It is reported that foreign communications infrastructure providers have been asked to sign Network Security Agreements (NSAs) in order to operate in the U.S. The agreements impose local storage requirements for certain customers' data as well as minimum periods of data retention for data such as billing records and access logs. It is also reported that the agreements require companies to maintain what amounts to an “internal corporate cell of American citizens with government clearances”, ensuring that “when U.S. government agencies seek access to the massive amounts of data flowing through their networks, the companies have systems in place to provide it securely.”

Pursuant to Section 164.530(a) of Title 45 of the Code of Federal Regulations, a covered entity is required to designate a privacy official who shall be responsible for the development and implementation of the entity’s privacy policies and procedures. The term "covered entity" encompasses: (1) a health plan; (2) a health care clearinghouse; and (3) a health care provider who transmits any health information in electronic form in connection with a transaction subject to the provisions of this subchapter.

Section 702 of the Foreign Intelligence Surveillance Act allows the National Security Agency to conduct searches of foreigners' communications without any warrant. It is reported that these searches incidentally collect an unknown amount of communications belonging to Americans.

It is reported that foreign communications infrastructure providers have been asked to sign Network Security Agreements (NSAs) in order to operate in the US. These agreements ensure that U.S. government agencies have the ability to access communications data when legally requested, often through a National Security Letter (NSL). NSLs do not require prior approval from a judge. The data in question can include call-identifying information, user location, call duration, start time, end time, IP addresses, location information, URLs, etc., and must be reported to the federal Department in question within five business days following request.

Under Directive No. 3340-049a of 2018, US Customs and Border Protection (CBP) asserts broad powers to conduct device searches and requires travellers to provide their device passwords to CBP agents. Section 5.3.1 provides that "travellers are obligated to present electronic devices and the information contained therein in a condition that allows inspection of the device and its contents. If presented with an electronic device containing information that is protected by passcode encryption or other security mechanism, an officer may request the individual's assistance in presenting the electronic device and the information contained therein in a condition that allows inspection of the device and its contents." It is reported that CBP officers have compelled American citizens to unlock and hand over their phones, even after being told that the phones contained sensitive data. The directive also includes a provision that allows officers to examine a phone with external equipment if there is a "national security concern (Section 5.1.4).

The Digital Millennium Copyright Act (DMCA) establishes a safe harbour regime for intermediaries for copyright infringements. Title II of DMCA protects online intermediaries from liability in the case of copyright infringement, provided a notice and takedown system to deal with infringements is implemented. The DMCA amended Title 17 of the United States Code to extend the reach of copyright while limiting the liability of the providers of online services for copyright infringement by their users.
Intermediaries also have the right to counter-notify when they believe there is no copyright infringement involved. Safe harbour is available only to an intermediary that “does not receive a financial benefit directly attributable to the infringing activity, in a case in which the service provider has the right and ability to control such activity."

The Communication Decency Act (Section 230) establishes a safe harbour regime for intermediaries beyond copyright infringement.

Section 1.50002 of the Commission's rules mandates that the Public Safety and Homeland Security Bureau publish a "Covered List" of communications equipment and services deemed to pose an unacceptable risk to U.S. national security or the safety of U.S. persons. This designation is based on specific sources of risk assessment. Telecommunications providers in the U.S. are required to remove any equipment or services from companies on this list from their networks and are prohibited from using Federal Communications Commission (FCC) funds to acquire such equipment or services. The Covered List includes several foreign companies, such as Huawei, ZTE, Hytera Communications, Hangzhou Hikvision Digital Technology, Dahua Technology, AO Kaspersky Lab, China Mobile International USA, China Telecom (Americas) Corp, Pacific Networks Corp, and China Unicom (Americas) Operations Limited.

The United States has appended the World Trade Organization (WTO) Telecom Reference Paper to its schedule of commitments.

