In March 2026, a federal judge in the Northern District of California granted Amazon a preliminary injunction blocking Perplexity's Comet browser from logging into a user's Amazon account and making purchases. It is the first significant agent-commerce ruling, and its core holding is that a user authorizing an agent does not equal the platform authorizing it.
- Judge Maxine Chesney issued a preliminary injunction on March 10, 2026, blocking Comet from Amazon's logged-in pages.
- Amazon's theory rests on the Computer Fraud and Abuse Act: agent access without platform permission is unauthorized access.
- The Ninth Circuit paused the injunction pending appeal; oral arguments were set for June 11, 2026 in Seattle.
- The precedent shifts leverage from open scraping toward authorized agent partnerships, the model behind Perplexity's PayPal Instant Buy.
On March 10, 2026, U.S. District Judge Maxine Chesney in the Northern District of California granted Amazon a preliminary injunction against Perplexity, blocking the company's Comet browser from logging into a user's Amazon account and completing purchases on the user's behalf. It is the first meaningful piece of case law in agentic commerce, and it answers a question everyone in the ecosystem had been hand-waving past: can a retailer refuse to be shopped by an autonomous agent. The early answer is yes.
I read this through the lens of someone who wrote platform rules for a living. At Shopify I built the Partner Program, which is fundamentally a system for deciding which third parties get to operate on a platform, on what terms, and where the line of authorization sits. The Amazon and Perplexity fight is that exact problem wearing new clothes. Comet is a third party. The user invited it in. Amazon says inviting it in is not the platform's permission, and a judge agreed, at least for now.
The mechanism matters. Comet can log into your Amazon account using your stored credentials, browse on your behalf, and check out through Amazon's flow. Amazon argued this is unauthorized access to its systems under the Computer Fraud and Abuse Act, regardless of whether you, the user, said yes. Judge Chesney ruled that your permission to an agent does not substitute for Amazon's authorization. The Ninth Circuit then paused the injunction pending Perplexity's appeal, with oral arguments scheduled for June 11, 2026, so this is law in motion, not law settled.
The reason this is a strategy story and not just a legal one: it reshapes who gets to sell through agents and on whose terms. If retailers can refuse unauthorized agents, then the durable path runs through authorized partnerships, the cooperative model Perplexity itself launched with PayPal in November 2025. For brands and app founders building on Shopify, that distinction decides what to build. I set up the broader picture in how agents change discovery and the buy. This post is what the first ruling changes about it.
What the court
actually did, step
by step.
Before the takes, the facts. Here is the sequence, stripped to what the court did and when, so the rest of this post rests on the record rather than the headlines.
| Date | Event |
|---|---|
Nov 2025 | Perplexity launches Instant Buy with PayPal, an authorized partnership model |
Late 2025 | Amazon sues Perplexity over Comet shopping on Amazon accounts |
Mar 10, 2026 | Judge Maxine Chesney (N.D. Cal.) grants Amazon a preliminary injunction |
Holding | User permission to an agent does not equal Amazon's authorization a landmark boundary for agentic commerce |
~1 week later | Ninth Circuit pauses the injunction pending Perplexity's appeal |
Jun 11, 2026 | Appellate oral arguments scheduled in Seattle |
Two things to hold onto. First, this is a preliminary injunction, not a final judgment, and it is already on a partial pause at the appellate level, so the law is genuinely unsettled. Second, the specific conduct at issue is narrow: an agent logging into a user's account with stored credentials and transacting there. That narrowness matters, because the ruling says more about credentialed access to logged-in systems than it does about an agent simply reading a public product page.
The CFAA argument,
in plain language.
The Computer Fraud and Abuse Act is a decades-old anti-hacking statute. Its core sin is accessing a computer system without authorization or exceeding authorized access. Amazon's move was to point that old law at a brand-new actor: an AI agent operating inside a user's account. The argument has two layers worth separating.
| Question | Amazon's position | Perplexity's position |
|---|---|---|
Whose permission counts? | The platform's. The user can't authorize on Amazon's behalf. | The user's. The agent acts under explicit user authorization. |
Is the CFAA the right tool? | Yes. Unauthorized access to its systems. | No. A "fundamental misfit" for a user-directed agent. |
What's really at stake | Control of who operates on its platform | Whether users can delegate shopping to an agent at all |
The judge sided with Amazon at the preliminary stage on the first question: your permission to an agent does not substitute for the platform's. That is the holding with teeth. It means a retailer can treat an uninvited agent the way it would treat any unauthorized automated access, and reach for a powerful federal statute to enforce the boundary. Perplexity's appeal calls the CFAA theory a fundamental misfit for an agent that visits under explicit user authorization, which is a serious argument, and the reason the Ninth Circuit hit pause rather than rubber-stamping the injunction.
