Webflow | Law 25 | 10 minutes read

Law 25 and Webflow site: consent, forms, incidents and data outside Quebec

Are you preparing a Webflow site in Quebec? Here are the key points to plan for forms, cookies, incidents and data outside Quebec, without legal advice.

In Quebec, a Webflow site is no longer just a showcase once it contains a contact form, a newsletter, advertising pixels (small codes that track your visitors for advertising) or a connected CRM (software that centralizes your contacts). Each field filled by a person triggers a concrete responsibility to determine what is collected, why, where the data flows and what to do if an incident occurs.

The obligations under Law 25 came into force gradually in Quebec between 2022 and 2024. Since September 22, 2024, all planned provisions have been in force (Source: CAI). Many marketing teams learn about this late, sometimes the day before a redesign and often after a privacy incident.

Here is a technical framework for preparing a Webflow site under Law 25. It covers the following areas: forms, cookies, integrations, sub-processors, transfers outside Quebec and the incident register. This article does not replace legal advice, but it helps you eliminate the most common blind spots before launch.

What your site must make clear before collecting data

Compliance begins before final design. It starts when you list what the site must collect, transmit and retain.

A simple Webflow contact form often sends the name, email, phone, message and sometimes budget to Webflow, a CRM, a newsletter tool and an automation system (which transfers data from one tool to another). That is four destinations for a single submission. However, these data flows are rarely documented.

The privacy policy becomes mandatory as soon as a digital platform collects personal information. It must state what is collected, why, who has access to it, which cookies are used and what the rights of the person concerned are.

Bill 25 also requires internal governance policies on the handling of confidential information, separate from the policy published on the website. Similarly, the title and contact information of the personal information protection officer (PRP) must be published on the website (Source: CAI).

Audit of Webflow forms: start with the simplest

Before discussing compliance, list all data collection points. The most common ones:

  • contact form;
  • demo or submission request;
  • resource download;
  • newsletter subscription;
  • donation or membership for a non-profit;
  • unsolicited application;
  • internal or external survey;
  • chat tool at the bottom of the page.

For each piece of information requested in a form, you must know precisely why you are collecting it. Without a clear reason, you cannot obtain valid consent and it is better not to ask for that information.

Cookies, pixels and analytics tools to inventory

These elements are added to the site as small pieces of code (tags and scripts), often without a formal inventory:

  • GA4 (Google Analytics, the audience measurement tool);
  • Meta Pixel (Facebook and Instagram's advertising tracker);
  • LinkedIn Insight Tag (the equivalent for LinkedIn);
  • Hotjar (which records visitor navigation);
  • HubSpot (a marketing platform and contact management tool);
  • chat tools;
  • personalization engines (which adapt content based on the visitor).

These technologies may contain identification, location, or profiling functions. They must therefore be inventoried, documented, and configured before going live.
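An added example (not from the original article): a small Python inventory of what one published page collects, covering both the form audit and the tag inventory described above. The vendor host list, the `inventory` function and the sample HTML are assumptions made for this illustration.

```python
from html.parser import HTMLParser
# Assumed fingerprints: script hosts commonly used by the tools listed above.
VENDOR_HOSTS = {
    "googletagmanager.com": "GA4 (Google tag)",
    "connect.facebook.net": "Meta Pixel",
    "snap.licdn.com": "LinkedIn Insight Tag",
    "static.hotjar.com": "Hotjar",
    "js.hs-scripts.com": "HubSpot",
}
# Constructed sample page (not a real site).
SAMPLE = """<form name="contact">
<input type="email" name="email"><textarea name="message"></textarea>
<input type="checkbox" name="newsletter" checked><input type="submit" value="Send">
</form>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script>load('https://connect.facebook.net/en_US/fbevents.js');</script>"""

class Inventory(HTMLParser):
    def __init__(self):
        super().__init__()
        self.forms, self.trackers = {}, set()
        self._form, self._in_script = None, False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form = a.get("name") or a.get("id") or "unnamed"
            self.forms[self._form] = []
        elif tag in ("input", "textarea", "select") and self._form:
            kind = a.get("type") or tag
            if kind != "submit":  # hidden inputs are kept: they carry data too
                self.forms[self._form].append((a.get("name"), kind, "checked" in a))
        elif tag == "script":
            self._in_script = True
            self._match(a.get("src") or "")

    def handle_endtag(self, tag):
        self._in_script = False  # script bodies contain no nested tags
        if tag == "form":
            self._form = None
    def handle_data(self, data):  # pixels are often injected by inline loaders
        self._match(data if self._in_script else "")
    def _match(self, text):
        self.trackers.update(v for h, v in VENDOR_HOSTS.items() if h in text)

def inventory(html):
    p = Inventory()
    p.feed(html)
    p.close()
    pre = [n for f in p.forms.values() for n, k, c in f if k == "checkbox" and c]
    return p.forms, sorted(p.trackers), pre
```

Run it over the exported HTML of each published page; tags injected at runtime by a tag manager do not appear in static HTML and still need a manual check.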

What the policy must make clear

A person concerned who has no legal training must be able to understand the policy and find the following elements in it:

  • precise purposes of each collection;
  • collection methods (forms, cookies, integrations);
  • third parties and sub-processors involved;
  • rights of access, rectification, withdrawal, and portability (recover your data);
  • possible communication outside Quebec;
  • retention period and data destruction;
  • title and contact information of the personal information protection officer (PRP).

An unreadable policy contradicts the very principle of transparency.

This section turns the requirements into a concrete checklist that a marketing team can understand.

Consent must be clear, freely given, informed, provided for specific purposes and requested in simple terms. A pre-checked box is not acceptable for marketing consent.

In its study of data from 2026 to 2027, Quebec's Commission d'accès à l'information (CAI) reports receiving 526 declarations of privacy incidents from April 1, 2025 to February 28, 2026. These figures represent a 12.88% increase compared to the same period in 2024-2025. It's also worth noting that over five years, incident notices have increased by 478% (Source: CAI). This is therefore not a theoretical risk.

Obtaining consent that is useful to the individual

To process a request submitted via form, a short explanatory phrase — a microcopy — may be sufficient to explain the necessary use of the information. You don't need a checkbox for processing that is essential to the requested service.

Checkboxes should instead serve optional purposes:

  • newsletter subscription;
  • commercial offers;
  • marketing follow-up distinct from the requested service.

These boxes must not be pre-checked. Here are a few examples of microcopy under the button: "We use this information to respond to your request", "To learn more, consult our privacy policy."

Responding to an incident affecting a form

These common scenarios should trigger a review:

  • form sent by mistake to the wrong recipient;
  • access maintained for a former employee;
  • an exported data file (for example an Excel or CSV file) that is unsecured and shared as an attachment;
  • misconfigured CRM integration;
  • technical access key (API key) left visible if it provides access to personal information or allows unauthorized communication.

The CAI asks organizations to consider three questions: the sensitivity of the information, the possible consequences and the probability of misuse. An incident register must be maintained even when the incident does not present a risk of serious harm. It serves as internal memory and proof (Source: CAI).

Control dashboard to integrate into the Webflow project

| Verification point | Question to ask | Responsible party |
|---|---|---|
| Inventory of Webflow forms | Are all active forms listed and documented? | Marketing team |
| Purpose per form | Does each field serve a documented purpose? | Communications department |
| Consent microcopy | Is the message clear for an uninformed person? | Webflow agency |
| Cookies, pixels and tags | Have GA4, Meta, LinkedIn, chat been inventoried? | Webflow agency |
| Data flow mapping | Where does each submission go after sending? | Agency + internal team |
| DPO responsible | Is the title and contact information published on the website? | Management |
| Former employees access | Have Webflow, CRM and automation tool access been removed? | Internal responsible |
| Incident log | Does the log exist before launch? | Internal responsible |
| Privacy policy | Is it reviewed by a legal advisor? | Management + legal advisor |

Law 25 and Webflow site: what to check when data leaves Quebec?

The sensitive point is not Webflow alone. It is the connected ecosystem around the site.

According to its privacy policy, Webflow is based in the United States and may host, transfer and/or process personal information in the United States or to/in other countries (Source: Webflow). This simple fact can change the nature of your project.

In a Webflow project, the privacy impact assessment (PIA) does not concern only data outside Quebec. Two situations can trigger it:

  • a redesign, acquisition or development affecting an information system or electronic service delivery involving personal information;
  • the communication or processing of personal information outside Quebec.

The mapping of forms, CRM, automations and access must therefore be done before launch, not after.

Data outside Quebec is not limited to hosting

These different tools process data outside of Quebec:

  • Webflow;
  • AWS (Amazon's cloud hosting);
  • Cloudflare (a site distribution and security service);
  • Stripe (payment processing);
  • Typeform (online forms);
  • Zapier or Make (tools that automatically connect your applications);
  • HubSpot, Pipedrive or other CRM;
  • newsletter tools;
  • outsourced customer service.

The right reflex is to map the data flows: know where the form goes after submission, who accesses it and how long the data outside Quebec is retained. It's important to note that a Webflow site can transmit to six vendors without your internal team realizing it.

Webflow publishes a list of subcontractors and indicates that they should be subject to data processing agreements (Source: Webflow). This helps with mapping, but does not replace organizational analysis.

Questions to ask your Webflow agency before signing

Request the following points before signing:

  • the list of third-party tools installed on the site;
  • the planned integrations and their geographic location;
  • access roles in Webflow and with subcontractors;
  • the manual exports planned in your internal processes;
  • active Zapier or Make automations;
  • the documentation to leave with your team after delivery.

Also ask who is responsible for legal texts, who technically configures consents, and who maintains the mapping after launch. Without clear answers on these points, the project exposes you to risks.

Where does the agency end and legal advice begin?

A Webflow agency can help you inventory, configure, document and reduce technical blind spots. The legal advisor can validate obligations, texts, the DPIA and communication choices outside Quebec.

Confusing these two roles can be harmful sooner or later.

FAQ: Bill 25 and Webflow Site

Does Bill 25 apply even if my Webflow site has few visitors?

Yes. The size of the site doesn't matter. As soon as a form or newsletter collects personal information from someone in Quebec, the obligations apply. Whether the law applies depends on the type of data, not on traffic.

Is Webflow compliant with Bill 25?

Webflow is a tool. It is neither compliant nor non-compliant in itself. Your organization remains responsible for mapping data flows, consent, subcontractors and any incidents. Webflow fits into this ecosystem and hosts data outside Quebec.

Do I need a DPIA for a simple Webflow redesign?

Not necessarily. A DPIA is required as soon as a project affects an information system or electronic service delivery involving personal information. The assessment is also required when confidential data is communicated or processed outside Quebec. A redesign that modifies forms, the CRM, integrations or access generally falls into the first case.

Do I need a cookie banner like in Europe?

Bill 25 does not replicate the GDPR (the European data protection regulation). However, whenever identification, location or profiling functions are active, you must inform the person concerned. They can then voluntarily activate these functions, which do not operate automatically.

How long should I keep data collected by a form?

Data must be destroyed or anonymized once the purpose is achieved. A submission request does not justify keeping data for five years in a CRM. The process is documented by default.

Does the Webflow agency bear my legal responsibility?

No. The agency acts as a technical partner in terms of mapping, configuration and documentation. Your organization remains the data controller under Law 25. It should be noted that the designation of a personal information protection officer (PRP) is mandatory.

Note: This article shares technical guidance for Webflow, but does not replace legal advice. To validate your compliance with Law 25, consult a legal advisor.

Making compliance a reflex in Web projects

A Webflow site compliant with the spirit of Law 25 is clear to the person concerned. It is documented for your team and verifiable by the organization. This is not a fixed status. It's a reflex to develop from the outset, before an incident, complaint, or internal verification request.

Before your next Webflow redesign, Vekteur can help you map forms, scripts, data access and their integrations outside Quebec. These processes need to be validated with your legal advisor. Request a Law 25 and Webflow scoping audit.

Maxime Dubé
About the author

Maxime Dubé, formerly lead UX on Desjardins' website redesign, has extensive experience across various industries including insurance, network monitoring, human resources, drones, intelligent search, beekeeping, construction, arts, law, real estate, and health.

With this expertise, his goal is to bring small and medium-sized businesses the full range of his knowledge to guide them toward online success, foster their growth, and position them as major players in their sector.
