Cybersecurity Score – S.2033: American Innovation and Choice Online Act (AICOA)

Bill Summary

S.2033: American Innovation and Choice Online Act (AICOA). Makes covered platforms’ preferential treatment of their own products and services unlawful. Referred to the Senate Judiciary Committee.

Cybersecurity Score Rating

Rating: Cyber concerns exist. This bill has the potential to reduce the security of covered platforms drastically and either exacerbate or introduce cybersecurity vulnerabilities. (Last updated: Aug. 1, 2023)

Key Provisions

  • Regulates a subset of digital service providers by making preferential treatment of their own products and services unlawful.
  • Outlines 10 categories of unlawful preferential treatment, to include:
    • Actions that would “materially harm competition,” such as: preferencing their own products or services over those of other business users of their platforms; limiting the ability of business users’ products or services to compete with the platform’s own offerings; and discriminating in the application of their terms of service among similarly situated business users;
    • Materially restricting, impeding or unreasonably delaying efforts to access or interoperate with the covered platform’s technology stack; and
    • Materially restricting or impeding a competitor from accessing data generated on or from the covered platform’s products or services.
  • Provides affirmative defenses, including for platform core functionality concerns, complying with state and federal laws and protecting user privacy and platform security.


In 2020, the House Judiciary Committee unveiled a 450-page report detailing alleged anti-competitive conduct by select companies. In an attempt to remedy this finding, legislators introduced AICOA in both the House and Senate in 2021 (with revisions in 2022). According to sponsors, the bill aims to facilitate competition against tech companies and provide greater consumer choice. AICOA sparked fierce debate among legislators, industry and advocacy organizations and, as a result, had not progressed to either chamber floor. Sen. Amy Klobuchar (D-Minn.), Sen. Chuck Grassley (R-Iowa) and several colleagues reintroduced AICOA (S.2033) in June 2023.

As R Street’s Cybersecurity team has written previously, AICOA would raise significant cybersecurity and data privacy concerns. It has the potential to reduce the security of platforms drastically and either exacerbate or introduce cybersecurity vulnerabilities. (Other concerns exist, though we limited our scope here to cyber concerns.) Various cybersecurity and national security leaders have raised similar concerns. To improve the cyber considerations of this bill, legislators should consider removing or revising language to ensure the security of online platforms, any entities that may meaningfully interact with these platforms, and U.S. consumers.

Key Takeaways

This bill would have a number of chilling effects on cybersecurity, including:

  • Introducing cyber vulnerabilities and risk of data compromise by requiring interoperability and/or data access across platforms and services through actions such as: (1) sharing sensitive or non-public data with competitors (and potentially malicious actors) that may not have adequate cybersecurity or privacy safeguards; or (2) allowing the installation of insecure software or hardware.
  • Failing to specify whether platform users can apply any data sharing preferences to every service or application that interoperates or interacts with the covered platform.
  • Risking damage to U.S. consumer trust and cyber safety in the event of a material cyber incident resulting from the above legal requirements.

Cybersecurity Analysis


Alongside the cybersecurity and privacy concerns highlighted in our analysis, we put forth the following recommendations with the goal of reducing these risks.

Section and SummaryRecommendation(s)
Unlawful Conduct Section 3(a)(4)
Platform interoperability
Remove this provision.
Forcing interoperability across numerous platforms and services without a clear definition of what interoperability entails has the potential to be costly and create cyber vulnerabilities. While the text carved out an exception for “significant cyber risk,” it is unclear how covered platforms would prove cyber risk without potential disclosure of sensitive or otherwise non-public data. This could impact a company’s ability to protect sensitive or other non-public data from malicious actors who would take advantage of relaxed privacy and security controls.

Unlawful Conduct Section 3(a)(7)
Data access

Remove this provision.

This provision would expand business user access and could jeopardize data security if the business user is an unverified third party that does not employ adequate safeguards.

Unlawful Conduct Section 3(a)(8)
Uninstalling preinstalled apps or changing default settings

Amend this provision to exclude security applications or processes from the restrictions for user freedom of choice on platforms; 

Amend provisions to unlawful conduct to include security exemptions or make a standalone security provision applicable to all; and 

Amend the definition of security to improve clarity.

Allowing opt-outs and installations or uninstallations of security software applications undermines the security of the entire cyber ecosystem and its users. The word “necessary” in this section could undermine the utility of the security exemption added in the Senate bill, as it is too limited. Moreover, the security exemption is only applicable to this provision, creating a confusing mix of legal requirements.
Affirmative Defenses 3(b)(1)(A-C)
Preventing violations of, or complying with, federal or state law; protecting user safety, nonpublic data, platform security; and maintaining or enhancing the core functionality of the platform.

Amend this provision to remove the need for an affirmative defense for security actions or to exclude security broadly by adding a separate security exemption section.

Affirmative defenses place the burden of proof on platforms to justify exclusionary actions that may be construed as harmful to competition. For example, it is unclear whether spam and fraud activity, while not impacting the core functionality of a platform but having significant impact on a platform’s credibility and user’s safety, would serve as a justifiable exemption to limit competitor products. Determining what is and is not lawful could drastically slow the platform’s process of implementing policies, safeguards or defenses against adversarial cyber activity.

Get the latest cybersecurity policy right in your inbox. Sign up for the R Street newsletter today.