Amazon sued Perplexity over its Comet browser shopping on Amazon under user authorization. On March 10, 2026, a federal judge in the Northern District of California issued a preliminary injunction blocking Comet from accessing Amazon's logged-in pages. Roughly a week later, the Ninth Circuit Court of Appeals paused the injunction pending Perplexity's appeal. On May 8, 2026, Perplexity filed its appellate brief, calling Amazon's Computer Fraud and Abuse Act theory "a fundamental misfit" for an AI agent that visits under explicit user authorization. Oral arguments are scheduled for June 11, 2026 in Seattle.
The case is the first major legal test of agent-as-visitor rights in the United States. The question at the center of it is who counts as an authorized visitor when a human delegates the visit to an AI agent. The answer at the Ninth Circuit will set the precedent for every retailer, marketplace, booking platform, and SaaS website facing the same question, and most of them will be facing it within the next twelve months.
GET WEEKLY WEB STRATEGY TIPS FOR THE AI AGE
Practical strategies for making your website work for AI agents and the humans using it. Podcast episodes, articles, videos. Plus exclusive tools, free for subscribers. No spam.
What Happened, March Through May
The case moved through three distinct phases in eight weeks.
In early 2026, Amazon filed suit against Perplexity in the Northern District of California. Comet, Perplexity's AI-powered browser, can log into a user's Amazon account using the user's stored credentials, browse products on the user's behalf, and complete purchases through Amazon's checkout flow. Amazon's complaint argued that this constitutes unauthorized access to Amazon's computer systems under the CFAA, regardless of whether the user authorized the agent. Amazon also raised trademark and unfair-competition claims tied to Comet rendering Amazon's pages inside Perplexity's interface.
On March 10, US District Judge Maxine Chesney granted Amazon a preliminary injunction. The order blocked Comet from accessing password-protected portions of Amazon.com, including account pages, order history, and checkout. The judge accepted Amazon's CFAA theory at the preliminary-injunction stage, finding that Amazon's terms of service govern who is authorized to access logged-in areas and that a user's instruction to an agent does not extend that authorization to the agent itself. Public-facing Amazon pages remained accessible to Comet under the order.
Roughly a week after the District Court ruling, the Ninth Circuit Court of Appeals paused the injunction pending Perplexity's appeal. The procedural effect: Comet could continue operating on Amazon's logged-in pages while the appeal played out. The appellate pause was the first signal that the CFAA theory might not survive scrutiny at a higher court, because preliminary injunctions are routine while appellate stays of preliminary injunctions are not.
On May 8, Perplexity filed its appellate brief. The brief argued that the District Court's reading of the CFAA stretches the statute far beyond its 1986 anti-hacking origin, that the user is the authorized party at all times, that Comet acts under the user's delegated authority, and that Amazon's contractual terms cannot manufacture federal criminal-law violations out of an agent's lawful access on the user's behalf. Mozilla, the Electronic Frontier Foundation, and other digital-rights groups filed amicus briefs supporting Perplexity's position. The Ninth Circuit set oral arguments for June 11 in Seattle.
Amazon's CFAA Theory In Plain English
The CFAA was passed in 1986. Its original target was hacking-style intrusion, the kind of unauthorized access that sounded like crime in the era of WarGames. Over the past two decades, the statute has been stretched in civil litigation to cover scraping, automated access, account sharing, and other behavior that exists on a different spectrum from break-in hacking. The Supreme Court narrowed some of that stretch in Van Buren v. United States (2021), holding that a person with permission to access a system does not violate the CFAA by accessing it for the wrong reason. Whether that narrowing reaches agent-on-behalf-of-user access is the question Amazon v. Perplexity puts squarely on the table.
Amazon's theory has three parts.
First, Amazon's terms of service explicitly prohibit automated access. The terms reserve access to Amazon.com for natural-person browsing, not for software agents acting on behalf of users.
Second, when Comet logs into a user's Amazon account, Comet itself is the entity making the request, and from Amazon's perspective the agent is now the visitor rather than the user. Amazon's authorization runs to the user, not to a software agent the user has delegated to.
Third, because Amazon never authorized Comet, Comet's access is "without authorization" under the CFAA. The user's instruction to Comet is irrelevant to whether Amazon authorized Comet.
Perplexity's counter-argument runs the other direction. The user is the principal. Comet is the user's agent in the legal-mechanical sense. When the user instructs Comet to log into the user's own account and complete a transaction the user is authorized to complete, Comet's access is the user's access, channeled through software. There is no unauthorized party in the transaction. The CFAA was not written for, and does not reach, software acting under explicit user delegation.
The trial-court ruling sided with Amazon's reading. The Ninth Circuit's pause is the signal that the appellate panel may not.
Why The Ninth Circuit Paused The Injunction On Appeal
Appellate stays of preliminary injunctions are uncommon enough to be a signal. The Ninth Circuit applies a four-factor test for staying an injunction pending appeal, and the first factor is likelihood of success on the merits. A panel granting a stay is, in effect, signaling that the moving party has a reasonable shot at winning the appeal.
The panel did not write an opinion explaining the stay. Appellate stays at this stage rarely come with reasoned opinions. The signal lives in the procedural fact of the stay itself.
The legal-analyst reading of why the panel might be skeptical of the District Court's CFAA theory comes down to two doctrinal pressures. The first is the Van Buren narrowing. Van Buren cut the CFAA back from a tool that could criminalize any computer use in violation of a terms-of-service clause to a tool that targets actual unauthorized access. Reading Amazon's theory carefully, the District Court's ruling expands the CFAA in ways that look more like the pre-Van Buren expansion than the post-Van Buren narrowing.
