UNITED STATES

Reported in 2024

Pillar Technical standards applied to ICT goods and online services  |  Sub-pillar Self-certification for product safety
Title 47 of the Code of Federal Regulations (47CFR)
The US has a predominantly self-certification regime for radio frequency devices, including intentional transmitters (mobile phones) and non-intentional radiators (PCs and TV receivers), where the manufacturer tests its product and prepares a technical report demonstrating compliance. The technical documentation must be retained and, if required, submitted to the Federal Communication Committee (FCC) on request.
Coverage Radio frequency devices

UNITED STATES

Since March 2013

Pillar Technical standards applied to ICT goods and online services  |  Sub-pillar Product screening and additional testing requirements
Provision in the “Consolidated and Further Continuing Appropriations Act, 2013” (H.R.933)
A provision in the Consolidated and Further Continuing Appropriations Act (H.R.933), which President Obama signed into law in March 2013, bars the Departments of Commerce and Justice, the National Aeronautics and Space Administration (NASA), and the National Science Foundation from procuring any information technology (IT) systems that are produced, manufactured, or assembled by any company owned, directed, or subsidised by the People’s Republic of China unless the Federal Bureau of Investigation (FBI) has completed an assessment of the security risk of cyber espionage or sabotage associated with the system to the United States.
Coverage Any information technology (IT) systems from the People’s Republic of China

UNITED STATES

Since February 1996

Pillar Intermediary liability  |  Sub-pillar Safe harbour for intermediaries for any activity other than copyright infringement
Communication Decency Act
The Communication Decency Act (Section 230) establishes a safe harbour regime for intermediaries beyond copyright infringement.
Coverage Internet intermediaries

UNITED STATES

Since April 2018
Since February 1996

Pillar Intermediary liability  |  Sub-pillar Monitoring requirement
Allow States and Victims to Fight Online Sex Trafficking Act (FOSTA) (H.R 1865)

Communication Decency Act
The Allow States and Victims to Fight Online Sex Trafficking Act and the Stop Enabling Sex Traffickers Act (FOSTA-SESTA) amended Section 230 of the Communication Decency Act in 2018 so that it no longer applies to federal or state sex-trafficking law. FOSTA allows for private lawsuits and criminal prosecutions against Internet platforms and websites based on any action perceived to either promote prostitution or advertise/facilitate sex trafficking. The law has been criticised for imposing in practice a monitoring requirement.
Coverage Internet intermediaries

UNITED STATES

Since November 2014, last amended in January 2020

Pillar Quantitative trade restrictions for ICT goods and online services  |  Sub-pillar Export restrictions on ICT goods or online services
Export Administration Regulations, including the Export Control Reform Act (ECRA)
The US Export Administration Regulations (EAR) regulate exports of commercial communication satellites and technology that uses certain types of encryption.
Commercial communications satellites were moved from the military export controls of the State Department to the civilian or “dual use” controls of the Commerce Department in 1996. These regulations are less restrictive than the previously applied United States Munitions List (USML) under the jurisdiction of the Directorate of Defence Trade Controls (DDTC). However, there are still export regulations in place, which may constitute an additional burden for exporters of these items. There is also the matter of the Export Control Reform Act (ECRA) of 2018, which came into effect in 2020. The ECRA modifies the existing EAR by focusing specifically on digital goods and dual-use technologies in a move largely seen as a counterbalancing act directed towards China.
Similarly, the Department of Commerce's Bureau of Industry and Security regulates the export of technology that uses certain types of encryption and imposes certain registration and reporting requirements, as well as provides outlines for when an item is deemed not subject to the EAR.
Coverage Commercial communication satellites; technology that uses certain types of encryption

UNITED STATES

Since 2018, last amended in December 2021
Since February 1997, last amended in December 2021

Pillar Quantitative trade restrictions for ICT goods and online services  |  Sub-pillar Export restrictions on ICT goods or online services
U.S. Commerce Control List

Entity List
The US Commerce Control List (CCL) is maintained by the Department of Commerce's Bureau of Industry and Security (BIS) and outlines controlled items subject to export restrictions. Sections 3-4 specifically address electronics and computers, with a recent focus on semiconductors and microchip technologies. These items are regulated through Export Control Lists to restrict their export to China and the (re-)export of related technologies from key allies such as Taiwan, Germany, South Korea, Japan, and the Netherlands to China. The CCL operates alongside the Entity List, which identifies specific firms, governments, and individuals restricted from accessing US exports.
Since February 2022, the BIS has also introduced a series of export controls targeting Russia and Belarus. In April 2022, a final rule imposed additional restrictive measures requiring export licenses for all items listed on the CCL, including sensitive dual-use technologies, software, and commodities with potential military applications. Among these dual-use items are ICT goods, such as equipment for manufacturing semiconductor boules or wafers, semiconductor devices, and electronic integrated circuits. Other restricted items include telephone sets, including those for cellular and wireless networks. These measures aim to curtail the technological capabilities of Russia and Belarus in light of ongoing geopolitical tensions.
Coverage ICT goods including dual-use goods and semiconductor technologies

