What Law 25 actually requires in a privacy policy, a skeleton you can adapt, and why a GDPR template copied from France fails in Quebec.

Search for "privacy policy template" and you will find dozens of free models to copy and paste. Most were written for the European GDPR, often for French websites. Dropped as-is onto a Quebec SMB's site, they produce a document that looks compliant and isn't. As our summary of Law 25 obligations for SMBs shows, Quebec's law follows its own logic, and the privacy policy is where that shows most visibly.
Since September 22, 2023, publishing a privacy policy has been a legal obligation the moment your business collects personal information through technological means. A contact form qualifies. So does a customer service email address.
This article walks through what the law requires you to disclose, offers a skeleton you can adapt, and clarifies the distinction most SMBs miss: the policy published on your site is not the only document the law demands.
Since September 22, 2023, any business that collects personal information through technological means (a website, a form, an email address) must publish a privacy policy written in simple and clear terms: that is section 8.2 of Quebec's Act respecting the protection of personal information in the private sector, as amended by Law 25. The policy must cover what section 8 requires you to disclose: the purposes of collection, the means used, the rights of access and rectification, the right to withdraw consent, the third parties who receive the information, and the possibility that it may be communicated outside Quebec. Add the title and contact information of your person in charge of the protection of personal information (section 3.1) and, if the site uses identification, geolocation or profiling technologies, the disclosures required by section 8.1, with those functions turned off by default. This public document is distinct from the internal governance policies required by section 3.2.
The requirement comes from section 8.2 of the Act: anyone collecting personal information through technological means must publish a privacy policy on their website, written "in simple and clear terms", and give notice of every change to it. The explanatory guide from Quebec's privacy regulator, the Commission d'accès à l'information (CAI), published in December 2023, lists a website, an app, or simply an email address as qualifying technological means.
The penalty ceilings are oversized for an SMB: up to $10 million or 2% of worldwide turnover in administrative monetary penalties (section 90.12), up to $25 million or 4% under the penal regime (section 91). Nobody will levy those amounts on a twelve-person company. But failing to inform people as section 8 requires is explicitly on the list of sanctionable defaults (section 90.1), and it is the easiest one to spot: a regulator only has to visit your site.
The law actually requires two distinct things, and nearly every free template conflates them.
The first, in section 3.2, is the "governance policies and practices": an internal framework covering the rules for retaining and destroying personal information, the roles and responsibilities of your staff throughout the information's life cycle, and a process for handling complaints. This framework must be approved by your privacy officer, be proportionate to your activities, and detailed information about it must also be published on your website.
The second, in section 8.2, is the privacy policy itself: the public document that tells your visitors what you collect and why.
The CAI's guide devotes a full section to keeping these apart. The privacy policy speaks to your visitors; the governance policies frame your internal practices, including what your employees do with personal information, right down to the AI tools they sometimes use without telling you. A template that merges the two, or ignores the second, satisfies neither obligation properly.
Section 8 sets the list: the purposes of collection, the means used, the rights of access and rectification, the right to withdraw consent and, where applicable, the third parties for whom the information is collected or to whom it is communicated, and the possibility that it may be communicated outside Quebec.
On that last point, a very Quebec-specific detail: "outside Quebec" includes the rest of Canada. A cloud provider with servers in Ontario triggers section 17, which requires a privacy impact assessment before the information leaves the province.
Section 8 has a second list, to be provided "on request": the personal information collected, the categories of people who have access to it within the business, how long it is kept, and the privacy officer's contact information. The CAI's guide suggests including these up front, and the math is simple: answering those requests one at a time costs more than publishing once.
Section 3.1 has also required, since September 2022, that the title and contact information of your person in charge of the protection of personal information appear on your website. By default, that person is the highest authority in the business: in an SMB, the president, unless the role is delegated in writing.
Finally, if one of your tools makes decisions based exclusively on automated processing (a credit score, resume screening, some AI agents), section 12.1 obliges you to inform the person no later than the moment of the decision; the policy is the natural place to announce it.
Section 8.1 targets technologies with functions that can identify a person, locate them, or profile them. If your site uses any, you must inform people beforehand, along with the means available to activate those functions. The CAI's guide is explicit: they must be deactivated by default.
Quebec's logic is therefore not the European cookie banner's. The GDPR reasons in terms of prior consent to placing cookies; the Quebec law reasons in terms of activation: profiling functions stay off until the person turns them on. A curious detail: section 9.1, which imposes maximum privacy by default on technological products, expressly excludes cookies; section 8.1 does not. The practical consequence: an analytics tool that identifies or profiles visitors needs an activation mechanism and a clear mention in the policy. A tool that identifies, locates and profiles no one falls outside section 8.1. That is a serious argument for cookieless analytics, which is what we install by default for our clients.
Even a well-drafted GDPR template fails in Quebec on at least four specific points.
Legitimate interest does not exist here. European templates justify half their processing with that GDPR legal basis, which has no equivalent in the Quebec statute: the regime rests on consent plus narrow statutory exceptions. Every paragraph invoking legitimate interest describes processing whose legal basis remains to be established.
The geography is wrong. "Outside the EU" corresponds to nothing in section 17; the Quebec threshold is crossed at the Ottawa River, Toronto included.
The DPO is not the privacy officer. The GDPR requires a data protection officer only in specific cases; the Quebec law designates the business's highest authority by default and requires their title and contact information to be published.
The recourse is not the CNIL. A compliant policy points to your internal complaint process, the one section 3.2 obliges you to have, and to the Commission d'accès à l'information, not to a French authority.
Add data portability, in force in Quebec since September 22, 2024 and limited to information collected from the person (not information created or inferred about them), and the conclusion is hard to avoid: seriously adapting a GDPR template is more work than writing a Quebec policy from the right structure.
Here is the structure we use, aligned with section 8 and the CAI's guide.
1. Who we are. Business name, the policy's effective date, the date of the last update.
2. How we collect your information. Forms, email, newsletter, cookies; third parties collecting on your behalf (payments, newsletter provider).
3. What we collect, and why. Categories of information and the matching purposes; the options for refusing certain collection and their consequences.
4. Tracking technologies. Cookies and analytics tools; profiling functions if any, off by default, with how to activate them.
5. Who has access. Internal categories of staff; third-party recipients; whether information may be communicated outside Quebec.
6. Retention and security. Retention periods; a brief description of security measures.
7. Your rights. Access, rectification, withdrawal of consent, portability, complaints through your internal process, with the CAI as recourse.
8. Privacy officer. Title and contact information.
9. Changes. How updates will be announced, the notice being required by section 8.2.
It is a structure, not text to copy: each section must describe your actual practices. A policy that promises practices you don't have is worse than no policy at all, because it documents the gap.
The work comes down to three steps: inventory what your site actually collects (every form, every third-party tool, every cookie), write the policy from the skeleton above, then put your internal governance policies in writing so the complaint process you announce actually exists. For a simple site, that is a few days of work, not a few months.
If you would rather hand off the inventory, it is something we do regularly for our clients, alongside redesigning or maintaining their site.
This article explains legal obligations in plain language to help an SMB ask the right questions; it is not legal advice. The text of the Act respecting the protection of personal information in the private sector and the positions of the Commission d'accès à l'information prevail: for a specific situation, consult a lawyer.
Written by