Agentic AI is generally an autonomous software system that is capable of “perceiv[ing], reason[ing], and act[ing] in digital environments to achieve goals on behalf of human principals.”[1] The AI tool behaves as the human’s agent.One specific use case is online shopping, where a user can provide a shopping prompt to an AI agent for a product (e.g., new winter jacket), and the agent will find that product based on the user’s style (purchase history), sales promotions, fastest free shipping, and then complete the purchase.[2]
Amazon has an in-house AI assistant, Rufus, directly on its online platform.[3] Rufus can help users find items and automatically add them to the user’s cart, which the user can review before check-out.[4] Walmart, in addition to its in-house AI assistant Sparky, has partnered with OpenAI and Google to allow Sparky to operate within these external chatbots.[5] In this set-up, when a ChatGPT user encounters Sparky in their ChatGPT chat, the user logs into Sparky with their Walmart credentials, which gives ChatGPT information about the user’s consumption behavior.[6]
What about third-party AI agents that do not have agreements with Amazon or Walmart? In Amazon.com Services LLC v. Perplexity AI, Inc., Amazon sued Perplexity in November 2025 alleging that Perplexity’s AI agent, Comet, was accessing Amazon’s computers without authorization when conducting agentic transactions on behalf of Amazon customers, in violation of the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030 et seq.[7] Prior to the lawsuit, in October 2025, Amazon sent a cease-and-desist letter “revoking [Perplexity’s] access to the Amazon Store when using covert AI agents.”[8]
Specifically, Amazon alleged that Perplexity violated 18 U.S.C. § 1030(a)(2), which prohibits intentionally accessing a computer without authorization or in excess of authorization to obtain information from a protected computer, and 18 U.S.C. § 1030(a)(4), which prohibits such unauthorized access as part of a fraudulent scheme and obtaining a thing of value, other than use of the computer, that has a value of more than $5,000.[9] Amazon sought an injunction,[10]which the court granted on March 9, 2026.[11] The district court relied on the holding in Facebook, Inc., v. Power Ventures, Inc., where the Ninth Circuit held that consent from platform users is insufficient to act as continuing authorization to access the platform’s computers after the platform expressly revokes permission.[12]
On April 1, 2026, Perplexity filed an appeal to the Ninth Circuit.[13] Perplexity argued that the CFAA serves to address computer hacking and equated Comet users accessing Amazon to Safari browser users accessing Amazon, which does not amount to hacking.[14] Perplexity pointed to the fact that Amazon account holders authorized Comet to access the account holders’ “own private information,” thus allowing Comet to facilitate the transaction, which benefits all parties, including Amazon.[15] Perplexity also argued that the district court incorrectly relied on Power Ventures.[16]There, Power Ventures obtained consent from Facebook users to access their accounts and scrape information about other users in order to send promotions to third-parties.[17] Facebook, at the time, was completely behind a password gate and had an interest in protecting this information from competitors trying to circumvent the tech barrier and misuse the grant of access from the users and Facebook, which the Court recognized.[18] Perplexity argued that unlike Power Ventures, Perplexity accesses Amazon to comply with the users’ instructions, which matches Amazon’s purpose of selling products.[19]
The crucial Supreme Court decision about exceeding authorized access under the CFAA is Van Buren v. United States, where the Court held that the phrases “without authorization” and “exceeds authorized access” is a gates-up-or-down inquiry, where one either can or cannot access a computer system.[20] The Court expressly declined to address whether the inquiry requires a tech-based limitation (e.g., code restrictions) on access or also limits in contracts/policies.[21] The Ninth Circuit has ruled on several CFAA-related cases in the last decade. In Nosal I, the Ninth Circuit held that “the phrase ‘exceeds authorized access’ in the CFAA does not extend to violations of use restrictions,” i.e., terms of service, noting that such terms can be vague, unknown, and susceptible to change “at any time and without notice” by website owners.[22] In Nosal II, the Ninth Circuit explained that “without authorization” in the CFAA means “without permission,” and an entity “can grant or revoke that permission.”[23] In Nosal II, an employer revoked a former employee’s computer access credentials after which the former employee used another employee’s credentials to access the system, constituting access “without authorization.”[24]
In hiQ Labs, Inc. v. LinkedIn Corp., the Ninth Circuit explained that the CFAA is “an anti-intrusion statute” per Nosal I.[25] For publicly available websites, the gate is up under Van Buren, but when a computer or website’s information is protected by a username/password login system, the gate is down, just like in Nosal II and Power Ventures.[26] Therefore, a cease-and-desist letter cannot lower the gate for a public website.
