Law 25: Disable Non-Essential Tracking Without Consent

🔍 Problem Statement

As a platform provider operating under Quebec’s Law 25, I need to ensure that Pelcro does not collect or store non-essential user data when consent is declined, because storing or transmitting such data without consent constitutes a violation, regardless of usage.

💡 User Story

As a user on Pelcro, I want non-essential tracking (analytics, marketing, personalization) to be disabled when I decline consent, so that my privacy rights are respected and Pelcro as a business remains compliant with Law 25.

🎯 Definition of Done (DoD)

A feature is done when:

✔️ If a user declines consent, Pelcro does not trigger, collect, or store any non-essential tracking events.

✔️ Only strictly necessary data for delivering core service functionality (e.g., authentication, payments, fraud prevention, security logs) continues to be collected.

✔️ Analytics/marketing events are conditionally fired only when explicit consent is granted.

✔️ If a user withdraws consent after granting it, all non-essential tracking is disabled immediately and future events are blocked.

✔️ All consent decisions are logged with timestamps for auditability.

📌 Notes / Considerations

1. Must distinguish between essential tracking (allowed without consent) vs. consent-based tracking (must be blocked).

2. Ensure this works consistently across web, API, and SDK integrations.

3. Provide a configurable toggle for clients so they can add/remove what they consider “essential” for their implementation.

4. Align with Law 25 requirements: clear, informed, revocable consent.