The Internet Application I.D. Act requires operators, distributors, and sellers of internet websites and mobile applications to disclose to U.S. users whether the service is owned (in whole or part) by a foreign adversary country or related entities, whether user information is stored in such a country, and whether those actors have access to that information.
The statute uses the Department of Defense’s statutory list (10 U.S.C. 4872(f)(2)) to identify “foreign adversary countries” and defines covered entities to include services owned by entities organized under those countries’ laws or controlled by their governments.
Enforcement is assigned to the Federal Trade Commission: violations are treated as unfair or deceptive acts or practices, and knowingly providing false disclosure is unlawful. The bill is focused on consumer-facing transparency rather than an outright ban, but it creates significant compliance questions about ownership tracing, what constitutes “access” to data, and how to disclose effectively to users across platforms and devices.
At a Glance
What It Does
The bill requires covered services to clearly and conspicuously tell U.S. individuals whether the service is owned, wholly or partly, by a foreign adversary (or an entity organized/controlled in such a country), whether user data is stored and maintained in that country, and whether that country or its state-owned entities have access to the data. It becomes effective one year after enactment.
Who It Affects
The requirement applies to any person who owns, controls, or distributes access to an internet website or mobile application that meets the bill’s ‘covered service’ definition — including foreign-owned apps available in U.S. app stores, websites hosted or backed up in adversary jurisdictions, and distributors (such as app stores or platform operators) who provide access to those services.
Why It Matters
The bill shifts responsibility onto platforms and distributors to disclose foreign-adversary connections and data residency, creating a new compliance vector for multinational digital services and for app store/operators. For privacy and security teams, it forces operational mapping of ownership, control, data flows, and access rights in a politically defined set of countries.
More articles like this one.
A weekly email with all the latest developments on this topic.
What This Bill Actually Does
The Act creates a narrow but operationally demanding disclosure duty. A covered service—defined by ownership ties to a foreign adversary, organization under that country’s laws, or the storage of user information in that country—must notify any U.S. individual who downloads or uses the service whether the service is owned by or connected to a foreign adversary, whether user information is stored there, and whether the adversary or its entities can access that information.
The required disclosures must be clear and conspicuous; the Act makes knowingly false disclosures unlawful.
To determine scope, the bill points to 10 U.S.C. 4872(f)(2) for the list of foreign adversaries. It also imports a CFR control definition to identify entities “controlled” by a foreign government, and it treats entities organized under a foreign adversary country’s laws as covered.
The statute does not set a specific disclosure format or placement, but it ties violations to the Federal Trade Commission’s unfair-or-deceptive framework and gives the FTC its usual investigatory and remedial powers. There is no private right of action in the text; enforcement rests with the FTC.Practically, compliance teams will need to map corporate ownership and corporate form, inventory data flows and storage locations (including cloud regions and backups), and assess what “access” means in contractual and technical terms.
The one-year compliance window gives time to perform that mapping, but the bill’s text leaves several operational details—disclosure method, exact timing of notice to 'users,' and standards for proving access—open for the FTC to interpret or for industry to litigate.
The Five Things You Need to Know
The Act takes effect one year after enactment; covered services must be in compliance by that deadline.
A 'covered service' includes any website or mobile app that is owned wholly or partly by a foreign adversary, is organized under that adversary’s laws, is controlled by its government, or stores/maintains collected user information in that country.
Required disclosures are threefold: (1) ownership ties to a foreign adversary or related entity, (2) whether user information is stored and maintained in that country, and (3) whether the adversary or its state-owned entities have access to the information.
The bill criminalizes knowingly false disclosures and treats violations as unfair or deceptive acts enforceable by the Federal Trade Commission under its full array of remedies and penalties.
The term 'foreign adversary country' is drawn from 10 U.S.C. 4872(f)(2), making the statutory list (and any future changes to it) central to who and what the law covers.
Section-by-Section Breakdown
Every bill we cover gets an analysis of its key sections.
