John Salloum and Maryna Polataiko from Osler, Hoskin & Harcourt LLP report that Canada is contemplating a social media ban for children under 16—among other measures—through a new online safety regime that takes aim at harmful material, platform accountability and synthetic content.
Bill C-34, the Safe Social Media Act, was introduced on June 10, 2026, and would create two new statutes: the Digital Safety Act (the “DSA” or the “Act”) and the Digital Safety Commission of Canada Act. If passed, Bill C-34 would establish a comprehensive legal framework intended to govern online safety, reduce harms from online content and establish transparency and accountability requirements for operators of regulated services such as social media sites, chatbots and other online services.
Regulated Social Media, Chatbot and Online Services
The Act's duties apply to three types of “regulated services.” A service is generally regulated when it falls within a defined service type and either meets a user number threshold set by regulation or is designated as regulated by the Governor in Council.
- Social Media Services. Social media services are websites or applications whose primary purpose is to facilitate communication among users by enabling them to access and share content. These include adult content and live streaming services. Duties under the Act do not apply to private messaging features on social media services.
- Chatbot Services. Chatbot services are AI systems that (i) communicate over the internet; (ii) are publicly accessible via websites or applications; (iii) use natural language interfaces to provide adaptive, human-like responses in a conversational format; (iv) can simulate sustained human-like relationships through multiple interactions or sessions; and (v) generate content or responses that are not fully predetermined by system developers or operators. These do not include AI systems that exclusively serve purposes specified in the regulations.
- Online Services. Online services are websites or applications other than social media or chatbot services that allow users to interact with them, excluding those whose primary purpose is the sale or advertisement of goods or services, or directories, search results, maps or navigation tools. Online services must first fall within a category established by the Governor in Council to be regulated. Duties under the Act do not apply to private messaging features on online services.
Telecommunications service providers offering basic internet connectivity would be exempt from duties under the Act.
The Act would not require operators to proactively search for harmful content, though regulations may require technological means to prevent child sexual abuse material (“CSAM”) from being uploaded.
Regulated Content
The Act would target seven categories of harmful content: Non‑consensual disclosure of intimate images (“NCDII”), CSAM, content that induces a child to harm themselves, content used to bully a child, content that foments hatred, content that incites violence, and terrorism or violent extremism content. It would also establish requirements specific to pornographic content and synthetic content.
Duties of Operators
The DSA would impose two baseline duties on all operators of regulated services: a duty to protect children, including safety-by-design features and — where an operator has “reasonable grounds” to suspect its service provides access to pornographic content —age verification or estimation measures to mitigate the risk of persons under 18 being exposed to such content, as well as a duty to be transparent through compliance record-keeping.
For social media operators, the child protection duty would also include age estimation or verification measures “designed to prevent" persons under 16 from holding accounts where specified by regulation, subject to a Commission exemption for “adequate safeguards.” The duty to be transparent would extend to include digital safety plans. Additionally, a duty to act responsibly would include measures against harmful content, user guidelines, blocking and reporting tools, bot-amplified and synthetic content labeling, an identifiable resource person, and preservation requirements following certain content take-downs. A duty to make content inaccessible would impose 24-hour take-downs of NCDII and CSAM, as well as notice and appeal processes.
For chatbot operators, the duty to be transparent would similarly contemplate digital safety plans. Further, the duty to act responsibly would include measures against harmful content, emergency intervention obligations, and measures against harmful behavior such as posing as a human or licensed professional, using manipulative engagement techniques, and encouraging self-harm.
For operators of online services, the baseline transparency duty would similarly be supplemented with digital safety plans.
Remedies and Enforcement
The Digital Safety Commission of Canada would administer and enforce the Act. Canadians could make submissions about harmful content, harmful behavior, or non-compliance with the Act, as well as complaints seeking take-down orders for NCDII or CSAM.
The Commission would have extensive enforcement powers, including investigating complaints, holding hearings, conducting inspections under warrant, and issuing compliance orders.
Subject to a due diligence defense, administrative monetary penalties would reach the greater of 10 million Canadian dollars or 3% of gross global revenue, and offenses could carry fines up to the greater of 20 million Canadian dollars or 5% on indictment and $15 million or 4% on summary conviction. For affiliated groups, “gross global revenue” would mean the group’s revenue.
