Amazon vs. Perplexity: The First Legal Battle Over AI Shopping Agents
A court just decided that your customers giving permission isn’t the same as you giving permission. Every merchant should care about this distinction.
Perplexity launched Comet in July 2025 - a browser with a built-in AI assistant. By November 2025, Comet had expanded into a full AI shopping agent. Users could tell it to buy something, and the agent would log into their accounts on Amazon, navigate the site, select products, and complete purchases. All automated. All on behalf of the user.
Amazon sued. On March 10, 2026, a federal judge in Northern California sided with Amazon. The preliminary injunction blocks Perplexity’s shopping agent from accessing password-protected parts of Amazon’s site and requires destruction of previously collected Amazon data.
This is the first major courtroom test of AI shopping agents. The legal distinction at the center of the ruling will define the rules of engagement for agentic commerce.
What Comet actually did
Comet wasn’t a conventional product search tool. It was a full proxy buyer. When a user told Comet to purchase something on Amazon, the agent:
- Logged into the user’s Amazon account using their credentials
- Navigated Amazon’s site, reading product pages and interpreting checkout flows
- Selected products based on the user’s request
- Completed the purchase using the user’s stored payment methods
- Did all of this while masking its bot activity as human browsing
That last point mattered in court. Comet didn’t identify itself as an automated agent. It mimicked human browser behavior to avoid detection. Amazon argued this wasn’t just unauthorized access - it was deliberately deceptive access.
The ruling: consent vs. authorization
The judge’s decision turned on a distinction that sounds subtle but has massive implications.
Perplexity’s defense: users gave Comet permission to act on their behalf. The user consented. The user provided their credentials. The agent was doing what the user asked.
Amazon’s argument: user consent is not the same as platform authorization. Amazon’s terms of service prohibit automated access to password-protected areas. The user can consent to let Comet use their credentials, but Amazon never authorized Comet to access its systems.
The judge found Amazon presented “strong evidence” that Perplexity’s tool was accessing Amazon systems unlawfully. The key finding: having a user’s password doesn’t give a third-party agent the right to use it on a platform that prohibits automated access.
The injunction:
- Bars Perplexity from accessing password-protected areas of Amazon (including Prime)
- Requires destruction of previously collected Amazon data
- Enforcement paused seven days for appeal
- Perplexity appealed immediately
Why this distinction matters for every merchant
The consent-vs-authorization line doesn’t just apply to Amazon. It applies to every merchant with a website and terms of service.
If this ruling holds (and it’s a preliminary injunction, not a final judgment), it establishes that:
- Merchants control who accesses their platforms, even when customers give an AI agent their credentials
- Terms of service can block AI agents, provided they explicitly prohibit automated access
- Bot masking is a liability, not a feature - disguising automated access as human browsing strengthens the case for unauthorized access
- User consent alone isn’t sufficient for an AI agent to interact with a merchant’s systems
This matters because the entire premise of agentic commerce is that AI agents act on behalf of users. The question this ruling raises: when does “on behalf of the user” cross the line into “unauthorized access to the merchant’s platform”?
Two models of AI commerce, one courtroom apart
The Amazon-Perplexity case highlights two fundamentally different approaches to how AI agents should interact with merchants.
The consent model (Perplexity’s position): Users own their accounts and their data. If a user wants an AI agent to shop for them - even on a platform that would prefer they didn’t - that’s the user’s right. The agent is a tool of the user, not an intruder.
The authorization model (Amazon’s position, upheld by the court): Platforms set the rules for their own systems. An AI agent needs the platform’s permission, not just the user’s. Without that permission, automated access is unauthorized regardless of user intent.
The open protocols - ACP and UCP - sidestep this entirely. They’re built on explicit merchant opt-in. A merchant implements the protocol, publishes a product feed, and AI agents interact through defined endpoints. No credential sharing. No bot masking. No gray area.
| Perplexity Comet | Amazon Buy for Me | ACP/UCP protocols | |
|---|---|---|---|
| Merchant consent | None (uses user credentials) | None (scrapes public web) | Explicit opt-in |
| Agent identification | Masked as human | Unclear | Identified via protocol |
| Legal basis | User consent | Public accessibility | Merchant authorization |
| Court status | Blocked by injunction | No legal challenge (yet) | N/A - consent-based |
| Data access | Password-protected accounts | Public product pages | Merchant-provided feeds |
The Amazon hypocrisy
There’s an irony here that’s hard to ignore.
Amazon sued Perplexity for sending an AI agent to shop on Amazon without Amazon’s permission. Fair enough - the court agreed.
