Does My Site Really Need a Consent Banner?
It’s a question that comes up often.
The short answer is yes, in most cases.
When Do You Need a Banner?
As soon as a website collects personal information from Quebec visitors, Bill 25 applies, regardless of site size or where the company is located. Where there is collection, there are obligations.
What a Consent Banner Actually Does
The consent banner serves to obtain consent before collecting personal information.
As soon as a site uses non-essential cookies, analytics tools, marketing tools, or certain forms, consent must be clear and given before collection. It cannot be implicit or presumed.
The Basic Rule to Remember
Without an explicit response from the user, the answer is no. Silence equals refusal.
In practice, tools must not activate until the person has consented — not after a few seconds or while the banner is displayed.
In many cases, that is exactly where the problem lies. A banner is visible, but cookies are still deposited on the first visit or after a refusal.
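The rule above, sketched as an added example that is not part of the original article: a default-deny gate through which every non-essential tag is registered, so nothing loads on first visit, after a refusal, or on a corrupt stored value. The class, function and category names and the example URLs are assumptions made for illustration.

```javascript
// Added example: default-deny consent gate. All names here are hypothetical.
const CATEGORIES = ['analytics', 'marketing'];

// Read a stored choice. Missing, malformed or non-boolean values count as
// refusal: only a strict `true` enables a category.
function parseConsent(raw) {
  const consent = Object.fromEntries(CATEGORIES.map(c => [c, false]));
  try {
    const stored = JSON.parse(raw);
    for (const c of CATEGORIES) consent[c] = stored[c] === true;
  } catch (_) { /* no answer or corrupt value: stay refused */ }
  return consent;
}

class ConsentGate {
  // loader(src) injects the tag; in a browser it would append a <script>.
  constructor(storedRaw, loader) {
    this.consent = parseConsent(storedRaw);
    this.loader = loader;
    this.tags = [];
    this.loaded = new Map(); // src -> category
  }
  // Non-essential tags are registered here, never loaded directly.
  register(category, src) {
    if (!CATEGORIES.includes(category)) throw new Error(`unknown category: ${category}`);
    this.tags.push({ category, src });
    this.flush();
  }
  // Called only from an explicit click on the banner or the footer link.
  decide(choices) {
    for (const c of CATEGORIES) this.consent[c] = choices[c] === true;
    this.flush();
    // A loaded script cannot be unloaded: a withdrawal needs a reload (and
    // deletion of that tool's cookies) to take effect.
    const reloadRequired = [...this.loaded.values()].some(c => !this.consent[c]);
    return { stored: JSON.stringify(this.consent), reloadRequired };
  }
  flush() {
    for (const { category, src } of this.tags) {
      if (this.consent[category] && !this.loaded.has(src)) {
        this.loaded.set(src, category);
        this.loader(src);
      }
    }
  }
}
```

The string returned in `stored` is what the page would persist and pass back to the constructor on the next visit; a timer or a scroll event must never call `decide`.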
What About Essential Cookies?
Essential cookies are an exception when they are strictly necessary for the site to function.
They can be used without consent, but they must be clearly explained in the privacy policy.
For example: a session cookie to keep the user logged in, a security cookie to prevent CSRF attacks, a load-balancing cookie, or a cookie for the chosen language.
These cookies are not used to analyze behaviour or for marketing — only to ensure the technical operation of the site.
What a Compliant Banner Looks Like
A compliant banner is not limited to an “Accept all” button. It must offer a real choice at the first level of interaction.
A banner that only offers “Accept all” with a “Customize” option that forces the user to click several times to refuse is generally not considered equivalent to a real refusal.
Refusal must be as simple and accessible as acceptance.
The user should not have to navigate multiple screens or manually uncheck each category to exercise their right to refuse.
The choice should also be changeable at any time via a link, usually in the footer.
I like the page at design.quebec.ca on this topic.
Concrete Examples to Understand
Example 1: “Contact Me” Form Without Tracking
The site is informational. No non-essential cookies. No analytics tools. No marketing pixels.
The form asks for a name, email address, and message. When the user fills it in, their consent to collection is implied by the fact that they are providing their information themselves.
In this case, a banner is not mandatory — but the form still collects personal information.
It is recommended to include consent directly in the form, with a note such as: “Your email address is used only to respond to your request. See our Privacy Policy.”
Example 2: Form With Google Analytics Active
The form is identical. However, an analytics tool is active on the site.
Here, collection begins before any user action. Consent can no longer be given only in the form.
In this scenario, a consent banner becomes mandatory so the user can accept or refuse collection before tools activate.
Example 3: Truly Anonymous Form
The site allows submitting a comment without a name, email, account, or IP address retention. No tracking tools are present.
In this specific case, no personal information is collected. No consent is required and no banner is necessary.
Example 4: Event Logs and IP Addresses
The site does no marketing. No non-essential cookies. No external analytics tools.
However, the site retains technical event logs containing visitors’ IP addresses — for example, for security, error detection, or abuse prevention.
An IP address is personal information. There is collection.
In this case, a consent banner is generally not required if collection is strictly necessary for operation, security, or site integrity.
However, this collection must be clearly explained in the privacy policy: purpose of the logs, retention period, and protection measures. Even without a banner, you must:
- clearly explain in the policy that IPs are logged
- specify why
- indicate how long they are retained
- limit their use strictly to that purpose
If these logs are used for analysis, profiling, or correlation with other data, the site falls outside this framework. The banner then becomes necessary.
When the Banner Becomes Inevitable
As soon as an analytics tool, marketing pixel, or non-essential cookies are added, the site leaves this scenario. The banner then becomes necessary.
What to Remember
In practice, compliance does not rest on a sentence in a policy. It rests on concrete mechanisms that actually work for forms, the banner, the privacy policy, and the configuration of technical tools.
If you are not sure what your site collects, when it collects, and how consent is obtained, there is a good chance the problem is not legal — it is operational.
I invite you to click “Follow” to keep learning about information security and privacy topics, and to check your website for free at loi25.certi360.com