According to the Communications Act of 1934 (as amended by the Telecommunications Act of 1996), the Federal Communications Commission (FCC), the executive authority for the supervision and administration of services in the telecommunications sector, is independent of the government in the decision-making process.

Pursuant to the Code of Federal Regulations (§239.7602-2 of Part 239 of Chapter 2 of Title 48), cloud computing service providers to the U.S. Department of Defence (DOD) may be required to store data relating to the DOD within the U.S. The service provider's authorising official may authorise storage of such data outside of the US, but this will ultimately depend on the sensitivity of the data in question. Similarly, Section 2.1 of the Federal Risk and Management Program (FedRAMP) Control Specific Contract Clauses require agencies with 'specific data location requirements' to include contractual obligations identifying where 'data-at-rest […] shall be stored'.

Section 1 of Executive Order No. 14117 introduces stringent review mechanisms for the transfer of personal data and explicitly prohibits data sharing with foreign entities affiliated with designated "countries of concern". Section 2 of the Order directs the United States Department of Justice (DOJ) to establish regulations aimed at preventing the large-scale transfer of sensitive personal and government-related data to such countries. In accordance with this Order, the DOJ promulgated the "Final Rule Implementing Provisions Pertaining to Preventing Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons". This regulation governs, restricts, and, in certain instances, prohibits the dissemination of U.S. Government-related information and bulk sensitive personal data to entities associated with countries of concern. Under Section 202.601, the current list of countries of concern includes China (inclusive of Hong Kong and Macau), Cuba, Iran, North Korea, Russia, and Venezuela. The Rule delineates two categories of transactions: specific highly sensitive transactions are outright prohibited, whereas other classes of transactions are subject to compliance with defined security protocols designed to mitigate the risk of unauthorised access to high-risk bulk data. Section 202.249 defines sensitive personal data to encompass precise geolocation information, biometric identifiers, human genomic data, personal health and financial information, as well as personal identifiers.
In addition, the "Protecting Americans’ Data from Foreign Adversaries Act of 2024" further empowers the federal government to block transactions involving the transfer of sensitive data that may pose national security risks. Section 2 of the Act prohibits data brokers from selling, licensing, renting, trading, transferring, releasing, disclosing, providing access to, or otherwise making available personally identifiable sensitive data of U.S. individuals (i.e., persons residing in the United States) to any foreign adversary country or to entities under their control. Currently, foreign adversary countries are defined as China, Iran, North Korea, and Russia. Although the Act is ostensibly directed at data brokers, the term is defined broadly and may encompass a substantial proportion of U.S. businesses engaged in data-sharing practices for purposes such as digital marketing, online engagement, and other routine commercial activities.

The United States has not adopted laws or regulations requiring that data be stored locally in the United States. Nevertheless, it is reported that in some cases, Team Telecom - an informal grouping of the Departments of Defence, Homeland Security and Justice, and the Federal Bureau of Investigation - imposes requirements to store data locally in security agreements and assurances letters as a condition for the grant of a licence or consent for a merger or acquisition. In such cases, Team Telecom may require that such data be stored only in the United States or that copies of such data be made available in the United States.

It is reported that the U.S. does not mandate functional separation for operators with significant market power (SMP) in the telecom market. However, accounting separation is required by law.

It is reported that entities intending to offer telecommunications services between the United States and any foreign destination are required to apply for, and obtain, an international Section 214 authorisation from the Federal Communications Commission (FCC), pursuant to the Communications Act of 1934, prior to initiating service. The approval of licence assignment applications may occur as swiftly as overnight or may extend over several months, depending on various factors, including the involvement of foreign ownership. Although the FCC has established detailed licensing timelines, including a 14-day streamlined review process for the majority of international Section 214 applications, this expedited procedure is typically suspended in cases where aggregate foreign ownership exceeds 10%. In such instances, the FCC refers the application to the Committee for the Assessment of Foreign Participation in the United States Telecommunications Services Sector (commonly referred to as Team Telecom), which conducts potentially protracted national security reviews.