Bill C-34: What’s Changing and How Digital Service Operators Can Prepare (Client Alert)

Bill C-34 at a glance

• Bill C‑34 would establish a new federal digital safety framework for regulated social media, chatbots, and certain online services
• The proposed regime would apply to regulated social media services, AI chatbot services using natural language and prescribed online services posing risks to children
• Operators would be subject to new obligations relating to child protection, harmful content, governance and transparency
• Non‑compliance may result in administrative monetary penalties of up to the greater of $10 million or 3% of gross global revenues or up to the greater of $20 million or 5% of gross global revenues in the case of offences
• Key elements of the framework will be defined through future regulations, creating uncertainty around scope and implementation

What is Bill C-34 and why does it matter?

The federal government tabled Bill C-34 on June 10, 2026, introducing the Digital Safety Act (the “DSA”) and the Digital Safety Commission of Canada Act (the “DSCCA”).

Bill C‑34 forms part of Canada’s broader approach to regulating online harms, digital platforms and AI-enabled services.

If enacted, the Bill would establish a new federal digital safety framework for regulated social media, chatbot and online services, with a strong emphasis on regulating harmful content and protecting children. This framework is further supported by a strong enforcement regime, including significant financial penalties for non-compliance.

Bill C‑34 is the successor to Bill C‑63, (the proposed Online Harms Act), which was not adopted. While both bills seek to address online harms and protect children, Bill C‑34 adopts a predominantly regulatory and administrative framework focused on duties of operators of specific types of services.

This shift reflects a more targeted and operational approach to digital safety. Nevertheless, as was the case with Bill C‑63, many key elements of the regime remain contingent on future regulations, creating material uncertainty as to its scope, technical requirements, and implementation timelines for affected operators of regulated services.

Scope and application of the DSA

The DSA applies to three different categories of services:

1. Social media services: website or app with the primary purpose of facilitating online communication between its users by enabling users to access and share content.
2. Chatbot services: AI system accessible online that uses a natural language interface to provide in a conversational format human-like responses to user inputs, is capable of being used through multiple interactions to simulate human-like relationships and can generate content that is not fully predetermined by its developer or its operator.
3. Online services: websites or applications, other than a social media service or a chatbot service, that allow users to interact with the website or application, to the extent it falls under a category of online services that pose a significant risk of harm to children, to be set out in future regulations on the recommendation of the Commission.

The obligations of the DSA apply specifically to regulated social media, chatbot, or online services.

Services are considered regulated where they:

• meet the number of users equal to or greater than the significant number of users set out in regulations; or
• if that threshold is not met, pose a significant risk of harm to individuals (in the case of chatbot services), a significant risk that harmful content is accessible (in the case of social media services), or a significant risk of harm to children in Canada (in the case of online services)

The DSA excludes several types of services from its scope, including:

• services primarily used to facilitate the sale, listing or advertisement of goods or services
• services providing directories, search results, maps or navigation tools
• basic internet connectivity services provided by telecommunications service providers
• private messaging features of social media or online services

The DSA targets the following types of harmful content:

• intimate content communicated without consent
• content that sexually victimizes a child or revictimizes a survivor
• content that induces a child to harm themselves
• content used to bully a child
• content that foments hatred
• content that incites violence
• terrorism or violent extremism content

Key compliance obligations under Bill C-34

The Bill proposes to create specific obligations that would apply to operators of any regulated service, but also specifically to certain types of regulated services.

The Bill classifies those obligations as:

• duties to protect children (all regulated services)
• duties to act responsibly (regulated social media and chatbot services)
• duties to be transparent (all regulated services)
• duties to make certain content inaccessible (regulated social media services)

Obligations applicable to all regulated services

The DSA would impose a general duty to protect children on operators of any regulated service. This duty would include the obligation to integrate the children-protective design features set out in regulations.

For operators that have reasonable grounds to suspect that their regulated service provides access to pornographic content, the DSA would also impose a duty to implement adequate age-verification or age-estimation measures to mitigate the risk of children being exposed to such content on their platform, in addition to any measures set out in regulations.

Operators of all types of regulated services would also have the obligation to prepare, submit to the Commission and publish a “digital safety plan” notably setting out the measures they have implemented to comply with their other obligations under the DSA.

Such plans must include:

• child safety-by-design features and an evaluation of their effectiveness
• age-assurance measures applicable to pornographic content
• the allocation of resources to compliance, including in respect of automated decision-making
• processes for reporting child sexual exploitation content

Finally, operators must describe any protocols for escalating serious risks to law enforcement, including situations involving a risk of death or serious bodily harm, and disclose data on how often such notifications occur.

Obligations specific to social media services

Operators of regulated social media services would be subject to additional obligations as part of their duty to protect children, including:

• implementing adequate age-verification or age-estimation measures to prevent children under 16 years old from creating an account (subject to exemption)
• implementing adequate measures to mitigate the risk of users being exposed to harmful content as well as the measures identified in applicable regulations
• providing blocking and reporting tools
• implementing, to the extent reasonable, adequate measure to label “synthetic content” (audio or visual representations of a person, object, place, entity or event created by electronic or mechanical means that could reasonably be mistaken for authentic content)

Such operators may, however, obtain an exemption from this obligation if they demonstrate to the Commission that they have put in place adequate safeguards for the protection of children.

Obligations specific to chatbot services

Operators of regulated chatbot services would be required to:

• mitigate the risk of harmful content being provided as outputs
• implement crisis‑intervention mechanisms, including directing users to appropriate human support where suicidal ideation, self‑harm or harm to others is expressed
• prevent specified harmful behaviours, including impersonation, deceptive practices regarding the nature of the service as an AI system
• prevent the encouragement of emotional dependency
• provide users with tools to flag harmful content generated by the chatbot

Enforcement and penalties

From an enforcement perspective, the DSCCA would establish a centralized regulator through the Commission, which has broad oversight, audit, and enforcement powers. These powers include the ability to issue compliance orders and review digital safety plans.

Non‑compliance with the DSA may result in significant administrative monetary penalties of up to the greater of $10 million or 3% of gross global revenues (for the year prior to the offence).

Where offences are prosecuted by indictment, materially higher penalties may be imposed, reaching the greater of $20 million or 5% of gross global revenues.

This graduated penalty regime positions Canada alongside other jurisdictions that have adopted strong financial enforcement mechanisms in this space.

Where organizations may face the greatest challenges

Organizations may face practical implementation challenges, including:

• implementing effective age‑assurance measures
• managing risks associated with AI chatbot outputs
• scaling content moderation and reporting systems to meet new regulatory expectations
• developing and maintaining digital safety plans

Preparing for Bill C-34: Next steps for organizations

Organizations operating digital services in Canada should begin preparing for the potential impact of Bill C‑34, including:

• Assess applicability
  Determine whether your platform could qualify as a regulated social media, chatbot, or online service
• Evaluate risk exposure
  Identify potential areas where harmful content may arise, particularly involving children
• Review existing safeguards, including:
• age-verification or age-estimation measures
• reporting and escalation processes
• existing measures to mitigate exposure to harmful content
• Prepare digital safety plans
  Begin documenting compliance measures, governance structures, and internal accountability mechanisms

Organizations that may fall within scope should begin preparing now by assessing applicability, identifying compliance gaps and building the governance structures needed to respond as the legislative and regulatory framework develops.

Our team will continue to monitor developments relating to Bill C‑34 and the Digital Safety Act and will provide updates on their implications for organizations operating digital services in Canada.