The federal law that decides whether your AI agent is allowed to shop on your behalf was written in 1986, for a different internet. On June 11, a Ninth Circuit panel spent thirty-seven minutes trying to fit it onto software that logs into your account and buys things, and could not find the seam. Amazon v. Perplexity is the first real test of who counts as an authorized visitor when the visitor is an AI agent, and the law has no answer yet.
Amazon sued Perplexity over its Comet browser, which logs into a user's Amazon account and shops on the user's behalf. Amazon won a preliminary injunction in March, then watched the Ninth Circuit pause it weeks later. June 11 was the appeal. No ruling came, the case was submitted. But the questions the judges asked are the clearest signal yet of how unprepared the law is for the agentic web, and of how much rides on the answer for every website with a login.
Updated June 13, 2026: Added a section on the June 11 Ninth Circuit oral argument, what the judges actually asked, transcribed from the CourtListener audio, and sharpened the thesis around it. Removed the earlier forward-looking sections now that the hearing has happened.
GET WEEKLY WEB STRATEGY TIPS FOR THE AI AGE
Practical strategies for making your website work for AI agents and the humans using it. Podcast episodes, articles, videos. Plus exclusive tools, free for subscribers. No spam.
What Happened, From The Lawsuit To The Argument
The case moved from lawsuit to appellate argument in about seven months.
In November 2025, Amazon filed suit against Perplexity in the Northern District of California. Comet, Perplexity's AI-powered browser, can log into a user's Amazon account using the user's stored credentials, browse products on the user's behalf, and complete purchases through Amazon's checkout flow. Amazon's complaint argued that this constitutes unauthorized access to Amazon's computer systems under the CFAA, regardless of whether the user authorized the agent. Amazon also raised trademark and unfair-competition claims tied to Comet rendering Amazon's pages inside Perplexity's interface.
On March 10, 2026, US District Judge Maxine Chesney granted Amazon a preliminary injunction. The order blocked Comet from accessing password-protected portions of Amazon.com, including account pages, order history, and checkout. The judge accepted Amazon's CFAA theory at the preliminary-injunction stage, finding that Amazon's terms of service govern who is authorized to access logged-in areas and that a user's instruction to an agent does not extend that authorization to the agent itself. Public-facing Amazon pages remained accessible to Comet under the order.
Roughly a week after the District Court ruling, the Ninth Circuit Court of Appeals paused the injunction pending Perplexity's appeal. The procedural effect: Comet could continue operating on Amazon's logged-in pages while the appeal played out. The appellate pause was the first signal that the CFAA theory might not survive scrutiny at a higher court, because preliminary injunctions are routine while appellate stays of preliminary injunctions are not.
On May 8, 2026, Perplexity filed its appellate brief, calling Amazon's CFAA theory a "fundamental misfit" for an AI agent that visits under explicit user authorization. Mozilla, the Electronic Frontier Foundation, and other digital-rights groups filed amicus briefs supporting Perplexity, while software-developer, finance, and airline-industry groups lined up behind Amazon. The Ninth Circuit heard oral arguments on June 11 in Seattle and submitted the case without a ruling.
Amazon's CFAA Theory In Plain English
The CFAA was passed in 1986. Its original target was hacking-style intrusion, the kind of unauthorized access that sounded like crime in the era of WarGames. Over the past two decades, the statute has been stretched in civil litigation to cover scraping, automated access, account sharing, and other behavior that exists on a different spectrum from break-in hacking. The Supreme Court narrowed some of that stretch in Van Buren v. United States (2021), holding that a person with permission to access a system does not violate the CFAA by accessing it for the wrong reason. Whether that narrowing reaches agent-on-behalf-of-user access is the question Amazon v. Perplexity puts squarely on the table.
Amazon's theory has three parts.
First, Amazon's terms of service explicitly prohibit automated access. The terms reserve access to Amazon.com for natural-person browsing, not for software agents acting on behalf of users.
Second, when Comet logs into a user's Amazon account, Comet itself is the entity making the request, and from Amazon's perspective the agent is now the visitor rather than the user. Amazon's authorization runs to the user, not to a software agent the user has delegated to.
Third, because Amazon never authorized Comet, Comet's access is "without authorization" under the CFAA. The user's instruction to Comet is irrelevant to whether Amazon authorized Comet.
Perplexity's counter-argument runs the other direction. The user is the principal. Comet is the user's agent in the legal-mechanical sense. When the user instructs Comet to log into the user's own account and complete a transaction the user is authorized to complete, Comet's access is the user's access, channeled through software. There is no unauthorized party in the transaction. The CFAA was not written for, and does not reach, software acting under explicit user delegation.
The trial-court ruling sided with Amazon's reading. The Ninth Circuit's pause was the first sign the appellate panel might not, and the June 11 argument, covered below, did nothing to dispel it.
Why The Ninth Circuit Paused The Injunction On Appeal
Appellate stays of preliminary injunctions are uncommon enough to be a signal. The Ninth Circuit applies a four-factor test for staying an injunction pending appeal, and the first factor is likelihood of success on the merits. A panel granting a stay is, in effect, signaling that the moving party has a reasonable shot at winning the appeal.
The panel did not write an opinion explaining the stay. Appellate stays at this stage rarely come with reasoned opinions. The signal lives in the procedural fact of the stay itself.
The legal-analyst reading of why the panel might be skeptical of the District Court's CFAA theory comes down to two doctrinal pressures. The first is the Van Buren narrowing. Van Buren cut the CFAA back from a tool that could criminalize any computer use in violation of a terms-of-service clause to a tool that targets actual unauthorized access. Reading Amazon's theory carefully, the District Court's ruling expands the CFAA in ways that look more like the pre-Van Buren expansion than the post-Van Buren narrowing.
