Quebec Law 25 (Bill 64): The Complete Cookie Consent and Privacy Guide for Publishers in 2026
Most North American privacy conversations start and end with California. That framing is outdated. Quebec's Law 25, formerly known as Bill 64, now imposes penalties that eclipse the CCPA, CPRA, and every US state law — up to CAD $25 million or 4% of worldwide turnover, whichever is higher. The final phase of Law 25 took effect on September 22, 2024, introducing a full data portability right, and enforcement has sharpened through 2025 and into 2026. Any publisher, SaaS platform, or adtech vendor with Quebec traffic now faces GDPR-grade obligations — often more demanding than the GDPR itself in specific areas like cross-border transfers and automated decision-making notices.
What Quebec Law 25 actually requires
Law 25 amends Quebec's existing private-sector privacy law (the Act Respecting the Protection of Personal Information in the Private Sector) and brings it closer to the European GDPR while keeping distinctly Canadian features. The core requirements that affect publishers and digital operators are:
- Explicit, granular consent before collecting or using personal information for any purpose beyond the one originally disclosed.
- A designated Privacy Officer (the highest-ranking executive by default, unless formally delegated) whose name and contact must be published on the website.
- Mandatory Privacy Impact Assessments (PIAs) before launching any project involving personal information, especially cross-border transfers or new technology.
- Breach notification to the Commission d'accès à l'information (CAI) and to affected individuals when the breach presents a risk of serious injury.
- Individual rights including access, rectification, deletion, portability, and — uniquely — the right to be informed about automated decision-making and to request human review.
The enforcement body is the Commission d'accès à l'information du Québec (CAI), which has issued formal investigation notices to multiple international publishers and platforms throughout 2025. Unlike some regulators, the CAI has shown willingness to pursue non-Canadian entities serving Quebec residents.
Cookie consent specifics: stricter than GDPR in key areas
Law 25 does not use the word "cookie" directly, but its definition of technology that identifies, locates, or profiles an individual captures cookies, pixels, fingerprinting, and SDK-based mobile identifiers. Section 8.1 is the critical provision: any such technology must be disabled by default and require active consent to turn on.
No pre-ticked boxes, no implied consent
This language is stricter than the GDPR's ePrivacy framework in one specific way: not only must consent be opt-in, but the underlying technology must be technically disabled until consent is granted. A cookie banner that loads analytics before the user clicks accept violates Law 25 even if the banner itself is technically correct. Publishers must implement genuine consent-gated script loading, similar to Google Consent Mode v2 in advanced mode — basic mode is generally insufficient.
Profile-based personalization requires separate consent
If you use cookies to build a user profile for personalized advertising, Law 25 treats that as a distinct purpose requiring its own consent layer, on top of the baseline consent for cookie placement. A single "accept all" button that bundles storage, analytics, and personalization is at risk — Quebec's regulator has signalled a preference for granular per-purpose toggles.
Cross-border transfers: the PIA requirement
Quebec is the only Canadian province that requires a formal Privacy Impact Assessment before transferring personal information outside Quebec — including to the rest of Canada, to the United States, and to European data centers. The PIA must evaluate:
- The sensitivity of the data involved.
- The purpose and necessity of the transfer.
- The legal framework of the destination jurisdiction.
- The contractual and technical safeguards in place.
For publishers, this most commonly affects analytics, tag management, CDN logs, and ad server data flowing to US infrastructure. A Quebec-adequacy PIA does not block these transfers, but it requires documented assessment and — critically — written confirmation from the receiving party that the data will be protected under equivalent principles. Standard US-hosted SaaS contracts rarely include this language by default and must be amended.
Automated decision-making notices
Section 12.1 of Law 25 is unique in North American law: if a business uses personal information to make a decision based exclusively on automated processing, it must:
- Inform the individual at or before the time the decision is made.
- On request, explain the personal information used, the reasons, and the principal factors that led to the decision.
- Provide the opportunity to submit observations to a human reviewer.
For adtech, this captures programmatic decisioning on bid requests, dynamic pricing, fraud scoring, and any AI-assisted content ranking. Publishers rarely control these algorithms directly — they rely on SSPs and DSPs — but Law 25 treats the publisher as a joint responsible party when the decision uses data the publisher collected. Adding a short automated-decision disclosure to your privacy notice is the minimum viable compliance step.
Practical compliance checklist for 2026
Step 1: Map Quebec traffic and data flows
Use IP geolocation in your analytics to estimate Quebec visitor volume. Even if Quebec is less than 5% of your audience, the 4%-of-turnover penalty makes it disproportionately risky to ignore. Map every cookie, pixel, and SDK that fires for Quebec users and where its data lands.
Step 2: Deploy a consent-gated CMP
Your CMP must support true script-level blocking, not cosmetic banner dismissal. FlexyConsent and other Google-certified CMPs offer Quebec-specific geo rules that pair Law 25 logic with broader Consent Mode v2 and GPP US-national signals. Pre-configured Quebec mode should default all non-essential categories to off.
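The script-level blocking described here and under Section 8.1, combined with the separate consent layer for personalization, can be sketched as follows. This is an added example, not code from the original article or from any CMP it names; the ConsentGate class, the purpose names, and the tag URLs are hypothetical.

```javascript
// Added example. Purpose names and tag URLs are hypothetical placeholders.
const PURPOSES = ["analytics", "personalization", "advertising"];

class ConsentGate {
  constructor(loadScript) {
    this.loadScript = loadScript; // injected, so the gate also runs without a DOM
    this.granted = new Set();     // empty: every non-essential purpose starts off
    this.pending = [];            // tags registered but not yet fetched
  }
  // Declare a tag with every purpose it serves; it stays queued until all are granted.
  register(src, purposes) {
    if (!purposes.length || purposes.some((p) => !PURPOSES.includes(p))) {
      throw new Error(`tag ${src} must declare known purposes`);
    }
    this.pending.push({ src, purposes });
    this.flush();
  }
  // Only a strict boolean true grants a purpose. Any other supplied value
  // ("true", 1, false) turns it off; a missing key leaves it unchanged.
  setConsent(choices) {
    for (const p of PURPOSES) {
      if (choices[p] === true) this.granted.add(p);
      else if (p in choices) this.granted.delete(p);
    }
    this.flush();
  }
  // Fetch each pending tag whose purposes are all granted; keep the rest queued.
  flush() {
    const ready = this.pending.filter((t) => t.purposes.every((p) => this.granted.has(p)));
    this.pending = this.pending.filter((t) => !ready.includes(t));
    ready.forEach((t) => this.loadScript(t.src));
  }
}
// Browser loader: the <script> element is created only after consent.
function domLoader(src) {
  const el = Object.assign(document.createElement("script"), { src, async: true });
  document.head.appendChild(el);
}

// Constructed walk-through using a recording loader instead of the DOM.
function demo() {
  const fetched = [];
  const gate = new ConsentGate((src) => fetched.push(src));
  gate.register("https://tags.example/analytics.js", ["analytics"]);
  gate.register("https://tags.example/profile-ads.js", ["advertising", "personalization"]);
  const beforeChoice = [...fetched];
  gate.setConsent({ analytics: true, advertising: true, personalization: "true" });
  return { beforeChoice, afterChoice: [...fetched], stillBlocked: gate.pending.map((t) => t.src) };
}
```

In a page, construct the gate with `domLoader` and register every non-essential tag through it instead of placing `<script>` elements in the markup. Withdrawing consent here only stops tags that have not yet been fetched, so scripts already running need their own teardown.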
Step 3: Appoint and publish a Privacy Officer
If your organization has no Canadian presence, your CEO or equivalent is the Privacy Officer by default unless you formally delegate in writing. Publish the name and email in your privacy notice — the CAI checks this on first inspection.
Step 4: Complete a PIA before new projects
Every new vendor, every new cross-border transfer, every new tracking technology requires a documented PIA. Template PIAs from the CAI are accepted; you do not need a custom legal opinion for routine analytics or CDN contracts.
Step 5: Update your privacy notice
Quebec requires specific disclosures: the Privacy Officer's contact, the categories of personal information collected, retention periods, third-party recipients, cross-border transfer destinations, and automated-decision practices. A generic GDPR notice almost never satisfies Law 25 without material additions.
How Quebec Law 25 interacts with PIPEDA and the proposed CPPA
PIPEDA, Canada's federal privacy law, applies to commercial activity across Canada, but Quebec's Law 25 takes precedence within Quebec because the province's legislation has been declared substantially similar for private-sector privacy purposes. In practice this means Quebec operations default to Law 25 and PIPEDA only applies to activities that cross provincial lines.
Canada is also modernizing PIPEDA through the proposed Consumer Privacy Protection Act (CPPA). If CPPA passes in its current form, it will bring the rest of Canada closer to Quebec's model — explicit consent, meaningful penalties, a federal Privacy Commissioner with order-making power, and automated-decision transparency. Publishers who build their stack around Quebec Law 25 today will be well positioned for federal changes tomorrow.
The short version: Quebec Law 25 is not a provincial curiosity. It is the template for where Canadian privacy is going and the most aggressive privacy regime in the Americas. Publishers, advertisers, and SaaS vendors serving Canadian traffic should treat Law 25 compliance as a 2026 priority, not a future project.