AI Agents Can Access Your Site — Know Your Posture
TL;DR: Amazon sued Perplexity under the Computer Fraud and Abuse Act, arguing that Perplexity’s Comet browser constitutes unauthorized access even when a logged-in user explicitly instructs it to shop on their behalf. A district court agreed and issued a preliminary injunction; the Ninth Circuit then paused that injunction pending appeal. Oral arguments were set for June 11, 2026, and the ruling will determine whether websites can use federal law to block user-delegated AI agents — or whether that fight belongs in the contract-and-technology layer where most operators already live.
What Happened and Why It Moved Fast
In early 2026, Amazon filed suit in the Northern District of California. Perplexity’s Comet browser can log into a user’s Amazon account using stored credentials, browse products, and complete purchases — all under explicit user instruction. Amazon’s argument: its terms of service restrict access to natural-person browsing, so Comet itself is the unauthorized visitor, regardless of what the user told it to do.
On March 10, U.S. District Judge Maxine Chesney sided with Amazon and issued a preliminary injunction blocking Comet from password-protected Amazon pages, including account history and checkout. About a week later, the Ninth Circuit paused the injunction pending Perplexity’s appeal — a procedurally unusual move that signals the appellate panel sees at least a reasonable shot at reversal. On May 8, Perplexity filed its appellate brief calling Amazon’s CFAA theory “a fundamental misfit” for delegated agent access. Mozilla and the Electronic Frontier Foundation filed amicus briefs in support. The case moved from complaint to appellate argument in roughly four months, which is fast for federal court.
The CFAA Argument, Plain and Specific
The Computer Fraud and Abuse Act was written in 1986 to target hacking-style intrusion. Over the following two decades, civil plaintiffs stretched it to cover scraping, automated access, and account sharing. The Supreme Court pushed back in Van Buren v. United States (2021), holding that having permission to access a system means you cannot violate the CFAA merely by accessing it for the wrong reason.
Amazon’s three-part theory: (1) its terms explicitly prohibit automated access; (2) when Comet logs in, Comet is the entity making the request, not the user; (3) because Amazon never authorized Comet, the access is “without authorization” under the statute. The user’s instruction is legally irrelevant to whether Amazon authorized the agent.
Perplexity’s counter: the user is the principal; Comet is the user’s agent in the legal-mechanical sense; when the user delegates a transaction they are already authorized to complete, the agent’s access is the user’s access. The CFAA does not reach software operating under explicit user delegation. Legal-agency doctrine has governed delegated transactions for centuries — this is the modern, automated extension of the same principle.
The district court accepted Amazon’s reading. The appellate stay is the signal that the Ninth Circuit may not.
Why the Stay Is the Most Important Data Point
Appellate stays of preliminary injunctions are uncommon. The Ninth Circuit applies a four-factor test, and the first factor is likelihood of success on the merits. A panel granting a stay signals that the moving party has a real shot at winning the appeal. The panel issued no written opinion explaining the stay, but the procedural fact itself carries the signal.
Two doctrinal pressures explain the skepticism. First, the Van Buren narrowing cuts against using CFAA to criminalize any computer use that violates a terms-of-service clause. Amazon’s theory looks more like the pre-Van Buren expansion than the narrowing the Supreme Court imposed. Second, legal-agency doctrine has governed delegated transactions for centuries. Treating user-delegated software as unauthorized under federal criminal law would create a trap for any user who assigns online tasks to software — which is now the majority of users in any digital-native vertical. Neither pressure guarantees reversal, but together they explain why three appellate judges hit pause.
What This Means for High-CAC Verticals
Operators in Forex acquisition, iGaming player acquisition, and crypto exchange marketing run acquisition funnels where the logged-in experience is the product. If the district court’s CFAA theory survives, platform operators gain a federal-law lever to block AI agents from logged-in account areas — including agent-driven onboarding flows, portfolio dashboards, and transaction completion sequences. That lever cuts both ways: the same legal logic that lets a platform block an unwanted agent also constrains your ability to build user-delegated automation into a competitor’s platform.
