For: Newport Thomson client engagements assessing Law 25 cookie compliance on Quebec-facing e-commerce sites.

How to use it: Walk the site as a first-time visitor, in a private/incognito browser, from a Quebec IP if possible. Score each item Pass / Fail / Partial. Items are ranked by complaint risk: the higher the risk, the more likely a CAI complaint or audit will land on that item. The “trap” notes are the things vendor checklists and consent-platform marketing pages routinely get wrong.

Tier 1 – High complaint risk

These are the items most likely to trigger a CAI complaint, an audit finding, or an administrative monetary penalty. Get these right first.

  1. Non-essential cookies do not fire before consent. Open the site in incognito, with a network inspector running. Before clicking anything on the banner, no analytics, advertising, social, or profiling cookies should load. Only strictly-necessary cookies (session, cart, security, language) are allowed pre-consent. Why this is Tier 1: this is the single most common Quebec compliance failure and the easiest for a complainant to document with a screenshot. It hits sections 8.1 and 14 of the Act directly, and the CAI’s December 2023 privacy policy guidelines (per Miller Thomson) say cookies that identify, locate, or profile must be “disabled by default” with an express-consent banner. Trap: Google Analytics 4 in default mode counts as profiling and must be off until consent. “Anonymized IP” is not a free pass.
  2. Reject is as easy as Accept. Count the clicks. If “Accept All” is one click but “Reject All” requires going into a “Manage Preferences” screen and toggling things off, that’s a fail. Both buttons should be on the first banner, equal visual weight, equal click count. Why this is Tier 1: “free” consent under section 14 means the visitor isn’t pressured. A friction asymmetry between Accept and Reject is the textbook dark pattern, and it’s the first thing any complainant or auditor screenshots. Trap: a “Continue” or “X” button that closes the banner without rejecting is a fail as it doesn’t record a refusal, and silence isn’t consent under Law 25.
  3. Consent is granular by category. The banner offers separate toggles for at least: analytics, advertising/marketing, functional/preferences, and (if used) social media. Bundling all non-essential cookies into one Accept/Reject pair is a fail. Why this is Tier 1: the CAI’s 2023 valid-consent guidelines require “granular” consent such that each purpose gets its own choice. Trap: “personalization” is not a category; it’s a marketing word. If your client’s banner says “personalization cookies” and that bucket includes both site preferences and ad targeting, that’s the kind of blurred category the skill warns about. Split it and use plain language to name each one.
  4. The cookie list is
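
Added example (not part of the Newport Thomson checklist): one way to turn the item 1 check into a repeatable test is to save the network inspector's capture as a HAR file before touching the banner and scan it for non-essential cookies. The allowlist of strictly-necessary cookie names, the tracker indicators, the Pass/Fail/Partial mapping and the sample capture are all assumptions constructed for illustration.

```python
"""Check a pre-consent HAR capture for non-essential cookies (checklist item 1)."""
from urllib.parse import urlsplit

# Assumption: names the (hypothetical) site documents as strictly necessary.
NECESSARY = {"session_id", "cart", "csrf_token", "lang"}
# Illustrative, non-exhaustive indicators; extend per engagement.
TRACKER_COOKIE_PREFIXES = ("_ga", "_gid", "_gcl_", "_fbp")
TRACKER_HOSTS = ("google-analytics.com", "doubleclick.net", "connect.facebook.net")

def is_tracker_host(host):
    return any(host == d or host.endswith("." + d) for d in TRACKER_HOSTS)

def preconsent_findings(har):
    """Return sorted (kind, host, detail) tuples for a HAR saved before any banner click."""
    findings = set()
    for entry in har["log"]["entries"]:
        url = urlsplit(entry["request"]["url"])
        host = url.hostname or ""
        if is_tracker_host(host):
            findings.add(("tracker-request", host, url.path))
        # Response cookies come from Set-Cookie; request cookies also reveal
        # cookies written by scripts via document.cookie (how _ga is set).
        cookies = entry["response"].get("cookies", []) + entry["request"].get("cookies", [])
        for name in (c["name"] for c in cookies):
            if name in NECESSARY:
                continue
            tracker = name.startswith(TRACKER_COOKIE_PREFIXES)
            findings.add(("tracker-cookie" if tracker else "unclassified-cookie", host, name))
    return sorted(findings)

def score_item_1(findings):
    """Assumed mapping: any tracker is Fail; unknown cookies need manual review (Partial)."""
    if any(kind.startswith("tracker") for kind, _, _ in findings):
        return "Fail"
    return "Partial" if findings else "Pass"

def _entry(url, set_cookies=(), sent_cookies=()):
    return {"request": {"url": url, "cookies": [{"name": n} for n in sent_cookies]},
            "response": {"cookies": [{"name": n} for n in set_cookies]}}

# Constructed sample capture, not taken from a real site.
SAMPLE_HAR = {"log": {"entries": [
    _entry("https://shop.example/", set_cookies=["session_id", "lang"]),
    _entry("https://www.google-analytics.com/g/collect?v=2"),
    _entry("https://shop.example/cart", sent_cookies=["session_id", "_ga", "promo_seen"]),
]}}

if __name__ == "__main__":
    for finding in preconsent_findings(SAMPLE_HAR):
        print(*finding)
    print("Item 1:", score_item_1(preconsent_findings(SAMPLE_HAR)))
```

For a real engagement, export the HAR from the browser's network inspector and pass the result of json.load() on that file to preconsent_findings(); keep the HAR alongside the screenshot as evidence.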