Verimont does not run a passive scan. A live browser loads your domain, intercepts what it transmits, interacts with your consent interface, and tests whether your site honors a user who says no. Every finding is documented with observed evidence before any analysis is written.
The scan runs in three phases before any report is generated. Each phase produces structured evidence. The report is written from that evidence, not from assumptions.
A live browser loads your domain from a clean state, no cookies, no prior consent signals, no browser history. Every network request is captured from the first byte. We record which scripts fire, when they fire, what third-party domains they contact, and whether any of that activity precedes a consent signal from the user.
This is not a simulated scan. It is a live intercept of your site as it actually behaves for a new visitor.
We interact with your consent interface the way a real user would. Three tests run in sequence.
First, we click Reject All and observe whether your site honors the rejection. Tracking scripts that continue transmitting data after a rejection signal are not a configuration gap. They are an active violation of Quebec Law 25 under the Act respecting the protection of personal information in the private sector, P-39.1, s.8.1.
Second, we measure how many clicks it takes to accept cookies, then how many clicks it takes to withdraw that consent. Quebec Law 25 (P-39.1) requires withdrawal to be as easy as consent. If acceptance takes one click and withdrawal takes four navigation steps, that disparity is a citable finding with a specific click count as evidence.
Third, we test for visual dark patterns in the rendered consent interface: whether reject options are visually deemphasized, whether consent is implied by continued use, whether the purpose of data collection is stated or absent.
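The ordering check behind the first two phases, as an added example that is not Verimont's code: given a timeline of captured requests and consent actions from a clean browser session, it lists third-party hosts contacted before the user acted on the banner, and those still contacted after a Reject All click. The event format, the audited domain (`example.test`) and the sample hosts are constructed assumptions.

```python
"""Flag third-party transmissions that precede consent or follow a rejection.
Event records, hosts and timestamps are constructed sample data."""
from dataclasses import dataclass
from urllib.parse import urlsplit

FIRST_PARTY = "example.test"   # assumed audited domain (constructed)


@dataclass(frozen=True)
class Event:
    t_ms: int      # milliseconds since navigation start
    kind: str      # "request" or "consent"
    detail: str    # request URL, or "reject_all" / "accept_all" for consent


def registrable(host: str) -> str:
    # Crude registrable-domain guess (last two labels); adequate for the sample.
    return ".".join(host.lower().split(".")[-2:])


def is_third_party(url: str) -> bool:
    host = urlsplit(url).hostname or ""
    return registrable(host) != registrable(FIRST_PARTY)


def audit_consent_ordering(events):
    """Return (pre_consent, post_rejection): third-party URLs sent before any
    consent action, and those sent after the user clicked Reject All."""
    consent_t, rejected = None, False
    pre, post = [], []
    for ev in sorted(events, key=lambda e: e.t_ms):
        if ev.kind == "consent":
            consent_t, rejected = ev.t_ms, ev.detail == "reject_all"
            continue
        if not is_third_party(ev.detail):
            continue                      # first-party traffic is expected
        if consent_t is None:
            pre.append(ev.detail)         # fired before the user could answer
        elif rejected:
            post.append(ev.detail)        # rejection signal not honored
    return pre, post


SAMPLE = [  # constructed timeline of one fresh page load
    Event(120, "request", "https://example.test/"),
    Event(340, "request", "https://cdn.example.test/app.js"),
    Event(410, "request", "https://tracker.example-ads.test/pixel?id=1"),
    Event(900, "consent", "reject_all"),
    Event(1500, "request", "https://tracker.example-ads.test/collect"),
    Event(1600, "request", "https://example.test/api/cart"),
]
```

Each URL in the returned lists is a citable finding with its timestamp and the consent event it precedes or ignores.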
We crawl every publicly accessible legal document on your domain. Privacy policy, cookie policy, cookie declaration, terms of service, contact page, help center pages related to data requests, and French versions of all of the above.
Each document is analyzed against a structured statutory checklist. Every pass, fail, and partial result is documented with a verbatim quote from your own document as evidence. Nothing is inferred. If it is not in your published documents, it is not credited.
Every finding maps to one of four vectors. No overlap between categories. No gaps in coverage. The result is a liability map that holds under regulatory scrutiny.
The front door. Every commercial website is a data collection machine. The question Quebec Law 25 (P-39.1) asks is simple: did you ask first, and did you honor it when someone said no?
This vector documents what your site transmits before consent, how your consent interface behaves under interaction, whether a rejection signal is honored, and whether withdrawal is operationally equivalent to acceptance.
The paperwork. Regulatory frameworks do not just mandate behavior. They mandate accountability structures and public disclosure of who is responsible.
This vector checks whether your organization has publicly designated a named Privacy Officer with a functional contact route, whether your privacy policy is available in French for Quebec-located subjects, whether it references the applicable legislation explicitly, and whether it has been updated since Quebec Law 25 (P-39.1) came into full force in September 2023.
The back end. Where data physically lives determines which government can compel its disclosure.
This vector traces your DNS records, resolves your server IP to a jurisdiction and datacenter operator, identifies your CDN provider via CNAME chain analysis, and enumerates subdomains through certificate transparency logs. If any component of your infrastructure runs on a US-headquartered provider, including AWS, Google Cloud, Azure, Cloudflare, or Fastly, your data may be reachable by US federal authorities under the CLOUD Act, regardless of where the data physically sits.
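The CNAME chain analysis described above, as an added example that is not Verimont's code: it follows a hostname through its CNAME records to the terminal name, stops on loops, and matches each hop against a table of known CDN suffixes to name the operator and its headquarters country. The DNS zone is a constructed sample so the code runs offline; the suffix table is an assumption standing in for a maintained provider list.

```python
"""Resolve a CNAME chain offline and attribute the edge to a CDN operator.
The zone and the suffix table are constructed sample data."""

# Constructed zone: name -> CNAME target (names with no entry are terminal).
SAMPLE_CNAMES = {
    "www.example.test.": "www.example.test.cdn.cloudflare.net.",
    "shop.example.test.": "d111111abcdef8.cloudfront.net.",
    "static.example.test.": "static.example.test.edgekey.net.",
    "static.example.test.edgekey.net.": "e1234.a.akamaiedge.net.",
    "loop.example.test.": "loop2.example.test.",
    "loop2.example.test.": "loop.example.test.",
}

# Suffix -> (operator, headquarters). Assumed table; a real audit keeps a
# larger, vetted list built from provider documentation.
PROVIDER_SUFFIXES = {
    "cloudfront.net.": ("Amazon CloudFront", "US"),
    "cloudflare.net.": ("Cloudflare", "US"),
    "akamaiedge.net.": ("Akamai", "US"),
    "fastly.net.": ("Fastly", "US"),
}


def follow_cname(name, cnames, max_hops=8):
    """Return the chain [name, hop1, ..., terminal]; raise on loops or runaways."""
    chain, seen = [name], {name}
    while chain[-1] in cnames:
        nxt = cnames[chain[-1]]
        if nxt in seen or len(chain) > max_hops:
            raise ValueError(f"CNAME loop or excessive chain starting at {name}")
        chain.append(nxt)
        seen.add(nxt)
    return chain


def identify_operator(name, cnames=SAMPLE_CNAMES, table=PROVIDER_SUFFIXES):
    """Return (matched_name, operator, hq) or (terminal_name, None, None)."""
    chain = follow_cname(name, cnames)
    for hop in chain[1:]:            # the audited name itself is first-party
        for suffix, (operator, hq) in table.items():
            if hop == suffix or hop.endswith("." + suffix):
                return hop, operator, hq
    return chain[-1], None, None
```

A `US` headquarters result on any hop is what the report maps to CLOUD Act exposure; an unmatched terminal name needs manual attribution rather than a silent pass.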
The exit. Knowing what data you hold is the minimum. Having operational infrastructure to delete it, export it, and respond to subject access requests within mandated timelines is the requirement.
This vector checks whether a functional subject access request pathway exists beyond a policy statement, whether a deletion mechanism is documented and reachable, whether data portability is supported, and whether breach notification procedures are published.
Bill 64, now Quebec Law 25 under the Act respecting the protection of personal information in the private sector, P-39.1, is in full force. It is the most demanding provincial privacy legislation in Canada, and it applies to any organization processing personal information of Quebec residents, regardless of where the organization is based. Full enforcement has been active since September 2023.
PIPEDA, the Personal Information Protection and Electronic Documents Act, governs commercial organizations under federal jurisdiction. Bill C-27, the proposed Consumer Privacy Protection Act, is currently before Parliament and not yet in force. It proposes significant reforms, including a statutory tort of privacy violation and fines up to $10M or 3% of global turnover. Verimont audits against current PIPEDA requirements and flags exposure that would constitute a violation under the proposed CPPA framework, clearly marked as proposed, not in force.
Not Canadian law, but directly relevant to Canadian data sovereignty. The CLOUD Act allows US federal agencies to compel US-domiciled cloud providers to disclose data stored anywhere in the world. If your infrastructure runs on a US-headquartered provider, your data may be reachable by US authorities without your knowledge or consent. Verimont identifies every component of your infrastructure subject to this exposure.
The full report is delivered to a secure page on the Verimont site and can be downloaded as a PDF. Every finding includes the observed evidence, the applicable statute cited by section number, and a direct link to the legislation. Nothing is asserted without documentation.
No credit card. No account. Confidential.