DPA Digital Digest: United States of America

A close-up of the United States' regulatory approach to data governance, content moderation, competition and more.

This is the ninth issue of the “DPA Digital Digest” series based on the Digital Policy Alert database. This series provides concise summaries of each G20 nation’s recent policy changes in data governance, content moderation, competition and further domestic focal points.

Authors

Tommaso Giardini, Maria Buza

Date Published

23 May 2023

The United States (US) boasts the world's largest digital economy, which accounted for 9.6% of its GDP (USD 2051.6 billion) in 2019. The US is home to the world's largest technology firms, four of which currently exceed trillion-dollar market capitalisations, that are exposed to emergent digital fragmentation. Internationally, technology grows in importance in tensions with China, leading the US to invest approx. USD 280 billion to bolster semiconductor capacity.

But what do the US' domestic digital policies stand for? The ninth DPA Digital Digest provides a succinct overview of federal policy developments since 2023 in major policy areas and US-specific points of emphasis.

  • In data governance, the US has proposed federal privacy bills without success and implemented various cybersecurity frameworks. Data transfer negotiations with the European Union are ongoing, while a conflict with China has been resolved.

  • In content moderation, several bills are trying to introduce intermediary liability as well as moderation obligations relating to child sexual abuse material. Litigation upheld the Section 230 liability shield but is pending regarding controversial state social media bills.

  • In competition policy, the US has not yet adopted substantial legislation on digital markets but is currently investigating large technology firms' conduct and mergers through several agencies.

  • The US' points of emphasis include artificial intelligence, minor protection, 'national security'-motivated access restrictions and cryptocurrencies.

Written by Tommaso Giardini and Maria Buza. Edited by Johannes Fritz.


Discover the details of United States' approach below and stay informed on our dedicated page: https://digitalpolicyalert.org/countries/united-states-of-america

Data governance

Data protection policy developments

The US does not have a comprehensive privacy law at the federal level.[1] The American Data Privacy and Protection Act, a proposal with momentum, failed to pass before the 117th Congress adjourned in January 2023. The new Congress has introduced, but not advanced, several privacy bills of varying scope. The Data Care Act introduces duties of care and confidentiality for "online service providers" that collect information making users identifiable. The Online Privacy Act establishes data subject rights (e.g. to access, correct and delete data) and imposes restrictions on data collection (e.g. data minimisation). Some proposals focus on minors' data. The Clean Slate for Kids Online Act enables the deletion of any data collected before the subject turned 13. The Children and Teens' Online Privacy Protection Act prohibits personal data collection from subjects between 13 and 16. The Kids PRIVACY Act requires platforms to obtain consent for collecting and processing data of subjects under 18. Other proposals focus on specific types of data, such as the Stop Spying Bosses Act (workers' data), the UPHOLD Privacy Act (health and location data) and the Data Privacy Act (financial customer data). Finally, the Online Privacy Act would establish a Digital Privacy Agency. 

The 2023 National Cybersecurity Strategy aims to shift the burden of cybersecurity from individuals and SMEs onto organisations capable of reducing risks. Following the Colonial Pipeline cyberattack in May 2021, President Biden declared a national emergency and issued the Executive Order to Improve the Nation's Cybersecurity. Since then, several policies advanced government cybersecurity. Federal agencies must comply with the National Institute of Standards and Technology (NIST)'s guidance on using third-party software. The National Defense Authorization Act introduced cybersecurity certification for cloud vendors who store government data. The Quantum Computing Cybersecurity Preparedness Act initiated the migration of government IT systems to post-quantum cryptography. Currently, two agencies are revising their frameworks. The NIST is drafting a second version of its Cybersecurity Framework, which outlines steps for organisations to mitigate, resolve, detect and report cybersecurity risks. The Federal Communications Commission (FCC) is revising its data breach reporting requirements to remove the current mandatory seven-day waiting period before notification. 

Many US cybersecurity rules are sectoral. The Cyber Incident Reporting for Critical Infrastructure Act requires critical infrastructure entities to report significant cyberattacks within 72 hours and ransomware attacks within 24 hours, to the Cybersecurity and Infrastructure Security Agency (CISA). The Transportation Security Administration issued cybersecurity rules for airports and aircraft operators. The Department of Health and Human Services published a Cybersecurity Framework Implementation Guide. Currently, the Securities and Exchange Commission is deliberating cybersecurity risk management rules for investment advisers.

