The CFAA Case That Decides Whether AI Agents Can Visit Your Website

Amazon sued Perplexity over its Comet browser purchasing on Amazon below person authorization. On March 10, 2026, a federal choose within the Northern District of California issued a preliminary injunction blocking Comet from accessing Amazon’s logged-in pages. Roughly every week later, the Ninth Circuit Courtroom of Appeals paused the injunction pending Perplexity’s attraction. On Could 8, 2026, Perplexity filed its appellate brief, calling Amazon’s Pc Fraud and Abuse Act principle “a basic misfit” for an AI agent that visits below express person authorization. Oral arguments are scheduled for June 11, 2026, in Seattle.

The case is the primary main authorized take a look at of agent-as-visitor rights in america. The query on the heart of it’s who counts as a licensed customer when a human delegates the go to to an AI agent. The reply on the Ninth Circuit will set the precedent for each retailer, market, reserving platform, and SaaS web site dealing with the identical query, and most of them can be dealing with it throughout the subsequent 12 months.

What Occurred, March By way of Could

The case moved by way of three distinct phases in eight weeks.

In early 2026, Amazon filed swimsuit in opposition to Perplexity within the Northern District of California. Comet, Perplexity’s AI-powered browser, can log right into a person’s Amazon account utilizing the person’s saved credentials, browse merchandise on the person’s behalf, and full purchases by way of Amazon’s checkout movement. Amazon’s grievance argued that this constitutes unauthorized entry to Amazon’s pc methods below the CFAA, no matter whether or not the person licensed the agent. Amazon additionally raised trademark and unfair-competition claims tied to Comet, rendering Amazon’s pages inside Perplexity’s interface.

On March 10, U.S. District Decide Maxine Chesney granted Amazon a preliminary injunction. The order blocked Comet from accessing password-protected parts of Amazon.com, together with account pages, order historical past, and checkout. The choose accepted Amazon’s CFAA principle on the preliminary-injunction stage, discovering that Amazon’s phrases of service govern who is permitted to entry logged-in areas and {that a} person’s instruction to an agent doesn’t lengthen that authorization to the agent itself. Public-facing Amazon pages remained accessible to Comet below the order.

Roughly every week after the District Courtroom ruling, the Ninth Circuit Courtroom of Appeals paused the injunction pending Perplexity’s attraction. The procedural impact: Comet might proceed working on Amazon’s logged-in pages whereas the attraction performed out. The appellate pause was the primary sign that the CFAA principle won’t survive scrutiny at the next court docket, as a result of preliminary injunctions are routine, whereas appellate stays of preliminary injunctions aren’t.

On Could 8, Perplexity filed its appellate transient. The transient argued that the District Courtroom’s studying of the CFAA stretches the statute far past its 1986 anti-hacking origin, that the person is the licensed occasion always, that Comet acts below the person’s delegated authority, and that Amazon’s contractual phrases can’t manufacture federal criminal-law violations out of an agent’s lawful entry on the person’s behalf. Mozilla, the Digital Frontier Basis, and different digital-rights teams filed amicus briefs supporting Perplexity’s place. The Ninth Circuit set oral arguments for June 11 in Seattle.

Amazon’s CFAA Concept In Plain English

The CFAA was handed in 1986. Its authentic goal was hacking-style intrusion, the type of unauthorized entry that gave the impression of crime within the period of WarGames. Over the previous 20 years, the statute has been stretched in civil litigation to cowl scraping, automated entry, account sharing, and different habits that exists on a special spectrum from break-in hacking. The Supreme Courtroom narrowed a few of that stretch in Van Buren v. United States (2021), holding that an individual with permission to entry a system doesn’t violate the CFAA by accessing it for the incorrect motive. Whether or not that narrowing reaches agent-on-behalf-of-user entry is the query Amazon v. Perplexity places squarely on the desk.

Amazon’s principle has three components.

First, Amazon’s phrases of service explicitly prohibit automated entry. The phrases reserve entry to Amazon.com for natural-person searching, not for software program brokers appearing on behalf of customers.