"The holding with teeth is simple: your permission to an agent is not the platform's permission. A retailer can decide it does not want to be shopped by a bot."
Why should a Shopify-ecosystem builder care about a CFAA fight on Amazon? Because the principle generalizes. If courts hold that platforms control agent access to their own systems, then every storefront and every app gets to decide its own agent policy. That is leverage you can use, and a risk you can run into, depending on which side of the access line your product sits. It is the same structural question I work through in the challenger brand threat model, just applied to autonomous software instead of competitors.
What the ruling settles,
and the much larger
part it does not.
It is easy to over-read a first ruling. This one decides less than the headlines suggest, and that is important for planning. Here is the honest line between what is now reasonably clear and what is still wide open.
What it leans toward settling: a platform can object to an uninvited agent transacting inside a user's logged-in account, and it has at least one serious federal theory (the CFAA) to enforce that objection. A retailer that does not want autonomous bots checking out on its systems now has a precedent pointing its way, even if a preliminary and contested one.
What it does not settle is most of the interesting territory. It does not say an agent cannot read a public product page. It does not say a brand cannot invite an agent to transact, the entire premise of authorized partnerships. It does not resolve the appeal, which could narrow or reverse the holding. And it does not touch the protocol-level future where merchants opt in to agent checkout on purpose. The ruling is a fence around uninvited, credentialed access, not a wall around agentic commerce. The cooperative future I described in AI shopping assistants on your storefront is untouched, and arguably strengthened, because invitation becomes the clean path.
Why this tilts the field
toward authorized
agent partnerships.
Follow the incentives the ruling creates and the strategic picture clarifies fast. If uninvited, credentialed agent access carries real legal risk, then the safe and scalable way for an agent to transact is by invitation, through a partnership the merchant and the platform have agreed to. That is not a hypothetical model. Perplexity itself launched it in November 2025 with PayPal's Instant Buy, where merchants like Abercrombie and Fitch opt in and the agent checks out through an authorized payment flow rather than puppeting the user's account.
So the same company is running both plays at once: scrape-and-transact with Comet, which drew the injunction, and opt-in partnership with PayPal, which did not. The ruling pushes the whole industry toward the second. That is good news for brands, because the authorized model is the one where you keep control: you decide whether to participate, you keep the customer relationship, and you set the terms. The model where a bot silently transacts in your customer's account is the one you have the least say over, and now the least legal cover for if you are the platform.
For app founders in the Shopify ecosystem, this is a build signal. The durable opportunity is in the authorized lane: tools that help merchants opt into agent commerce on their terms, expose a clean transactable catalog, and keep first-party data and the customer relationship. The scrape-the-account lane just got a warning shot. If you are weighing where to point a roadmap, the legal gravity is now clearly toward cooperation, which is consistent with how I see app distribution and platform risk generally, covered in the board conversation on commerce in 2026.
What it means for the
agent protocols, UCP
and ACP.
The ruling does not just favor partnerships in the abstract, it raises the stakes on the protocols that define how an authorized agent and a merchant transact. If invitation is the clean path, then the standards for issuing and honoring that invitation become the rails the whole channel runs on. Two camps are forming. OpenAI and Stripe's Agentic Commerce Protocol defines how a transaction passes from a chat to a merchant. A broader Universal Commerce push aims at interoperability across agents and payment providers.
The legal precedent makes the protocol question more urgent, not less, because a well-designed protocol is exactly how a merchant grants authorization in a clean, auditable way. An agent transacting under an agreed protocol is, by construction, an invited agent. That is the opposite of Comet logging into an account uninvited. So the brands and apps that adopt the right protocol are not just chasing convenience, they are positioning on the authorized side of the line the court is drawing. I compared the two approaches and what they mean for who controls the customer in UCP versus ACP.