Data transfer/localisation developments

The US has been negotiating a Transatlantic Data Privacy Framework with the European Union (EU) ever since the Court of Justice of the European Union invalidated the US-EU Privacy Shield in 2020. Having reached an agreement in principle on the framework in March 2022, the US president issued the Executive Order On Enhancing Safeguards for United States Signals Intelligence Activities to implement US commitments in October 2022. The order addresses US intelligence services' access to EU user data by establishing principles for conducting signals intelligence activities (legitimate purpose, necessity, oversight), rules on the processing of collected information, and an international Signals Intelligence Redress Mechanism. The EU is still deliberating its adequacy decision for the Framework, on which the European Data Protection Board and the European Parliament raised concerns.

In December 2022, the US Public Company Accounting Oversight Board (PCAOB) confirmed its ability to inspect public accounting firms established in China and Hong Kong, ending tensions including the possibility of delisting Chinese companies from US exchanges. The US Holding Foreign Companies Accountable Act gives the PCAOB the power to inspect companies issuing securities in the US using a foreign accounting firm, to certify that they are not owned or controlled by a foreign governmental entity. Following a 2021 PCAOB report stating its inability to inspect Chinese firms and Securities and Exchange Commission enforcement threatening delisting, a cooperation agreement to grant inspection access was signed in August 2022.

Enforcement developments

In May 2023, the US Federal Trade Commission (FTC) proposed to amend its 2020 privacy order against Meta/Facebook. The FTC alleges that Meta deceived parents on their ability to control their children's communication on the Messenger Kids app and about data sharing with application developers. The amendments prohibit Meta, including its services Facebook, Instagram, WhatsApp and Oculus, from monetising data collected on users under 18. 

The FTC is currently focusing on health data, following its 2021 statement clarifying that health apps are subject to the Health Breach Notification Rule. In February 2023, the FTC ordered GoodRx to pay a civil penalty of USD 1.5 million for failing to notify consumers of unauthorised health data disclosures for advertising purposes. In May 2023, the FTC fined Premom USD 100,000 and banned it from sharing consumer data for advertising, due to the sharing of sensitive health data with third parties without consent. In March 2023, the FTC proposed an order against BetterHelp for sharing health data with third parties for targeted advertising without consent and security measures. The proposal requires BetterHelp to pay USD 7.8 million, direct third parties to delete health data and obtain consent before data disclosures.

The FTC further focuses on data collection practices. In May 2022, the FTC fined Twitter USD 150 million for deceptively collecting over 140 million users' data, supposedly for account protection, and providing access to advertisers for targeting. In addition to the fine, Twitter cannot profit from deceptively collected data, must notify affected users and must develop a comprehensive privacy program. In December 2022, the FTC announced a settlement with Epic Games including a fee of USD 275 million for allegedly collecting personal data from users under 13 from its Fortnite game without providing information on the data collection or obtaining parental consent.

Content moderation

Content moderation developments

Online content moderation and user speech rights are central topics in US digital policy, largely due to “Section 230” (U.S. Code Title 47/Communications Decency Act). The provision creates a liability shield for “interactive computer services”, which are not regarded as “information content providers” or publishers of user content. A withdrawn Executive Order attempted to repeal this immunity, as do several currently deliberated bills. The See Something, Say Something Online Act aims to remove the immunity for platforms that fail to report suspicious activity relating to serious crimes (illegal drug sales, hate crimes, murder, terrorism). The EARN IT Act removes the immunity for platforms that do not prevent the distribution of child sexual abuse material. The DISCOURSE Act removes the immunity for platforms that amplify specific content through algorithms, limit the expression of specific worldviews or fund specific content. The Social Media Accountability Act removes the immunity for platforms that censor content and de-platform users that do not violate the terms of use.

In May 2023, the Supreme Court clarified the applicability of Section 230 in two cases concerning intermediary liability for ISIS content. In Gonzalez v Google, the Supreme Court confirmed that Section 230 immunity extends to targeted algorithmic content recommendation. In Twitter v Taamneh, the Supreme Court denied that social media platforms “aid and abet” terrorism by not removing and algorithmically recommending ISIS content.

Beyond amendments to Section 230, several content moderation bills are under debate. The END CSAM Act introduces fines of USD 100,000 to 500,000 for “social media companies” that host child sexual abuse material and requires companies to install a notification mechanism including a designated agent. The REPORT Act strengthens mandatory reporting obligations regarding online sexual exploitation of children to the National CyberTipline. The Preventing Deepfakes of Intimate Images Act establishes the non-consensual creation and sharing of AI-generated, manipulated intimate content as a criminal offence. The Honest Ads Act aims to prevent foreign interference in US elections by granting the Federal Election Commission the power to monitor and regulate online political advertising. Finally, the Journalism Competition and Preservation Act regulates content remuneration negotiations between news organisations and digital platforms. Platforms exceeding monthly active users of 50 million (US) or 1 billion (global) and USD 550 billion in annual sales must follow a specific negotiation procedure, which enables news organisations to bargain collectively.

