It is reported that the de minimis threshold, that is the minimum value of goods below which customs do not charge duties, is USD 800, above the 200 USD threshold recommended by the International Chamber of Commerce (ICC).

Foreign entities or organisations need a bona fide presence to set up a US domain (".us") or be a US citizen, permanent resident or an American organisation. "Bona fide presence" requires the entity to have either physical presence or regularly engage in lawful activities (sales of goods or services or other business, commercial or non-commercial, including not-for-profit activities) in the United States. The ".com" and ".org" domains have been made available by US authorities to both domestic and foreign users.

The consumer protection framework governing online commerce in the United States comprises a combination of federal and state statutes and regulations. Prominent legislation includes the Federal Trade Commission Act, as amended by the U.S. Safe Web Act, and the INFORM Consumers Act. Additionally, the Federal Trade Commission has established specific consumer protection regulations aimed at regulating advertising practices and overseeing consumer transactions conducted via the internet.

The U.S. has not signed the United Nations (UN) Convention on the Use of Electronic Communications in International Contracts.

The U.S. has adopted national legislation based on or influenced by the United Nations Commission on International Trade Law (UNCITRAL) Model Law on Electronic Commerce.

The U.S. has not adopted national legislation based on or influenced by the United Nations Commission on International Trade Law (UNCITRAL) Model Law on Electronic Signatures.

The US Export Administration Regulations (EAR) regulate exports of commercial communication satellites and technology that uses certain types of encryption.
Commercial communications satellites were moved from the military export controls of the State Department to the civilian or “dual use” controls of the Commerce Department in 1996. These regulations are less restrictive than the previously applied United States Munitions List (USML) under the jurisdiction of the Directorate of Defence Trade Controls (DDTC). However, there are still export regulations in place, which may constitute an additional burden for exporters of these items. There is also the matter of the Export Control Reform Act (ECRA) of 2018, which came into effect in 2020. The ECRA modifies the existing EAR by focusing specifically on digital goods and dual-use technologies in a move largely seen as a counterbalancing act directed towards China.
Similarly, the Department of Commerce's Bureau of Industry and Security regulates the export of technology that uses certain types of encryption and imposes certain registration and reporting requirements, as well as provides outlines for when an item is deemed not subject to the EAR.

The US Commerce Control List (CCL) is maintained by the Department of Commerce's Bureau of Industry and Security (BIS) and outlines controlled items subject to export restrictions. Sections 3-4 specifically address electronics and computers, with a recent focus on semiconductors and microchip technologies. These items are regulated through Export Control Lists to restrict their export to China and the (re-)export of related technologies from key allies such as Taiwan, Germany, South Korea, Japan, and the Netherlands to China. The CCL operates alongside the Entity List, which identifies specific firms, governments, and individuals restricted from accessing US exports.
Since February 2022, the BIS has also introduced a series of export controls targeting Russia and Belarus. In April 2022, a final rule imposed additional restrictive measures requiring export licenses for all items listed on the CCL, including sensitive dual-use technologies, software, and commodities with potential military applications. Among these dual-use items are ICT goods, such as equipment for manufacturing semiconductor boules or wafers, semiconductor devices, and electronic integrated circuits. Other restricted items include telephone sets, including those for cellular and wireless networks. These measures aim to curtail the technological capabilities of Russia and Belarus in light of ongoing geopolitical tensions.

In August 2022, NVIDIA Corporation, a leading US-based chipmaker known for its innovations in graphics processing units (GPUs), artificial intelligence (AI), and high-performance computing, announced that the US government had introduced a new licensing requirement for the export of two of the company’s integrated circuits used as accelerators in AI to China (including Hong Kong) and Russia. This requirement also applies to any future NVIDIA integrated circuits with similar performance, as well as any systems incorporating these circuits.

The procedure for equipment authorisation under Federal Communications Commission (FCC) rules depends on the radio frequency (RF) functions of the device. Intentional radiators, which are devices designed to emit RF energy such as transmitters, must be authorised through the certification process, unless otherwise specified. Certification is the most rigorous form of authorisation and applies to equipment with a high potential to cause harmful interference to radio services. It involves a series of laboratory tests assessing the device’s electromagnetic interference (EMI) and electromagnetic compatibility (EMC), conducted by an FCC-recognised accredited laboratory. The responsible party, such as the manufacturer or importer, must submit the test results and supporting documentation to an FCC-approved Telecommunication Certification Body (TCB), which evaluates whether the device complies with all applicable standards. Examples of intentional radiators include mobile phones, Wi-Fi equipment, Bluetooth devices, and remote controls. Unintentional radiators, such as digital circuitry that emits RF energy unintentionally, are generally authorised through the Supplier’s Declaration of Conformity (SDoC) procedure, which is less demanding and does not require TCB involvement. Many modern devices, such as smartphones, tablets, and notebook computers, incorporate both types of radiators; in such cases, the intentional radiator components must be certified, while the unintentional radiator components may be authorised under the SDoC procedure, with each part subject to the relevant testing and compliance requirements.

The Allow States and Victims to Fight Online Sex Trafficking Act and the Stop Enabling Sex Traffickers Act (FOSTA-SESTA), has amended Section 230 of the Communication Decency Act in 2018 to no longer apply to federal or state sex-trafficking law. FOSTA allows for private lawsuits and criminal prosecutions against Internet platforms and websites based on any action perceived to either promote prostitution or advertise/facilitate sex trafficking. The law has been critised for imposing in practice a monitoring requirement.

The Protecting Americans from Foreign Adversary Controlled Applications Act aims to prevent entities based in countries designated as “foreign adversaries” from controlling more than 20% of a platform that hosts user-generated content. It specifically designates TikTok and other ByteDance-owned platforms, such as the video editor CapCut, as “foreign adversary controlled applications” and requires a divestiture process to ensure that the platforms are no longer “controlled by a foreign adversary.” If ByteDance does not complete the divestiture of TikTok’s United States operations by 19 January 2025, the Act prohibits internet companies, including mobile app stores, cloud service providers, and file-hosting companies, from distributing, maintaining, updating, or providing internet hosting services to the platform. It authorises the Department of Justice to pursue civil penalties against any entity that violates this prohibition. The measure also empowers the President to designate other applications as “foreign adversary controlled applications” under the law, thereby extending its scope beyond ByteDance-owned platforms.

In 2024, the United States Department of Commerce’s Bureau of Industry and Security (BIS) issued a Final Determination prohibiting Kaspersky Lab, Inc., the U.S. subsidiary of a Russian cybersecurity and anti-virus software firm, from offering its products and services within the United States or to U.S. persons. This prohibition extended to Kaspersky’s affiliates, subsidiaries, and parent companies. As a result, Kaspersky was no longer permitted to sell its software or provide updates to existing users. However, the Department allowed limited operations to continue until September 2024.

The United States has entered into two international agreements that contain binding commitments to ensure the free flow of data across borders. These include the United States–Mexico–Canada Agreement (USMCA, Art. 19.11), and the Agreement Between the United States of America and Japan Concerning Digital Trade (Art. 11).

There is no single, overarching data protection statute in the United States. Instead, a patchwork of hundreds of laws enacted at both the federal and state levels serves to safeguard the personal data of U.S. residents. At the federal level, the Federal Trade Commission Act broadly authorises the U.S. Federal Trade Commission to initiate enforcement actions in relation to federal privacy and data protection regulations. Other federal statutes primarily pertain to specific sectors, such as financial services or healthcare. In parallel with the federal framework, state-level statutes protect a wide array of privacy rights of individual residents.