
🎙️ Episode 25 is live

Canada's under-16 social ban; CISA's 72-hour patch clock · ~12 min listen

Top 5 stories this week

  1. Canada tables Bill C-34, the Safe Social Media Act — 16-year minimum age for social media, mandatory age verification for upload-enabled porn sites, statutory AI-chatbot safety duties, and a new Digital Safety Commission. Second-reading debate begins within weeks. Sources: Canada.ca news release · Parliament of Canada — C-34 first reading

  2. CISA Binding Operational Directive 26-04 starts a 72-hour patch clock — risk-scored remediation for federal agencies (four criteria: exposure, KEV listing, exploit automation, post-exploitation impact). FedRAMP-hosted systems are in scope. Agencies have 60 days to update processes, 180 days to meet the timelines. Sources: CISA — BOD 26-04 · CISA press release

  3. EU publishes final Code of Practice for labelling AI-generated content — the practical bridge to AI Act Article 50 transparency duties (apply August 2, 2026). Voluntary, but signing brings a presumption-of-conformity pathway. Pre-August-2026 systems' marking grace period cut from six months to three (lands December 2, 2026). Sources: Commission publication · Commission press release

  4. The five-week deadline corridor — a dozen-plus hard compliance dates land between June 13 and July 18, including the July 1 quadruple wall: MiCA CASP hard stop, four US state age-verification laws (NE/CT/CO/LA), China outbound-investment regs, and TC260 personal-information standards.

  5. Enforcement watch — FTC finalises the Illuminate Education order (10.1M students affected); CNIL fines IQVIA €5M over health-data warehouses; California's record $12.75M CCPA settlement with GM/OnStar is the first enforcement of the data-minimization rule; Ofcom's age-assurance enforcement push widens.

Compliance action items

  • File Basel III “Endgame, Take Two” comment letters (Fed/OCC/FDIC) — June 18

  • Deploy UK DUAA data-protection complaints-handling procedure (no SME exemption) — June 19

  • EU AI Act high-risk classification guidelines — consultation closes June 23

  • Australian search engines deploy age assurance (eSafety Phase 2) — June 27

  • NIS2 first compliance audit deadline · FedRAMP CR26 finalization — June 30

  • MiCA CASP hard stop — confirm licence or execute orderly EU client exit — July 1

  • Review generative-AI pipelines against EU marking Code; sign-or-alternative decision — by August 2

  • Federal CSPs: map CONMON/vulnerability feeds to BOD 26-04's four risk criteria — before August 9

Resources

CyberEyeQ — Actionable Regulatory Intelligence. This episode is for informational purposes only and does not constitute legal advice.
