
GDPR, CCPA & AI Agents: The Compliance Playbook for Agentic Commerce

How to build privacy-compliant agentic commerce — zero-PII boundaries, DSAR endpoints, cookie consent v2, IP pseudonymization, EU AI Act classification, and encrypted checkout sessions.

Executive summary

Complete compliance playbook for agentic commerce covering GDPR (16/17 gaps resolved), CCPA (tiered DSAR SLAs), ePrivacy (granular cookie consent v2), and EU AI Act (trust score classified as LIMITED RISK). Covers zero-PII boundaries, IP pseudonymization, AES-256-GCM encrypted checkout sessions, Shopify ToS ML guard, and audit logging.

Published: 2026-04-06 (13 min read)

Author: AgenticMCPStores Engineering, Core Protocol Team

Category: compliance

Tags: GDPR, CCPA, compliance, privacy, EU AI Act, ePrivacy, DSAR, data protection, agentic commerce, trust

When AI agents browse, compare, and purchase products on behalf of users, who is responsible for data protection? The merchant? The platform? The agent? This post explains how AgenticMCPStores handles GDPR, CCPA, ePrivacy, and EU AI Act compliance — with production code patterns you can adapt for your own agentic commerce platform.

The Zero-PII Boundary Principle

The core architectural decision: AgenticMCPStores does not persist end-customer shopping data. Agents interact with product catalogs (public data) and create ephemeral checkout sessions (encrypted, 30-minute TTL). No browsing history, no search queries, no customer profiles. This zero-PII boundary drastically simplifies compliance — if you don't store personal data, most GDPR obligations don't apply to that data.
What agents can access (read-only, never cached): catalog data (title, description, price, images, inventory), merchant metadata (slug, name, trust score, verification level). What agents never access: session IDs, browsing history, search queries, customer names, emails, or addresses.

Checkout Session Encryption

When an agent initiates checkout, personal data (buyer name, email, phone, shipping address) is collected via the checkout flow and encrypted with AES-256-GCM before database persistence. The session has a 30-minute TTL and is automatically cleaned up:
// Checkout session PII handling (simplified)
const key = process.env.CHECKOUT_ENCRYPTION_KEY; // AES-256-GCM key, never logged
const encryptedBuyerInfo = encryptString(
  JSON.stringify({ name, email, phone }),
  key
);

// Store encrypted — DB never sees plaintext PII
await prisma.acpCheckoutSession.create({
  data: {
    ...sessionData,
    buyerInfo: encryptedBuyerInfo,
    fulfillmentAddress: encryptString(address, key),
    expiresAt: new Date(Date.now() + 30 * 60 * 1000), // 30 min TTL
  },
});

Prohibited practices (enforced by policy + CI): no caching of agent search queries, no ML training on product view sequences, no embedding merchant descriptions for shared index, no cross-merchant order data training, no third-party AI training pipeline exports.


GDPR Compliance: What's Implemented

AgenticMCPStores has resolved 16 of 17 GDPR compliance gaps (94%). The remaining item is pending DPA signatures with Stripe and Google (templates complete). Here's what's production-ready:

Privacy Notice (Art. 13/14)

Bilingual privacy policy (EN + ES) covering 12 sections: data collection, processing purposes, retention, recipients, rights, security, cookies, LSSI-CE compliance, AI system transparency (agents can produce errors or be subject to prompt injection), and merchant obligations.

Data Subject Access Requests — DSAR (Art. 15)

A dedicated POST /api/dsar/request endpoint handles 5 request types: ACCESS, DELETE, RECTIFICATION, PORTABILITY, and OBJECTION. Requests are rate-limited (3/hour per IP), IP addresses are pseudonymized at persistence, and the response states both SLAs:
// DSAR endpoint response
{
  "id": "uuid-of-request",
  "message": "Request received. We will respond within 30 days (EU/GDPR) or 45 days (California/CCPA)"
}
The DSAR admin runbook defines the triage workflow: SELECT * FROM dsar_requests WHERE status = 'pending', then cascade delete across 28 dependent tables for DELETE requests. A public-facing bilingual form at /privacy/dsar makes it easy for data subjects to exercise their rights.

IP Pseudonymization (Rec. 30)

All IP addresses are pseudonymized before database persistence: IPv4 last octet zeroed (192.168.1.42 → 192.168.1.0), IPv6 last 64 bits zeroed. This applies to DSAR requests, security logs, webhook events, and NLWeb query logs. A retroactive migration pseudonymized all existing IPs:
// IP pseudonymization (ip-pseudonymizer.ts)
import { isIPv4, isIPv6 } from "node:net";

// zeroLastFourGroups expands "::" and zeroes the last four 16-bit groups
// (the low 64 bits); helper not shown here.
function pseudonymizeIp(ip: string): string {
  if (isIPv4(ip)) {
    return ip.replace(/\.\d+$/, ".0"); // 192.168.1.42 → 192.168.1.0
  }
  if (isIPv6(ip)) {
    return zeroLastFourGroups(ip);       // 2001:db8::1 → 2001:db8::
  }
  return "0.0.0.0"; // Invalid/null fallback: never persist an unparsed value
}

Critical nuance: pseudonymization happens at DB persistence only. Live request rate-limiting uses real IP to function correctly — the real IP is never stored.

ePrivacy: Cookie Consent v2

Cookie consent v2.0 implements four categories: Necessary (always on, cannot be disabled — session, security, CSRF), Functional (performance monitoring), Analytics (GA4, Mixpanel, Sentry — opt-in only), and Marketing (retargeting, email automation — opt-in only). The consent banner offers Accept All / Reject All / Customize, and integrates with GA4 Consent Mode v2.
Legacy cookie_consent: "accepted" values are automatically migrated to the granular v2 format. 9 E2E test scenarios verify banner behavior, category toggles, and persistence.

CCPA: California-Specific Requirements

CCPA compliance uses the same DSAR infrastructure with a 45-day SLA (vs 30 days for EU/EEA). The DSAR endpoint response includes both deadlines. The consumer deletion right (§1798.105) is implemented via the same cascade-delete process that serves GDPR Art. 17 (right to erasure).

For agentic commerce, the key CCPA question is: who is the "business" collecting consumer data? In our architecture, AgenticMCPStores is a service provider (processor in GDPR terms) — the merchant is the business. Our terms require merchants to maintain their own privacy policies disclosing agent-assisted commerce.

EU AI Act: Trust Score Classification

The EU AI Act (Regulation 2024/1689) requires AI systems to be classified by risk. Our Trust Score Engine — the system that ranks merchants and determines checkout eligibility — has been formally assessed and classified as LIMITED RISK.
Why not HIGH-RISK? The trust score is deterministic and rule-based: no machine learning, no neural networks, no training on historical data. Same inputs always produce same outputs. It does not fall under Annex III (no critical infrastructure, employment, justice, education, or essential services evaluation). The formal AI Impact Assessment (v1.1) is published for regulatory review.
1. Transparency requirement (Art. 52): public methodology at /trust, 12 components with weights disclosed in agent-policy.json, 5 guidance ranges documented.
2. Human oversight: the merchant dashboard displays the score and a component breakdown. Merchants can appeal via the trust score appeal mechanism (logged as an audit event).
3. Automated decision notice (Art. 22 GDPR): a "Trust Score is advisory only" disclaimer in the UI. Agents must inform users before restricting checkout (trust < 0.5).

Shopify ToS: The ML Import Guard

Shopify ToS Section 2.3.24 restricts certain uses of merchant data. To ensure compliance, a CI-enforced guard blocks 33 ML/AI packages (TensorFlow, PyTorch, ONNX, Pinecone, Weaviate, NLP libraries, embedding tools) from the MCP server codebase. 12 tests enforce this at lint + CI stage. If a developer accidentally imports a blocked package, the build fails.
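An added example of how such a guard can be implemented (not the project's guard or its tests): a lint-style scan that reports imports of block-listed packages so CI can fail the build. The block list here is a constructed subset standing in for the 33 packages the post mentions.

```javascript
// Added example, not the project's guard: constructed subset of a block list.
const BLOCKED = new Set([
  "@tensorflow/tfjs", "@tensorflow/tfjs-node", "onnxruntime-node",
  "@pinecone-database/pinecone", "weaviate-ts-client", "natural",
]);

// Captures the module specifier of static imports, dynamic import() and require().
const IMPORT_RE = /(?:\bimport\s+(?:[^'"]*?\s+from\s+)?|\brequire\(\s*|\bimport\(\s*)['"]([^'"]+)['"]/g;

// Root package of a specifier: "@scope/name/sub" -> "@scope/name", "pkg/x" -> "pkg".
// Relative paths ("./x") yield "." and are never on the block list.
function packageRoot(specifier) {
  const parts = specifier.split("/");
  return specifier.startsWith("@") ? parts.slice(0, 2).join("/") : parts[0];
}

// Returns one violation per offending import, with its 1-based line number.
function findBlockedImports(source, filename = "<memory>") {
  const violations = [];
  for (const m of source.matchAll(IMPORT_RE)) {
    const pkg = packageRoot(m[1]);
    if (!BLOCKED.has(pkg)) continue;
    const line = source.slice(0, m.index).split("\n").length;
    violations.push({ file: filename, line, package: pkg, specifier: m[1] });
  }
  return violations;
}

// CI entry point: returns a non-zero exit code when any file violates the guard.
function guard(files) {
  const all = files.flatMap(({ name, source }) => findBlockedImports(source, name));
  for (const v of all) console.error(`${v.file}:${v.line} blocked ML import "${v.specifier}"`);
  return all.length === 0 ? 0 : 1;
}
```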

Agent Policy: Machine-Readable Privacy

The /.well-known/agent-policy.json (v1.4) serves as a machine-readable privacy contract for AI agents. It defines allowed actions (read, recommend, start_checkout, complete_checkout), confirmation requirements (always require for checkout, never require for search), dollar thresholds ($100 confirm, $500 max per session), and fail-safe rules:
// Agent policy fail-safe rules (excerpt)
{
  "failSafe": [
    { "condition": "trustScore < 0.5", "action": "DO_NOT_PROCEED" },
    { "condition": "verificationLevel == UNVERIFIED", "action": "WARN_USER" },
    { "condition": "checkout_response.status == error", "action": "ABORT_AND_INFORM" },
    { "condition": "availability_freshness > 24h", "action": "WARN_USER" },
    { "condition": "ambiguous_user_intent", "action": "ASK_FOR_CLARIFICATION" }
  ]
}
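An added example (not the published agent-policy.json or any project code) of the agent-side check that applies the fail-safe rules and dollar thresholds above to a snapshot of merchant, cart and session state. The snapshot field names and the CONFIRM_WITH_USER, CONFIRM_AMOUNT and SESSION_LIMIT_EXCEEDED labels are assumptions; the other actions are the policy's own vocabulary.

```javascript
// Added example, not project code. Snapshot field names and the CONFIRM_* /
// SESSION_LIMIT_EXCEEDED labels are assumptions.
const CONFIRM_THRESHOLD_USD = 100;              // "$100 confirm"
const MAX_PER_SESSION_USD = 500;                // "$500 max per session"
const FRESHNESS_LIMIT_MS = 24 * 60 * 60 * 1000; // "availability_freshness > 24h"

// Rules in priority order; each maps a predicate over the snapshot to the
// policy's action. The same action may be emitted twice when two distinct
// conditions fire (two WARN_USER hits are two things to tell the user).
const FAIL_SAFE_RULES = [
  { when: (s) => s.trustScore < 0.5, action: "DO_NOT_PROCEED" },
  { when: (s) => s.checkoutResponse?.status === "error", action: "ABORT_AND_INFORM" },
  { when: (s) => s.verificationLevel === "UNVERIFIED", action: "WARN_USER" },
  { when: (s) => s.now - s.availabilityCheckedAt > FRESHNESS_LIMIT_MS, action: "WARN_USER" },
  { when: (s) => s.intentAmbiguous === true, action: "ASK_FOR_CLARIFICATION" },
];
// Actions after which the agent must stop rather than continue evaluating.
const STOP_ACTIONS = new Set(["DO_NOT_PROCEED", "ABORT_AND_INFORM", "ASK_FOR_CLARIFICATION"]);

// Returns { proceed, actions }. proceed=false means the agent must stop and
// surface the actions; otherwise it may start checkout after the listed
// confirmations. Checkout always requires user confirmation under the policy.
function evaluateCheckout(s) {
  const actions = [];
  for (const rule of FAIL_SAFE_RULES) {
    if (!rule.when(s)) continue;
    actions.push(rule.action);
    if (STOP_ACTIONS.has(rule.action)) return { proceed: false, actions };
  }
  if (s.sessionTotalUsd + s.cartTotalUsd > MAX_PER_SESSION_USD) {
    actions.push("SESSION_LIMIT_EXCEEDED"); // assumed label for the $500 cap
    return { proceed: false, actions };
  }
  actions.push("CONFIRM_WITH_USER"); // assumed label: checkout always confirms
  if (s.cartTotalUsd >= CONFIRM_THRESHOLD_USD) actions.push("CONFIRM_AMOUNT"); // assumed label
  return { proceed: true, actions };
}
```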

Payment Processor Roles

1. Stripe: Data Processor (Art. 28). Direct Charges model — funds flow directly to the merchant's Stripe Connected Account. No card data reaches AgenticMCPStores servers (PCI DSS compliant).
2. PayPal: Independent Data Controller (not a processor). PayPal's own Privacy Policy applies to PayPal-collected data.
3. Google Analytics: Data Processor. GA4 analytics are opt-in only via cookie consent. DPA signature pending.

Audit Logging

Every privacy-relevant event is logged with context but without sensitive data. The security logger tracks: login success/failure/blocked, registration, unauthorized access, rate limit exceeded, MFA events, DSAR requests, trust score appeals, and threshold alerts. Sensitive keys (password, token, apiKey, creditCard, mfaSecret, ssn) are automatically redacted. Audit logs are retained for 180 days.
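An added example (not the project's security logger) of the redaction step: the sensitive keys named above are replaced recursively in an audit event's context before it is written. The event shape (name, timestamp, free-form context object) is an assumption.

```javascript
// Added example, not the project's security logger. Event shape is assumed.
const SENSITIVE_KEYS = ["password", "token", "apikey", "creditcard", "mfasecret", "ssn"];

// Normalize the key (lowercase, strip "_"/"-") and match whole or as prefix /
// suffix, so "accessToken", "api_key" and "creditCardNumber" are caught while
// unrelated keys such as "className" (which merely contains "ssn") are not.
function isSensitiveKey(key) {
  const k = String(key).toLowerCase().replace(/[^a-z0-9]/g, "");
  return SENSITIVE_KEYS.some((s) => k === s || k.startsWith(s) || k.endsWith(s));
}

// Walks objects and arrays, replaces sensitive values with "[REDACTED]",
// leaves other primitives and Dates untouched, and marks cycles instead of
// recursing forever. `seen` tracks the current path, so a shared reference
// that appears twice without a cycle is still redacted normally.
function redact(value, seen = new WeakSet()) {
  if (value === null || typeof value !== "object" || value instanceof Date) return value;
  if (seen.has(value)) return "[CIRCULAR]";
  seen.add(value);
  const out = Array.isArray(value)
    ? value.map((v) => redact(v, seen))
    : Object.fromEntries(
        Object.entries(value).map(([k, v]) => [k, isSensitiveKey(k) ? "[REDACTED]" : redact(v, seen)])
      );
  seen.delete(value);
  return out;
}

// The record that would be written to the audit log: event name, ISO
// timestamp, and the redacted context (which may carry a pseudonymized IP).
function auditEvent(event, context, now = Date.now()) {
  return { event, at: new Date(now).toISOString(), context: redact(context) };
}
```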

Testing Compliance

Compliance is tested, not just documented. The E2E test suite includes: 9 scenarios for cookie consent (accept/reject/customize/migration), 6 scenarios for DSAR (form validation, SLA display, request types), and 15 assertions for payment processor disclosure and merchant checklists. The Shopify ML guard has 12 unit tests ensuring blocked packages are caught at CI time.

Implementation Checklist for Developers

1. Zero-PII boundary: never persist agent browsing data, search queries, or customer profiles. Checkout sessions are ephemeral (30 min) and encrypted (AES-256-GCM).
2. IP pseudonymization: zero the last octet (IPv4) or last 64 bits (IPv6) before DB write. Use the real IP only for rate limiting.
3. Cookie consent: implement granular categories (necessary, functional, analytics, marketing). Integrate with GA4 Consent Mode v2.
4. DSAR endpoint: rate-limit (3/hour), pseudonymize the requester IP, support 5 request types, display the dual SLA (30d EU / 45d CCPA).
5. Audit trail: log all security events with automatic PII redaction. Retain for 180 days.
6. AI classification: if your scoring system is rule-based (no ML), document it as LIMITED RISK under the EU AI Act. Publish the methodology publicly.
7. ML guard: if you integrate with Shopify, block ML libraries from your MCP server at CI level.

What's Next: EU Cyber Resilience Act (CRA)

Phase 1 of CRA compliance is in progress (April-May 2026): Technical Dossier, EU Declaration of Conformity, vulnerability disclosure policy, and SBOM enhancements. Phase 0 (SBOM generation, Dependabot, product classification) is already complete. The CRA reporting deadline is September 11, 2026, with full compliance required by December 11, 2027.

Frequently asked questions

Does AgenticMCPStores store personal data about end customers?

No. The platform enforces a zero-PII boundary. Agents access product catalogs (public data) and create ephemeral checkout sessions (encrypted, 30-minute TTL). No browsing history, search queries, or customer profiles are persisted.

How do I exercise my GDPR/CCPA rights?

Visit /privacy/dsar and submit a request. We support 5 types: ACCESS, DELETE, RECTIFICATION, PORTABILITY, and OBJECTION. Response time: 30 days for EU/EEA residents, 45 days for California residents under CCPA.

Is the trust score considered a high-risk AI system under the EU AI Act?

No. The Trust Score Engine is deterministic and rule-based (no machine learning). It has been formally classified as LIMITED RISK under Regulation 2024/1689, as it does not fall under Annex III high-risk categories.

Does AgenticMCPStores handle credit card data?

No. Payments use Stripe Direct Charges — funds flow directly to the merchant's Stripe Connected Account. No card data touches AgenticMCPStores servers. This architecture is PCI DSS compliant by design.

What happens to my data if I delete my merchant store?

Hard delete via CASCADE across 28 dependent tables. No archival copy is retained. Audit logs are kept for 180 days per legal retention requirements, then purged.
