Québec by Design: Building Loyalty That's Law 25 and Bill 96 Compliant from Day One
In Québec, compliance isn't a layer you add after launch. It's an architecture decision — and making it early costs a fraction of making it late.
Two laws now govern any loyalty program operated in Québec, and neither forgives improvisation. Law 25 governs personal data: explicit, granular, purpose-specific consent; privacy by default; a portability right effective since September 2024; and a disclosure obligation for any decision based exclusively on automated processing. The penalties aren't symbolic: up to CAD 10 million or 2% of worldwide turnover in administrative fines, and double that on the penal side. Bill 96, in turn, mandates French on every commercial communication, with a private right of action for the consumer who isn't properly served.
The mistake most teams make is treating both regimes as end-of-project checks — a legal review before launch. In Québec, that's an architecture error. Granular consent, de-identification, perfect language parity can't be bolted onto a program already built; they determine its data structure.
Consent as a data schema, not a checkbox
Under Law 25, consent must be free, informed, and specific to each purpose. Concretely, that forbids bundled consent: a customer can accept the loyalty program while refusing advertising profiling, and your system must honor that granularity at the record level. If your data model doesn't carry consent per purpose from the design phase, you'll have to rebuild it — and migrating a poorly consented base is an expensive nightmare. Add that profiling and tracking must be off by default, enabled only on express consent: the exact inverse of the opt-out logic many programs still run.
De-identification, anonymization, and the line that changes everything
The Anonymization Regulation, published in May 2024, sets a high bar: data is anonymized only if the person can no longer be re-identified, directly or indirectly. The distinction is operational. De-identified data is still personal data and keeps all its obligations; only truly anonymized data escapes them. For a retail media team looking to monetize segments, knowing precisely which side of that line each dataset lives on isn't a legal footnote — it's what determines what you're allowed to sell.
Bill 96 is not translation
The trap with Bill 96 is mistaking it for a translation project. It isn't one. French must be present, complete, and of at least equivalent quality on every surface: emails, terms, preference center, notifications, the program interface. Building English first and translating later invariably produces blind spots — a forgotten transactional notification, an English-only consent label — and each one is an offense exposed to action. Parity has to be a design constraint, not an end-of-cycle task.
Build in the right order
Sequence is the whole game. Model consent per purpose before you write the first activation rule. Decide the de-identification/anonymization line before you promise anything to retail media. Treat French parity as a day-one requirement, not a last-minute deliverable. Done in that order, the compliance overhead is marginal. Done backward — compliance after launch — it becomes a rebuild. In Québec, "compliant by design" isn't a governance slogan: it's the difference between a program you ship and a program you redo.