Section 702 of the Foreign Intelligence Surveillance Act allows the National Security Agency to conduct searches of foreigners' communications without any warrant. It is reported that these searches incidentally collect an unknown amount of communications belonging to Americans.

It is reported that foreign communications infrastructure providers have been asked to sign Network Security Agreements (NSAs) in order to operate in the US. These agreements ensure that U.S. government agencies have the ability to access communications data when legally requested, often through a National Security Letter (NSL). NSLs do not require prior approval from a judge. The data in question can include call-identifying information, user location, call duration, start time, end time, IP addresses, location information, URLs, etc., and must be reported to the federal Department in question within five business days following request.

Under Directive No. 3340-049a of 2018, US Customs and Border Protection (CBP) asserts broad powers to conduct device searches and requires travellers to provide their device passwords to CBP agents. Section 5.3.1 provides that "travellers are obligated to present electronic devices and the information contained therein in a condition that allows inspection of the device and its contents. If presented with an electronic device containing information that is protected by passcode encryption or other security mechanism, an officer may request the individual's assistance in presenting the electronic device and the information contained therein in a condition that allows inspection of the device and its contents." It is reported that CBP officers have compelled American citizens to unlock and hand over their phones, even after being told that the phones contained sensitive data. The directive also includes a provision that allows officers to examine a phone with external equipment if there is a "national security concern (Section 5.1.4).

The Digital Millennium Copyright Act (DMCA) establishes a safe harbour regime for intermediaries for copyright infringements. Title II of DMCA protects online intermediaries from liability in the case of copyright infringement, provided a notice and takedown system to deal with infringements is implemented. The DMCA amended Title 17 of the United States Code to extend the reach of copyright while limiting the liability of the providers of online services for copyright infringement by their users.
Intermediaries also have the right to counter-notify when they believe there is no copyright infringement involved. Safe harbour is available only to an intermediary that “does not receive a financial benefit directly attributable to the infringing activity, in a case in which the service provider has the right and ability to control such activity."

The Communication Decency Act (Section 230) establishes a safe harbour regime for intermediaries beyond copyright infringement.

According to the Communications Act of 1934 (as amended by the Telecommunications Act of 1996), the Federal Communications Commission (FCC), the executive authority for the supervision and administration of services in the telecommunications sector, is independent of the government in the decision-making process.

Pursuant to the Code of Federal Regulations (§239.7602-2 of Part 239 of Chapter 2 of Title 48), cloud computing service providers to the U.S. Department of Defence (DOD) may be required to store data relating to the DOD within the U.S. The service provider's authorising official may authorise storage of such data outside of the US, but this will ultimately depend on the sensitivity of the data in question. Similarly, Section 2.1 of the Federal Risk and Management Program (FedRAMP) Control Specific Contract Clauses require agencies with 'specific data location requirements' to include contractual obligations identifying where 'data-at-rest […] shall be stored'.

Section 1 of Executive Order No. 14117 introduces stringent review mechanisms for the transfer of personal data and explicitly prohibits data sharing with foreign entities affiliated with designated "countries of concern". Section 2 of the Order directs the United States Department of Justice (DOJ) to establish regulations aimed at preventing the large-scale transfer of sensitive personal and government-related data to such countries. In accordance with this Order, the DOJ promulgated the "Final Rule Implementing Provisions Pertaining to Preventing Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons". This regulation governs, restricts, and, in certain instances, prohibits the dissemination of U.S. Government-related information and bulk sensitive personal data to entities associated with countries of concern. Under Section 202.601, the current list of countries of concern includes China (inclusive of Hong Kong and Macau), Cuba, Iran, North Korea, Russia, and Venezuela. The Rule delineates two categories of transactions: specific highly sensitive transactions are outright prohibited, whereas other classes of transactions are subject to compliance with defined security protocols designed to mitigate the risk of unauthorised access to high-risk bulk data. Section 202.249 defines sensitive personal data to encompass precise geolocation information, biometric identifiers, human genomic data, personal health and financial information, as well as personal identifiers.
In addition, the "Protecting Americans’ Data from Foreign Adversaries Act of 2024" further empowers the federal government to block transactions involving the transfer of sensitive data that may pose national security risks. Section 2 of the Act prohibits data brokers from selling, licensing, renting, trading, transferring, releasing, disclosing, providing access to, or otherwise making available personally identifiable sensitive data of U.S. individuals (i.e., persons residing in the United States) to any foreign adversary country or to entities under their control. Currently, foreign adversary countries are defined as China, Iran, North Korea, and Russia. Although the Act is ostensibly directed at data brokers, the term is defined broadly and may encompass a substantial proportion of U.S. businesses engaged in data-sharing practices for purposes such as digital marketing, online engagement, and other routine commercial activities.

The United States has not adopted laws or regulations requiring that data be stored locally in the United States. Nevertheless, it is reported that in some cases, Team Telecom - an informal grouping of the Departments of Defence, Homeland Security and Justice, and the Federal Bureau of Investigation - imposes requirements to store data locally in security agreements and assurances letters as a condition for the grant of a licence or consent for a merger or acquisition. In such cases, Team Telecom may require that such data be stored only in the United States or that copies of such data be made available in the United States.

The United States has entered into two international agreements that contain binding commitments to ensure the free flow of data across borders. These include the United States–Mexico–Canada Agreement (USMCA, Art. 19.11), and the Agreement Between the United States of America and Japan Concerning Digital Trade (Art. 11).

There is no single, overarching data protection statute in the United States. Instead, a patchwork of hundreds of laws enacted at both the federal and state levels serves to safeguard the personal data of U.S. residents. At the federal level, the Federal Trade Commission Act broadly authorises the U.S. Federal Trade Commission to initiate enforcement actions in relation to federal privacy and data protection regulations. Other federal statutes primarily pertain to specific sectors, such as financial services or healthcare. In parallel with the federal framework, state-level statutes protect a wide array of privacy rights of individual residents.

Based on 2024 data, the United States ranks first in global digital piracy traffic, accounting for 12.3% of all visits to piracy-related platforms. This includes activity across television, publishing, film, software, and music. The US has been among the top countries involved in digital piracy in recent years.

The US has ratified the World Intellectual Property Organization (WIPO) Copyright Treaty.

The US has ratified the World Intellectual Property Organization (WIPO) Performances and Phonograms Treaty.

The Defend Trade Secrets Act (DTSA) provides a framework for the effective protection of trade secrets by establishing a federal claim for misappropriation of trade secrets. Until the adoption of the DTSA, trade secrets had been protected at the state level, with all states, other than New York, adopting their own version of the Uniform Trade Secrets Act (UTSA). States adopting the UTSA impose liability for improper acquisition of trade secrets; use or disclosure of a trade secret is not required for liability, though additional damages may accrue. On the other hand, States (New York) adopting the Restatement of Torts (Section 757) approach require unauthorised use or disclosure for liability to accrue.