For law firm intake funnels, the implications are equally direct. Mass-tort and personal-injury intake is increasingly AI-assisted — a user delegating an AI agent to submit a claim form or retrieve case status is the same pattern as a user delegating Comet to complete an Amazon checkout. If terms-of-service language can make that delegation unauthorized under federal law, every intake platform in legal needs to decide, deliberately, whether to welcome or block those agents. The CDL recruitment marketing space faces the same question for job-application automation and carrier portal access.
The doctrinal outcome also shapes how operators think about AI agents for lead qualification. If agent access to third-party logged-in pages is legally fragile, the safer build is an owned surface — an API or a dedicated agent-readable endpoint — rather than browser automation across platforms you do not control. That architectural choice has budget implications at the $10K-and-up spend level where platform decisions compound.
Three Postures, One Decision
Whatever the Ninth Circuit rules, every website operator needs an explicit position on agent access. The default posture most sites inherited was written before user-delegated agents were a real access class. Three coherent postures exist.
Welcome: Accept user-delegated agents on logged-in accounts. Potentially price agent-driven transactions differently. Publish an agent-readable surface — a structured endpoint or documented API — that makes the access cleaner for both sides. This posture maximizes user utility and positions the platform to attract the segment of users who rely on AI assistance.
Block: Treat user-delegated agents as unauthorized access. Back that position with explicit terms-of-service language and matching technical controls — robots.txt rules, WAF rules blocking known agent user-agents (GPTBot, PerplexityBot, ClaudeBot, ChatGPT-User, Google-Extended, and the browser agents like Perplexity Comet and ChatGPT Atlas). Accept that some users will migrate to platforms with the welcome posture.
Partner: Build an API or capability surface for agent access, and route agents through that door rather than the logged-in frontend. This is the posture that survives either appellate outcome, because it makes the CFAA question irrelevant — agents use the authorized channel, not a scraped session.
Running a full marketing audit of your current terms, robots.txt, and access-control stack against these three postures is the fastest way to identify where your default conflicts with your actual intent. The audit takes less time than a Ninth Circuit brief and costs less than one week of paid acquisition spend.
What to Watch at Oral Arguments
Three signals in oral argument are worth tracking specifically. First, how hard the panel presses Amazon’s counsel on why a user’s explicit instruction does not extend authorization to the user’s chosen agent — sustained pressure there suggests the panel is uncomfortable with the district court’s reading. Second, whether the judges try to distinguish types of agent access: transaction-completing agents versus data-retrieving agents, stored-credential agents versus session-based agents, identified protocol agents versus unidentified browser automation. A ruling that draws those lines shapes access posture more precisely than a blanket affirm-or-reverse. Third, whether the panel takes the opportunity to write a broader doctrinal frame for CFAA in the agentic era, or limits the ruling to the specific Amazon-Perplexity facts and leaves the larger question for another circuit.
Ninth Circuit oral arguments are public, and audio is typically posted within hours. The panel composition — published before argument day — is the first read on how the case will likely be heard. For operators already running paid media campaigns that depend on logged-in user journeys, the argument transcript is worth one hour of attention before June 11’s ruling reshapes the landscape. Operators running precision targeting across user account data need to know now whether the infrastructure they depend on sits inside or outside the access-control perimeter the Ninth Circuit is about to define.
Originally reported by Search Engine Journal, June 2026.
Get a playbook for your vertical
Forex lead gen
FTD acquisition, depositor funnels, regulated broker campaigns across Tier 1 & Tier 2 GEOs.
Explore → CryptoCrypto & Web3
Token launches, exchange user acquisition, DeFi protocol growth. Compliant campaigns only.
Explore → LegalLaw firm marketing
Mass tort, personal injury, immigration. High-intent lead gen for US law firms with $50K+/mo budgets.
Explore →