The second pressure is the legal-agency doctrine that has governed delegated transactions for centuries. When a person authorizes another party to act on their behalf, the agent's acts are imputed to the principal. Software acting under explicit user instruction is the modern, automated extension of the same principle. Reading the CFAA to ignore that principle would create a federal criminal-law trap for any user who delegates online tasks to software, which is now most users.
Neither pressure guarantees the Ninth Circuit reverses, but together they explain why the panel paused.
Why This Decides More Than One Lawsuit
If the District Court's CFAA theory survives appellate review, the doctrinal effect is straightforward. Every major website gets a legal weapon for blocking AI agents from logged-in user accounts, even on accounts the user fully owns. The blueprint Amazon used against Comet becomes the standard playbook for any platform that does not want its users using AI agents.
The downstream effects line up category by category. Retailers can block AI shopping agents from price-comparing on logged-in accounts. Booking websites can block AI travel agents from completing reservations on user accounts. Banks and brokerages can block AI financial-management agents from logged-in dashboards. Marketplaces can block agents from posting listings on user accounts. SaaS platforms can block agents from managing subscriptions or running workflows on user accounts. In every case, the website's terms-of-service language becomes the controlling document, and the user's explicit instruction to the agent becomes legally irrelevant.
If the Ninth Circuit reverses, the doctrinal effect is the opposite. The CFAA gets pushed back inside its narrower 1986 lane. Websites lose the federal criminal-law tool for blocking user-delegated agents, and the question of agent access shifts to the contract-and-technology layer where it arguably belongs. Websites can still block agents through technical means, terms enforced by civil remedies short of CFAA claims, or partnership APIs. But they cannot reach for the federal criminal statute as the lever.
A middle-ground outcome is also possible. The Ninth Circuit could affirm the injunction on narrower grounds, distinguish between specific kinds of agent access, or remand for further factual development. Each of those outcomes leaves the larger question unresolved and pushes the legal test forward into other circuits and other cases.
Whichever way the panel rules, the case is now the load-bearing precedent for agent-as-visitor access rights in the United States. Every major retailer, marketplace, and booking website will write its agent-access posture against the standard the Ninth Circuit sets on June 11.
What To Watch For At Oral Arguments
Three signals at oral arguments are worth watching specifically.
The first is how the panel handles the agency-doctrine question. If the judges push Amazon's counsel hard on why a user's explicit instruction does not extend authorization to the user's chosen agent, that is the soft tell that the panel is uncomfortable with the District Court's reading. If the judges instead press Perplexity on why an automated agent should be treated identically to a human user, the panel may be open to the District Court's framing.
The second is whether the judges distinguish between kinds of agent access. The case so far has treated "agent access" as one category. The panel might draw lines: agents that complete transactions versus agents that only retrieve data, agents that use stored credentials versus agents that ask the user to log in each time, agents identified by a verified protocol versus unidentified browser automation. A ruling that draws those lines would shape how websites can structure their access posture more than a blanket affirm-or-reverse.
The third is what the panel says about the future of the CFAA in the agentic era. The judges have an opportunity to write a doctrinal frame for how the statute applies to AI agents generally, and they may or may not take it. A narrow ruling on Amazon-and-Perplexity-specific facts leaves the larger question for another case, possibly in another circuit, possibly with different facts. A broader ruling sets the doctrinal frame for the entire category.
Oral arguments at the Ninth Circuit are public. The audio is typically posted within hours. The panel composition, when published, signals how the case will likely be heard. Tracking those three signals through argument day is the cheapest way for a website owner to read the direction of travel.
What To Do This Week
Three concrete moves for any website owner whose users might want to use AI agents on logged-in accounts.
Read your own terms of service for clauses about automated access. Most terms of service inherited their automated-access language from the pre-agent era, when "automated access" meant scraping bots and unauthorized scripts. Decide whether that language still says what you want it to say when the automated access is a user's own AI agent acting under explicit user instruction. If your position is that you want to welcome user-delegated agents, your terms should say so. If your position is that you want to block them, your terms should say that too, and your robots.txt and access-control posture should match.
Audit your access-control posture against the AI agent user agents your users actually use. The current major ones include GPTBot, OAI-SearchBot, ChatGPT-User, PerplexityBot, ClaudeBot, and Google-Extended for the search-and-citation crawlers, plus Perplexity Comet, ChatGPT Atlas, and the various Gemini surfaces for the user-delegated browsers. If your robots.txt or web application firewall blocks any of these by default, your users may already be hitting the wall on their own accounts. That is your decision to make, but it should be a decision, not a default.
Decide your position on agent access before the Ninth Circuit decides it for you. Three postures are coherent. The first is welcome: you accept user-delegated agents on accounts, you may charge differently for agent-driven transactions, you may publish an agent-readable surface that makes the work easier for both sides. The second is block: you treat user-delegated agents as unauthorized access, you back that position with terms and technical controls, and you accept that some users will leave for websites with the welcome posture. The third is partner: you build an API or capability surface that user-delegated agents can use without scraping your logged-in pages, and you put the agents through that door rather than the front one.
The default posture most websites have today was written before agent-as-visitor was a real access class. Whatever the Ninth Circuit rules on June 11, the default is now the wrong posture for most websites. Choose deliberately.
Related reading on No Hacks: Selling to AI: The Complete Guide to Agentic Commerce, Lessons Learned From Adobe's 2026 Q2 AI Traffic Report, and Google-Agent: The Web's New Visitor Just Got an Identity.