For a Quebec online retailer, Law 25 is not limited to a privacy policy posted somewhere on the site. Every customer interaction generates personal information: browsing, purchases, accounts, order history, communications. And every tool integrated into your store, whether it is an email marketing platform, a tracking pixel, or a payment solution, potentially processes that information on your behalf and therefore falls within your obligations.
Cookies and Tracking Pixels
This is one of the most visible points for customers, and often the least well managed. Law 25 requires you to obtain visitors' consent before placing non-essential cookies, such as advertising tracking or behavioral analytics.
What this means in practice:
- A cookie consent banner that clearly distinguishes essential cookies (site functionality) from optional ones (advertising, analytics)
- The ability for visitors to accept or refuse each category separately
- No pre-checking optional boxes
- A mechanism to withdraw consent as easily as it was given
Social media tracking pixels (Meta Pixel, TikTok Pixel, etc.) belong to the advertising category and therefore require prior consent. If the pixel script is loaded on page view, it sets its cookies and reports the visit to the vendor before the visitor has had any chance to refuse; that is collection without consent. A quick check: open the browser's developer tools in a fresh private window, load a product page, and confirm that no request to the pixel vendor's domain is made before you interact with the banner.
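The requirements above (refused by default, per-category choice, withdrawal that actually removes the tracker) come down to one rule in the storefront's JavaScript: a non-essential script must not run until the matching category has been granted, and must be torn down when it is withdrawn. The following is an added example of that gating logic, not code from the original page or from any vendor. It assumes a small storage adapter (`get`/`set`/`remove`) and loader/cleanup callbacks supplied by whoever integrates the pixel; the in-memory store and the fake pixel in `demo()` are constructed so the example runs offline in Node. In a real store the cleanup callback would expire the vendor's cookies (for Meta Pixel, the first-party `_fbp` cookie) and the store would be backed by a first-party cookie or localStorage.

```javascript
// Consent gate for non-essential scripts (added example, not the article's code).
// Assumed interface for `store`: { get(key), set(key, value), remove(key) }.

const CATEGORIES = ['essential', 'analytics', 'advertising'];
const CONSENT_KEY = 'consent'; // assumed storage key

class ConsentManager {
  constructor(store) {
    this.store = store;
    this.scripts = []; // registered non-essential scripts
    this.state = this.load();
  }

  // Restore a previous choice; anything missing or corrupt is treated as refused.
  load() {
    const state = { essential: true, analytics: false, advertising: false, ts: null };
    const raw = this.store.get(CONSENT_KEY);
    if (raw) {
      try { Object.assign(state, JSON.parse(raw)); } catch (e) { /* corrupt value: keep defaults */ }
    }
    state.essential = true; // essential cookies never depend on consent
    return state;
  }

  // Register a script under a category. `load` runs only once that category is
  // granted; `cleanup` runs when it is withdrawn (expire the vendor's cookies there).
  register(category, load, cleanup) {
    if (!CATEGORIES.includes(category) || category === 'essential') {
      throw new Error(`register() expects a non-essential category, got ${category}`);
    }
    const entry = { category, load, cleanup, loaded: false };
    this.scripts.push(entry);
    this.apply(entry);
    return entry;
  }

  apply(entry) {
    const allowed = this.state[entry.category] === true;
    if (allowed && !entry.loaded) { entry.load(); entry.loaded = true; }
    else if (!allowed && entry.loaded) { entry.cleanup(); entry.loaded = false; }
  }

  // Called when the visitor submits the banner, e.g. { analytics: true, advertising: false }.
  // Only an explicit `true` grants a category; 'essential' and unknown keys are ignored.
  update(choices) {
    for (const [cat, value] of Object.entries(choices)) {
      if (cat === 'essential' || !CATEGORIES.includes(cat)) continue;
      this.state[cat] = value === true;
    }
    this.state.ts = new Date().toISOString(); // when the choice was recorded
    this.store.set(CONSENT_KEY, JSON.stringify(this.state));
    this.scripts.forEach((entry) => this.apply(entry));
  }

  // Withdrawal must be as easy as granting: one call refuses every optional category.
  withdrawAll() {
    this.update({ analytics: false, advertising: false });
  }

  hasConsent(category) {
    return this.state[category] === true;
  }
}

// In-memory store so the example runs outside a browser (constructed for the demo).
class MemoryStore {
  constructor() { this.map = new Map(); }
  get(key) { return this.map.has(key) ? this.map.get(key) : null; }
  set(key, value) { this.map.set(key, value); }
  remove(key) { this.map.delete(key); }
}

// Constructed walkthrough: a fake advertising pixel that records when it fires.
function demo() {
  const store = new MemoryStore();
  const cm = new ConsentManager(store);
  const log = [];
  cm.register('advertising',
    () => log.push('pixel loaded'),
    () => log.push('pixel removed'));   // real cleanup: expire _fbp etc.
  // Page load: nothing has fired yet because advertising defaults to refused.
  cm.update({ advertising: true, analytics: false }); // visitor accepts ads only
  cm.withdrawAll();                                    // later withdraws
  return { log, state: cm.state };
}
```

One browser-side pattern that fits this manager is to ship vendor snippets as `<script type="text/plain" data-category="advertising">` and have the `load` callback swap the type to `text/javascript`; the snippet then cannot execute until `update()` grants the category, whatever order the tags appear in.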
Customer Account Data
When a customer creates an account on your store, you collect personal information: name, email address, shipping address, order history. This information is collected for a specific purpose (making future purchases easier, managing returns), and you cannot use it for other purposes without consent.
Questions to ask yourself:
- Did you clearly indicate at account creation what information you collect and why?
- How long do you retain this data after the last transaction?
- If a customer requests account deletion, what happens to their data?
Payment Data
Cardholder data is governed by the PCI DSS standard. If you use a hosted checkout or tokenized payment fields from your processor (Stripe, PayPal, Shopify Payments, etc.), the card number never touches your own systems and most of that burden falls on the processor. But you almost certainly retain transaction records (amount, date, last four digits, billing address, order reference) that, combined with other data, identify a person. That information is personal information under Law 25 and needs the same purpose, retention, and access handling as the rest of the customer record.
Loyalty Programs
Loyalty programs often collect more information than necessary: detailed purchase history, visit frequency, preferences, behavioral data. Each of these elements must be justified by a clear purpose, declared at the time of enrollment.
If you use this data for personalization or advertising targeting, this must be explicitly mentioned in your privacy policy, and consent must be obtained for these secondary uses.
Email Marketing Consent
Sending marketing emails to customers in Quebec is governed by both Law 25 and Canada's Anti-Spam Legislation (CASL). Express consent is required for sending commercial electronic messages. This consent must be:
- Free (not pre-checked by default)
- Informed (the person understands what they are signing up for)
- Documented (you must be able to prove that consent was given)
Automatically adding every customer who placed an order to your mailing list does not meet these requirements. CASL does allow implied consent for a limited period after a purchase, but relying on it leaves you without documented express consent, and it does not satisfy Law 25, which requires consent to use the customer's information for a purpose other than the one it was collected for. Ask for the consent at the time of the order, with an unchecked box, and record when and how it was given.
Third-Party Integrations
Your online store is probably connected to several tools: email marketing platform (Klaviyo, Mailchimp), analytics tools (Google Analytics), CRM, chat applications, returns management solutions. Each of these providers acts as a subcontractor in the processing of personal information.
Law 25 requires you to have contracts with these subcontractors that reflect your obligations. The general terms of service of a SaaS tool are not always sufficient. Verify that your main providers offer a Data Processing Agreement and sign it.
Data Transferred Outside Quebec
Many SaaS tools used by Quebec retailers host their data in the United States or elsewhere. Under Law 25, before communicating personal information outside Quebec you must carry out a privacy impact assessment and conclude that the information will receive adequate protection in the destination, taking into account its sensitivity, the purposes of the transfer, the protection measures in place, and the legal regime that applies there.
This assessment must be documented. If you use common American tools (Shopify, Klaviyo, Google Analytics), these providers generally have contractual mechanisms in place, but it is up to you to ensure they are adequate.
A Checklist for Online Stores
- Compliant cookie consent banner with granular options
- Up-to-date privacy policy mentioning all tools used
- Process for handling access and deletion requests
- Data processing agreements signed with main providers
- Documented express consent for email marketing
- Defined retention periods for customer data
- Incident response plan in place
Observantia supports online retailers in putting these foundations in place, with tools adapted to the realities of digital operations.
This content is provided for informational purposes only and does not constitute legal advice. For questions specific to your situation, consult a qualified legal professional.