Canada is Regulating the Internet: What Bill C-34 Means for Your Business

Overview

Canada has worked to regulate online harms for years. On June 10, 2026, the federal government introduced a Bill C-34, the Safe Social Media Act ("Bill C-34"), putting social media companies, providers of artificial intelligence ("AI") chatbots, and a range of online service providers operating within Canada on notice. Bill C-34 proposes Canada's most sweeping and comprehensive statutory framework for regulating online safety to date.

Bill C-34 is still in its infancy stages, having only cleared the first reading in the House of Commons. The potential implications of Bill C-34 demand that affected businesses start paying attention now as Bill C-34 will fundamentally change compliance obligations. If passed, Bill C-34 would enact two new statutes: the Digital Safety Act ("DSA") and the Digital Safety Commission of Canada Act ("DSCCA"). Together, DSA and the DSCCA create a framework of binding duties, new enforcement mechanisms and significant financial penalties for non-compliance.

This is not Canada's first attempt at regulating the internet: it is a revamped version of Bill C-63, the Online Harms Act, which was introduced in 2024 but never became law.

What is changing? And who will be impacted?

While Bill C-34 is titled the Safe Social Media Act, that does not paint the full picture.

The DSA would apply to the operation of three categories of regulated services accessible in Canada, namely social media services, AI chatbot services, and online services (the "Regulated Services"). Despite its apparent breadth, the third category is subject to regulation only where the government is satisfied that an online service poses a significant risk of harm to children.

The DSA will primarily target seven types of harmful content, specifically the following:

• Intimate content communicated without consent (including deepfakes);
• Content that sexually victimizes a child or revictimizes a survivor;
• Content that induces a child to harm themselves;
• Content used to bully a child;
• Content that foments hatred;
• Content that incites violence; and
• Terrorism or violent extremism content.

Below we have outlined the obligations on Canadian service providers that are contemplated in the newly proposed Bill C-34.

(1) A duty to protect children: For providers of all Regulated Services

Every operator of a Regulated Service must implement design features to ensure a safer experience for minors, apply age verification or age-estimation to limit children's exposure to pornographic content and keep records of their legislative compliance. Social media companies face the most stringent requirement: setting a minimum account age of 16, unless an exemption is granted based on sufficient child safeguards.

(2) A duty to act responsibly: For social media and AI chatbot service providers

Social media platforms must actively work to reduce the exposure of risk of harmful content to the user. These platforms must apply labels to synthetically generated material, including AI-generated audio or video that could be mistaken for real recordings, as well as give users tools to flag content and block users.

AI chatbots must mitigate the risk of communicating harmful content and are prohibited from four specific behaviours: pretending to be human, impersonating licensed professionals, using manipulative techniques to foster unhealthy emotional dependencies and encouraging self-harm or suicide.

(3) A duty to make certain content inaccessible: For social media service providers

Social media platforms must remove two categories of content: child sexual abuse material and intimate images shared without consent (this includes AI-generated deepfakes). Once either is flagged by the user or identified by the platform, the content must become inaccessible within 24 hours of being flagged.

(4) Transparency: For all Regulated Services

All Regulated Services must publish a digital safety plan outlining their commitment and deliverables on these new obligations. This acts as a public-facing disclosure that will be assessed by the applicable regulator. Any non-compliance with the requirement to have a publicly accessible digital safety plan may invite enforcement scrutiny and penalties.

The regulator

The DSA will be administered and enforced by the newly created Digital Safety Commission of Canada ("Commission"). If Bill C-34 is passed, the Commission would be empowered to set standards and issue guidance; conduct audits of digital safety plans; hold hearings, compel testimony and document production; issue compliance orders enforceable as Federal Court judgments; and receive and administer user complaints regarding inaccessible content when the platform's internal mechanisms are insufficient.

The Commission also carries significant and broad regulatory authority with more than 30 heads of power. The operational details will be set out after its establishment, but the regulations will be pre-published in the Canada Gazette, providing a prior opportunity for public commentary.

Key takeaways for Canadian businesses

• This is not exclusively a social media issue. If your business operates an online service through which Canadians interact, share or create content, it may fall within its scope of the newly proposed Bill C-34.
• AI chatbot operators should be on alert: Canadian law has rarely regulated AI chatbots head-on, and the DSA would be among the first pieces of legislation to place binding safety duties directly on AI chatbot operators if enacted.
• The fines are serious and global. If passed, Bill C-34 will introduce significant penalties in the event of non-compliance. Maximum offence fines on conviction are the greater of $20 million or 5% of gross global revenue. Maximum administrative monetary penalties handed out by the Commission are the greater of $10 million or 3% of gross global revenue.
• Don't wait for Royal Assent. While there are multiple parliamentary steps before Bill C-34 becomes governable law, the framework and the government's intentions are sufficiently clear. Businesses facing potential exposure should begin scoping their obligations now: a compliance gap analysis today is far easier than a regulatory scramble later.
• The details are still being written. Key specifics, like age-verification standards, user thresholds and design feature requirements, will be set by the Commission through future regulations.
• Be engaged. Bill C-34 contemplates meaningful public consultation prior to regulations being finalized. As a business who may bear the burden of compliance, it is important to participate in the process as both a right and strategic opportunity.

For more information about how to prepare for and comply with Canada's newly proposed privacy legislation, please contact Roland Hung or Laura Crimi of Torkin Manes' Technology and Privacy & Data Management Groups.

The authors would like to acknowledge Torkin Manes' Summer Student William Tiwana for his invaluable contribution in drafting this bulletin.