Amazon vs. Perplexity: Landmark CFAA Case on AI Website Access

Summary
– Amazon sued Perplexity over its Comet browser’s logged-in shopping on Amazon; a federal judge issued a preliminary injunction on March 10, 2026, blocking Comet from accessing Amazon’s password-protected pages.
– The Ninth Circuit Court of Appeals paused the injunction roughly a week later, signaling potential skepticism of Amazon’s theory that AI agents violate the Computer Fraud and Abuse Act.
– Perplexity’s May 8 appellate brief argues the CFAA does not apply to agents acting under explicit user authorization, a position supported by amicus briefs from Mozilla and the EFF.
– The case is the first major legal test of agent-as-visitor rights, and the Ninth Circuit’s ruling will set a precedent for how websites can block AI agents from user accounts.
– Oral arguments are scheduled for June 11, 2026, with key signals to watch including the panel’s stance on legal agency doctrine and whether they distinguish between types of agent access.
On March 10, 2026, a federal judge in the Northern District of California issued a preliminary injunction against Perplexity, blocking its Comet browser from accessing Amazon’s logged-in pages. Within a week, the Ninth Circuit Court of Appeals paused that order, signaling that the legal theory behind it might not hold. On May 8, Perplexity filed its appellate brief, calling Amazon’s Computer Fraud and Abuse Act (CFAA) argument “a fundamental misfit” for an AI agent operating under explicit user authorization. Oral arguments are set for June 11 in Seattle.
This case marks the first major U.S. legal test of agent-as-visitor rights. At its core is a deceptively simple question: when a human delegates a visit to an AI agent, who is the authorized visitor? The Ninth Circuit’s answer will set a precedent for every retailer, marketplace, booking platform, and SaaS company facing the same dilemma. And most of them will confront it within the next 12 months.
The Case Timeline: March Through May
The dispute unfolded in three distinct phases over eight weeks.
In early 2026, Amazon sued Perplexity in the Northern District of California. Comet, Perplexity’s AI-powered browser, can log into a user’s Amazon account using stored credentials, browse products on their behalf, and even complete purchases through Amazon’s checkout flow. Amazon’s complaint argued that this constitutes unauthorized access under the CFAA, regardless of the user’s authorization. The company also raised trademark and unfair competition claims, alleging that Comet rendered Amazon’s pages inside Perplexity’s interface.
On March 10, Judge Maxine Chesney granted Amazon a preliminary injunction. The order barred Comet from accessing password-protected portions of Amazon.com, including account pages, order history, and checkout. The judge accepted Amazon’s CFAA theory at this stage, finding that Amazon’s terms of service define who is authorized to enter logged-in areas. A user’s instruction to an agent, she reasoned, does not extend that authorization to the agent itself. Public-facing Amazon pages remained accessible to Comet under the order.
Roughly a week later, the Ninth Circuit paused the injunction pending Perplexity’s appeal. This procedural move allowed Comet to continue operating on Amazon’s logged-in pages while the appeal proceeded. The appellate stay was a notable signal: preliminary injunctions are routine, but appellate stays of those injunctions are not.
On May 8, Perplexity filed its appellate brief. The company argued that the District Court’s reading of the CFAA stretches the statute far beyond its 1986 anti-hacking origins. It contended that the user remains the authorized party at all times, that Comet acts under the user’s delegated authority, and that Amazon’s contractual terms cannot turn lawful agent access into a federal crime. Mozilla, the Electronic Frontier Foundation, and other digital-rights groups filed amicus briefs supporting Perplexity’s position. The Ninth Circuit set oral arguments for June 11 in Seattle.
Amazon’s CFAA Theory Explained
The CFAA was enacted in 1986 to combat hacking-style intrusion. Over the past two decades, however, civil litigation has stretched it to cover scraping, automated access, account sharing, and other behaviors far removed from break-in hacking. The Supreme Court narrowed some of that expansion in Van Buren v. United States (2021), holding that a person with permission to access a system does not violate the CFAA by accessing it for the wrong reason. Whether that narrowing reaches agent-on-behalf-of-user access is the central question in Amazon v. Perplexity.
Amazon’s theory rests on three pillars:
First, Amazon’s terms of service explicitly prohibit automated access. They reserve access to Amazon.com for natural-person browsing, not for software agents acting on behalf of users.
Second, when Comet logs into a user’s Amazon account, Comet itself is the entity making the request. From Amazon’s perspective, the agent is now the visitor, not the user. Amazon’s authorization runs to the user, not to a delegated software agent.
Third, because Amazon never authorized Comet, Comet’s access is “without authorization” under the CFAA. The user’s instruction to Comet is irrelevant to whether Amazon authorized the agent.
Perplexity’s counter-argument is straightforward. The user is the principal. Comet is the user’s agent in the legal-mechanical sense. When the user instructs Comet to log into their own account and complete a transaction they are authorized to make, Comet’s access is the user’s access, channeled through software. There is no unauthorized party in the transaction. The CFAA was never written for, and does not reach, software acting under explicit user delegation.
The trial court sided with Amazon. The Ninth Circuit’s pause suggests the appellate panel may not.
Why the Ninth Circuit Paused the Injunction
Appellate stays of preliminary injunctions are uncommon enough to be meaningful. The Ninth Circuit applies a four-factor test for staying an injunction pending appeal, with the first factor being likelihood of success on the merits. A panel granting a stay effectively signals that the moving party has a reasonable chance of winning the appeal.
The panel did not issue a written opinion explaining the stay. Appellate stays at this stage rarely come with reasoned opinions. The signal lives in the procedural fact of the stay itself.
Legal analysts see two doctrinal pressures driving the panel’s skepticism. The first is the Van Buren narrowing. That ruling cut the CFAA back from a tool that could criminalize any terms-of-service violation to one targeting actual unauthorized access. Reading Amazon’s theory carefully, the District Court’s ruling expands the CFAA in ways that look more like the pre-Van Buren expansion than the post-Van Buren narrowing.
The second pressure is the legal agency doctrine that has governed delegated transactions for centuries. When a person authorizes another party to act on their behalf, the agent’s acts are imputed to the principal. Software acting under explicit user instruction is the modern, automated extension of the same principle. Reading the CFAA to ignore that principle would create a federal criminal-law trap for any user who delegates online tasks to software, which is now most users.
Neither pressure guarantees the Ninth Circuit will reverse. But together, they explain why the panel paused.
Why This Case Decides More Than One Lawsuit
If the District Court’s CFAA theory survives appellate review, the doctrinal effect is clear. Every major website gains a legal weapon to block AI agents from logged-in user accounts, even on accounts the user fully owns. The blueprint Amazon used against Comet becomes the standard playbook for any platform that does not want its users employing AI agents.
The downstream effects line up by category. Retailers can block AI shopping agents from price-comparing on logged-in accounts. Booking websites can block AI travel agents from completing reservations. Banks and brokerages can block AI financial-management agents from logged-in dashboards. Marketplaces can block agents from posting listings on user accounts. SaaS platforms can block agents from managing subscriptions or running workflows. In every case, the website’s terms of service become the controlling document, and the user’s explicit instruction to the agent becomes legally irrelevant.
If the Ninth Circuit reverses, the opposite holds. The CFAA gets pushed back inside its narrower 1986 lane. Websites lose the federal criminal-law tool for blocking user-delegated agents. The question of agent access shifts to the contract-and-technology layer, where it arguably belongs. Websites can still block agents through technical means, terms enforced by civil remedies short of CFAA claims, or partnership APIs. But they cannot reach for the federal criminal statute as the lever.
A middle-ground outcome is also possible. The Ninth Circuit could affirm the injunction on narrower grounds, distinguish between specific kinds of agent access, or remand for further factual development. Each of those outcomes leaves the larger question unresolved and pushes the legal test forward into other circuits and other cases.
Whichever way the panel rules, this case is now the load-bearing precedent for agent-as-visitor access rights in the United States. Every major retailer, marketplace, and booking website will write its agent-access posture against the standard the Ninth Circuit sets on June 11.
What to Watch at Oral Arguments
Three signals at oral arguments are worth tracking specifically.
First, watch how the panel handles the agency-doctrine question. If the judges push Amazon’s counsel hard on why a user’s explicit instruction does not extend authorization to the user’s chosen agent, that suggests discomfort with the District Court’s reading. If they instead press Perplexity on why an automated agent should be treated identically to a human user, the panel may be open to the District Court’s framing.
Second, watch whether the judges distinguish between kinds of agent access. The case has treated “agent access” as one category. The panel might draw lines: agents that complete transactions versus those that only retrieve data, agents that use stored credentials versus those that ask the user to log in each time, agents identified by a verified protocol versus unidentified browser automation. A ruling that draws those lines would shape how websites structure their access posture more than a blanket affirm-or-reverse.
Third, watch what the panel says about the future of the CFAA in the agentic era. The judges have an opportunity to write a doctrinal frame for how the statute applies to AI agents generally. A narrow ruling on Amazon-and-Perplexity-specific facts leaves the larger question for another case. A broader ruling sets the doctrinal frame for the entire category.
Oral arguments at the Ninth Circuit are public. Audio is typically posted within hours. The panel composition, when published, signals how the case will likely be heard. Tracking those three signals through argument day is the cheapest way for a website owner to read the direction of travel.
What to Do This Week
Three concrete moves for any website owner whose users might want to use AI agents on logged-in accounts.
First, read your own terms of service for clauses about automated access. Most terms inherited their language from the pre-agent era, when “automated access” meant scraping bots and unauthorized scripts. Decide whether that language still says what you want it to say when the automated access is a user’s own AI agent acting under explicit user instruction. If your position is to welcome user-delegated agents, your terms should say so. If your position is to block them, your terms should say that too, and your robots.txt and access-control posture should match.
Second, audit your access-control posture against the user-agent tokens of the AI agents your users actually use. The current major ones include GPTBot, OAI-SearchBot, ChatGPT-User, PerplexityBot, ClaudeBot, and Google-Extended for the search-and-citation crawlers, plus Perplexity Comet, ChatGPT Atlas, and the various Gemini surfaces for user-delegated browsers. If your robots.txt or web application firewall blocks any of these by default, your users may already be hitting the wall on their own accounts. That is your decision to make, but it should be a decision, not a default.
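One way to run the robots.txt half of that audit, as an added example that is not from the original article: it reports, for each crawler token named above, which paths are blocked and whether the block comes from a rule written for that token or is inherited from the wildcard group. The sample policy, the paths, and the function names are constructed for illustration; web application firewall rules are outside its scope.

```python
from urllib.robotparser import RobotFileParser

# Robots.txt product tokens named in the article (crawler group only).
AGENT_TOKENS = ["GPTBot", "OAI-SearchBot", "ChatGPT-User",
                "PerplexityBot", "ClaudeBot", "Google-Extended"]

# Constructed sample policy, not taken from any real site.
SAMPLE_ROBOTS = """\
User-agent: *
Disallow: /account/
Disallow: /checkout/

User-agent: GPTBot
Disallow: /

User-agent: PerplexityBot
Allow: /
"""

def named_groups(robots_txt):
    """Return the lowercase tokens that have their own User-agent line."""
    names = set()
    for line in robots_txt.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        key, _, value = line.partition(":")
        if key.strip().lower() == "user-agent" and value.strip() != "*":
            names.add(value.strip().lower())
    return names

def audit(robots_txt, paths, tokens=AGENT_TOKENS):
    """Map each token to (blocked paths, 'explicit' or 'default')."""
    parser = RobotFileParser()
    parser.parse(robots_txt.splitlines())
    explicit = named_groups(robots_txt)
    report = {}
    for token in tokens:
        blocked = [p for p in paths if not parser.can_fetch(token, p)]
        # 'default' means the outcome is inherited from the '*' group,
        # i.e. nobody wrote a rule for this agent on purpose.
        source = "explicit" if token.lower() in explicit else "default"
        report[token] = (blocked, source)
    return report

if __name__ == "__main__":
    paths = ["/", "/account/orders", "/checkout/cart"]
    for token, (blocked, source) in audit(SAMPLE_ROBOTS, paths).items():
        print(f"{token:15} {source:8} blocked: {blocked or 'nothing'}")
```

Rows marked `default` with a non-empty blocked list are the ones to review: the agent is being turned away by a rule nobody wrote with it in mind.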
Third, decide your position on agent access before the Ninth Circuit decides it for you. Three postures are coherent. The first is welcome: you accept user-delegated agents on accounts, you may charge differently for agent-driven transactions, you may publish an agent-readable surface that makes the work easier for both sides. The second is block: you treat user-delegated agents as unauthorized access, you back that position with terms and technical controls, and you accept that some users will leave for websites with the welcome posture. The third is partner: you build an API or capability surface that user-delegated agents can use without scraping your logged-in pages, and you put the agents through that door rather than the front one.
The default posture most websites have today was written before agent-as-visitor was a real access class. Whatever the Ninth Circuit rules on June 11, the default is now the wrong posture for most websites. Choose deliberately.
(Source: Search Engine Journal)




