
UCP and GDPR: compliance guide for European merchants

The Universal Commerce Protocol was designed with an American coalition. Its European deployment, with Carrefour and Zalando as founding partners, raises legitimate GDPR compliance questions. Here's what European merchants need to know before enabling UCP.

Updated: April 2026

Personal data involved in a UCP transaction

A Universal Commerce Protocol transaction involves several categories of personal data:

  • Identity Linking data: first name, last name, delivery address, phone number, email, transmitted from the AI agent to the merchant per order
  • AP2 token: cryptographic pseudonym linked to a real payment method, processed by the payment processor
  • Order data: products purchased, amount, date, retained by the merchant
  • Transaction logs: timestamp, AI agent used, endpoint called, technical transaction data
  • Delivery data: carrier, tracking number, status, shared with the carrier

All this data falls under GDPR as soon as the merchant or buyer is located in the European Economic Area.

Legal bases for UCP data processing

Performance of contract (Article 6.1.b GDPR)

The primary legal basis for processing Identity Linking data is performance of the sales contract. Without name and delivery address, the merchant cannot ship the order. This processing is necessary for the contract concluded between the buyer and the merchant via the AI agent.

Important: this legal basis only covers what is strictly necessary for delivery. Using the delivery address for newsletters or promotional offers requires a separate legal basis (consent, Article 6.1.a).

Legal obligation (Article 6.1.c GDPR)

Retention of transaction data (orders, invoices, amounts) for accounting purposes (typically 7-10 years depending on member state requirements) is justified by legal obligation.

Legitimate interest (Article 6.1.f GDPR)

Retaining agentic transaction logs for security and fraud prevention can be based on the merchant's legitimate interest, with a documented justification and a limited retention period (typically 12 to 24 months).

Identity Linking and consent: where does responsibility lie?

Initial user consent for data sharing via Identity Linking is collected by the AI agent (Google Gemini, ChatGPT, etc.), not by the merchant. The merchant therefore receives personal data for which consent was collected by a third party (the AI agent). The merchant must therefore:

  • Verify that the transmitting AI agent is UCP-certified (guaranteeing consent was properly collected)
  • Document in their processing activities register that the data source is UCP Identity Linking
  • Not use this data beyond the order's purpose without collecting additional direct consent from the buyer

Data subject rights in the UCP context

Right of access (Article 15 GDPR)

If a user requests access to the data you hold on them (including Identity Linking data), you must be able to provide it within one month. Ensure your system can identify and extract all data linked to an individual, including data from the agentic channel.

Right to erasure (Article 17 GDPR)

The user can request erasure of their data, except where legal obligations apply (invoice retention). Clearly distinguish in your systems "erasable" data (profile data, browsing history) from "retention-required" data (legally required transaction data).

Data Processing Agreements: who to sign them with?

In the UCP ecosystem, you have several processors in the GDPR sense:

  • Your payment processor (Stripe, Adyen): a DPA must be signed, typically included in processor T&Cs, but verify that a GDPR-specific addendum exists
  • Your carrier: DPA required for delivery address sharing
  • UCP infrastructure: if you use a third-party service to manage your UCP endpoints, DPA required
  • The AI agent: technically, Google (Gemini) or OpenAI (ChatGPT) are independent third parties, not processors. No DPA needed, but document that you verified their UCP certification.

Privacy policy update

Add a section in your privacy policy explaining:

  • That you accept orders via AI agents (UCP channel)
  • What data is received via Identity Linking and how it's processed
  • That payment data is managed via the AP2 protocol (pseudonymization)
  • How to exercise rights for data from agentic purchases