The second pressure is the legal-agency doctrine that has governed delegated transactions for centuries. When a person authorizes another party to act on their behalf, the agent's acts are imputed to the principal. Software acting under explicit user instruction is the modern, automated extension of the same principle. Reading the CFAA to ignore that principle would create a federal criminal-law trap for any user who delegates online tasks to software, which is now most users.
Neither pressure guarantees the Ninth Circuit reverses, but together they explain why the panel paused.
What The Judges Actually Asked On June 11
The Ninth Circuit posts its oral-argument audio publicly. I pulled the June 11 recording from CourtListener, docket 26-1444, and transcribed it with AssemblyAI. The quotes below are from that audio.
The fight came down to an analogy. Perplexity's lawyer, Chris Michel, argued Comet is a browser and the user is the one accessing Amazon, no different from Safari or Chrome. "No one would say that Apple accessed the website simply because a Safari user navigated his or her browser there," he said. The intent is the user's, he argued: "all of the intent to access Amazon comes from the user itself." His homey version: if he asked his daughter to look at his screen and say which paper towels to buy, and he then bought them, "she is not accessing Amazon."
Judge Eric Tung pushed on the framing. "Isn't another way to frame what is happening that the user is giving the key to Perplexity, and Perplexity is then entering Amazon's servers?" he asked, setting Perplexity's Safari analogy against Amazon's, a friend handed the key to your safe-deposit box, walking into the bank. "So much of this case turns on the proper analogy."
Amazon's lawyer, Hagan Scotten, argued there is no daylight: Comet accesses Amazon "exactly the way anyone accesses a website," sending signals that put items in a cart. "At every step of the train, Perplexity is driving," he said, with a test attached: "if you sever the connection between Perplexity and the user's computer, everything stops." He turned Perplexity's own marketing against it. Perplexity says Comet is "nothing like these passive web browsers," that "what sets Comet apart is its agentic capabilities, the ability to find information and act on it intelligently and autonomously." A browser is a car the user drives, Scotten argued, and Comet is a taxi, and if the taxi "decides to drive over barricades and into some secure area," the driver is trespassing. He also leaned on norms. Brave and Microsoft Edge can do what Comet does, "but they don't. If a user says specifically go there, they say, for security reasons, I cannot go there. They respect the settled rules."
The judges did not sound settled. The hardest questions went to the statute itself. Judge John Hinderaker, sitting by designation, named the problem: "This case is difficult in part because we are dealing with a statute from 1986. It's not really built for these circumstances." He worried about consequences "that flow from whatever we do here today, and they're hard to foresee." And he asked what the 1986 Congress never had to: "Does an AI agent ever have intent?" He added: "I'm a lawyer, so I'm struggling with this." Tung pressed the opposite worry, that Amazon's theory could sweep in ordinary people, asking whether, if Comet's access is a crime, the user is "exposed to criminal liability under the CFAA." No one on the panel sounded like they had a clean rule. The case was submitted with no ruling and no timeline.
Why This Decides More Than One Lawsuit
If the District Court's CFAA theory survives appellate review, the doctrinal effect is straightforward. Every major website gets a legal weapon for blocking AI agents from logged-in user accounts, even on accounts the user fully owns. The blueprint Amazon used against Comet becomes the standard playbook for any platform that does not want its users using AI agents.
The downstream effects line up category by category. Retailers can block AI shopping agents from price-comparing on logged-in accounts. Booking websites can block AI travel agents from completing reservations on user accounts. Banks and brokerages can block AI financial-management agents from logged-in dashboards. Marketplaces can block agents from posting listings on user accounts. SaaS platforms can block agents from managing subscriptions or running workflows on user accounts. In every case, the website's terms-of-service language becomes the controlling document, and the user's explicit instruction to the agent becomes legally irrelevant.
If the Ninth Circuit reverses, the doctrinal effect is the opposite. The CFAA gets pushed back inside its narrower 1986 lane. Websites lose the federal criminal-law tool for blocking user-delegated agents, and the question of agent access shifts to the contract-and-technology layer where it arguably belongs. Websites can still block agents through technical means, terms enforced by civil remedies short of CFAA claims, or partnership APIs. But they cannot reach for the federal criminal statute as the lever.
A middle-ground outcome is also possible. The Ninth Circuit could affirm the injunction on narrower grounds, distinguish between specific kinds of agent access, or remand for further factual development. Each of those outcomes leaves the larger question unresolved and pushes the legal test forward into other circuits and other cases.
Whichever way the panel rules, the case is now the load-bearing precedent for agent-as-visitor access rights in the United States. Every major retailer, marketplace, and booking website will write its agent-access posture against the standard the Ninth Circuit sets.
The Law Has No Answer Yet
The argument settled nothing. The panel has not ruled, and a decision could take a year or more. The question underneath has no legal answer yet: whether an AI agent acting on your explicit instruction is you, or a separate visitor the website never authorized. A statute from 1986 has no concept of an agent's intent, and the judges said as much.
That uncertainty does not pause the agentic web while the court catches up. Your users are already pointing agents at their accounts, and every website with a login is running an access posture written for a web where the only automated visitors were scrapers. Whatever the Ninth Circuit decides, the default you are running was set before agent-as-visitor existed. Until the court rules, pretending you don't have a position is itself a position.
Related reading on No Hacks: Selling to AI: The Complete Guide to Agentic Commerce, Google-Agent: The Web's New Visitor Just Got an Identity, and Chrome Auto-Browse Acts On Your Website, Apple's Siri AI Only Reads It.