With respect to user access rights, US courts are litigating two wide-ranging social media laws from Texas and Florida. The Texas law prohibits social media platforms with over 50 million users from blocking users and content based on political beliefs, while requiring the takedown of illegal content within 48 hours of notification. The Florida Bill prohibits social media platforms from deplatforming and shadow-banning political candidates and restricting large journalistic enterprises with more than 100,000 active users per month or 50,000 paid subscribers. Social media platforms must disclose standards for censoring, deplatforming, and shadow-banning content or users.

Competition

Competition policy developments

Ensuring competition in digital markets is a priority for the US government, as evidenced by the 2021 Executive Order on Promoting Competition in the American Economy. The order strives to ensure competition in the digital sphere by encouraging the Federal Trade Commission to pursue stricter merger controls concerning big technology companies and investigate anti-competitive behaviour and data accumulation in online markets.

Competition bills, however, are rarely adopted. The current Congress is deliberating several proposals. The Advertising Middlemen Endangering Rigorous Internet Competition Accountability (AMERICA) Act introduces consumer transparency requirements and prohibits companies with annual digital advertising revenue over USD 20 billion from owning more than one component of the digital advertising ecosystem (e.g. sell-side platforms, buy-side platforms, advertising space). The Digital Platform Commission Act establishes a federal agency to regulate online platforms. The agency can conduct investigations, issue fines and regulations, and designate “systemically important digital platforms” that are subject to specific rules.

The previous Congress had also proposed ambitious competition bills, including the Open App Markets Act and the American Innovation and Choice Online Act. Instead of ambitious proposals, however, Congress adopted only minor competition bills before adjourning in January 2023. The State Antitrust Enforcement Venue Act prohibits, in antitrust cases, requests from companies to move cases to preferred courts, but allows for the consolidation of cases on similar issues. The Foreign Merger Subsidy Disclosure Act requires companies operating in the US to disclose economic support (of all kinds) from foreign states to the FTC and the Department of Justice before mergers. The Merger Filing Fee Modernization Act changes merger filing fees companies must pay to the Federal Trade Commission (FTC) for the review of proposed acquisitions, increasing fees for transactions over USD 1 billion. Another adopted bill, the INFORM Consumers Act, requires online marketplaces to collect and verify contact and financial information on third-party sellers (with over 200 sales or USD 5,000 revenue per year) and enable consumers to report suspicious activities. The current Congress is considering several bills to expand consumer protection, concerning smart devices, automatic subscription renewals, and products’ country of origin. Finally, the FTC is deliberating an Unfair or Deceptive Fees Trade Regulation Rule to require transparent pricing.

Enforcement developments

Various government bodies enforce unilateral conduct rules in digital markets. State Attorneys General conduct joint investigations into large technology firms with federal agencies. In April 2023, the Court of Appeals for the District of Columbia Circuit affirmed a ruling dismissing a lawsuit by the Federal Trade Commission (FTC) and several states regarding Meta's alleged monopoly position. The lawsuit aimed to undo Meta's acquisitions of Instagram and WhatsApp because of its "buy-or-bury" approach. It was dismissed due to the delay in filing and unsubstantiated claims. In January 2023, the Department of Justice (DOJ) and several states filed a lawsuit against Google over the alleged monopolisation of digital advertising technology. The lawsuit claims that Google 1) acquired competitors to increase its control over digital advertising tools for website publishers, 2) "forced" website publishers to use its tools through its advertising exchange and thus preferenced its own products, 3) distorted competition in advertising auctioning by limiting real-time bidding to its advertising exchange and 4) engaged in auction manipulation. A previous lawsuit by the DOJ and several states alleges that Google created and maintained a monopoly in the search advertising market through exclusivity agreements and the preferential treatment of its own services. 

Unilateral conduct rules are further enforced through federal agencies' investigations and civil lawsuits. In March 2023, the FTC reached a settlement with Epic Games including compensation of USD 245 million to consumers for employing dark patterns. Through dark patterns, Epic increased purchase numbers, allowed children to purchase without parental authorisation and blocked access to purchased content. In the Epic Games v. Apple lawsuit, Epic Games accuses Apple of non-competitive behaviour since Apple does not allow external in-app payment systems and charges a 30% commission for its own in-app purchase system. In April 2023, the US Court of Appeals for the Ninth Circuit ruled that Apple did not violate competition law by banning competing app marketplaces on iPhones. Still, Apple must allow developers to place links inside their apps for users to make external purchases.

