Amazon threatens Perplexity over AI shopping agent, sparking a fight for your cart

Amazon warned Perplexity to stop its Comet agent shopping on Amazon, igniting a fight over who controls checkout. Expect tough ToS, bot, consumer, and antitrust questions next.

Published on: Nov 05, 2025

Amazon's legal warning to Perplexity spotlights the next big fight: AI agents on retail platforms

Perplexity says it received a legal threat from Amazon demanding that its Comet browser agent stop shopping on Amazon on a user's behalf. Perplexity pushed back, framing it as an attempt to limit competition and control how users interact with the store.

Amazon's position: the experience delivered by third-party agents is degraded, and apps making purchases should operate openly and respect a business's decision to opt out. The dispute isn't just PR. It tees up a concrete set of legal questions that in-house teams will need to confront as agentic tools move from experiments to daily use.

The core legal issues counsel should map

  • Authorization and Terms of Use: If an AI agent automates clicks and purchases on logged-in flows, does that exceed authorized access under site terms? Contract claims (breach of ToS) are the first line of attack. CFAA exposure turns on "without authorization" or "exceeds authorized access" arguments, which get fact-heavy when the user has credentials and intent to transact.
  • Trespass to Chattels/Anti-bot Theories: Classic claims (think eBay v. Bidder's Edge) resurface if automated activity imposes load or bypasses technical measures. Even low-volume agent traffic can trigger cease-and-desist letters if it ignores robots rules or anti-automation controls.
  • Tortious Interference: If the agent circumvents APIs, paywalls, or explicit prohibitions, expect interference claims tied to seller, marketplace, or affiliate contracts.
  • Consumer Protection and Agency: Who is responsible for misorders, returns, and disclosures if an agent "decides" to purchase? If the UX obscures material terms or creates confusion, UDAP risk follows. Clear user authorization and receipts matter.
  • Privacy and Security: Perplexity says credentials stay local. That reduces breach blast radius but doesn't end risk. You still need secure local storage, phishing resistance, session handling, and clear data processing notices.
  • Antitrust Optics: Perplexity casts this as a dominant platform restricting independent assistants while building its own tools ("Buy For Me," "Rufus"). Refusal-to-deal and self-preferencing theories may be explored, but platforms generally retain broad discretion to enforce access terms, especially absent a duty to deal.
  • Payments and Identity: If an agent places orders using the user's account, Amazon remains merchant of record. Still, the intermediary could face claims over unauthorized transactions, chargebacks, or failure to honor disclosures.

How courts might frame access and authorization

Public vs. gated matters. In hiQ v. LinkedIn, the Ninth Circuit was skeptical of using the CFAA to block scraping of public pages. Logged-in purchase flows are different: they're contractual, credentialed, and often guarded by specific prohibitions on automation.

The Supreme Court narrowed "exceeds authorized access" in Van Buren v. United States, focusing on system-based permissions rather than use restrictions. But where a site draws hard lines against automation, and deploys technical measures, plaintiffs still have tools (contract, trespass, and state computer abuse claims) to police bot-driven transactions.

What this means for legal teams on both sides

  • Update ToS and Developer Policies: Say plainly whether automated purchasing is allowed, under what conditions (e.g., via approved APIs only), and the consequences for violating those rules.
  • Pair Policy with Technical Signals: Use bot detection, rate limits, device attestation, and token-based session rules. Legal arguments are stronger when policies align with technical barriers.
  • Design for Consent: If you ship agents, require explicit, revocable user authorization for each merchant, with clear logs, receipts, and order review. Make it easy to trace who approved what, when.
  • Use Official Interfaces Where Possible: Favor APIs or partner programs. Emulating the web UI is legally noisier and operationally brittle.
  • Clarify Role and Liability: Spell out whether the agent is acting as the user's authorized agent, a recommender, or an independent service. Align this with indemnities and error-handling.
  • Privacy Hygiene: If credentials are local, document storage, encryption, and recovery. If anything touches your servers (logs, tokens, telemetry), reflect that in notices and DPAs.
  • Antitrust Check: For large platforms, tie restrictions to quality, security, and fraud. For startups, preserve records showing user benefit and open access efforts. Keep rhetoric in sync with evidence.

Practical playbook if you're a retailer

  • Publish an explicit "automation and agents" section in your ToS and merchant policies.
  • Offer a limited, monitored purchasing API for vetted agents, with revocation rights and clear SLAs.
  • Tie enforcement to measurable harms: failed orders, fraud rates, return spikes, or support load.
  • Stage remedies: notice, technical throttling, account-level blocks, and, only if needed, litigation.

Practical playbook if you're building an AI agent

  • Default to partner integrations; avoid "headless checkout" that violates posted rules.
  • Require granular user prompts for high-risk actions (checkouts, returns, cancellations).
  • Keep immutable audit trails; they'll decide your fate in any dispute.
  • Detect and honor robots directives and merchant preferences. Offer a merchant opt-out channel.

What to watch next

  • Whether Amazon escalates from demand letters to contract or computer misuse claims.
  • Any regulator interest in agent transparency and consumer disclosures.
  • Convergence on an "agent access standard": OAuth-style approvals, scoped permissions, and event hooks for receipts and returns.

Bottom line: AI agents are colliding with platform rules that were written for humans and APIs. The fastest path to certainty is consent-based access, logged authority from the user, and contracts that match the code.

