30-second summary
- As soon as a site collects information (a contact or consultation form), it falls under Law 25.
- A law firm is particularly concerned: the messages people send can describe a dispute and create a confidentiality expectation.
- Two frameworks overlap: Law 25 (personal data) and your professional secrecy under the Barreau.
- Points to cover: purpose, consent, privacy policy, security, cookies, retention — mostly adjustments, not a rebuild. Principles, not legal advice.
Law 25 — the modernization of Quebec's private-sector privacy rules — worries many professionals, often because the topic feels vague. For a law firm, the stake is real but manageable: it isn't about reinventing your practice, but about covering a few specific points on your site. And one of those points is unique to your profession: the way Law 25 sits alongside the professional secrecy you already hold as a lawyer. Here it is, in plain language.
Why a law firm is particularly concerned
Any site that collects personal information is covered — even a simple contact form. But a law firm goes further. When someone reaches out through your site, they rarely write "I'd like an appointment." They often start telling their story: a conflict with an employer, a separation, a notice they just received, a dispute with a neighbour. That short message can already contain sensitive, litigation-related information — and the person sending it may reasonably believe they are confiding in a lawyer.
This creates a confidentiality expectation early, sometimes before any mandate exists. It doesn't mean your site is doing anything wrong. It means the care given to your forms, your wording and your data should match the sensitivity of what people will inevitably send you.
Two frameworks that overlap: Law 25 and professional secrecy
This is the part that is specific to lawyers, so it's worth being precise about it.
Law 25 governs how personal information is collected, used, protected and kept — for any organization. It applies to your site because your forms gather names, contact details and messages. For Law 25 questions, the reference body in Quebec is the Commission d'accès à l'information (the CAI).
Professional secrecy is a separate and, in many respects, stricter obligation that belongs specifically to lawyers. It flows from the Barreau du Québec's Code of ethics and protects confidential communications with your clients. It is not something a web agency configures — it's a professional duty you carry. For anything touching professional secrecy and conduct, the reference is the Barreau du Québec.
The practical takeaway: respecting Law 25 on the technical side (consent wording, secure transmission, a clear policy) is necessary, but it does not replace your professional secrecy obligations. A site can be well configured for Law 25 and still need professional judgment about what you invite people to disclose, and when.
1 — Your forms: ask for less, on purpose
The first principle is minimization: a consultation form should ask only for what's genuinely necessary at this stage. For most firms, a name, a way to reach the person, and a short description of the request are enough to call them back. The less you collect, the less you have to protect.
For a law firm, minimization carries an extra reason that has nothing to do with technology: conflicts of interest. Before you've checked whether you can even act, inviting a visitor to pour out every detail of their case into an open web field can be counterproductive — for them and for you. A measured form ("tell us briefly what this is about, and we'll call you back to discuss") respects the person and keeps your firm in a cleaner position to run its checks before learning more.
2 — Purpose and consent (say why)
The person must understand why you're asking for their information and consent to it. On a site, this means clear wording near the form and a link to your privacy policy. Consent should be informed — not extracted through pre-checked boxes or vague language. A simple, honest line such as "We'll use your details only to respond to your request" goes a long way, and it sits naturally next to a reassurance that early messages are treated with discretion.
3 — The privacy policy and the privacy officer
A clear, accessible privacy policy is central. It explains what information you collect, why, how it's used and protected, and how a person can exercise their rights — in particular access and rectification. Law 25 also provides for designating a person responsible for protecting personal information (a privacy officer). Our role as an agency is to make this information accessible and easy to find on the site; the exact legal content of the policy should be drafted or validated with a qualified professional, since it touches both Law 25 and the way your firm describes its confidentiality commitments.
4 — Security, hosting and retention
Collecting information means protecting it: secure form transmission (HTTPS), hosting and access that are controlled, and retention that doesn't drag on beyond what's needed. For a law firm, this matters twice over — once for Law 25, and once because the information may be tied to your duty of confidentiality. Keeping enquiries indefinitely "out of habit" adds risk with no benefit. The technical measures (encryption in transit, restricted access, sensible defaults) are set up on the site and hosting; the exact retention periods and internal procedures fall under your professional obligations and should be framed accordingly.