The FTC is also in charge of merger control. In December 2022, the FTC issued a complaint against the Microsoft/Activision Blizzard acquisition. The complaint alleges that Microsoft 1) has previously bought rivals in gaming to suppress competition, 2) restricted rival consoles' access to games, and 3) could restrict the availability of Activision games to Microsoft consoles. In February 2023, the FTC dismissed its complaint against the Meta/Within merger following a court ruling that found insufficient grounds for blocking the acquisition. The FTC originally claimed that the transaction would lessen competition or create a monopoly in the virtual reality fitness applications market.

Further points of emphasis

Artificial Intelligence

Artificial Intelligence (AI) is a strategic priority for the US, as evidenced in the 2019 Executive Order focused on Maintaining American Leadership in AI. Currently, the government emphasises the mitigation of AI risks. In May 2023, the White House announced the Action Plan to Promote Responsible AI Innovation, aiming to develop a comprehensive framework of AI risks and opportunities, through National AI Research Institutes, public evaluations of AI systems and additional guidance. The Advancing American AI Act, adopted in December 2022, schedules guidance from the Office of Management and Budget on the navigation of risks and impact in public procurement and use of AI. The ASSESS AI, introduced in April 2023, would establish a cabinet-level AI Task Force to assess policy gaps in the governmental use of AI.

In the past months, several agencies have advanced secondary legislation on AI risks. The National Institute of Standards and Technology adopted the AI Risk Management Framework for organisations creating, developing, implementing, or using AI systems. The framework provides an overview of the AI risks and characteristics of trustworthy AI systems, as well as four functions to address the risks of AI systems. The Federal Trade Commission (FTC) published guidance regarding advertisers’ claims on the abilities of AI tools and a consumer alert on advertisements for fake AI software. Currently, the National Telecommunications and Information Administration is consulting on its AI systems accountability policy, aiming to create trust in AI through audits, assessments, and certifications. Finally, the FTC, the Department of Justice, the Consumer Financial Protection Bureau and the Equal Employment Opportunity Commission issued a joint statement on enforcement efforts against discrimination and bias in automated systems, including AI.

Beyond AI risks, various policy proposals consider the copyright for AI-authored works. In March 2023, the United States Copyright Office issued guidance on works containing material generated by Artificial Intelligence, clarifying that copyright only protects human work. AI cannot be listed as a co-author when filing for copyright registration. Similarly, in April 2023, the Supreme Court refused to hear a challenge against the US Patent and Trademark Office (USPTO)’s refusal to issue patents for AI inventions, since the Patent Act expressly provides that inventors must be “individuals.” The USPTO is deliberating guidance on AI and Inventorship and consulted on the effect of listing AI as patent inventor on innovation.

Minor Protection

Minor protection is a salient issue in US digital policy, especially since the adoption of social media laws in Utah and Arkansas and California’s Age-Appropriate Design Code. Congress is considering several age-verification laws. The Making Age-Verification Technology Uniform, Robust, and Effective Act requires social media platform operators to verify the age of individuals that create accounts, imposing a minimum age of 16. Operators must request an image of government-issued identification, cannot use the collected data for another purpose and must delete the data within 30 days of account deletion. The Protecting Kids on Social Media Act requires online platforms to verify the age of users, prevent access by individuals under 13 and obtain parental consent for minors to create accounts.

Two bills introduced in May 2023 focus on mitigating risks for minors that access online services. The Kids Online Safety Act affects providers of social media, online video gaming, messaging, video streaming and online platforms. Providers must limit the ability of individuals to contact minors, remove minors' personal data or reduce its visibility, enable opt-out for algorithmic recommendation systems relying on minors’ data and implement parental controls. The Children and Teens' Online Privacy Protection Act requires providers of internet websites, online services, mobile applications and connected devices to prevent minors from posting content containing personal data and to enable minors and parents to delete such content.

'National Security'-motivated access restrictions

In early 2023, the US government banned TikTok from government devices, following several similar state-level bans that unleashed an international wave of bans that is still unfolding – Montana recently adopted a law to ban the app entirely. The federal ban originated from the No TikTok on Government Devices Act, adopted in December 2022, which bans TikTok from federal agencies' information technologies. The Act charged the Office of Management and Budget with mandating the removal of TikTok from federal agencies' devices, which was executed via a memorandum that will enter into force at the end of May 2023. Under the previous administration, an Executive Order attempted to prohibit transactions related to TikTok (along with WeChat and Huawei) but was replaced by a set of non-company-specific criteria. The criteria prohibit transactions with companies under the control of a "foreign adversary" that could pose an unacceptable risk to national security, ICT production, or critical infrastructure, including the digital economy. Another Executive Order aimed to force the divestment of Musical.ly (now TikTok) by ByteDance based on national security concerns.

