Most Quebec sites we audit load GA4 and the Meta Pixel before any consent. Law 25 has required the opposite since September 2023, with penalty ceilings running up to $25M. The real issue isn't legal, it's marketing: complying without destroying the signal that feeds your campaigns. Here's how to do both.
What we see in audits, week after week
We audit Quebec ad accounts every week. The pattern is constant: GA4 and the Meta Pixel fire on page load, before any consent. No banner, or a decorative banner that blocks nothing.
Across the SMB sites we review, that's the majority of cases. Not out of bad faith — most owners assume their Shopify theme or WordPress plugin "handles it." It handles nothing: the tag fires anyway, the cookie gets set anyway.
Law 25 has been in force on this point since September 2023. Nearly three years later, the gap between what the law requires and what sites actually do is still enormous. And it's verifiable in 30 seconds: open your site in a private window, pull up the Network tab in dev tools, search for "facebook" and "google-analytics." If requests fire before you've clicked anything, you're in the non-compliant group.
This isn't a question of whether anyone will notice. The Commission d'accès à l'information (CAI) takes complaints, and any competitor or unhappy customer can file one.
“Consent first, cookies second: no non-essential tag fires before an explicit yes.”
What Law 25 actually requires from a marketing site
We're marketing operators, not lawyers. What follows is field experience — not legal advice.
For an e-commerce or lead-gen site, the obligations come down to four blocks:
- Consent before non-essential cookies. GA4, Meta Pixel, heatmap tools, TikTok tags: none of it loads before clear, active consent. Strictly necessary cookies (cart, session, security) are exempt.
- A privacy policy published on the site, in French, written in plain language: what you collect, why, who you share it with, how long you keep it.
- A designated privacy officer. By default, it's the person with the highest authority — meaning you, if you own the business. Their title and contact information must be published.
- A breach process. Keep a register of confidentiality incidents, and notify the CAI and affected individuals when there's a risk of serious harm.
None of this requires a $400/hour law firm for a standard marketing site. The technical piece — blocking tags before consent — is where almost everyone fails, and it's what the rest of this article covers.
The penalties: read the ceilings, understand the target
The numbers making the rounds are real, but they're ceilings. Administrative monetary penalties: up to $10M or 2% of worldwide turnover, whichever is higher. Penal fines: up to $25M or 4% of worldwide turnover.
Nobody is going to hit a Shopify store in Trois-Rivières with $10M over a misconfigured pixel. The CAI targets negligence: businesses that know, that have been warned, and that do nothing. The factors written into the law include how long the violation lasted and what was done to fix it.
The real risk for an SMB is more mundane: a complaint from a customer or competitor, an investigation request, hours of management overhead, and being forced to fix everything under supervision — at the worst possible time. Add the commercial risk: B2B buyers and partners are starting to ask for proof of compliance before they sign.
Our operator's read: the cost of compliance for a standard marketing site is a few days of work and a CMP subscription under $100/month. The cost of non-compliance is unpredictable and grows over time. That kind of asymmetry doesn't deserve months of hesitation.
The 5-step compliance sequence
Order matters. Here's the sequence we run:
- Inventory. Open your site with Google Tag Assistant or the Network tab. List every tag that fires: analytics, pixels, heatmaps, chat. You'll find more than you expect.
- Pick a certified CMP. Choose a Google-certified consent management platform (Cookiebot, Axeptio, CookieYes, among others) with a French interface and native Consent Mode v2 integration.
- Wire up real blocking. In Google Tag Manager, make every non-essential tag conditional on consent. Test in a private window: zero requests to Meta or GA4 before the "Accept" click.
- Publish the legal layer. French privacy policy, name and email of your privacy officer, an incident register — even a simple internal document is enough to start.
- Restore the signal. Enable Consent Mode v2, deploy Meta CAPI with deduplication, then watch your conversions for 2-4 weeks to establish the new baseline.
Step 3 is where implementations fail: the banner shows up, but the tags fire anyway. That's exactly the kind of thing we check in our free audit — the tracking portion covers consent, Consent Mode, and CAPI. And if you're already at the implementation stage, talk to us.