USDP: how we keep you compliant with U.S. state privacy laws

Every U.S. state is passing its own privacy law. Our US Data Privacy (USDP) program handles all of them in one unified framework — here's what that means for your business.

Written by Catherine Weir

Last updated about 4 hours ago

There is no single federal consumer privacy law in the United States. Instead, every state is passing its own — and each one gives consumers slightly different rights, with slightly different thresholds, definitions, and deadlines.

California led with the CCPA in 2018, followed by the CPRA amendments in 2020. Then Virginia, Colorado, Connecticut, Utah, Iowa, Indiana, Tennessee, Montana, Texas, Oregon, Delaware, New Jersey, New Hampshire, Minnesota, Maryland, Rhode Island, Kentucky, and others all passed their own laws. More are coming.

For a business running an AI voice agent that interacts with customers across state lines, keeping up with this patchwork is close to impossible. That's where our US Data Privacy (USDP) program comes in.

What USDP actually is

USDP is our internal framework for complying with the full set of U.S. state consumer privacy laws, collectively and individually. It is built on the strictest version of each requirement found across the states, which means that if we meet the USDP framework, we automatically meet every current U.S. state privacy law.

The framework covers every privacy-relevant process on the platform:

  • How we collect personal information during a call or text

  • How we disclose what's being collected and why

  • How we handle consent, opt-outs, and sensitive data

  • How consumers can exercise their rights (access, delete, correct, portability, opt-out of sale and sharing)

  • How we process data subject requests from your customers and respond within the required deadline

  • How we document our data processing activities

  • How we handle children's data and sensitive data

  • How we manage the service provider / processor relationship with you

  • How we verify consumer identities when they exercise rights

  • How we track cross-state differences in definitions and apply the most protective standard

The consumer rights our framework protects

Every state privacy law grants some combination of these rights to consumers. USDP implements all of them at the most protective level:

  • Right to know / access — a consumer can ask what personal information you've collected about them and get a copy

  • Right to delete — a consumer can ask you to delete the personal information you've collected about them

  • Right to correct — a consumer can ask you to correct inaccurate personal information

  • Right to portability — a consumer can ask you for a portable, readable copy of their data

  • Right to opt-out of sale — a consumer can tell you not to sell their personal information

  • Right to opt-out of sharing / targeted advertising — a consumer can tell you not to share their data for advertising purposes

  • Right to limit use of sensitive personal information — a consumer can restrict how you use categories like health data, precise geolocation, biometric data, or children's data

  • Right to opt-out of automated decision-making — in states that grant it, a consumer can opt out of being subject to consequential automated decisions

  • Right to non-discrimination — a business cannot retaliate against a consumer for exercising privacy rights

The state laws currently in scope

As of today, our USDP framework covers:

  • California — CCPA / CPRA

  • Virginia — VCDPA

  • Colorado — CPA

  • Connecticut — CTDPA

  • Utah — UCPA

  • Iowa — ICDPA

  • Indiana — INCDPA

  • Tennessee — TIPA

  • Montana — MCDPA

  • Texas — TDPSA

  • Oregon — OCPA

  • Delaware — DPDPA

  • New Jersey — NJDPA

  • New Hampshire — NHPA

  • Minnesota — MCDPA

  • Maryland — MODPA

  • Rhode Island — RIDTPPA

  • Kentucky — KCDPA

  • And any state law enacted during your subscription — we add them to the framework as they pass, with no additional cost or configuration required from you

Why we built this ourselves

Most SaaS vendors pick one state (usually California) and claim compliance with "the" state privacy law. If a consumer in another state asks to exercise a right that California doesn't grant, that vendor is caught flat-footed.

We took the opposite approach: we operationalized every right granted by every state. When a consumer submits a data subject request, we don't ask where they're calling from — we fulfill the most protective version of every applicable right.

This is more work on our end, but it means:

  • You never have to monitor which states your customers are in

  • You never have to maintain separate response workflows by state

  • Your customers receive consistent, predictable privacy protections regardless of where they live

  • You get ahead of the inevitable federal law, because we already meet requirements stricter than it is likely to impose

How data subject requests work in practice

When one of your customers submits a request — "what information do you have about me?" or "please delete my data" — we handle the full workflow:

  • We verify the requestor's identity using the thresholds required by the most protective applicable law

  • We identify all personal information associated with that person across our systems

  • We produce the requested report, deletion, correction, or portability export within the shortest deadline applicable (currently 45 days, reduced to 15 for opt-out requests in some states)

  • We log the request and our response for the records retention period required by law

  • We notify you of the request and outcome so you can update your own records

You don't need to build any of this. If you prefer to handle requests yourself through your own privacy intake, we give you the tools to identify data and produce the required export on demand.

What this means for you

  • You can offer your customers a modern AI-driven experience without absorbing the compliance risk of 19+ overlapping state laws

  • You can point to a single framework (USDP) when your privacy counsel or a state attorney general asks how you handle privacy rights

  • You can stop tracking which new laws have passed and which are pending — we do that, and you inherit the update

  • You can confidently operate in every U.S. state without redesigning your AI for California versus Texas versus Virginia

  • You can answer your enterprise customers' privacy questionnaires with a single, comprehensive answer

What you still have to do

Privacy compliance is a shared responsibility. Our USDP framework handles the platform side. You still need to:

  • Maintain your own privacy notice that tells your customers what you collect and why

  • Include us in your list of service providers / processors in your public privacy notice

  • Handle privacy requests that relate to data outside our platform (your CRM, your billing system, etc.)

  • Train your team on how to route privacy requests to us when they come through your own channels

Requesting our data processing agreement

We provide a standard Data Processing Agreement (DPA) that incorporates all U.S. state privacy requirements and is updated whenever a new state law takes effect. Visit our Trust Center at trust.365agents.com to request the DPA. Most DPAs are countersigned within one business day.

If you operate internationally and need GDPR or UK DPA coverage as well, ask during the DPA request — we have an international module that extends our USDP program to cover EU, UK, Brazilian, and Canadian requirements.