In Amazon’s case, the platform has a public-facing website. The gate is up for the public-facing part of the website. Thus, under hiQ Labs and Van Buren, Comet’s access to the publicly available information on Amazon’s website is neither access without authorization nor exceeding authorized access under the CFAA. Comet, however, gains access to password-protected parts of Amazon’s computers when a Comet user logs into their own Amazon account.[27] Then, Comet obtains access to the private customer information stored on Amazon’s computers, but such information is not publicly available, meaning the gate is down for that part of the website.[28] When there is a tech barrier causing the gate to be down, a user’s own consent to access the system does not amount to permission.[29] Even though in its complaint, Amazon pointed to its publicly available Conditions of Use, which require AI agents “to transparently identify themselves” to Amazon,[30] those terms do not affect the “without authorization” or “exceeds authorized access” analysis under Nosal I.[31]
Given the expected growth of agentic AI in online commerce, merchants can expect to encounter such systems accessing customer accounts, where the gate is down. Even though Perplexity points out that its actions are to the benefit of Amazon,[32] the CFAA is “an anti-intrusion statute.”[33] Perplexity is intruding into Amazon’s computers. There is an alternative available for AI agents seeking to use Amazon’s platform: identify yourself to Amazon and/or partner with Amazon similar to how OpenAI and Gemini have partnered with Walmart. It is also important to note that online merchants have access to consumers’ personal information, which may be subject to various States’ data breach notification laws in case of a breach. This can affect platforms’ decision to prevent unidentified AI agents from lurking behind their gate where the platform stores that information. Innovation is moving towards significant convenience, but it requires delicate balancing of authority to enter and confidentiality.
[1] Peyman Shahidi et al., The Coasean Singularity? Demand, Supply, and Market Design with AI Agents, in The Economics of Transformative AI 2 (2025), https://www.nber.org/system/files/chapters/c15309/c15309.pdf.
[2] Taylor Soper, AI Is Coming for Your Shopping Cart: How Agentic Commerce Could Disrupt Online Retail, GeekWire (Dec. 15, 2025, at 7:41 AM), https://www.geekwire.com/2025/ai-agents-are-coming-for-your-shopping-cart-how-agentic-commerce-could-disrupt-online-retail/.
[3] Ben Shimkus, Target Has a Warning If You Use Google’s AI to Shop, Bus. Insider (Mar. 30, 2026, at 5:57 PM ET), https://www.businessinsider.com/targets-google-gemini-ai-shop-terms-update-2026-3.
[4] Amazon’s Next-Gen AI Assistant for Shopping is Now Even Smarter, More Capable, and More Helpful, Amazon News (Nov. 18, 2025), https://www.aboutamazon.com/news/retail/amazon-rufus-ai-assistant-personalized-shopping-features.
[5] Paresh Dave, Why Walmart and OpenAI Are Shaking Up Their Agentic Shopping Deal, Wired (Mar. 18, 2026, at 2:01 PM), https://www.wired.com/story/ai-lab-walmart-openai-shaking-up-agentic-shopping-deal/.
[6] Id.
[7] Complaint at 2–3, 18, Amazon.com Services LLC v. Perplexity AI, Inc., No. 3:25-CV-09514 (N.D. Cal. Nov. 4, 2025).
[8] Id. at 14.
[9] Id. at 18; see also 18 U.S.C. § 1030(a)(2); 18 U.S.C. § 1830(a)(4).
[10] Complaint at 18, Amazon.com Services LLC v. Perplexity AI, Inc., No. 3:25-CV-09514 (N.D. Cal. Nov. 4, 2025).
[11] Order Granting Plaintiff’s Motion for Preliminary Injunctive Relief at 7–8, Amazon.com Services LLC v. Perplexity AI, Inc., No. 3:25-CV-09514-MMC (N.D. Cal. Mar. 9, 2026).
[12] Id. at 3 (citing Facebook, Inc. v. Power Ventures, Inc., 844 F.3d 1058, 1068 (9th Cir. 2016)).
[13] Brief for Appellant, Amazon.com Services LLC v. Perplexity AI, Inc., No. 26-1444 (9th Cir. Apr. 1, 2026).
[14] Id. 1–2.
[15] Id. at 2–3.
[16] Id. at 3.
[17] Id. at 40.
[18] Id. at 40–41.
[19] Id. at 41.
[20] Van Buren v. United States, 593 U.S. 374, 390 (2021).
[21] Id. at 390 n.8.
[22] United States v. Nosal (Nosal I), 676 F.3d 854, 862–63 (9th Cir. 2012).
[23] United States v. Nosal (Nosal II), 844 F.3d 1024, 1034–38 (9th Cir. 2016).
[24] Id. at 1038.
[25] hiQ Labs, Inc. v. LinkedIn Corp., 31 F.4th 1180, 1196 (9th Cir. 2022) (quoting Nosal I, 676 F.3d at 857–58).
[26] Id. at 1199.
[27] Complaint at 3, Amazon.com Services LLC v. Perplexity AI, Inc., No. 3:25-CV-09514 (N.D. Cal. Nov. 4, 2025).
[28] hiQ Labs, Inc., 31 F.4th at 1199.
[29] Id. (citing Facebook v. Power Ventures, 844 F.3d 1058, 1067 n.2).
[30] Complaint at 3, Amazon.com Services LLC v. Perplexity AI, Inc., No. 3:25-CV-09514 (N.D. Cal. Nov. 4, 2025).
[31] Nosal I, 676 F.3d 854, 862–63 (9th Cir. 2012).
[32] Brief for Appellant at 2–3, Amazon.com Services LLC v. Perplexity AI, Inc., No. 26-1444 (9th Cir. Apr. 1, 2026).
[33] hiQ Labs, Inc., 31 F.4th 1180, 1196 (9th Cir. 2022) (quoting Nosal I, 676 F.3d at 857–58).