Short title
Names the statute the 'Internet Application Integrity and Disclosure Act' (Internet Application I.D. Act). This is a simple drafting device, but it signals Congress’ intent to emphasize both integrity (ownership/data transparency) and user-facing identification requirements.
Core disclosure duty and timing
Imposes the substantive disclosure obligation and sets a one-year compliance window. The operative rule requires firms that 'own, control, or distribute access to' a covered service to provide clear and conspicuous notice to any U.S. individual who downloads or uses the service. That phrase ('own, control, or distribute access') sweeps beyond mere ownership to include distributors such as app stores and content delivery platforms, creating obligations for intermediaries as well as operators.
False statements and definitions
Makes it unlawful to knowingly provide false disclosures and then defines key terms: 'covered service,' 'foreign adversary country' (via 10 U.S.C. 4872(f)(2)), 'individual' (U.S. natural persons), and 'non-state-owned entity located in a foreign adversary country' (either controlled by that country's government under 31 C.F.R. 800.208 or organized under that country’s laws). These definitions import external legal reference points, which anchors coverage but raises interpretive dependencies on other statutes and regulations.
FTC enforcement and remedies
Classifies violations as unfair or deceptive acts or practices under the FTC Act and grants the FTC all of its usual powers to investigate and remedy violations, including civil penalties and equitable relief. The Act does not create a private right of action; enforcement is centralized at the FTC, which must interpret the disclosure standards and adjudicate knowledge-based falsehoods.
This bill is one of many.
Codify tracks hundreds of bills on Privacy across all five countries.
Explore Privacy in Codify Search →Who Benefits and Who Bears the Cost
Every bill creates winners and losers. Here's who stands to gain and who bears the cost.
Who Benefits
- U.S. consumers concerned about national-security-linked data exposures — they gain affirmative information to consider when choosing apps or websites, improving informed decision-making about where to run sensitive activity.
- Privacy and security teams at U.S. companies — the disclosure requirement creates a public signal that can be used in procurement and risk assessments when choosing third-party services or competitors.
- Regulators and researchers — mandatory disclosures create a dataset for monitoring foreign-adversary ties and data-residency practices that can inform security policy and enforcement targeting.
Who Bears the Cost
- Foreign-owned and foreign-organized service operators — they must map ownership structures, storage locations, and access pathways and build or modify user-facing disclosures; the compliance burden can be large for smaller operators.
- Distributors and app stores (platforms) — the bill’s language includes parties that 'distribute access,' exposing intermediaries to compliance and potential enforcement even if they are not the content owner.
- The Federal Trade Commission — enforcement responsibility imposes investigatory and adjudicatory resource needs; the FTC will need guidance to interpret 'clear and conspicuous,' 'access,' and the knowledge standard for false statements.
Key Issues
The Core Tension
The central dilemma is between consumer transparency about foreign-adversary ties (and the national-security rationale for such transparency) and the practical limits of reliably and fairly identifying which services are covered: demanding clear disclosures promotes informed choice but forces companies and regulators to make fine-grained legal and technical judgments about ownership, control, storage, and access that the bill does not fully define.
The Act trades a straightforward transparency obligation for a set of operationally difficult determinations. Ownership and control can be obscured through complex corporate structures, shareholdings, and contracts; determining whether an entity is 'controlled' by a foreign government requires applying a CFR control test that was designed for CFIUS filings, not consumer disclosures.
Similarly, data storage and 'maintenance' are technically nuanced in cloud-native architectures: data can be replicated, cached, or backed up across multiple jurisdictions, and 'stored and maintained' is not defined to exclude ephemeral caches or mirrored content.
The bill imposes a knowledge requirement for false disclosures, which narrows liability but shifts the enforcement challenge to proving what a firm knew. It also leaves critical specifics—disclosure format, timing (when during download/use notice is required), and how to prove 'access' by a foreign adversary—to FTC rulemaking or case-by-case enforcement.
Finally, importing the statutory list from 10 U.S.C. 4872(f)(2) means coverage will change as that list changes, producing regulatory uncertainty for multinational services that operate across jurisdictions.
Try it yourself.
Ask a question in plain English, or pick a topic below. Results in seconds.