Skip to content
All articles
StrategyPublished on Jul 7, 2026~6 min read

Law 25 and Cookie Consent: Comply Without Killing Your Ad Performance

Most Quebec sites still fire GA4 and the Meta Pixel without consent. What Law 25 actually requires, what you're risking, and how to comply without sacrificing your ad signal.

F
Founder
12 years in e-commerce growth
03

Most Quebec sites we audit load GA4 and the Meta Pixel before any consent. Law 25 has required the opposite since September 2023, with penalty ceilings running up to $25M. The real issue isn't legal, it's marketing: complying without destroying the signal that feeds your campaigns. Here's how to do both.

01

What we see in audits, week after week

We audit Quebec ad accounts every week. The pattern is constant: GA4 and the Meta Pixel fire on page load, before any consent. No banner, or a decorative banner that blocks nothing.

Across the SMB sites we review, that's the majority of cases. Not out of bad faith — most owners assume their Shopify theme or WordPress plugin "handles it." It handles nothing: the tag fires anyway, the cookie gets set anyway.

Law 25 has been in force on this point since September 2023. Nearly three years later, the gap between what the law requires and what sites actually do is still enormous. And it's verifiable in 30 seconds: open your site in a private window, pull up the Network tab in dev tools, search for "facebook" and "google-analytics." If requests fire before you've clicked anything, you're in the non-compliant group.

This isn't a question of whether anyone will notice. The Commission d'accès à l'information (CAI) takes complaints, and any competitor or unhappy customer can file one.

Consent first, cookies second: no non-essential tag fires before an explicit yes.
02

What Law 25 actually requires from a marketing site

We're marketing operators, not lawyers. What follows is field experience — not legal advice.

For an e-commerce or lead-gen site, the obligations come down to four blocks:

  • Consent before non-essential cookies. GA4, Meta Pixel, heatmap tools, TikTok tags: none of it loads before clear, active consent. Strictly necessary cookies (cart, session, security) are exempt.
  • A privacy policy published on the site, in French, written in plain language: what you collect, why, who you share it with, how long you keep it.
  • A designated privacy officer. By default, it's the person with the highest authority — meaning you, if you own the business. Their title and contact information must be published.
  • A breach process. Keep a register of confidentiality incidents, and notify the CAI and affected individuals when there's a risk of serious harm.

None of this requires a $400/hour law firm for a standard marketing site. The technical piece — blocking tags before consent — is where almost everyone fails, and it's what the rest of this article covers.

03

The penalties: read the ceilings, understand the target

The numbers making the rounds are real, but they're ceilings. Administrative monetary penalties: up to $10M or 2% of worldwide turnover, whichever is higher. Penal fines: up to $25M or 4% of worldwide turnover.

Nobody is going to hit a Shopify store in Trois-Rivières with $10M over a misconfigured pixel. The CAI targets negligence: businesses that know, that have been warned, and that do nothing. The factors written into the law include how long the violation lasted and what was done to fix it.

The real risk for an SMB is more mundane: a complaint from a customer or competitor, an investigation request, hours of management overhead, and being forced to fix everything under supervision — at the worst possible time. Add the commercial risk: B2B buyers and partners are starting to ask for proof of compliance before they sign.

Our operator's read: the cost of compliance for a standard marketing site is a few days of work and a CMP subscription under $100/month. The cost of non-compliance is unpredictable and grows over time. That kind of asymmetry doesn't deserve months of hesitation.

04

The real problem: the banner cuts your ad signal

Here's why so many marketers stall: a compliant banner drops your measured conversions. Some visitors decline, others ignore the banner — and every refusal is a conversion GA4 and Meta no longer see. Across the market, we commonly see sites lose a quarter to a third of their tracked conversions overnight.

The algorithm doesn't distinguish between "fewer sales" and "less signal." It optimizes with what it sees. Less data, blurrier targeting, rising acquisition costs. It's the same signal problem we documented in our piece on the Meta Pixel and CAPI — Law 25 just amplifies it.

The technical answer exists and it's mature:

  • Google Consent Mode v2: when a visitor declines, GA4 and Google Ads receive anonymized, cookieless pings, and Google models the missing conversions. You recover a meaningful part of the picture without touching personal information.
  • Meta Conversions API: events fire from your server, deduplicated against the pixel — and consent status is respected server-side too. CAPI is not a loophole for tracking people who said no; it's a way to make the signal from people who said yes reliable.

Compliance and performance aren't opposites. The properly instrumented accounts we manage keep a usable signal after the banner.

05

The 5-step compliance sequence

Order matters. Here's the sequence we run:

  1. Inventory. Open your site with Google Tag Assistant or the Network tab. List every tag that fires: analytics, pixels, heatmaps, chat. You'll find more than you expect.
  2. Pick a certified CMP. Choose a Google-certified consent management platform (Cookiebot, Axeptio, CookieYes, among others) with a French interface and native Consent Mode v2 integration.
  3. Wire up real blocking. In Google Tag Manager, make every non-essential tag conditional on consent. Test in a private window: zero requests to Meta or GA4 before the "Accept" click.
  4. Publish the legal layer. French privacy policy, name and email of your privacy officer, an incident register — even a simple internal document is enough to start.
  5. Restore the signal. Enable Consent Mode v2, deploy Meta CAPI with deduplication, then watch your conversions for 2-4 weeks to establish the new baseline.

Step 3 is where implementations fail: the banner shows up, but the tags fire anyway. That's exactly the kind of thing we check in our free audit — the tracking portion covers consent, Consent Mode, and CAPI. And if you're already at the implementation stage, talk to us.

Borgia Digital · About the author

Ready to put all this into practice on your brand?

Reading articles helps. Turning them into revenue is our job. Here are the two fastest ways to get started.

60% of prospects turned downWithin 24 business hoursNo pitch deck
F
About the author
Founder
12 years in e-commerce growth

The best of the field, once a month

Our monthly letter with our best field learnings. No spam, one-click unsubscribe.

Ready to talk growth?

Book 30 minutes with us, or send a message if you'd rather walk us through your project in writing.