UCP, ACP, and Copilot Checkout: The 48‑Hour Privacy & Pricing Checklist for Agentic Commerce (Jan 29, 2026)

AI-led checkout moved from slides to production this month. Google’s Universal Commerce Protocol (UCP) brings buy buttons into AI Mode and the Gemini app; Microsoft and PayPal rolled out Copilot Checkout; and OpenAI and Stripe advanced the Agentic Commerce Protocol (ACP). With pilots live, the real founder problem is shipping fast without stumbling into consent, parity, or pricing headlines, especially as watchdogs raise “surveillance pricing” concerns and Google publicly reiterates its parity policies.

This 48‑hour plan is the fastest way to turn on agentic checkout—and prove you’re privacy-first, compliant, and price-fair from day one.

Who is this for?

  • Shopify/WooCommerce brands and headless/composable teams adopting UCP or ACP.
  • Marketplace, DTC, and omnichannel retailers testing Copilot Checkout/Gemini buy buttons.
  • Founders who want speed and defensibility: consent, logs, and price integrity.

What just changed (and why it matters)

  • UCP buy buttons now let U.S. shoppers complete purchases inside AI Mode and Gemini; loyalty and PayPal support are on deck. (AP, The Verge)
  • ACP gives agents a standard to request checkout and pass secure payment tokens (e.g., Stripe’s SharedPaymentToken) into your stack. (Stripe Docs)
  • Public scrutiny is rising around pricing, upsell logic, and consent language. (TechCrunch)

The 48‑Hour Privacy & Pricing Checklist

  1. Write—and publish—your price parity policy.
    • Commit to no higher price in agent channels than on your site at time of checkout; document exceptions (e.g., channel-funded discounts).
    • Store a daily price snapshot per SKU/variant for parity proof. Keep price, compare_at_price, tax rules, and timestamp.
    • Disallow agent-only “dark pricing” until you have audit-ready logs (see Step 4).
  2. Map UCP/ACP actions to consent scopes you actually show users.
    • Group actions into human-readable scopes: Account Link, Cart & Checkout, Identity & Shipping, Offers & Loyalty, Order Support.
    • Render a clear, one-screen consent with toggles and a link to your data policy; store the user’s choices and a consent hash.
    • Respect channel consent differences. Gemini vs. Copilot vs. ChatGPT may pass different identity tokens and permissions.
  3. Turn on discount governance.
    • Whitelist allowed promotions per channel: public code, loyalty, new-customer, direct offer.
    • Block stackable promos that create unintentional “agent-only” prices; require a promotion_id and expiry per order.
    • If you join Google’s Direct Offers or similar, keep parity with site promos or document the channel-funded delta.
  4. Log what regulators will ask for later.
    • At checkout, create an immutable record with: channel (Gemini/Copilot/ChatGPT), agent_app_id, consent_hash, sku/qty, list_price, final_price, promotions_applied[], tax/shipping, identity_source, and SPT_present (yes/no).
    • Retain only what you need; store payment tokens, not raw PANs. Stripe’s SharedPaymentToken covers the card without PCI scope creep.
  5. Harden for agent-specific abuse.
    • Prevent prompt-injection SKU swaps: validate price/SKU at your API before issuing a payment intent.
    • Lock fulfillment rules (hazmat, age-gated, regional) to order validation—don’t rely on the agent to screen them.
    • Run our Security Checklist before enabling buy buttons.
  6. Ship attribution that survives agents.
    • Use server-side events plus channel parameters (utm_source=gemini | copilot | chatgpt), and create a custom agentic revenue view in your BI.
    • Follow our Attribution Playbook to separate incremental lift from cannibalized web sales.
  7. Respect deletion and support workflows.
    • Make account deletion and data erasure easy and documented (example: HireNinja Data Deletion).
    • Publish a single page for agent-channel returns, warranty, and cancellations; link it in your Merchant Center/agent profile.

Starter data contract (copy/paste)

{
  "order_id": "ord_123",
  "channel": "gemini|copilot|chatgpt",
  "agent_app_id": "app_xxx",
  "consent_hash": "sha256(...)",
  "identity": {"source": "google_wallet|microsoft_id|openai|guest"},
  "line_items": [{"sku": "SKU-001", "qty": 1, "list_price": 129.99, "final_price": 119.99}],
  "promotions_applied": [{"id": "LOYALTY10", "type": "loyalty", "value": 10}],
  "totals": {"subtotal": 119.99, "tax": 9.60, "shipping": 0, "grand_total": 129.59},
  "payment": {"token_type": "SPT", "present": true},
  "parity_snapshot_id": "ps_2026-01-29",
  "risk": {"policy_version": "1.3", "flags": {"sku_restricted": false}}
}
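As an added example (not code from the post or from any of the protocol vendors), a server-side validator that enforces Steps 1 to 5 on an agent-submitted cart and emits the audit record in the data-contract shape above: it re-prices from the parity snapshot, rejects non-whitelisted or stacked promotions, checks the consent scope, and hashes the record. The catalog, promo whitelist, tax rate, sample request, and the request fields beyond the contract (user_id, consent, expires, spt_present) are constructed assumptions.

```python
import hashlib, json
from datetime import datetime, timezone

# Constructed reference data, not from any real catalog or protocol spec: a daily parity snapshot
# (Step 1), a per-channel promo whitelist (Step 3), server-enforced fulfillment rules (Step 5).
PARITY_SNAPSHOT = {"id": "ps_2026-01-29", "prices": {"SKU-001": 129.99, "SKU-002": 49.00}}
ALLOWED_PROMOS = {"gemini": {"LOYALTY10"}, "copilot": {"LOYALTY10", "WELCOME5"}, "chatgpt": set()}
PROMO_VALUE = {"LOYALTY10": 10.0, "WELCOME5": 5.0}  # flat amounts off the order
RESTRICTED_SKUS, TAX_RATE = {"SKU-002"}, 0.08  # e.g. an age-gated SKU; tax rate assumed for the example
NOW = datetime(2026, 1, 29, tzinfo=timezone.utc)
SAMPLE_REQUEST = {  # constructed agent checkout request, in the data-contract shape above
    "order_id": "ord_123", "channel": "gemini", "agent_app_id": "app_xxx", "user_id": "u_42",
    "identity_source": "google_wallet", "spt_present": True,
    "consent": {"scopes": {"cart_checkout": True, "offers_loyalty": True}, "policy_version": "1.3"},
    "line_items": [{"sku": "SKU-001", "qty": 1, "list_price": 129.99}],
    "promotions_applied": [{"id": "LOYALTY10", "type": "loyalty", "expires": "2026-02-28T00:00:00+00:00"}],
}

def sha256_json(obj: dict) -> str:  # canonical JSON hash, used for the consent hash and the record hash
    return hashlib.sha256(json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()).hexdigest()

def validate_agent_checkout(req: dict, now: datetime) -> dict:
    """Re-price the agent's cart from our own data; return the Step 4 record or raise (no payment intent)."""
    chan, promos, prices = req["channel"], req.get("promotions_applied", []), PARITY_SNAPSHOT["prices"]
    if len(promos) > 1:  # stacking is how accidental agent-only prices appear
        raise ValueError("stacked promotions are not allowed")
    if promos and not req["consent"]["scopes"].get("offers_loyalty"):
        raise ValueError("Offers & Loyalty scope was not granted")
    for p in promos:  # whitelist per channel plus the required expiry
        if p["id"] not in ALLOWED_PROMOS.get(chan, set()) or datetime.fromisoformat(p["expires"]) <= now:
            raise ValueError(f"promotion {p['id']} not allowed on {chan} or expired")
    for li in req["line_items"]:  # the agent's price is compared against the snapshot, never trusted
        if li["sku"] in RESTRICTED_SKUS or li["sku"] not in prices:
            raise ValueError(f"{li['sku']} is restricted or unknown")
        if li.get("list_price", prices[li["sku"]]) != prices[li["sku"]]:
            raise ValueError(f"{li['sku']} price mismatch: possible prompt-injected price/SKU swap")
    discount, gross = sum(PROMO_VALUE[p["id"]] for p in promos), sum(prices[li["sku"]] * li["qty"] for li in req["line_items"])
    items = [{"sku": li["sku"], "qty": li["qty"], "list_price": prices[li["sku"]],  # discount allocated pro rata
              "final_price": round(prices[li["sku"]] * (1 - discount / gross), 2)} for li in req["line_items"]]
    subtotal = round(sum(i["final_price"] * i["qty"] for i in items), 2)
    tax = round(subtotal * TAX_RATE, 2)
    record = {"order_id": req["order_id"], "channel": chan, "agent_app_id": req["agent_app_id"],
              "consent_hash": "sha256:" + sha256_json({"user": req["user_id"], **req["consent"]}),
              "identity": {"source": req["identity_source"]}, "line_items": items,
              "promotions_applied": [{"id": p["id"], "type": p["type"], "value": PROMO_VALUE[p["id"]]} for p in promos],
              "totals": {"subtotal": subtotal, "tax": tax, "shipping": 0, "grand_total": round(subtotal + tax, 2)},
              "payment": {"token_type": "SPT", "present": bool(req.get("spt_present"))}, "parity_snapshot_id": PARITY_SNAPSHOT["id"]}
    record["record_hash"] = sha256_json(record)  # tamper-evident once written to append-only storage
    return record
```

Running `validate_agent_checkout(SAMPLE_REQUEST, NOW)` reproduces the totals in the contract above (119.99 subtotal, 9.60 tax, 129.59 grand total); the same request on the chatgpt channel, where LOYALTY10 is not whitelisted, is rejected before any payment intent exists.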

“Who owns the customer?” (and other board questions)

  • Brand control: With ACP/UCP you keep catalog, pricing logic, fulfillment, returns, and CS data. Agents request; you decide and log.
  • Payments: Use network- and PSP-supported tokens (e.g., Stripe SPT) so you don’t store sensitive data while still running your stack.
  • Channels: It’s additive, not either/or. Your site remains the system of record; AI surfaces become incremental entry points.

What to do by Friday

  1. Day 1: Publish parity & consent pages; add a channel field to your orders; enable daily price snapshots.
  2. Day 2: Whitelist promos, block stackability; turn on audit logging; run agent abuse tests; wire S2S attribution.
  3. Day 3–4: Flip on a limited UCP/ACP pilot for 10 SKUs; monitor conversion, returns, and agentic revenue in a live dashboard.

Turn this checklist into shipped reality

If you want a partner to wire feeds, consent, price parity, and attribution while your team ships product, HireNinja can help. Our AI agents and specialists set up UCP/ACP pilots, harden security, and build the dashboards you need to report results.

Talk to HireNinja or compare plans on our pricing page. Ship fast, stay compliant, and keep every sale audit-ready.