Second, when Comet logs right into a person’s Amazon account, Comet itself is the entity making the request, and from Amazon’s perspective, the agent is now the customer somewhat than the person. Amazon’s authorization runs to the person, to not a software program agent the person has delegated to.

Third, as a result of Amazon by no means licensed Comet, Comet’s entry is “with out authorization” below the CFAA. The person’s instruction to Comet is irrelevant as to if Amazon licensed Comet.

Perplexity’s counter-argument runs the opposite path. The person is the principal. Comet is the person’s agent within the legal-mechanical sense. When the person instructs Comet to log into the person’s personal account and full a transaction the person is permitted to finish, Comet’s entry is the person’s entry, channeled by way of software program. There isn’t a unauthorized occasion within the transaction. The CFAA was not written for, and doesn’t attain, software program appearing below express person delegation.

The trial-court ruling sided with Amazon’s studying. The Ninth Circuit’s pause is the sign that the appellate panel could not.

Why The Ninth Circuit Paused The Injunction On Attraction

Appellate stays of preliminary injunctions are unusual sufficient to be a sign. The Ninth Circuit applies a four-factor take a look at for staying an injunction pending attraction, and the primary issue is probability of success on the deserves. A panel granting a keep is, in impact, signaling that the shifting occasion has an affordable shot at profitable the attraction.

The panel didn’t write an opinion explaining the keep. Appellate stays at this stage not often include reasoned opinions. The sign lives within the procedural reality of the keep itself.

The authorized analyst’s studying of why the panel may be skeptical of the District Courtroom’s CFAA principle comes down to 2 doctrinal pressures. The primary is the Van Buren narrowing. Van Buren reduce the CFAA again from a software that would criminalize any pc use in violation of a terms-of-service clause to a software that targets precise unauthorized entry. Studying Amazon’s principle rigorously, the District Courtroom’s ruling expands the CFAA in ways in which look extra just like the pre-Van Buren expansion than the post-Van Buren narrowing.

The second strain is the legal-agency doctrine that has ruled delegated transactions for hundreds of years. When an individual authorizes one other occasion to behave on their behalf, the agent’s acts are imputed to the principal. Software program appearing below express person instruction is the trendy, automated extension of the identical precept. Studying the CFAA to disregard that precept would create a federal criminal-law entice for any person who delegates on-line duties to software program, which is now most customers.

Neither strain ensures the Ninth Circuit reverses, however collectively they clarify why the panel paused.

Why This Decides Extra Than One Lawsuit

If the District Courtroom’s CFAA principle survives appellate overview, the doctrinal impact is easy. Each main web site will get a authorized weapon for blocking AI brokers from logged-in person accounts, even on accounts the person absolutely owns. The blueprint Amazon used in opposition to Comet turns into the usual playbook for any platform that doesn’t need its customers utilizing AI brokers.

The downstream results line up class by class. Retailers can block AI shopping agents from price-comparing on logged-in accounts. Reserving web sites can block AI journey brokers from finishing reservations on person accounts. Banks and brokerages can block AI financial-management brokers from logged-in dashboards. Marketplaces can block brokers from posting listings on person accounts. SaaS platforms can block brokers from managing subscriptions or working workflows on person accounts. In each case, the web site’s terms-of-service language turns into the controlling doc, and the person’s express instruction to the agent turns into legally irrelevant.

If the Ninth Circuit reverses, the doctrinal impact is the other. The CFAA will get pushed again inside its narrower 1986 lane. Web sites lose the federal criminal-law software for blocking user-delegated brokers, and the query of agent entry shifts to the contract-and-technology layer, the place it arguably belongs. Web sites can nonetheless block brokers by way of technical means, phrases enforced by civil cures in need of CFAA claims, or partnership APIs. However they can’t attain for the federal felony statute because the lever.

A middle-ground consequence can also be doable. The Ninth Circuit might affirm the injunction on narrower grounds, distinguish between particular sorts of agent entry, or remand for additional factual improvement. Every of these outcomes leaves the bigger query unresolved and pushes the authorized take a look at ahead into different circuits and different circumstances.