Search
Recent Posts
Categories
- Behavioral Advertising
- Centre for Information Policy Leadership
- Children’s Privacy
- Cyber Insurance
- Cybersecurity
- Enforcement
- European Union
- Events
- FCRA
- Financial Privacy
- General
- Health Privacy
- Identity Theft
- Information Security
- International
- Marketing
- Multimedia Resources
- Online Privacy
- Security Breach
- U.S. Federal Law
- U.S. State Law
- Workplace Privacy
Tags
- Aaron P. Simpson
- Accountability
- Adequacy
- Advertisement
- Advertising
- Age Appropriate Design Code
- Age Verification
- Alabama
- American Privacy Rights Act
- Anna Pateraki
- Anonymization
- Anti-terrorism
- APEC
- Apple Inc.
- Argentina
- Arkansas
- Article 29 Working Party
- Artificial Intelligence (AI)
- Attorney General
- Audit
- Australia
- Austria
- Automated Decisionmaking
- Baltimore
- Bankruptcy
- Belgium
- Biden Administration
- Big Data
- Binding Corporate Rules
- Biometric Data
- Blockchain
- Bojana Bellamy
- Brazil
- Brexit
- British Columbia
- Brittany Bacon
- Brussels
- Business Associate Agreement
- BYOD
- California
- CalPrivacy
- CAN-SPAM
- Canada
- Cayman Islands
- CCPA
- CCTV
- Centre for Information Policy Leadership (CIPL)
- Chatbot
- Children’s Online Privacy Protection Act (COPPA)
- Chile
- China
- Chinese Taipei
- Christopher Graham
- CIPA
- Class Action
- Clinical Trial
- Cloud
- Cloud Computing
- CNIL
- Colombia
- Colorado
- Committee on Foreign Investment in the United States
- Commodity Futures Trading Commission
- Compliance
- Computer Fraud and Abuse Act
- Congress
- Connecticut
- Consent
- Consent Order
- Consumer Protection
- Consumer Rights
- Cookies
- COPPA
- Coronavirus/COVID-19
- Council of Europe
- Council of the European Union
- Court of Justice of the European Union
- CPPA
- CPRA
- Credit Monitoring
- Credit Report
- Criminal Law
- Critical Infrastructure
- Croatia
- Cross-Border Data Flow
- Cross-Border Data Transfer
- Cyber Attack
- Cybersecurity
- Cybersecurity and Infrastructure Security Agency
- Data Breach
- Data Brokers
- Data Controller
- Data Localization
- Data Minimization
- Data Privacy Framework
- Data Processor
- Data Protection Act
- Data Protection Authority
- Data Protection Impact Assessment
- Data Protection Officer
- Data Security
- Data Transfer
- David Dumont
- David Vladeck
- Deceptive Trade Practices
- Delaware
- Denmark
- Department of Commerce
- Department of Defense
- Department of Health and Human Services
- Department of Homeland Security (DHS)
- Department of Justice
- Department of the Treasury
- Design
- Digital Markets Act
- District of Columbia
- Do Not Call
- Do Not Track
- Dobbs
- Dodd-Frank Act
- DORA
- DPIA
- E-Privacy
- E-Privacy Directive
- Ecuador
- Ed Tech
- Edith Ramirez
- Electronic Communications Privacy Act
- Electronic Privacy Information Center
- Electronic Protected Health Information
- Elizabeth Denham
- Employee Monitoring
- Encryption
- ENISA
- EU Data Protection Directive
- EU Member States
- European Commission
- European Data Protection Board
- European Data Protection Supervisor
- European Parliament
- Facial Recognition Technology
- FACTA
- Fair Credit Reporting Act
- Fair Information Practice Principles
- Federal Aviation Administration
- Federal Bureau of Investigation
- Federal Communications Commission
- Federal Data Protection Act
- Federal Trade Commission
- FERC
- Financial Data
- FinTech
- Florida
- Food and Drug Administration
- Foreign Intelligence Surveillance Act
- France
- Franchise
- Fred Cate
- Freedom of Information Act
- Freedom of Speech
