CAI Complaint-Risk Checklist: E-commerce Cookie Banner
For: Newport Thomson client engagements assessing Law 25 cookie compliance on Quebec-facing e-commerce sites.
How to use it: Walk the site as a first-time visitor, in a private/incognito browser, from a Quebec IP if possible. Score each item Pass / Fail / Partial. Items are ranked by complaint risk: the higher the risk, the more likely a CAI complaint or audit will land on this. The “trap” notes are the things vendor checklists and consent-platform marketing pages routinely get wrong.
Tier 1 – High complaint risk
These are the items most likely to trigger a CAI complaint, an audit finding, or an administrative monetary penalty. Get these right first.
1. Non-essential cookies do not fire before consent. Open the site in incognito, with a network inspector running. Before clicking anything on the banner, no analytics, advertising, social, or profiling cookies should load. Only strictly-necessary cookies (session, cart, security, language) are allowed pre-consent. Why this is Tier 1: this is the single most common Quebec compliance failure and the easiest for a complainant to document with a screenshot. It hits sections 8.1 and 14 of the Act directly, and the CAI’s December 2023 privacy policy guidelines (per Miller Thomson) say cookies that identify, locate, or profile must be “disabled by default” with an express-consent banner. Trap: Google Analytics 4 in default mode counts as profiling and must be off until consent. “Anonymized IP” is not a free pass.
2. Reject is as easy as Accept. Count the clicks. If “Accept All” is one click but “Reject All” requires going into a “Manage Preferences” screen and toggling things off, that’s a fail. Both buttons should be on the first banner, equal visual weight, equal click count. Why this is Tier 1: “free” consent under section 14 means the visitor isn’t pressured. A friction asymmetry between Accept and Reject is the textbook dark pattern, and it’s the first thing any complainant or auditor screenshots. Trap: a “Continue” or “X” button that closes the banner without rejecting is a fail, because it doesn’t record a refusal, and silence isn’t consent under Law 25.
3. Consent is granular by category. The banner offers separate toggles for at least: analytics, advertising/marketing, functional/preferences, and (if used) social media. Bundling all non-essential cookies into one Accept/Reject pair is a fail. Why this is Tier 1: the CAI’s 2023 valid-consent guidelines require “granular” consent such that each purpose gets its own choice. Trap: “personalization” is not a category; it’s a marketing word. If your client’s banner says “personalization cookies” and that bucket includes both site preferences and ad targeting, that’s exactly the kind of blurred category to avoid: split it and use plain language to name each one.
4. The cookie list is real, current, and accurate. Click into the preferences screen. Every cookie the site actually sets should be listed by name, purpose, duration, and whether it’s first-party or third-party. Do a network-tab audit and compare against the disclosed list. Missing cookies are a fail. Why this is Tier 1: sections 8 and 8.1 require informed disclosure at collection. A list that says “we use analytics cookies” without naming them is not informed. Trap: most consent platforms auto-scan and auto-populate, but they miss server-side tags, custom integrations, and anything fired through a tag manager that wasn’t in the scan. Audit manually.
5. Cross-border data transfer is disclosed. If any cookie sends data outside Quebec (Google, Meta, TikTok, US-based ad networks, US-hosted analytics: in practice, almost always yes), the privacy policy and the banner’s “learn more” link must say so, and identify the destination. Why this is Tier 1: section 17 of the Act requires a Privacy Impact Assessment before transferring personal information outside Quebec, and section 8 requires the visitor be told this is happening. The CAI has been explicit that out-of-province transfer is a recurring pressure point. Trap: “We may transfer data to our service providers” is too vague. Country of destination matters.
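The network-tab audit behind items 1 and 4 (and the third-party-host sweep that feeds item 5) can be scripted once the pre-consent capture is saved as a HAR file. The script below is an added example written for this checklist; it is not the checklist’s own tooling or any consent platform’s code. It assumes the HAR was exported from a private window before any banner interaction, and the HAR excerpt, the disclosed inventory and the host names in it are all constructed sample data.

```python
"""Pre-consent cookie audit: HAR capture vs. disclosed cookie inventory.

Added example for checklist items 1 and 4. Feed it a HAR exported from the
browser's network tab BEFORE touching the banner, plus the cookie list the
banner's preferences screen discloses. It reports:
  - non-essential cookies that fired before consent            (item 1)
  - cookies observed that the preferences screen never lists   (item 4)
  - third-party hosts contacted before consent, for the
    cross-border disclosure check                               (item 5)
"""
from __future__ import annotations

import json
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed HAR excerpt (not a real capture): two first-party responses and
# one analytics beacon, all seen before the visitor clicked anything.
SAMPLE_HAR = json.dumps({"log": {"entries": [
    {"request": {"url": "https://shop.example.ca/"},
     "response": {"cookies": [
         {"name": "PHPSESSID", "domain": "shop.example.ca"},
         {"name": "cart_id", "domain": "shop.example.ca"},
         {"name": "_ga", "domain": ".example.ca"},
     ], "headers": []}},
    {"request": {"url": "https://www.google-analytics.com/g/collect?v=2"},
     "response": {"cookies": [], "headers": []}},
    {"request": {"url": "https://shop.example.ca/fr/"},
     "response": {"cookies": [], "headers": [
         # Some exporters only keep the raw header; parse it as well so a
         # cookie the platform's auto-scan missed still shows up.
         {"name": "Set-Cookie",
          "value": "_fbp=fb.1.1700000000000.123; Path=/; Domain=.example.ca"},
     ]}},
]}})

# Constructed inventory: cookie name -> category as disclosed on the banner.
DISCLOSED = {
    "PHPSESSID": "strictly-necessary",
    "cart_id": "strictly-necessary",
    "lang": "strictly-necessary",
    "_ga": "analytics",
}


@dataclass(frozen=True)
class ObservedCookie:
    name: str
    domain: str
    set_by: str  # host of the request whose response set the cookie


def _parse_set_cookie(value: str, request_host: str) -> ObservedCookie:
    """Minimal Set-Cookie parser: name before '=', optional Domain attribute."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    domain = request_host
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        if key.strip().lower() == "domain" and val.strip():
            domain = val.strip()
    return ObservedCookie(name, domain, request_host)


def observed_cookies(har_text: str) -> set[ObservedCookie]:
    """Collect every cookie set in the capture, from HAR cookie objects and raw headers."""
    found: set[ObservedCookie] = set()
    for entry in json.loads(har_text)["log"]["entries"]:
        host = urlsplit(entry["request"]["url"]).hostname or ""
        resp = entry.get("response", {})
        for c in resp.get("cookies", []):
            found.add(ObservedCookie(c["name"], c.get("domain", host), host))
        for h in resp.get("headers", []):
            if h.get("name", "").lower() == "set-cookie":
                found.add(_parse_set_cookie(h["value"], host))
    return found


def audit(har_text: str, disclosed: dict[str, str], site_host: str,
          essential=("strictly-necessary",)) -> dict:
    """Compare the pre-consent capture with the disclosed inventory."""
    obs = observed_cookies(har_text)
    hosts = {urlsplit(e["request"]["url"]).hostname or ""
             for e in json.loads(har_text)["log"]["entries"]}
    non_essential = sorted({c.name for c in obs
                            if c.name in disclosed and disclosed[c.name] not in essential})
    undisclosed = sorted({c.name for c in obs if c.name not in disclosed})
    third_party = sorted(h for h in hosts if h and h != site_host)
    return {
        "non_essential_before_consent": non_essential,  # item 1 fail if non-empty
        "undisclosed": undisclosed,                      # item 4 fail if non-empty
        "third_party_hosts": third_party,                # check each against item 5
        "passes": not non_essential and not undisclosed,
    }


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_HAR, DISCLOSED, "shop.example.ca"), indent=2))
```

On the constructed capture the report flags `_ga` as a non-essential cookie that fired pre-consent, `_fbp` as set but never disclosed, and `www.google-analytics.com` as a third-party host contacted before any choice was made; all three are the screenshots a complainant would take. Real HAR files are large, so run it on a capture of the landing page plus one product page and treat every name it prints as a line item to resolve, not as a pass.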
Tier 2 – Medium complaint risk
Less likely to be the standalone reason for a complaint, but they show up in any serious audit and they compound the Tier 1 problems.
6. Withdraw consent is as easy as giving it. There’s a persistent way to change cookie choices. It is usually a footer link (“Cookie preferences” or similar) that re-opens the banner. A buried “contact our privacy officer to withdraw” workflow is a fail. Why: section 14 requires withdrawal to be possible. The CAI’s consent guidelines require it be as easy as the original consent. Trap: clearing browser cookies is not “withdrawal.” The site has to provide a UI mechanism.
7. The banner is in French (or French and English). Quebec’s Charter of the French language applies independently of Law 25. A French-only or French-and-English banner is fine; English-only on a site marketing to Quebec is not. Why: Charter compliance is enforced separately by the OQLF, but a CAI complainant will mention it, and “we couldn’t read the consent in French” is a free shot at the validity of the consent itself. Trap: auto-translation by the consent platform sometimes produces French that’s technically wrong (e.g. “biscuits” for cookies instead of “témoins”). Have a francophone review it.
8. Privacy policy is linked from the banner and written in clear, plain language. The banner includes a visible link to the full privacy/confidentiality policy. The policy itself is written in plain language, names the privacy officer, lists categories of cookies, third-party recipients, retention periods, and rights. Why: sections 8.2 and 3.2 require a published privacy policy in clear and simple language. The CAI’s December 2023 guidelines on privacy policies (Miller Thomson summary) are the operative checklist here. Trap: a 4,000-word legalese policy isn’t “clear and simple,” even if it covers everything.
9. Consent is logged with proof. Behind the scenes, the consent platform stores: who consented (anonymized identifier), when, what version of the banner they saw, what categories they chose, and the consent string. The client can produce this on demand. Why: the CAI valid-consent guidelines require consent be “demonstrable.” If a complainant says “I never consented,” the burden is on the business to prove otherwise. Trap: many cheap consent tools log only a Yes/No flag in localStorage, which gets cleared and proves nothing. Server-side logging is the standard.
10. Privacy officer’s name and contact info are findable in two clicks. From any page, two clicks to a name and email. Why: section 3.1 requires publication of the privacy officer’s title and contact. The CAI’s guidance specifically emphasizes find-ability. Trap: “Contact us” forms that don’t identify the privacy officer don’t satisfy this. There has to be a name (or at minimum a clearly designated role) and a direct contact channel.
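Item 9 asks for consent that the business can actually prove. The example below, added here and not taken from the checklist or from any consent platform, shows the minimum a server-side log needs to hold to answer “did this visitor consent to X, and when?”: a pseudonymous subject id, a timestamp, the banner version shown, the per-category choices (item 3), a stable consent string, and withdrawal recorded as just another entry (item 6). The secret, the banner version label and the session ids are constructed placeholders.

```python
"""Demonstrable consent log (checklist item 9).

Added example, not a consent platform's code. Assumes the server holds a
secret used only to pseudonymize visitor identifiers, and that the site
manages a banner version string that changes whenever the banner's text or
categories change.
"""
from __future__ import annotations

import hashlib
import hmac
from datetime import datetime, timezone

# Granular categories, one toggle each (item 3). Strictly-necessary cookies
# need no consent, so they are deliberately not a category here.
CATEGORIES = ("analytics", "advertising", "functional", "social")
ACTIONS = ("accept_all", "reject_all", "custom", "withdraw")

SERVER_SECRET = b"constructed-placeholder-secret"  # placeholder: load from a secret store


def pseudonymous_id(visitor_id: str) -> str:
    """HMAC the raw identifier so the log never stores it, but the same
    visitor always maps to the same subject id."""
    return hmac.new(SERVER_SECRET, visitor_id.encode(), hashlib.sha256).hexdigest()[:32]


def consent_string(choices: dict[str, bool]) -> str:
    """Stable, human-readable encoding of every category, e.g. 'analytics=1;advertising=0;...'."""
    return ";".join(f"{c}={int(bool(choices.get(c, False)))}" for c in CATEGORIES)


def record_consent(log: list[dict], visitor_id: str, banner_version: str,
                   choices: dict[str, bool], action: str,
                   when: str | None = None) -> dict:
    """Append one consent event. Every field the CAI's 'demonstrable' test
    needs is captured at the moment of the click."""
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    unknown = set(choices) - set(CATEGORIES)
    if unknown:
        raise ValueError(f"unknown categories {sorted(unknown)}")
    if action in ("reject_all", "withdraw") and any(choices.values()):
        raise ValueError("reject/withdraw cannot carry positive choices")
    entry = {
        "subject": pseudonymous_id(visitor_id),
        "timestamp": when or datetime.now(timezone.utc).isoformat(),
        "banner_version": banner_version,
        "action": action,
        "choices": {c: bool(choices.get(c, False)) for c in CATEGORIES},
        "consent_string": consent_string(choices),
    }
    log.append(entry)
    return entry


def current_consent(log: list[dict], visitor_id: str) -> dict | None:
    """Latest entry for this visitor, or None if they never made a choice.
    Silence is not consent, so None means 'no non-essential cookies'."""
    sid = pseudonymous_id(visitor_id)
    mine = [e for e in log if e["subject"] == sid]
    return mine[-1] if mine else None


def proof_for(log: list[dict], visitor_id: str, category: str) -> dict:
    """What the business produces when a complainant says 'I never consented'."""
    latest = current_consent(log, visitor_id)
    if latest is None:
        return {"consented": False, "evidence": None}
    return {"consented": latest["choices"].get(category, False), "evidence": latest}


if __name__ == "__main__":
    events: list[dict] = []
    record_consent(events, "sess-abc", "banner-2026-01", {"analytics": True}, "custom")
    print(proof_for(events, "sess-abc", "analytics"))
    record_consent(events, "sess-abc", "banner-2026-01", {}, "withdraw")
    print(proof_for(events, "sess-abc", "analytics"))
```

Two design points matter for the audit: the log is append-only, so a withdrawal never erases the original grant (you can show both the consent and its revocation), and the banner version is stored with each event, so if the categories or wording change you can show exactly what the visitor saw. A localStorage Yes/No flag gives you neither.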
Tier 3 – Lower complaint risk, but tells the story
These don’t usually trigger complaints on their own, but they’re tells. A CAI auditor seeing a Tier 1 failure plus three Tier 3 fails will assume systemic non-compliance.
11. No pre-ticked boxes anywhere on the site. Newsletter signup, account creation, anywhere consent is collected. Why: the CAI 2023 valid-consent guidelines explicitly reject pre-ticked boxes for any purpose. Section 14 again. Trap: “we’ll send you marketing emails” with a default-checked box at checkout is the most common e-commerce violation in Quebec.
12. Children-under-14 protection. If the e-commerce site is plausibly used by minors (toys, kids’ clothing, gaming, etc.), the banner and signup flows account for parental consent for under-14s. Why: Law 25 added explicit under-14 protections in September 2024. Trap: “by clicking accept you confirm you’re 14+” is not enough if the site is marketed to children – the CAI will look at the actual audience.
13. The privacy policy reflects the site as it actually is. Compare the policy’s list of cookies, third parties, and purposes against what the site is actually doing. Drift between the two is common after marketing teams add new tools. Why: a privacy policy that doesn’t match reality is a misrepresentation, which the CAI treats more harshly than a mere oversight. Trap: this drifts every quarter as the marketing team adds new pixels. Build a quarterly review into your Privacy & Data Protection Management Program, specifically for cookies and data collection webforms.
14. No “consent walls” or “cookie walls.” The site is usable, at minimum browseable for product info, even if the visitor rejects all non-essential cookies. Why: “free” consent under section 14 is undermined if the only way to use the site is to consent. The CAI hasn’t issued a specific cookie-wall ruling yet, but the European regulators (whose framework Quebec has tracked closely) have all rejected cookie walls. Trap: “Subscribe to access” is fine; “consent to cookies to access” is not.
15. The banner doesn’t reappear on every page after a choice is made. Once the visitor decides, the choice persists for a reasonable session/period. Re-prompting on every page nudges toward fatigue-acceptance, which compromises validity. Why: indirectly, this falls under “free” consent again. Trap: a 30-day cookie that records the choice is reasonable; a session-only one that re-prompts every visit is borderline coercive.
What this checklist deliberately doesn’t do
- It doesn’t predict CAI enforcement. As of early 2026, there is no published CAI decision on a website cookie banner specifically. The Metro facial-recognition decision (April 2025) shows the CAI takes a broad, liberal interpretation of consent obligations and treats biometric/identifying information seriously, but nothing yet on cookies. Risk rankings here are based on the statute, the CAI’s published guidance, and analogous European enforcement, not on Quebec case law that doesn’t exist yet.
- It doesn’t replace a Privacy Impact Assessment (PIA). Anything involving cross-border transfer, sensitive data, or new tracking technology needs a Privacy Impact Assessment under section 3.3. This checklist tells you whether the banner is okay; it doesn’t tell you whether the underlying data flows are.
- It doesn’t replace counsel for high-stakes builds. Marketplace platforms, sites collecting health/financial/biometric data, sites with kids under 14, and anything where a CAI complaint has already landed – those need a Quebec privacy lawyer, not a checklist.
The checklist works because it’s specific, ranked, and tied to actual sources. It’s a quarterly audit tool.
Sources – written with the help of Claude Opus 4.7 using a detailed privacy skills script, with rigorous fact-checking by our privacy professionals.
- Act respecting the protection of personal information in the private sector, CQLR c P-39.1 (CanLII) – Tier 1: primary law – https://www.canlii.org/en/qc/laws/stat/cqlr-c-p-39.1/latest/cqlr-c-p-39.1.html Why this source: Sections 3.1, 3.2, 3.3, 8, 8.1, 8.2, 9.1, 14, 17 are all in play across this checklist. The current consolidated text is the only place to verify what’s actually in force.
- CAI – “Principaux changements apportés par la Loi 25” – Tier 2: regulator – https://www.cai.gouv.qc.ca/protection-renseignements-personnels/sujets-et-domaines-dinteret/principaux-changements-loi-25 Why this source: CAI’s own summary, including the explicit confirmation that the privacy-by-default rule does not apply to connection-cookie settings, the carve-out that makes the essential vs. non-essential cookie split workable.
- Miller Thomson – “New guidelines on Québec privacy policies” – Tier 4: established law firm – https://www.millerthomson.com/en/insights/cybersecurity/new-guidelines-on-quebec-privacy-policies/ Why this source: Walks through the CAI’s December 2023 privacy policy guidelines (French only at source), including the regulator’s explicit statement that identifying/locating/profiling cookies must be disabled by default and require an express-consent pop-up or banner. This is the strongest non-statutory anchor for Tier 1 items 1–4.
- ROBIC – “Cookies and Similar Technologies in the Province of Quebec” – Tier 4: established law firm – https://www.robic.ca/en/?publications=cookies-and-similar-technologies-in-the-province-of-quebec Why this source: Confirms the essential vs. non-essential cookie framing is the practical resolution of the section 8.1 / 9.1 tension, and explicitly notes there is no Quebec case law on cookies, which is important for honest risk-ranking.
- Torys LLP – “Québec’s CAI adopts a broad and liberal interpretation… (Metro decision)” – Tier 4: established law firm analysis of a Tier 3 decision – https://www.torys.com/our-latest-thinking/publications/2025/04/cai-renseignements-biometriques Why this source: The Metro facial-recognition decision (April 2025) is the closest thing to a CAI enforcement signal on tracking technology. It shows the CAI’s interpretive posture, broad and liberal toward privacy protection, which is the lens any cookie-related complaint will be read through.