The practical posture is to stay protocol-flexible. You do not yet know which standard your buyers' agents will adopt, and betting the store on one is premature. What you can do now is get your catalog clean and transactable, the groundwork in the Shopify catalog data agents read, so that whichever authorized protocol wins, you can plug into it without a rebuild. The legal direction and the protocol direction point at the same destination: invited, structured, opt-in agent commerce.
What to watch, and
what to do, while
the law settles.
This is law in motion, so the right posture is informed flexibility, not paralysis. Watch a short list, and make a short list of moves that pay off regardless of how the appeal lands.
What to watch. The Ninth Circuit appeal, with oral arguments June 11, 2026, which could narrow, affirm, or reverse the holding. Whether other retailers follow Amazon in challenging uninvited agents. How OpenAI's shift toward retailer-controlled experiences interacts with the access question, which I track in how ChatGPT is becoming an app store for retailers. And which agent protocol gains real merchant adoption.
What to do now if you're a brand. Get on the authorized side of the line. Make your catalog discoverable and transactable to invited agents, keep your first-party customer relationship intact, and decide your own agent policy deliberately rather than by default. Discovery and the authorized buy are still the goal; the ruling just clarifies that the buy should happen by invitation.
What to do now if you're an app founder. Build in the cooperative lane. The legal gravity favors tools that help merchants opt into agent commerce on their terms, not tools that scrape and transact uninvited. That is where the durable, defensible product sits, and it is consistent with how platform-aligned apps have always won in the Shopify ecosystem.
A judge ruled that a retailer can refuse to be shopped by a bot. Strip away the legalese and the precedent says the future of agent commerce runs through invitation, not intrusion. Build on the invited side: discoverable, transactable, protocol-flexible, and in control of your customer. The law is still moving, but it is moving toward the side the smart builders were already on.
Questions brands and app
founders ask me about
the Perplexity ruling.
In March 2026, a federal judge in the Northern District of California granted Amazon a preliminary injunction blocking Perplexity's Comet browser from logging into a user's Amazon account and making purchases. The core holding is that a user authorizing an agent does not equal the platform authorizing it, so Amazon could treat Comet's credentialed access as unauthorized under the Computer Fraud and Abuse Act. The Ninth Circuit later paused the injunction pending appeal. The broader context is in agentic commerce for Shopify brands.
No. The ruling targets an uninvited agent transacting inside a user's logged-in account with stored credentials. It does not touch authorized agent partnerships, where a merchant opts in, which is the model Perplexity itself launched with PayPal in November 2025. If anything, the precedent favors that invited model, as I explain in AI shopping assistants on your storefront.
The Computer Fraud and Abuse Act is a federal anti-hacking statute that prohibits accessing a computer system without authorization. Amazon pointed it at Perplexity's Comet, arguing that an agent logging into Amazon's logged-in systems without Amazon's permission is unauthorized access, even with the user's consent. The judge agreed at the preliminary stage. Perplexity is appealing, calling the CFAA a fundamental misfit for a user-directed agent.
Get on the authorized side of the line. Keep making your catalog discoverable and transactable to invited agents, protect your first-party customer relationship, and set your own agent policy deliberately. The ruling does not change that discovery and the buy are the goal, it clarifies that the buy should happen by invitation through an agreed protocol, which is the groundwork in the Shopify catalog data agents read.
No. It is a preliminary injunction, not a final judgment, and the Ninth Circuit paused it pending Perplexity's appeal, with oral arguments scheduled for June 11, 2026 in Seattle. Treat it as a strong signal of where the law is heading, not a settled rule, and build with enough flexibility to adapt if the appeal narrows or reverses the holding.
Sorting out where agent commerce leaves your brand or app?
I built the Shopify Partner Program, the system that decides which third parties operate on a platform and on what terms. Agent commerce is that same question with a new actor. That is the view I bring to deciding what to build, what to allow, and where the durable opportunity sits.
Start a conversation See the case studies →A note on sources: the March 10, 2026 preliminary injunction by Judge Maxine Chesney, the CFAA theory, and the Ninth Circuit pause are reported by CNBC and CyberScoop, with legal analysis from Jones Day. The June 11, 2026 oral-argument date and Perplexity's appellate brief are from public reporting. The Perplexity and PayPal Instant Buy launch is from PayPal's newsroom. This is not legal advice; the strategic read is mine, drawn from building the Shopify Partner Program.