Amazon v. Perplexity and the new rule for AI agents: identity, not access

When your agent logs in, the old test stops working
For years the cleanest test for whether web data collection was legal fit in one sentence: would a logged-out user see this page in a browser? If yes, you were mostly inside the post-hiQ mainstream. We made that case ourselves in the legal status of web scraping in 2026, which concluded that the Computer Fraud and Abuse Act was largely resolved for scraping public data, and that the live risk had moved to contract terms and DMCA circumvention.
That test was built for reading. It does not settle much once an AI agent logs in to a real account and acts. Amazon v. Perplexity is the case that reopens the question, and it points at a different variable than access.
What is Amazon v. Perplexity? It is a federal lawsuit Amazon filed against Perplexity AI in November 2025 over Perplexity's Comet browser agent, which logs into a user's Amazon account and shops on their behalf. Amazon claims the agent accessed its systems without authorization and concealed that it was an AI agent, in violation of the CFAA and California computer-access law.
What Amazon actually alleges
The case is Amazon.com Services LLC v. Perplexity AI, Inc. in the U.S. District Court for the Northern District of California, docket 3:25-cv-09514-MMC, filed in November 2025. Amazon brings claims under two statutes: the federal Computer Fraud and Abuse Act (CFAA) and California's Comprehensive Computer Data Access and Fraud Act (CDAFA).
The product at the center is Comet, Perplexity's web browsing agent. Comet signs into a user's Amazon account and completes shopping tasks for them: browsing listings, comparing products, placing orders. Amazon's complaint does not argue the user lacked permission to shop. It argues that Perplexity accessed Amazon's systems with the user's permission but without Amazon's authorization, which is a different thing.
The detail Amazon leans on is disclosure. According to the complaint, Comet presented itself as Google Chrome rather than identifying itself as an AI agent. Amazon says it updated its Conditions of Use to require transparent identification of automated agents and to prohibit concealment of automated activity, and that Comet's behavior ran straight through those terms. The CFAA count rests on the familiar elements: knowingly accessing protected computers without authorization, obtaining account information, transmitting that information to Perplexity's own servers, and clearing the statute's $5,000 damages threshold for a civil claim.
Strip away the branding and the allegation is narrow and specific. It is not "AI shopping is illegal." It is "an automated actor entered our platform, we told automated actors they had to say so, and this one said it was a human's browser instead."
Why "the user authorized it" isn't the whole answer
Perplexity's defense is the intuitive one. It says it did not break into Amazon's systems at all. It built a browser, the user is a legitimate account holder, and the user asked the agent to act. On that reading, an agent operating a session the user is entitled to operate is not "unauthorized access" in any meaningful sense. The ACLU filed an amicus brief raising the internet-freedom stakes, warning that a broad ruling for Amazon could let platforms use the CFAA to control how ordinary users automate their own accounts.
The procedural history is not going Perplexity's way so far. In March 2026 the district court granted Amazon a preliminary injunction, finding Amazon likely to succeed on the merits. That order was stayed pending appeal, and the Ninth Circuit heard oral argument on June 11, 2026, where the three-judge panel was reported to be skeptical of Perplexity's position. None of this is a final ruling. The appeal is undecided, and a 1986 statute written for a very different internet is being asked to answer a question its drafters never imagined: what counts as authorized access when the thing doing the accessing is an autonomous agent.
From access to identity
The shift is in what the case turns on. The scraping-era question was whether the data was reachable. The agent-era question is whether the actor disclosed what it was, and whether the site's terms authorized an automated actor at all. Access is close to settled for public pages. Identity is not. Amazon's theory does not depend on the data being secret; the user could see all of it. It depends on Comet allegedly sending a Chrome user-agent instead of announcing itself. That reframes a whole category of product decisions as legal ones.
The same shift is happening above the login
You can watch the same move play out one layer up, at the crawler level, where no login is involved at all.
On July 1, 2026, Cloudflare set a deadline for AI companies to separate the crawlers they use for traditional search from the crawlers they use for AI agents and model training. Under the policy, crawlers that blend those purposes are blocked by default unless a site owner opts in, and Cloudflare specifically called out the largest operator, Google, whose single crawler has long served both search indexing and AI.
Publishers have been making the same complaint in blunter terms. People Inc. chief executive Neil Vogel put it plainly in June 2026: "We can't actually block Google, because Google uses the same crawler for search as they do for AI, which is like an incredible abuse of market power." The grievance is not that Google fetches pages. It is that one identity is being used for two purposes a publisher would price and permission differently.
The same logic runs through both fronts. Above the login and below it, sites are converging on the same demand: tell us who is acting and why, not just what you fetched. Purpose and identity are becoming the unit of permission.
What this means if you ship an agent
If you are building an agent that acts on live sites, a few things follow.
-
Treat a declared, truthful agent identity as a design default, not an afterthought. Whatever your agent sends as it works, sending a real signal of what it is puts you on the defensible side of the exact fact Amazon is litigating. Spoofing a human browser is now the behavior on trial.
-
Read terms of service for automated-agent clauses, not just scraping clauses. The old ToS language targeted scrapers and bots collecting data. The new language, like Amazon's amended Conditions of Use, names automated agents that act, and demands they identify themselves. Re-read the terms of every platform your agent touches; they are being rewritten around exactly this.
-
Separate "acts as the user" from "acts as your service." These are different authorization stories. An agent operating a user's own logged-in session sits on firmer ground than a service reaching into a platform on its own account. Design the two paths deliberately and know which one each feature uses.
-
Prefer sanctioned channels where they exist. Official APIs and MCP servers give you access the platform has agreed to grant, which is a stronger position than access it merely failed to block. Our guide to agentic web access covers when a sanctioned channel is available and when you are left driving a browser.
-
Fold this into build versus buy. Legal exposure now belongs in the same column as reliability and cost when you decide whether to build agent access in-house or route through a vendor that carries the compliance burden. Our build vs buy breakdown is the place to run that trade-off.
What to watch
Three things over the next few months. First, the Ninth Circuit's ruling in Amazon v. Perplexity, which will be the first appellate read on whether the CFAA reaches agentic AI acting on a user's behalf. Second, whether "identify your agent" clauses spread from Amazon's Conditions of Use into the terms of other large platforms, which would turn a single dispute into an industry norm. Third, whether a shared standard for disclosed agent identity emerges, so that acting honestly does not mean getting blocked for your honesty. The direction of travel is already clear: identity, not access, is where the next round is being fought.
More from the blog
Weekly briefing – tool launches, legal shifts, market data.