Whichever manner the panel guidelines, the case is now the load-bearing precedent for agent-as-visitor entry rights in america. Each main retailer, market, and reserving web site will write its agent-access posture in opposition to the usual the Ninth Circuit units on June 11.

What To Watch For At Oral Arguments

Three alerts at oral arguments are value watching particularly.

The primary is how the panel handles the agency-doctrine query. If the judges push Amazon’s counsel arduous on why a person’s express instruction doesn’t lengthen authorization to the person’s chosen agent, that’s the tender inform that the panel is uncomfortable with the District Courtroom’s studying. If the judges as a substitute press Perplexity on why an automatic agent needs to be handled identically to a human person, the panel could also be open to the District Courtroom’s framing.

The second is whether or not the judges distinguish between sorts of agent entry. The case to this point has handled “agent entry” as one class. The panel would possibly draw traces: brokers that full transactions versus brokers that solely retrieve information, brokers that use saved credentials versus brokers that ask the person to log in every time, brokers recognized by a verified protocol versus unidentified browser automation. A ruling that attracts these traces would form how web sites can construction their entry posture greater than a blanket affirm-or-reverse.

The third is what the panel says about the way forward for the CFAA within the agentic period. The judges have a possibility to put in writing a doctrinal body for the way the statute applies to AI brokers typically, they usually could or could not take it. A slim ruling on Amazon-and-Perplexity-specific info leaves the bigger query for an additional case, presumably in one other circuit, presumably with completely different info. A broader ruling units the doctrinal body for your entire class.

Oral arguments on the Ninth Circuit are public. The audio is often posted inside hours. The panel composition, when printed, alerts how the case will probably be heard. Monitoring these three alerts by way of argument day is the most cost effective manner for an internet site proprietor to learn the path of journey.

What To Do This Week

Three concrete strikes for any web site proprietor whose customers would possibly wish to use AI brokers on logged-in accounts.

Learn your personal phrases of service for clauses about automated entry. Most phrases of service inherited their automated-access language from the pre-agent period, when “automated entry” meant scraping bots and unauthorized scripts. Resolve whether or not that language nonetheless says what you need it to say when the automated entry is a person’s personal AI agent appearing below express person instruction. In case your place is that you just wish to welcome user-delegated brokers, your phrases ought to say so. In case your place is that you just wish to block them, your phrases ought to say that too, and your robots.txt and access-control posture ought to match.

Audit your access-control posture in opposition to the AI agent person brokers your customers truly use. The present main ones embrace GPTBot, OAI-SearchBot, ChatGPT-Person, PerplexityBot, ClaudeBot, and Google-Prolonged for the search-and-citation crawlers, plus Perplexity Comet, ChatGPT Atlas, and the varied Gemini surfaces for the user-delegated browsers. In case your robots.txt or net utility firewall blocks any of those by default, your customers could already be hitting the wall on their very own accounts. That’s your resolution to make, nevertheless it needs to be a call, not a default.

Resolve your place on agent entry earlier than the Ninth Circuit decides it for you. Three postures are coherent. The primary is welcome: You settle for user-delegated brokers on accounts, chances are you’ll cost in another way for agent-driven transactions, chances are you’ll publish an agent-readable floor that makes the work simpler for each side. The second is block: You deal with user-delegated brokers as unauthorized entry, you again that place with phrases and technical controls, and also you settle for that some customers will go away for web sites with the welcome posture. The third is associate: You build an API or capability surface that user-delegated brokers can use with out scraping your logged-in pages, and you place the brokers by way of that door somewhat than the entrance one.

The default posture most web sites have immediately was written earlier than agent-as-visitor was an actual entry class. Regardless of the Ninth Circuit guidelines on June 11, the default is now the incorrect posture for many web sites. Select intentionally.

Extra Assets:

This publish was initially printed on No Hacks.

Featured Picture: Billion Pictures/Shutterstock