SocialHub.AI

The North American "AI-Ready" Checklist: SMS/10DLC, Wallet, and Multi-State Privacy

By SocialHub.AI Team

An autonomous agent is only as good as the channels and compliance underneath it. Before you buy the LLM, audit the action surface. Here is the sober checklist to take into a vendor evaluation.

"AI-ready" is not a model. It is an action surface.

Every retention vendor now has an LLM in the deck. That part is genuinely the easy part. A capable model that can draft a message, segment an audience, or summarize a cohort is, in 2026, close to a commodity. What is not a commodity — and what actually decides whether an autonomous agent helps or hurts you in the North American market — is everything beneath the model: the channels it can legitimately reach the customer through, the consent state it has to respect, and the regulatory obligations that vary by the state your customer happens to live in.

The failure mode is specific. An agent without a compliant, registered, identity-resolved action surface is either useless or dangerous. Useless, because it drafts a perfect SMS it cannot send through carriers, or builds a suppression audience it cannot push to the ad platform. Dangerous, because it acts — sends, targets, retargets — without honoring a customer's deletion request, opt-out, or Global Privacy Control signal, and now you own a compliance incident that an audit trail will trace straight back to an automated decision.

This piece is a checklist, not a pitch. The goal is to give a North American retail, QSR, or D2C operations leader concrete questions to take into a vendor evaluation, with the reason each one matters. Some of these are table stakes that any serious platform should clear; some are still maturing for nearly everyone. The honest move in procurement is to ask which is which — and to distrust any vendor who claims uniform, finished coverage across all of them.

1. SMS/MMS: TCPA consent and 10DLC / short-code carrier registration

SMS is the highest-intent retention channel in North America, and it is also the most heavily governed. Two obligations sit underneath every text you send. The first is consent under the Telephone Consumer Protection Act (TCPA): you generally need prior express written consent to send marketing SMS, the opt-in has to be specific and documented, and you must honor STOP and opt-out requests promptly. The second is carrier-level registration. To send application-to-person messaging in the US you register your brand and use cases under 10DLC (10-digit long codes), or you provision a short code; either way the carriers and The Campaign Registry sit between your platform and the customer's handset.

Why it matters for an agent: an autonomous system that proposes "text the lapsed VIPs a win-back offer" is proposing an action that only completes if the brand is registered, the campaign use case is approved, throughput limits are respected, and — critically — every recipient is in a valid TCPA consent state. Ask the vendor where consent is stored, whether it is captured per-channel, whether opt-outs propagate across the platform in real time, and how 10DLC or short-code registration is provisioned and maintained. If the answer is hand-wavy, the agent will eventually try to send something that gets filtered, throttled, or — worse — delivered to someone who never agreed to receive it.

2. Push and in-app: your first-party reach that no one can deregister

Push notifications and in-app messaging are the channels you most fully control. There is no carrier registry between you and the device, no per-message deliverability tax, and the relationship lives inside your own app or wallet surface rather than someone else's inbox. That independence is exactly why they belong on an AI-readiness checklist: when an agent needs to act in the moment — a price-drop alert, an abandoned-basket nudge, an expiring-points reminder — first-party push is the reach that is least likely to be intercepted, filtered, or rate-limited by an intermediary.

The obligations are lighter than SMS but they are not zero. Push still depends on the customer having installed the app and granted notification permission, and a mature platform treats that permission as a consent state to be respected, not a megaphone to be abused. Ask whether the agent can reason about who is reachable by push versus who must be reached by SMS or email, and whether frequency and quiet-hours rules are enforced centrally. An agent that does not understand the difference between channels it owns and channels it rents will optimize for the wrong thing.

3. Paid-media activation: Customer Match and Conversions API for suppression and look-alikes

Retention does not stop at owned channels. Two of the highest-value moves an agent can make are paid-media moves: suppress your existing, recently-purchased, or opted-out customers from acquisition spend so you stop paying to reach people you already have, and build look-alike audiences from your best cohorts to find more of them. Both require pushing first-party audiences out to the ad platforms — Google Customer Match, and the server-side Conversions API integrations that Meta, Google, and TikTok now expect for durable, privacy-resilient audience and conversion sync.

Suppression is the underrated half of this. It is also where compliance and media efficiency converge: a customer who has asked not to be sold or shared, or who has been deleted, must fall out of the audiences you sync to ad platforms — not just out of your email list. Ask the vendor whether audience activation is bidirectional and real-time, whether suppression states flow outward to the ad platforms automatically, and whether privacy signals (deletion, opt-out, do-not-share) are honored at the audience-sync layer and not just at the send layer. An agent that can build a look-alike but cannot reliably suppress is a liability dressed up as growth.

4. Multi-state privacy: CCPA/CPRA, the widening patchwork, and honoring GPC

There is no single US privacy law, and the patchwork is widening every year. California's CCPA, as amended by CPRA, gives consumers the right to opt out of the "sale" and "sharing" of personal information and to request deletion. Virginia's VCDPA, Colorado's CPA, and a growing list of other state statutes layer on their own definitions, opt-out rights, and obligations — frequently with overlapping but not identical requirements. A customer's rights now depend partly on which state they live in, which means your platform has to resolve obligations per-person, not per-campaign.

Two requirements deserve explicit attention in a vendor evaluation. First, Global Privacy Control: California and several other states treat a browser-level GPC signal as a valid opt-out of sale/share, which means honoring it is not optional and cannot be a manual process. Second, propagation. A deletion or do-not-sell request has to reach every downstream surface — the SMS consent store, the push audience, and the paid-media sync described above — not just the primary database. Ask how the platform maps a single consumer request to the full set of state-specific obligations, how GPC is ingested and honored, and how quickly a suppression or deletion propagates everywhere an agent might act. This is precisely the layer where an unsupervised agent does the most damage if the plumbing is wrong.
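The propagation requirement in sections 1, 3 and 4 is easier to evaluate with a concrete model in hand. The following is an added example, written for this page and not code from SocialHub.AI or any platform it describes: a constructed consent store with hypothetical names (`Profile`, `ConsentStore`, `apply_signal`, `can_act`) in which one consumer signal (an SMS STOP keyword, a do-not-sell request, a Global Privacy Control header, or a deletion) is written to the per-channel consent state and to the ad-platform audience sets in one step, and every agent action is gated on that state at decision time. The only real identifier it relies on is the `Sec-GPC: 1` request header that GPC-enabled browsers send; honoring it as a sale/share opt-out for every profile, rather than only for residents of the states that require it, is the conservative choice the code takes.

```python
"""Constructed example: a consent store that propagates one consumer privacy
signal to every surface an agent can act on. Hypothetical data model and
helper names; not SocialHub.AI code."""
from dataclasses import dataclass, field

CHANNELS = ("sms", "push", "email")


@dataclass
class Profile:
    person_id: str
    state: str                                   # state of residence, e.g. "CA"
    consent: dict = field(default_factory=dict)  # channel -> opted in?
    do_not_sell: bool = False                    # opt-out of sale/share
    deleted: bool = False


class ConsentStore:
    def __init__(self):
        self.profiles = {}      # person_id -> Profile
        self.ad_audiences = {}  # audience name -> set of person_ids synced to ad platforms

    def add(self, profile, audiences=()):
        self.profiles[profile.person_id] = profile
        for name in audiences:
            self.ad_audiences.setdefault(name, set()).add(profile.person_id)

    def _drop_from_ad_sync(self, person_id):
        # Suppression has to reach the audience-sync layer, not just the send layer.
        for members in self.ad_audiences.values():
            members.discard(person_id)

    def apply_signal(self, person_id, signal):
        """signal is one of: 'stop' (inbound SMS keyword), 'do_not_sell',
        'gpc' (browser Global Privacy Control), or 'delete'."""
        p = self.profiles[person_id]
        if signal == "stop":
            p.consent["sms"] = False              # only the SMS channel is revoked
        elif signal in ("do_not_sell", "gpc"):
            # GPC is honored as a do-not-sell/share opt-out for every profile,
            # the conservative default when the obligation varies by state.
            p.do_not_sell = True
            self._drop_from_ad_sync(person_id)
        elif signal == "delete":
            p.deleted = True
            for ch in CHANNELS:
                p.consent[ch] = False
            self._drop_from_ad_sync(person_id)
        else:
            raise ValueError(f"unknown signal {signal!r}")
        return p

    def can_act(self, person_id, action):
        """Gate an agent action on the current consent state.
        action is a channel name or 'ad_sync'. Returns (allowed, reason)."""
        p = self.profiles.get(person_id)
        if p is None or p.deleted:
            return False, "profile deleted or unknown"
        if action == "ad_sync":
            if p.do_not_sell:
                return False, "do-not-sell/share opt-out on file"
            return True, "ok"
        if action not in CHANNELS:
            return False, f"unknown action {action!r}"
        if not p.consent.get(action, False):
            return False, f"no {action} consent on file"
        return True, "ok"


def gpc_signal_present(headers):
    """True when the request carried the Global Privacy Control header."""
    return headers.get("Sec-GPC", "").strip() == "1"


if __name__ == "__main__":
    store = ConsentStore()
    store.add(Profile("p1", "CA", {"sms": True, "push": True, "email": True}),
              audiences=["lookalike_seed"])
    store.apply_signal("p1", "stop")
    if gpc_signal_present({"Sec-GPC": "1"}):   # constructed request headers
        store.apply_signal("p1", "gpc")
    for action in ("sms", "push", "ad_sync"):
        print(action, store.can_act("p1", action))
```

The useful property to test in a vendor demo is the asymmetry: a STOP revokes exactly one channel, a GPC or do-not-sell signal removes the person from every synced audience while leaving owned channels such as push intact, and a deletion closes everything. If any one of those transitions has to be triggered by hand, the agent will eventually act on a stale state.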

5. Compliance posture: SOC 2 Type II and PCI-DSS as procurement baselines

Before any of the channel mechanics matter, your security and procurement teams will ask a more basic question: can this platform be trusted to hold customer data at all? In North American enterprise retail, two attestations function as the de facto entry ticket. SOC 2 Type II demonstrates that the vendor's security, availability, and confidentiality controls are not just designed but operating effectively over a period of time. PCI-DSS applies wherever payment card data is in scope, and a retail or QSR program that touches transactions almost always has it in scope somewhere.

These are table stakes, and you should treat them as such — present and current, not aspirational. But the AI-specific question goes one layer further: when an agent takes an action, is there an immutable, queryable record of what it did, on whose data, under which consent state, and why? Autonomy raises the bar on auditability, because "the system decided" is not an acceptable answer to a regulator or an enterprise security review. Ask to see the audit trail for agent actions, not just the SOC 2 report cover page.
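The audit-trail question in the paragraph above ("what it did, on whose data, under which consent state, and why") can be made concrete. The following is an added example, not code from SocialHub.AI or from the SOC 2 or PCI-DSS standards: a constructed, hash-chained audit log for agent actions with a hypothetical record layout (`agent`, `action`, `person_id`, `consent_state`, `reason`). Each entry commits to the previous entry's hash, so an edited or removed record breaks verification; in production the chain would be anchored in append-only storage rather than an in-memory list.

```python
"""Constructed example: a tamper-evident, queryable audit trail for agent
actions. Hypothetical record layout; not SocialHub.AI code."""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash of the first entry


class AgentAuditLog:
    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(body):
        # Canonical JSON so the same record always hashes the same way.
        payload = json.dumps(body, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(payload.encode("utf-8")).hexdigest()

    def record(self, agent, action, person_id, consent_state, reason, ts=None):
        """Append one agent decision: who acted, on whom, under which consent
        state, and why. Returns the stored entry."""
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {
            "seq": len(self.entries),
            "ts": ts or datetime.now(timezone.utc).isoformat(),
            "agent": agent,
            "action": action,
            "person_id": person_id,
            "consent_state": consent_state,
            "reason": reason,
            "prev_hash": prev,
        }
        entry["hash"] = self._digest(entry)   # hash covers every field above
        self.entries.append(entry)
        return entry

    def verify(self):
        """Recompute the chain; False if any entry was altered or reordered."""
        prev = GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev_hash"] != prev or self._digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True

    def query(self, **filters):
        """Exact-match filter, e.g. query(person_id="p1", action="sms_send")."""
        return [e for e in self.entries
                if all(e.get(k) == v for k, v in filters.items())]


if __name__ == "__main__":
    log = AgentAuditLog()
    log.record("winback-agent", "sms_send", "p1", {"sms": True}, "lapsed VIP win-back")
    log.record("winback-agent", "ad_sync_suppress", "p1", {"do_not_sell": True}, "GPC received")
    print("chain valid:", log.verify())
    print("actions on p1:", [e["action"] for e in log.query(person_id="p1")])
```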

6. Wallet and mobile conventions: Apple and Google membership cards

Loyalty lives in the customer's pocket, and increasingly that means their wallet. Apple Wallet and Google Wallet membership cards have become a baseline convenience expectation for retail and QSR programs: a card that the customer adds once, that updates its balance and tier dynamically, and that can surface a location- or time-relevant notification on the lock screen. For an agent, the wallet card is both a first-party reach surface and a live state display — the points balance the agent just updated should be the points balance the customer sees without opening an app.

The obligations here are more about correctness and convention than about law. A wallet pass that shows a stale balance, an expired offer, or a tier the customer no longer holds erodes trust faster than no pass at all. Ask whether the platform issues and updates Apple and Google wallet passes natively, whether updates are real-time, and whether the agent's actions (an awarded bonus, a redeemed coupon, a tier change) reflect on the card without a manual sync. Mobile convention is the difference between a loyalty program the customer carries and one they forget.

7. Real-time identity resolution: the foundation that lets any of this act in the moment

Everything above assumes the platform knows who it is acting on — and knows it now, not in tomorrow's batch. Real-time identity resolution is the foundation that ties an email address, a phone number, a device push token, a loyalty ID, a wallet pass, and a paid-media identifier to a single resolved person. Without it, the channels fragment: the customer who opted out by SMS still gets retargeted because the ad-platform identifier was never linked, or the agent awards points to a profile that is one of three duplicates.

For an autonomous agent this is not a nicety; it is the precondition for acting legitimately in the moment. Consent is per-person, deletion is per-person, suppression is per-person, and reachability is per-person across channels — and none of those obligations can be honored if identity is resolved hours late or never. Ask how quickly a new signal (a purchase, an opt-out, a GPC flag, a wallet add) is resolved to the unified profile, and whether the agent reads from that resolved profile at decision time. A demo can hide a slow or fuzzy identity graph. Production cannot.
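The fragmentation failure described above (an SMS opt-out that never reaches the ad-platform identifier because the two were never linked) is straightforward to reproduce and to fix with a small identity graph. The following is an added example, not SocialHub.AI's identity-resolution code: a constructed union-find over `(kind, value)` identifier pairs, with hypothetical names (`IdentityGraph`, `link`, `is_suppressed`, `reachable_channels`) and constructed sample identifiers. A suppression recorded against any one identifier applies to every identifier resolved to the same person, and reachable channels are derived from which identifier kinds the resolved person actually has.

```python
"""Constructed example: a small identity graph that resolves several
identifiers to one person, plus the checks an agent should run before
acting. Hypothetical names and sample identifiers; not SocialHub.AI code."""


class IdentityGraph:
    """Union-find over (kind, value) identifiers; each connected set is one person."""

    def __init__(self):
        self._parent = {}
        # identifiers carrying a suppression (opt-out, deletion, do-not-share)
        self._suppressed = set()

    def _find(self, ident):
        self._parent.setdefault(ident, ident)
        root = ident
        while self._parent[root] != root:
            root = self._parent[root]
        while self._parent[ident] != root:        # path compression
            self._parent[ident], ident = root, self._parent[ident]
        return root

    def link(self, a, b):
        """Record that two identifiers belong to the same person, e.g. a loyalty
        ID observed alongside both a phone number and an ad-platform ID."""
        ra, rb = self._find(a), self._find(b)
        if ra != rb:
            self._parent[rb] = ra

    def identifiers_of(self, ident):
        """Every identifier currently resolved to the same person as ident."""
        root = self._find(ident)
        return {i for i in list(self._parent) if self._find(i) == root}

    def suppress(self, ident):
        self._suppressed.add(ident)

    def is_suppressed(self, ident):
        """A suppression on any linked identifier suppresses the whole person."""
        return any(i in self._suppressed for i in self.identifiers_of(ident))

    def reachable_channels(self, ident):
        """Channels the resolved person can be reached on, from identifier kinds."""
        channel_for_kind = {"phone": "sms", "email": "email",
                            "push_token": "push", "wallet_pass": "wallet"}
        kinds = {kind for kind, _ in self.identifiers_of(ident)}
        return sorted(channel_for_kind[k] for k in kinds if k in channel_for_kind)


if __name__ == "__main__":
    g = IdentityGraph()
    phone = ("phone", "+15550100")          # constructed sample identifiers
    ad_id = ("ad_id", "constructed-ad-id-1")
    loyalty = ("loyalty_id", "L-42")
    g.suppress(phone)                        # customer replied STOP by SMS
    print("ad id suppressed before linking:", g.is_suppressed(ad_id))
    g.link(loyalty, phone)
    g.link(loyalty, ad_id)
    print("ad id suppressed after linking:", g.is_suppressed(ad_id))
    print("reachable:", g.reachable_channels(ad_id))
```

The first check, before `link` is called, returns False: the ad-platform identifier is an island, so a suppression sync keyed on it would let retargeting proceed. The second check returns True once the loyalty ID ties the two together, which is the behaviour to demand of a platform before letting an agent sync audiences from a resolved profile.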

The LLM is the easy part. The compliant action surface is the moat.

Walk back through the list and notice what it is not about: it is not about how clever the model is. It is about whether the model's decisions can become legitimate actions in a specific, regulated, mobile-first market. SMS that clears carrier registration and TCPA consent. Push you own outright. Paid-media sync that suppresses as reliably as it expands. Privacy obligations resolved per-person across a widening state patchwork, with GPC honored automatically. Security attestations your procurement team already requires. Wallet cards that stay correct. And underneath all of it, an identity graph fast enough to make every one of those obligations true in the moment.

This is why an AI-readiness evaluation should spend most of its time below the model. The vendor with the best LLM and a thin action surface ships impressive demos and risky production. The vendor with a localized, compliant, identity-resolved action surface can put an ordinary model to work safely — and that combination is what actually compounds retention. Be skeptical of anyone claiming finished, uniform coverage across every item here; the mature answer acknowledges what is table stakes, what is still maturing, and exactly where the audit trail lives.

If you are mapping your own North American AI-readiness gaps and want to pressure-test a platform against this checklist, we are happy to walk through it with you — channel by channel, obligation by obligation. Talk to us, or book a demo, and bring your hardest compliance questions.
