Federal Court Rules AI Shopping Agents Can Violate Hacking Law, Even With User Permission
A federal court issued a preliminary injunction in March 2026 that reshapes how the law treats AI agents acting on behalf of users. In Amazon.com Services LLC v. Perplexity AI, Inc., the court found that an AI shopping agent may have violated federal hacking law, even though the user had expressly authorized the agent to act. The decisive factor: a merchant's express prohibition of agent access overrides user permission.
The ruling exposes a fundamental mismatch. Commerce law was built for human actors making conscious decisions. AI agents that browse, negotiate, select, and pay on a user's behalf break every assumption the legal system rests on.
The Shift From Recommendation to Execution
Agentic commerce describes the moment when AI moves past recommendations into execution. The agent no longer surfaces options; it selects, negotiates, and completes the transaction on the user's behalf.
This capability already exists in production systems. OpenAI launched Instant Checkout in ChatGPT on Stripe infrastructure. Amazon tested "Buy for Me," an agentic feature that purchases products from third-party brand sites without the customer leaving the Amazon app. These are not experimental prototypes.
The legal architecture they operate inside was not designed for them.
Six Pressure Points Where Law Is Cracking
- Identity and authentication: If a merchant cannot distinguish a bot from a human, who is actually "buying," and who bears legal consequence?
- Logging and evidence: How do you prove what happened in a transaction when the "witness" is a black-box AI system?
- Delegated authority: What scope of power does a user confer when they click "connect your account," and what happens when that grant conflicts with a merchant's terms?
- Assent and contract formation: Does a "click" by an agent constitute a binding contract for the human principal?
- Loss allocation: When an agent buys the wrong product, accepts the wrong terms, or acts outside its authorization, who pays?
- Infrastructure control: How are payment networks, platform gatekeepers, and merchant API rules becoming the de facto regulators of this market, ahead of courts and legislators?
Authority Is No Longer Implicit
In conventional e-commerce, authority is assumed. A logged-in user clicks "buy," and the merchant treats the action as authorized because the action, account, and person are tightly linked. Agentic commerce weakens that link.
An AI assistant may act under broad instructions, inferred preferences, spending limits, or delegated permissions. The Perplexity decision makes the problem concrete: a user can grant an agent permission to act, and a merchant can simultaneously prohibit that same agent's access, and the merchant's prohibition wins.
This creates a direct conflict between user-delegated authority and merchant-controlled access that existing legal frameworks do not cleanly resolve.
Authority in this setting is layered. It is not a binary state. Authority to browse differs from authority to compare, negotiate, spend, accept terms, renew, or substitute. These distinctions matter because the legal system cares whether the challenged act can be attributed to a person or entity in a way that supports enforcement, responsibility, and risk allocation.
Assent Becomes Harder to Prove
E-commerce law already devotes considerable attention to notice and assent. The standard playbook (present terms, capture a click, and log the event) is complicated by agentic systems.
If an agent accepts terms or modifies a cart under generalized instructions, the evidentiary record starts to look thinner and more contestable. In the Perplexity case, Amazon argued it was unable to distinguish the agent's activity from a human user because the agent failed to identify itself via a user-agent string.
This reflects a deeper legal tension about who owns the checkout moment, who presents the operative terms, who captures the evidence trail, and who is left defending the transaction later. A company may know its agent followed a sensible path, but that does not mean it can prove the user authorized the specific outcome in a form that survives a dispute.
Loss Allocation Will Trigger the First Real Conflicts
The first major legal pressure point is likely to be a wave of loss events: purchases made in error, unexpected renewals, or agents selecting the wrong product. When these disputes arise, every participant in the chain will try to move the loss elsewhere.
The Perplexity ruling suggests that if a merchant expressly revokes an agent's access, the agent's creator, and potentially the user, could face not just civil disputes, but potential criminal liability under hacking statutes.
Agentic commerce should be understood as a risk-allocation problem. If card networks and payment processors decide that certain forms of delegated purchasing are too risky or difficult to dispute fairly, they may end up shaping the market before courts or regulators do.
Design Decisions Become Legal Infrastructure
In traditional online commerce, lawyers often enter the picture after the interface has largely been set. In agentic commerce, that sequence will fail. A substantial share of the legal outcome will be determined upstream by the initial product design.
Four design protocols matter most:
- Delegation presentation: How is the authority to act presented to the user?
- Constraint controls: Can the user set spending limits, merchant preferences, or approval rules?
- Logging detail: Are logs detailed enough to reconstruct what the agent saw and why it acted?
- Identification: Does the agent identify itself to the merchant to ensure "authorized" access and avoid hacking claims?
These design decisions are not merely supportive of legal analysis. They are the legal analysis in operational form.
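The four design points above, combined into one authorization gate, as an added example that is not code from the article or from any vendor it names: scoped delegation, spending and approval limits, a merchant prohibition that overrides user permission, and a hash-chained log from which each decision can be reconstructed. The scope names, the `merchant` policy dictionary, and the `agent_id` field are assumptions made for illustration.

```python
import hashlib
import json
from dataclasses import dataclass, field

GENESIS = "0" * 64
SPENDING = {"purchase", "renew", "substitute"}  # hypothetical scope names

@dataclass
class Delegation:
    user: str
    agent_id: str             # identity the agent declares to the merchant
    scopes: set               # e.g. {"browse", "compare", "purchase"}
    spend_limit_cents: int
    approval_over_cents: int  # spending above this needs fresh user approval

@dataclass
class AuditLog:
    entries: list = field(default_factory=list)

    def _digest(self, prev, record):
        body = json.dumps(record, sort_keys=True)
        return hashlib.sha256((prev + body).encode()).hexdigest()

    def append(self, record):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        self.entries.append({"prev": prev, "record": record, "hash": self._digest(prev, record)})

    def verify(self):
        prev = GENESIS
        for e in self.entries:
            if e["prev"] != prev or self._digest(prev, e["record"]) != e["hash"]:
                return False
            prev = e["hash"]
        return True

def decide(d, merchant, action, cents, log, user_approved=False):
    """Return (allowed, reason) and log every decision, denials included."""
    if merchant.get("agents") == "prohibited":   # merchant's express prohibition wins
        out = (False, "merchant_prohibits_agents")
    elif action not in d.scopes:
        out = (False, "scope_not_delegated")
    elif action in SPENDING and cents > d.spend_limit_cents:
        out = (False, "over_spend_limit")
    elif action in SPENDING and cents > d.approval_over_cents and not user_approved:
        out = (False, "needs_user_approval")
    else:
        out = (True, "ok")
    log.append({"user": d.user, "agent_id": d.agent_id, "merchant": merchant.get("name"),
                "action": action, "cents": cents, "allowed": out[0], "reason": out[1]})
    return out
```

Each log entry commits to the hash of the previous one, so editing or deleting a past decision makes `verify()` fail; a production log would also record a timestamp and the terms version the agent was shown.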
What Companies Should Do Now
Companies building or enabling agentic commerce do not need to wait for AI-specific legislation. The immediate task is clear.
Define authority with precision. Separate search authority from purchase, payment, substitution, and renewal authority. Recognize that user permission may not override a merchant's express prohibition.
Review transaction flows with dispute posture in mind. Ensure you can reconstruct what triggered an execution. Implement agent identification to mitigate risks under the Computer Fraud and Abuse Act.
Revisit terms and counterparty assumptions. Identify where existing documents are silent or tied to outdated models of authorization.
Examine the payments layer early. Ensure credentials are used in a way that reflects the user's actual authorization.
Bring cross-functional teams together. Legal, product, payments, and trust-and-safety teams must work from the same factual assumptions about how the product behaves.
Before anyone can argue about what an agent was authorized to do, the system has to know who is acting at all. That issue will define the next phase of agentic commerce disputes.
The takeaway for legal teams: agentic commerce changes who appears to act in the transaction, how assent is formed, and how losses are allocated. The companies best positioned for this shift will not treat legal review as a sign-off step, but as a core feature of the product itself.