- Fundamental Rights
- GDPR
- Genetic Data
- Geofencing
- Geolocation
- Geolocation Data
- Georgia
- Germany
- Global Privacy Assembly
- Global Privacy Enforcement Network
- Gramm Leach Bliley Act
- Grok
- Hacker
- Hawaii
- Health Data
- HIPAA
- HITECH Act
- Hong Kong
- House of Representatives
- Hungary
- Illinois
- India
- Indiana
- Indonesia
- Information Commissioners Office
- Information Sharing
- Insurance Provider
- Internal Revenue Service
- International Association of Privacy Professionals
- International Commissioners Office
- Internet
- Internet of Things
- Iowa
- IP Address
- Ireland
- Israel
- Italy
- Jacob Kohnstamm
- Japan
- Jason Beach
- Jay Rockefeller
- Jenna Rode
- Jennifer Stoddart
- Jersey
- Jessica Rich
- John Delionado
- John Edwards
- Kentucky
- Korea
- Large Language Model
- Latin America
- Laura Leonard
- Law Enforcement
- Lawrence Strickling
- Legislation
- Liability
- Lisa Sotto
- Litigation
- Location-Based Services
- London
- Louisiana
- Madrid Resolution
- Maine
- Malaysia
- Maryland
- Massachusetts
- Meta
- Mexico
- Michigan
- Microsoft
- Minnesota
- Missouri
- Mobile
- Mobile App
- Mobile Device
- Montana
- Morocco
- MySpace
- Natascha Gerlach
- National Institute of Standards and Technology
- National Labor Relations Board
- National Science and Technology Council
- National Security
- National Security Agency
- National Telecommunications and Information Administration
- Nebraska
- NEDPA
- Netherlands
- Nevada
- New Hampshire
- New Jersey
- New Mexico
- New York
- New Zealand
- Nigeria
- Ninth Circuit
- North Carolina
- North Dakota
- North Korea
- Norway
- Obama Administration
- OCPA
- OECD
- Office for Civil Rights (OCR)
- Office of Foreign Assets Control
- Ohio
- Oklahoma
- Online Behavioral Advertising
- Online Privacy
- Opt-In Consent
- Opt-Out
- Oregon
- Outsourcing
- Pakistan
- Parental Consent
- Payment Card
- PCI DSS
- Penalty
- Pennsylvania
- Personal Data
- Personal Health Information
- Personal Information
- Personally Identifiable Information
- Peru
- Philippines
- Poland
- PRISM
- Privacy
- Privacy and Information Security Law
- Privacy By Design
- Privacy Notice
- Privacy Policy
- Privacy Rights
- Privacy Rule
- Privacy Shield
- Profiling
- Protected Health Information
- Purpose Limitation
- Ransomware
- Record Retention
- Red Flags Rule
- Rhode Island
- Richard Thomas
- Right to Be Forgotten
- Right to Privacy
- Risk Assessment
- Risk-Based Approach
- ROSCA
- Rosemary Jay
- Russia
- Safe Harbor
- Salesforce
- Sanctions
- Schrems
- Scott Kimpel
- SECURE Data Act
- Securities and Exchange Commission
- Security Rule
- Senate
- Sensitive Data
- Serbia
- Service Provider
- Singapore
- Smart Grid
- Smart Metering
- Social Media
- Social Security Number
- South Africa
- South Carolina
- South Dakota
- South Korea
- Spain
- Spyware
- Standard Contractual Clauses
- State Attorneys General
- Steven Haas
- Stick With Security Series
- Stored Communications Act
- Student Data
- Supreme Court
- Surveillance
- Surveillance Pricing
- Sweden
- Switzerland
- Taiwan
- Targeted Advertising
- Telecommunications
- Telemarketing
- Telephone Consumer Protection Act
- Tennessee
- Terry McAuliffe
- Texas
- Text Message
- Thailand
- Transparency
- Transportation Security Administration
- Trump Administration
- United Arab Emirates
- United Kingdom
- United States
- Unmanned Aircraft Systems
- Uruguay
- Utah
- Vermont
- Video Privacy Protection Act
- Video Surveillance
- Virginia
- Viviane Reding
- Washington
- Whistleblowing
- Wireless Network
- Wiretap
- ZIP Code