But as we covered in our analysis of Buy for Me, Amazon’s own AI agent does something similar. Buy for Me sends an AI agent to third-party merchant websites, navigates their checkout flows, and completes purchases - all without the merchant’s permission.
The difference: Buy for Me accesses publicly available websites, not password-protected accounts. Legally, that’s a meaningful distinction. Comet logged into Amazon accounts. Buy for Me browses public product pages.
But the practical effect for merchants is similar. An AI agent they never authorized is transacting on their platform. Amazon successfully argued that this shouldn’t happen to them. It continues to do it to others.
Cooperate or litigate: the platform split
Amazon chose litigation. Not every platform made the same call.
Walmart and Target are experimenting with cooperative partnerships with AI shopping platforms. Instead of blocking external agents, they’re building integration points. Both joined Google’s UCP. Both have ChatGPT integrations. Their bet: working with AI agents generates more value than fighting them.
This split creates two very different futures for agentic commerce:
- The Amazon model: Platforms control access, block unauthorized agents, and build their own AI (Rufus) to mediate the shopping experience. The merchant-platform relationship stays centralized.
- The Walmart/Target model: Platforms participate in open protocols, allow multiple AI agents to surface their products, and compete on product quality and price rather than platform lock-in.
For independent merchants, the cooperative model is clearly better. Open protocols give you visibility across multiple AI agents. The litigation model gives platforms leverage over which agents can reach which products.
What merchants should do
1. Review your terms of service. This ruling gives terms of service real teeth against AI agents. If your terms don’t address automated access, consider updating them. A clear prohibition on unauthorized bot access gives you legal standing if an AI agent starts shopping your site without permission.
2. Know the difference between authorized and unauthorized agents. Not all AI agents are Comet. Agents that interact through ACP or UCP endpoints are operating with your explicit consent - you opted in by implementing the protocol. Agents that scrape your site or log into customer accounts are operating without it.
3. Monitor for proxy purchases. Watch for orders with patterns suggesting automated checkout: rapid form completion, unusual user-agent strings, or payment methods associated with proxy services. These may indicate an unauthorized AI agent is purchasing from your store.
4. Decide your agent policy. The broader question from our Buy for Me coverage still applies: what is your policy on AI agents purchasing from your store? This ruling gives you more tools to enforce that policy, but you need to have one first.
5. Keep investing in structured data for authorized channels. The protocols that work through consent - ACP, UCP - are the ones building long-term value for merchants. The agents that circumvent consent are the ones getting sued. Put your energy into the channels that respect your participation.
The European angle
This case is playing out in US federal court, but the principles map directly onto European regulation.
GDPR already distinguishes consent from authorization. European data protection law has spent years defining when consent is valid, who controls data processing, and what constitutes authorized access. An AI agent using customer credentials to access a platform raises data controller questions that GDPR was built to answer.
The Digital Markets Act (DMA) adds another layer. The DMA constrains how gatekeepers leverage market position. If this ruling encourages platforms to block all external AI agents while running their own, European regulators will notice. The asymmetry - Amazon blocking Perplexity while running Buy for Me - is exactly the kind of self-preferencing the DMA targets.
Europe’s first live AI agent payment just happened. Santander and Mastercard completed Europe’s first live AI agent payment in a regulated bank. The infrastructure for authorized, consent-based AI commerce is arriving in Europe through the banking system, not through agents that bypass merchant permissions.
European merchants should watch this case carefully. The consent-vs-authorization framework that US courts are building will likely influence how European regulators approach the same questions - and GDPR gives European merchants stronger tools to enforce their preferences.
What happens next
Perplexity appealed the next day. The preliminary injunction could be overturned, upheld, or modified. A full trial would take months.
But regardless of the appeal outcome, the line has been drawn. AI agents that access platforms through authorized protocols (ACP, UCP) operate in clear legal territory. AI agents that access platforms by masking as humans and using customer credentials do not.
For merchants, the practical conclusion is straightforward. The open protocols exist. They work through consent. They give you control. The agents that try to bypass that control are the ones ending up in court.
Your products should be easy for AI to find - through structured data, clean feeds, and protocol participation. They should be hard for AI to exploit - through clear terms of service and monitoring for unauthorized access.
Both of those things are in your control today.
Sources
- Amazon wins court order to block Perplexity’s AI shopping agent - CNBC
- Amazon Injunction Could Change the Future of Agentic Commerce - PYMNTS
- Amazon Wins Court Order to Halt Perplexity’s AI Shopping Bots - Bloomberg
- Santander and Mastercard Complete Europe’s First Live AI Agent Payment - Mastercard
- New agentic commerce AI tools, protocol for retailers and platforms - Google