A court in the Northern District of California found, at the preliminary injunction stage, that when a website prohibits artificial intelligence (AI) agents from accessing user accounts, continued access by agents may violate state and federal law – even where the user has granted the agent permission. Now on appeal to the US Court of Appeals for the Ninth Circuit, the decision raises important questions for both platforms seeking to set guardrails on AI agents and makers of AI agents whose products interact with third-party websites.

The case

In Amazon.com Services LLC v. Perplexity AI, Inc., Amazon alleged that Perplexity configured its AI agent to, at the direction of Perplexity users, access the user’s password-protected Amazon accounts. Users could instruct Perplexity’s Comet agentic feature to browse products and even make purchases on their behalf. Amazon’s terms of service require AI agents to identify themselves (e.g., through a user-agent string) and limit agent access to only the public portions of Amazon’s website. Amazon alleged that Comet violated these terms by accessing Amazon’s ecommerce website in a logged-in state without identifying itself as an AI agent, and that Amazon was unable to distinguish Comet’s activity from that of a human user. Pointing to its terms of service, Amazon alleged violations of state and federal hacking laws and sought a preliminary injunction to stop Comet from accessing Amazon users’ accounts.

The decision

On March 9, 2026, Judge Maxine M. Chesney granted Amazon’s motion for preliminary injunctive relief, finding that Amazon was likely to prevail on its claims under the federal Computer Fraud and Abuse Act (CFAA) and the California Comprehensive Computer Data Access and Fraud Act (CDAFA). A central question in the case was whether user consent to the AI agent’s access was sufficient authorization or whether the website operator’s terms of service controlled. The court sided with Amazon on this point at the preliminary injunction stage, finding that Comet’s access was not authorized by Amazon notwithstanding any permission granted by the user.

The court noted that Amazon sent cease-and-desist correspondence to Perplexity, reinforcing its position that continued access to Amazon user accounts by Perplexity’s AI agent was unauthorized. The court enjoined Perplexity from accessing “Amazon’s protected computer systems using AI agents” and from “using any accounts … for the purpose of allowing Perplexity’s AI agents to access Amazon’s protected computer systems.” The order also requires Perplexity to delete any Amazon customer data that it collected using its AI agent on password-protected areas of Amazon’s website. Perplexity appealed this decision the next day, and the Ninth Circuit may ultimately reach a different conclusion on the merits.

What this means for websites

Websites that want to prevent AI agents from accessing account data, or taking actions like making purchases on behalf of users, may want to draft explicit terms prohibiting this agentic behavior. Websites may also want to require that AI agents identify themselves as AI agents when they interact with the website, so the website can treat agent traffic differently from human visits. If AI agents violate these terms, websites may want to send cease-and-desist correspondence to further strengthen the argument that the access is unauthorized. These steps may support efforts to seek injunctions blocking the conduct (along with other downstream remedies), though the legal landscape in this area remains unsettled.

What this means for AI agents

Makers of AI agents that access password-protected accounts should be aware of this decision and its potential implications. The court’s ruling suggests that conduct violating a website’s terms of service may give rise to claims under the CFAA and CDAFA, and that user consent alone may not constitute sufficient authorization where the website operator has expressly revoked it. However, this was a preliminary ruling, and there are significant counterarguments, including whether terms of service should override a user’s affirmative decision to authorize an agent to act on the user’s own account, and whether such terms of service restrictions are enforceable in this context. The Ninth Circuit’s review on appeal may provide further clarity. In the meantime, makers of AI agents should also be mindful that both statutes not only create private rights of action but also carry potential criminal liability.

Related insights

This content is provided for general informational purposes only, and your access or use of the content does not create an attorney-client relationship between you or your organization and Cooley LLP, Cooley (UK) LLP, or any other affiliated practice or entity (collectively referred to as "Cooley"). By accessing this content, you agree that the information provided does not constitute legal or other professional advice. This content is not a substitute for obtaining legal advice from a qualified attorney licensed in your jurisdiction, and you should not act or refrain from acting based on this content. This content may be changed without notice. It is not guaranteed to be complete, correct or up to date, and it may not reflect the most current legal developments. Prior results do not guarantee a similar outcome. Do not send any confidential information to Cooley, as we do not have any duty to keep any information you provide to us confidential. When advising companies, our attorney-client relationship is with the company, not with any individual. This content may have been generated with the assistance of artificial intelligence (Al) in accordance with our Al Principles, may be considered Attorney Advertising and is subject to our legal notices.