and international transfers and to federally regulated industries.
When did Law 25 enter into force?
Law 25 was assented to on 22 Sep 2021 and phased in over three years. Phase 1 (22 Sep 2022): Privacy Officer designation + breach reporting to CAI and affected individuals. Phase 2 (22 Sep 2023): express granular consent, written privacy policy, ÉFVP for high-risk processing, § 17 transfer assessment, automated-decision disclosure. Phase 3 (22 Sep 2024): right to data portability in structured commonly-used technological format.
Do I need a French-language privacy notice?
Yes. The Charte de la langue française (strengthened by Bill 96 in 2022) requires that any business doing business in Quebec publish its website, privacy notice, cookie banner, and consent flow in French. French must be the default and at least as prominent as any other language. The OQLF (Office québécois de la langue française) enforces this independently of the CAI, with fines up to CAD $30,000 per offense for legal persons.
Do I need a Privacy Officer if I'm a small business?
Yes. Law 25 § 3.1 imposes a mandatory Privacy Officer (Personne responsable de la protection des renseignements personnels) on every enterprise that collects, uses, or discloses personal information of Quebec residents — there is no headcount threshold. By default the role falls on the most senior person of the enterprise, but it can be delegated in writing. The Privacy Officer's contact details must be published on the enterprise's website.
What is the § 17 cross-border transfer impact assessment?
Law 25 § 17 requires a written assessment before transferring personal information outside Quebec — including to other Canadian provinces, not just to non-adequate jurisdictions. The assessment must consider sensitivity of the data, purposes, protection measures, and the legal regime of the destination. It must be documented and producible to the CAI on request. CAI guidance (Jun 2024) clarifies the methodology. There is no Quebec equivalent of EU adequacy decisions — every transfer requires its own assessment.
What is the consent age in Quebec?
14 years. Under Law 25, minors aged 14 and above can give valid consent for the processing of their personal information; below 14, parental or guardian consent is required. This is lower than GDPR's 16 (with member-state derogation) and lower than several other Canadian frameworks. Caution: services targeting children under 14 face additional restrictions under § 4.1.
What fines does the CAI impose?
Two parallel tracks. Administrative monetary penalties (§ 90.1): up to CAD $10 million or 2% of worldwide turnover (whichever is higher), imposed by the CAI directly. Penal fines (§ 91): up to CAD $25 million or 4% of worldwide turnover (whichever is higher), through the courts. These ceilings are among the highest in North America and comparable to GDPR Art 83. Headline maximums remain rare in practice — corrective orders and public naming are the more common outcomes so far.
Is consent under Law 25 the same as under GDPR?
Functionally very close. § 14 requires consent that is express (no implied consent for non-essential purposes), free, informed, granular (per purpose), and time-limited to the stated purpose. Bundled consent and pre-ticked boxes are prohibited. CAI guidance maps closely onto EDPB guidelines on GDPR Art 7. The practical difference: Law 25 emphasizes purpose-by-purpose granularity even more aggressively in compliance reviews.
Does Law 25 apply if my business is outside Quebec?
Yes, on the targeting test. Any private-sector enterprise that collects, uses, or discloses personal information of Quebec residents falls within Law 25 — irrespective of where the enterprise is established. Indicators include French-language website, .ca or .qc.ca domain, CAD pricing, advertising in Quebec, or shipping to Quebec addresses. Non-Quebec enterprises must designate a Privacy Officer who can be reached by Quebec residents.
What is an ÉFVP and when do I need one?
ÉFVP (Évaluation des facteurs relatifs à la vie privée) is the Quebec equivalent of a Privacy Impact Assessment. § 3.3 requires one before any project involving acquisition, development, or overhaul of an information system that processes personal information, and before any high-risk processing including profiling, large-scale processing of sensitive data, or use of automated decision-making. The ÉFVP must be documented, retained, and producible to the CAI on request.

// EDITORIAL · NOT LEGAL ADVICE

This page summarises Quebec's privacy framework as of 2026-05-05. Rules vary by sector, establishment, and DPA position. For binding interpretation, consult counsel admitted here.