
Canada is advancing sweeping changes to its digital governance, targeting both online safety and data privacy. Over a single week in June 2026, the government introduced two major bills designed to regulate online harms and modernize the national privacy regime. Bill C-34 focuses on the internet and artificial intelligence, while Bill C-36 seeks to overhaul the private-sector privacy framework. The proposed legislation creates new federal regulators, imposes strict duties on service providers, and introduces significant financial penalties for noncompliance.
Bill C-34, known as the Digital Safety Act, would replace the previous Online Harms Act. The legislation creates a framework of binding duties for social media companies, AI chatbot providers, and other online services. Regulators would enforce these rules through the newly established Digital Safety Commission of Canada.
Operators must label synthetically generated material, including AI audio or video that could be mistaken for real recordings. AI chatbots are prohibited from pretending to be human, impersonating licensed professionals, or encouraging self-harm. Social media platforms face the most stringent requirements, including a minimum account age of sixteen.
Content removal is a core component of the new rules. Services must delete nonconsensual intimate images and child sexual abuse material within twenty-four hours. Companies must also publish digital safety plans that the regulator will assess. Failure to comply carries a heavy price tag. Offenses carry a maximum fine of the greater of $20 million or five percent of gross global revenue. Administrative penalties under the commission can reach $10 million or three percent of global revenue.
A Privacy Reset for the Digital Age
Bill C-36 aims to replace the Personal Information Protection and Electronic Documents Act (PIPEDA). The new Protecting Privacy and Consumer Data Act (PPCDA) is the most significant update to Canadian privacy law in over twenty years. It shifts the framework toward a rights-based approach, treating privacy as a fundamental right.
Related: Gift Card Sales Raise Regulatory Concerns
The bill grants individuals more control over their personal information. This includes the right to access data, correct errors, and request deletion. It also mandates that companies maintain auditable privacy management programs. Automated decision-making systems must be disclosed, and users must be given a way to challenge outcomes.
Children’s personal information receives special protection under this legislation. It is designated as sensitive by default, triggering stricter limits on how organizations collect, use, and store such data. The bill departs from earlier drafts by removing specific AI regulations to focus exclusively on privacy modernization.
For U.S. attorneys, the reach of these laws extends far beyond traditional Canadian operations. The penalties are calculated based on gross global revenue, not just the company’s footprint north of the border. This means a small Canadian presence could expose a multinational corporation to fines measured against its worldwide earnings. Additionally, the laws apply to any service accessible in Canada, potentially capturing platforms that do not have a physical Canadian office but allow Canadians to interact or create content. This creates a significant risk for companies operating AI chatbots or consumer platforms that are used by minors, as these sectors face the most acute exposure under the proposed rules.
What It Means for Cross-Border Operations
Canadian law has rarely regulated chatbots directly, making the DSA a landmark for AI governance. Meanwhile, the PPCDA brings Canada closer to other nations in its approach to children’s data. U.S. businesses with any Canadian dimension—whether through operations, users, or accessible platforms—must assess their risk exposure now.
The legislation is still in the early stages of the parliamentary process, but the financial and operational implications for international companies are clear.