5 — Cookies and tracking
Analytics and advertising tools (cookies, pixels) raise questions of transparency and consent. A site that uses them must inform visitors and, depending on the case, obtain consent and offer control — often via a cookie-management banner and a mention in the privacy policy. This is independent of the content of your forms, but it's part of the same overall picture: a visitor should understand what happens to their data on your site, full stop. The configuration depends on the tools in place; we put the mechanisms in place, and the precise obligations are validated with a professional.
6 — Access, rectification and the visitor's rights
Law 25 gives people rights over their information, including the right to access what you hold about them and to ask for it to be corrected. On the website side, the practical job is to make these requests easy to address: a clear contact point (often your privacy officer) and a policy that tells people how to reach out. You don't need a complex portal — you need a visible, honest path. As always, the precise scope of these rights for your firm should be confirmed with the CAI or a legal professional.
Compliance plan (website side)
| Step | Action |
|---|---|
| Step 1 | Review forms: keep only necessary fields; avoid inviting full case details before a conflicts check. |
| Step 2 | Add clear purpose wording + consent near the form. |
| Step 3 | Publish an accessible privacy policy and designate a privacy officer. |
| Step 4 | Secure transmission (HTTPS), controlled hosting, and a sensible retention period. |
| Step 5 | Set up cookie management (banner + mention in the policy). |
| Step 6 | Make access and rectification requests easy to address. |
One more distinction worth keeping clear: this article is about data and confidentiality. The separate question of what you're allowed to say when you advertise and present your firm — solicitation, comparisons, claims — is governed by the Barreau's advertising rules, and we cover that in our guide on a compliant law firm website and the advertising rules. Two different angles, both worth getting right.
Frequently asked questions — Law 25 and confidentiality on a lawyer's site
As soon as your site collects personal information — even a simple contact or consultation form — it falls under Law 25. A law firm is particularly concerned, because the messages people send can describe a dispute or a sensitive situation. This doesn't mean your site is non-compliant: it means there are specific points to cover (purpose, consent, security, privacy policy). This article describes those points in general terms; for your exact obligations, validate with a legal professional or Quebec's Commission d'accès à l'information.
They are two distinct frameworks that overlap. Law 25 governs how personal information is collected, used and protected. Professional secrecy is a separate, stricter obligation that belongs to lawyers under the Barreau du Québec's Code of ethics and protects confidential client communications. A message sent through your site can already create a confidentiality expectation, even before a mandate exists. Respecting Law 25 on the technical side does not relieve you of your professional secrecy obligations, which you should review with the Barreau.
As little as possible at the first stage. A compliant form follows the minimization principle: name, contact details and a short description of the request are usually enough to call the person back. Inviting visitors to describe the full details of their case in an open web form raises both a security question and a conflict-of-interest question — before checking for conflicts, a firm generally prefers to limit what it receives. The precise wording should be validated with a professional.
A clear, accessible privacy policy is a central element of a Law 25-compliant online presence. It explains what information you collect, why, how it's used and protected, and how a person can exercise their rights of access and rectification. Law 25 also provides for designating a person responsible for protecting personal information. Our role as an agency is to make this information accessible on the site; the exact legal content of the policy should be established with a qualified professional.
Yes. Analytics and advertising tools raise questions of transparency and consent. A site that uses them must inform visitors and, depending on the case, obtain consent and offer control — often through a cookie-management banner and a mention in the privacy policy. The exact configuration depends on the tools used; we put the mechanisms in place, and the precise obligations are validated with a professional.
Final responsibility belongs to you, the lawyer, as the custodian of your clients' information and as the holder of professional secrecy under the Barreau. A serious web agency builds a site that facilitates compliance (lean forms, secure transmission, accessible policy, cookie management), but it doesn't replace legal advice. The right approach is teamwork: the agency for technical implementation, and the Barreau and the Commission d'accès à l'information for your exact obligations.