Congress is currently deliberating several bills aiming to expand the bans. The SAFETY on Social Media Act introduces a blacklisting mechanism for "untrustworthy" social media services controlled by a foreign entity of concern. The president can blacklist companies and oblige app stores and internet service providers to block access to the companies’ applications and websites, under the oversight of the Federal Communications Commission. The ANTI-SOCIAL CCP Act enables the president to restrict access and prohibit commercial operations in the US of companies from a “country of concern” (including China, Russia, Iran, North Korea, Venezuela and Cuba) and designates ByteDance and its subsidiaries (including TikTok). The Deterring America's Technological Adversaries (DATA) Act empowers the president to assess potential violations of the International Emergency Economic Powers Act by ByteDance/TikTok and impose sanctions, including a ban if the president concludes that TikTok operates on behalf of China. In addition, the Secretary of the Treasury could prohibit sensitive personal data transfers to entities operated in, influenced or owned by China. The RESTRICT Act empowers the Secretary of Commerce to review and block transactions involving ICT products with foreign adversaries that pose national security risks, though it does not mention TikTok explicitly.

Cryptocurrencies

Cryptocurrencies are subject to several government bodies’ policies and enforcement. In January 2023, the White House published the Roadmap to Mitigate Cryptocurrencies’ Risks. The Roadmap outlines initiatives to regulate cryptocurrency, including expanding regulators’ powers and imposing transparency requirements, and calls for continued enforcement and guidance from government agencies. The 2022 Executive Order on Responsible Development of Digital Assets lays out a national policy for digital assets, explains risks (e.g. regarding financial regulation, consumer protection and cybersecurity) and directs government agencies to study digital assets. Subsequently, several agencies published reports, including the Department of the Treasury’s Framework for International Engagement on Digital Assets, the Department of Justice’s report on the role of law enforcement in detecting, investigating and prosecuting criminal activity related to digital assets, the Financial Stability Oversight Council’s report on Digital Asset Financial Stability Risks and Regulation, and the Framework on Competitiveness of Digital Asset Technologies currently deliberated by the International Trade Administration. 

Congress has not passed cryptocurrency legislation but is currently deliberating several proposals. The Blockchain Regulatory Certainty Act determines that blockchain developers who do not hold user funds are not to be considered money transmitters or financial institutions and are thus not subject to licensing requirements. The Responsible Digital Asset Advertising Act requires digital asset intermediaries to disclose conflicts of interest, refrain from misleading advertising, clarify the relationship between past performance and future returns, and provide accurate information about hidden fees. Another bill requires payment stablecoin issuers to register and ensure asset-backing and technical knowledge. The bill further introduces a two-year ban on issuing stablecoins without backed assets. In addition, certain bills aim to prevent a US Central Bank Digital Currency (CBDC). The CBDC Anti-Surveillance State Act prohibits the Federal Reserve Bank from issuing a CBDC directly to individuals and using it for monetary policy, as does a similar House bill. Finally, two senators who introduced cryptocurrency bills in the previous Congress, namely the Responsible Financial Innovation Act and the Digital Asset Anti-Money Laundering Act, announced plans to introduce new legislation.

Enforcement is currently pursued by the Securities and Exchange Commission (SEC) and the Commodity Futures Trading Commission (CFTC), as cryptos’ categorisation as securities or commodities is not yet clarified. The SEC is currently deliberating rules on Safeguarding Advisory Client Assets and investigating several firms for operating unregistered securities exchanges, including Bittrex, Beaxy, Terraform Labs, Payward/Kraken, and Genesis/Gemini, having reached settlements in similar investigations into Coinme and Nexo Capital. The CFTC is investigating Binance for operating an illegal digital asset derivatives exchange and Vista for fraudulent solicitation and misappropriation of customers' digital assets commodities.

[1] Eight states have enacted privacy bills: California (Consumer Privacy Act/California Privacy Rights Act), Colorado (Privacy Act), Connecticut (Personal Data Privacy and Online Monitoring Act), Iowa (Consumer Data Protection Act), Indiana (Consumer Data Protection Act), Tennessee (Information Protection Act), Virginia (Consumer Data Protection Act), Utah (Consumer Privacy Act). Currently, Montana and Texas are close to enacting privacy bills.