AI agents in e-commerce: what online shop operators must observe under data protection law
Consent, cookie law, and information duties when software—not a human—places the order

- AI agents shop on users' behalf—and change the data-protection risk profile of online shops.
- Consent via agents, cookie law, and information duties hit limits when no human accompanies the purchase.
- Dedicated APIs, agent detection, and data-minimising concepts are the legally sound path.
Online shops are increasingly opening to AI agents—software that independently searches for products, compares prices, and completes orders on a user's behalf. The instruction might be: buy the cheapest organic olive oil. The agent chooses the route. It selects shops, adds items to the cart, submits master data and payment information, confirms prompts, and completes the purchase without perceiving anything in a human sense. For shop operators that is tempting because it promises reach and new customers. Under data protection law, however, a new risk profile emerges that few have priced in so far.
The agent as a new market participant
AI agents differ from conventional automated requests in one decisive respect: they do not only retrieve information but trigger functions designed for human action. They make declarations aimed at concluding contracts, transmit personal data, and initiate payments. Their output consists of legally significant acts.
Many operators actively promote this by publishing product catalogues via open protocols and providing interfaces for automated access. At the same time agents also access shops without invitation, and some disguise themselves as human users and are not readily identifiable. That identifiability question runs through all issues below.
Opening access changes the duty set
Anyone who deliberately opens a shop to agents can no longer assume a human sees the cookie banner and consciously takes legally effective steps. That assumption collapses once software is expressly invited. Article 25(1) GDPR requires suitable technical and organisational measures. Privacy by design here is not an abstract principle but the concrete task of shaping agent access so data protection duties remain fulfilable.
Why consent given by the agent does not work
Consent under Article 4(11) GDPR is an informed, highly personal declaration of will. Both aspects are strained when an agent gives consent. An agent can technically capture a cookie banner but cannot understand it in the legal sense. If it follows an instruction such as accept what is needed for the purchase, the user remains unaware of what they are consenting to—especially as such systems behave probabilistically and unpredictably.
The argument that will can be delegated is unconvincing. Informedness relates to the specific processing operation, not abstract willingness to accept any processing. A blanket instruction does not replace an informed decision. Advance blanket consent also fails the specificity requirement because it anticipates future unknown processing. Terms obliging users to consent only after reading purposes merely shift risk contractually; they do not change data protection law, because requirements on consent and proof are not at the parties' disposal.
For the controller it follows: they cannot rely on consent transmitted by an agent if they know or must know that no human gave it in an informed way. Anyone who deliberately opens a shop to agents is close to that knowledge.
Section 25 TDDDG: access to the end-user device
Before any non-essential cookie or similar tracking technique, consent under Section 25(1) TDDDG (the renamed former Section 25 TTDSG) is required. The prior question is whether the user's end-user device is accessed at all. If the agent drives the user's real browser, tracking identifiers land on the user's device and merge with the user's profile. If the agent runs in the cloud, the shop sees the agent provider's infrastructure, not the user's IP address or device fingerprint, so tracking initially attaches to nothing that identifies the user.
In that setup a cloud-based agent effectively acts like a privacy-friendly technique: it separates user and shop and enforces data minimisation as long as it does not transmit personal data. Protection need revives once the agent transfers master data for the order or the shop recognises the agent and links data to a profile. The practically safest approach is therefore to forgo non-essential tracking for recognised agent access.
Contract performance as fallback? Limits of attributing knowledge
If consent fails, contract performance under Article 6(1)(b) GDPR comes into view. How far it reaches depends on whether knowledge held by the user's agent can be attributed to the user. That does not rescue consent: knowledge can be attributed, will cannot. For contract content one might argue via § 166 of the German Civil Code (BGB), but that provision presupposes a human representative. An agent does not make declarations of intent; it performs technical operations.
Attribution of automated declarations traditionally assumes deterministic, predictable behaviour. Agents based on large language models do not meet that. Terms and conditions law adds difficulty: if no human takes note of terms, incorporation may fail and surprising clauses never become part of the contract. Shop operators must therefore live with the fact that mere T&C acceptance by an agent does not expand processing under lit. b.
Information duties on agent access
Regardless of legal basis, information duties under Articles 13 and 14 GDPR remain. They require making information available, not actual awareness. Privacy notices on the website therefore satisfy the duty even if an agent skips them. It is different if the controller offers a dedicated agent interface and provides no notices there—then availability itself is missing, because what is easily accessible under Article 12(1) GDPR is measured by the access path the controller opens. Anyone who creates a channel for agents assumes responsibility for its information architecture.
Loss of control on the data subject side
Users' perspective also matters. They disclose data to the agent without necessarily knowing which shops it shares them with, what tracking runs there, or which third parties receive data. The provider of a cloud-based agent is often itself a controller. Information asymmetry can deepen and the right of access under Article 15 GDPR may be hollow if data subjects do not know whom to contact. Shop operators who allow agents should understand this loss of control because it shapes their own responsibility.
What shop operators should do now
The legally sound path is channelled, professionalised access. Anyone opening a shop to agents should do so via a dedicated interface, not tacit tolerance via the website. In practice:
- Dedicated API instead of tolerance: A controlled channel technically bounds interaction, making contract performance a more viable basis than uncontrolled website access.
- Build agent detection: It is the prerequisite for everything else. With a dedicated API, detection is solved for that path because the channel itself identifies the caller; for website access it remains an open problem, since detection there relies on agents declaring themselves and a disguised agent looks like a browser.
- Reduce tracking: For recognised agent access, forgo non-essential tracking so that Section 25 TDDDG is not triggered.
- Machine-readable privacy notices: In the API channel, in a format the agent can pass to the user.
- Discard excess data: If the agent transmits more than necessary, do not store it.
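The five measures above can be wired into one request-handling path. The following is an added example, not code from the article or from any shop platform: it classifies access as dedicated-API, self-declared agent, or browser, drops non-essential cookies for agent access regardless of any consent the agent transmits, trims the order payload to the fields the contract needs and reports what was discarded, and attaches a machine-readable privacy notice to agent responses. The path prefix `/agent-api/`, the notice URL, the User-Agent tokens, the cookie names, and the order field list are all assumptions chosen for the example; the sample requests are constructed.

```python
# Added example: agent-aware order handling for a shop backend.
# Paths, header tokens, cookie names and field lists are assumptions, not a standard.
from dataclasses import dataclass

AGENT_API_PREFIX = "/agent-api/"                 # hypothetical dedicated channel
PRIVACY_NOTICE_URL = "/agent-api/privacy.json"   # hypothetical machine-readable notice
DECLARED_AGENT_TOKENS = ("shoppingagent", "purchasebot")  # assumed self-declaration tokens
ESSENTIAL_COOKIES = {"session", "csrf"}          # needed to run the checkout itself
# Fields needed to perform the contract (Art. 6(1)(b)); everything else is discarded.
ORDER_FIELDS = {"sku", "quantity", "shipping_name", "shipping_address", "payment_token"}


@dataclass(frozen=True)
class Request:
    path: str
    headers: dict
    body: dict


def classify_access(req: Request) -> str:
    """Return 'agent-api', 'agent-declared' or 'human-web'.

    The dedicated channel identifies the caller by construction. On the website
    path we can only trust a self-declaration in User-Agent: an agent that sends
    a browser User-Agent is classified as human, which is the limit of detection
    there and the reason the article recommends the API route."""
    if req.path.startswith(AGENT_API_PREFIX):
        return "agent-api"
    ua = req.headers.get("User-Agent", "").lower()
    if any(token in ua for token in DECLARED_AGENT_TOKENS):
        return "agent-declared"
    return "human-web"


def is_agent(kind: str) -> bool:
    return kind.startswith("agent")


def select_cookies(candidates: dict, kind: str, consent_given: bool) -> dict:
    """Keep only essential cookies for agent access, whatever 'consent' the
    agent transmitted; for humans, non-essential cookies depend on the banner."""
    if is_agent(kind) or not consent_given:
        return {name: val for name, val in candidates.items() if name in ESSENTIAL_COOKIES}
    return dict(candidates)


def minimise_order(body: dict) -> tuple:
    """Return (kept_fields, discarded_field_names). Only the names of discarded
    fields are returned so the caller can log the fact without storing values."""
    kept = {k: v for k, v in body.items() if k in ORDER_FIELDS}
    dropped = sorted(k for k in body if k not in ORDER_FIELDS)
    return kept, dropped


def handle_order(req: Request, cookie_candidates: dict, consent_given: bool) -> dict:
    kind = classify_access(req)
    order, dropped = minimise_order(req.body)
    response = {
        "access": kind,
        "order": order,
        "discarded_fields": dropped,
        "cookies": select_cookies(cookie_candidates, kind, consent_given),
        "headers": {},
    }
    if is_agent(kind):
        # Information duty (Art. 13/14) on the channel the shop opened:
        # give the agent a notice it can pass on to the user.
        response["headers"]["Link"] = f'<{PRIVACY_NOTICE_URL}>; rel="privacy-policy"'
    return response


# Constructed sample data for a stand-alone run.
COOKIES = {"session": "s1", "csrf": "c1", "_ga": "GA1.2.1", "ads_id": "a9"}
AGENT_REQUEST = Request(
    path="/agent-api/orders",
    headers={"User-Agent": "ShoppingAgent/1.0"},
    body={"sku": "OLIVE-1L", "quantity": 2, "shipping_name": "M. Muster",
          "shipping_address": "Example St 1, 10115 Berlin", "payment_token": "tok_123",
          "date_of_birth": "1980-01-01", "health_note": "gluten-free needed"},
)
BROWSER_REQUEST = Request("/checkout", {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64)"},
                          {"sku": "OLIVE-1L", "quantity": 1})
DISGUISED_AGENT = Request("/checkout", {"User-Agent": "Mozilla/5.0 (Windows NT 10.0)"},
                          {"sku": "OLIVE-1L", "quantity": 1})

if __name__ == "__main__":
    for req in (AGENT_REQUEST, BROWSER_REQUEST, DISGUISED_AGENT):
        print(handle_order(req, COOKIES, consent_given=True))
```

The disguised request is deliberately classified as human: it shows that website-side detection catches only agents that announce themselves, so the cookie and data-minimisation rules cannot be relied on for that path. The `date_of_birth` and `health_note` fields are dropped before anything is persisted, which is the point of the "discard excess data" measure and the Article 9 caveat below.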
If neither consent nor contract performance applies, legitimate interests under Article 6(1)(f) GDPR may anchor processing—with natural limits at special categories under Article 9 GDPR when an agent transmits or infers health or other sensitive data.
Long term, development may point elsewhere. The Digital Omnibus proposes machine-readable consent and objection signals under a new Article 88b GDPR. Agents might perform a similar function and allow only necessary processing. Whether preference signals and agent-driven minimisation converge is open; as of mid-2026 the Digital Omnibus is only a proposal.
Conclusion
Opening an online shop to AI agents changes the setting, not the rules of processing. When no human accompanies checkout, familiar consent mechanisms fail, and civil-law attribution rules built for deterministic systems become fragile. Whether shop operators and agent providers are joint controllers is also open. Data protection analysis of agent-mediated commerce is only beginning. Early structured access creates an advantage and reduces liability risk.
Want to open your online shop to AI agents in a GDPR-compliant way—from the interface through consent and tracking design to role clarification with agent providers? Get in touch.