UNITED STATES

Since June 1934, as amended in 1996

Pillar Telecom infrastructure & competition  |  Sub-pillar Presence of an independent telecom authority
Communications Act of 1934
According to the Communications Act of 1934 (as amended by the Telecommunications Act of 1996), the Federal Communications Commission (FCC), the executive authority for the supervision and administration of services in the telecommunications sector, is independent of the government in the decision-making process.
Coverage Telecommunications sector

UNITED STATES

Since August 2015, last amended in October 2021
Since December 2017

Pillar Cross-border data policies  |  Sub-pillar Ban to transfer and local processing requirement
Code of Federal Regulations

Federal Risk and Management Program Control Specific Contract Clauses
Pursuant to the Code of Federal Regulations (§239.7602-2 of Part 239 of Chapter 2 of Title 48), cloud computing service providers to the U.S. Department of Defence (DOD) may be required to store data relating to the DOD within the U.S. The service provider's authorising official may authorise storage of such data outside of the US, but this will ultimately depend on the sensitivity of the data in question. Similarly, Section 2.1 of the Federal Risk and Management Program (FedRAMP) Control Specific Contract Clauses require agencies with 'specific data location requirements' to include contractual obligations identifying where 'data-at-rest […] shall be stored'.
Coverage Public sector

UNITED STATES

Since October 1999

Pillar Cross-border data policies  |  Sub-pillar Local storage requirement
Network Security Agreements
The United States has not adopted laws or regulations requiring that data be stored locally in the United States. Nevertheless, it is reported that in some cases, Team Telecom - an informal grouping of the Departments of Defence, Homeland Security and Justice, and the Federal Bureau of Investigation - imposes requirements to store data locally in security agreements and assurances letters as a condition for the grant of a licence or consent for a merger or acquisition. In such cases, Team Telecom may require that such data be stored only in the United States or that copies of such data be made available in the United States.
Coverage Telecommunications sector

UNITED STATES

Since October 2019, entry into force in 2020
Since November 2018, entry into force in July 2020

Pillar Cross-border data policies  |  Sub-pillar Participation in trade agreements committing to open cross-border data flows
Agreement Between The United States Of America And Japan Concerning Digital Trade

United States - Mexico - Canada Agreement
The United States has joined agreements with binding commitments to open transfers of data across borders: the Agreement Between The United States Of America And Japan Concerning Digital Trade (Art. 11) and the United States-Mexico-Canada Agreement (Art. 19.11).
Coverage Horizontal

UNITED STATES

N/A

Pillar Domestic data policies  |  Sub-pillar Framework for data protection
Lack of comprehensive data protection law
The U.S. does not have a comprehensive regime of data protection in place. However, there are sectoral laws, including those covering financial services, healthcare, telecommunications, and education. Moreover, California passed a comprehensive privacy law in 2018, applicable to all businesses operating within the state. The California Consumer Privacy Act of 2018 requires firms to inform consumers about the categories of personal data they collect, sell, or disclose, as well as the recipients of such data. Additionally, the Act grants consumers the right to prohibit the sale or disclosure of their personal information. Consequently, individuals must be notified if their data may be sold and given the option to "opt-out".
Coverage Horizontal

UNITED STATES

Since October 1999

Pillar Domestic data policies  |  Sub-pillar Minimum period for data retention
Network Security Agreements
It is reported that foreign communications infrastructure providers have been asked to sign Network Security Agreements (NSAs) in order to operate in the U.S. The agreements impose local storage requirements for certain customers' data as well as minimum periods of data retention for data such as billing records and access logs. It is also reported that the agreements require companies to maintain what amounts to an “internal corporate cell of American citizens with government clearances”, ensuring that “when U.S. government agencies seek access to the massive amounts of data flowing through their networks, the companies have systems in place to provide it securely.”
Coverage Telecommunications sector

UNITED STATES

Since August 1996

Pillar Domestic data policies  |  Sub-pillar Requirement to perform a Data Protection Impact Assessment (DPIA) or have a data protection officer (DPO)
Health Insurance Portability and Accountability Act
The HIPAA of 2013 requires the designation of a privacy official for HIPAA-covered entities to develop and implement the policies and procedures of the entity (§ 164.530 on administrative requirements).
Coverage Health sector

UNITED STATES

Since 2002

Pillar Domestic data policies  |  Sub-pillar Requirement to perform a Data Protection Impact Assessment (DPIA) or have a data protection officer (DPO)
E-Government Act of 2002
The E-Government Act of 2002, Section 208, establishes the requirement for agencies to conduct privacy impact assessments (PIAs) for any electronic information collections and information technology (IT) systems that contain personally identifiable information (PII).
Coverage All federal agencies

UNITED STATES

Since 1978, last amended in 2018

Pillar Domestic data policies  |  Sub-pillar Requirement to allow the government to access personal data collected
Foreign Intelligence Surveillance Act (FISA) of 1978
Section 702 of the Foreign Intelligence Surveillance Act allows the National Security Agency to conduct searches of foreigners' communications without any warrant. It is reported that these searches incidentally collect an unknown amount of communications belonging to Americans.
Coverage Horizontal
