What did Amazon v. Perplexity actually decide?

On March 9, 2026 Judge Maxine Chesney of the Northern District of California granted Amazon's motion for a preliminary injunction against Perplexity's Comet agentic browser. The order rested on the Computer Fraud and Abuse Act, 18 U.S.C. 1030(a)(2), and California Penal Code 502(c)(7), holding that Comet accessed Amazon accounts with the user's permission but without authorization by Amazon. The Ninth Circuit issued an administrative stay on March 16, 2026; the district court then granted its own administrative stay on March 30, 2026 pending appellate review. As of April 24, 2026 the injunction is not in force, but the underlying district-court reasoning is the new floor for marketplace operators.

Why did the court rely on the CFAA instead of breach of contract?

Contract claims against an automated agent require proving the agent assented to the terms of service, which is doctrinally messy when the agent operates inside a logged-in user session. The CFAA route avoids that problem by treating platform authorization as separate from user consent. The court anchored its reasoning in Facebook v. Power Ventures (9th Cir. 2016), which held that a third party operating with user permission still acts without authorization once the platform owner revokes access. The court did not extend hiQ Labs v. LinkedIn, which had carved out access to public data. Amazon's product pages behind a logged-in account are not public data.

Does this ruling apply to all AI agents or only Comet?

The injunction names Perplexity's Comet specifically, but the legal reasoning applies to any agent that logs into a third-party platform on behalf of a user without explicit platform authorization. Comet's specific failure was that it presented as a standard Chromium browser without a distinct user agent, which the court treated as evidence of intent to evade. Agents that declare themselves through documented user agents like ChatGPT-User or Claude-Web sit in a different posture. The decision draws a line between declared and stealth agent traffic, not between all agents and human users.

How should a lead-gen marketplace decide whether to block agents?

The decision turns on whether the marketplace monetizes the consumer click or the consumer record. Marketplaces that sell exclusive leads to buyers and capture consent through TrustedForm or Jornaya should block agentic checkout because agent traffic breaks the consent chain and corrupts attribution. Marketplaces that sell research traffic or affiliate clicks can whitelist declared agents because the agent reading rates and disclosures is functionally equivalent to a researcher. The split is operational, not philosophical. A solar comparison site that hands leads to installers cannot prove TCPA-grade consent if Comet filled the form. A mortgage rate-comparison site that earns referral fees can.

What ToS language does Amazon's complaint suggest is enforceable?

Amazon's terms prohibited automated access without written authorization and reserved the right to revoke access. The court treated that language as adequate notice that platform authorization is required and that user consent does not substitute for it. Lead-gen operators should mirror this structure with three clauses: an automated-access prohibition with named exceptions for declared bots that respect robots.txt, an explicit revocation right tied to detection of stealth UAs, and a CFAA-style notice that unauthorized access generates loss above the $5,000 statutory threshold for purposes of mitigation expenditure. The template appears in the ToS section below.

What is the Stripe ACP and Anthropic MCP counter-play?

Agentic Commerce Protocol (Stripe) and Model Context Protocol (Anthropic) provide authenticated channels through which agents can transact with platform consent rather than through user-account hijacking. A marketplace can block stealth agent traffic at the front door while running an ACP or MCP endpoint that lets declared agents query inventory, post leads, or complete checkouts under platform-controlled terms. Thumbtack signed agent partnerships with OpenAI in October 2025 and Anthropic on April 23, 2026. Angi struck a deal with Amazon Alexa+ in December 2025. Those marketplaces are choosing the opposite of Amazon's posture: build the whitelisted pipe rather than block at the firewall.

How do operators detect a stealth agent like Comet?

Comet, OpenAI's Atlas, and Claude-for-Chrome present as standard Chromium and do not declare themselves in the user-agent header. Detectable signals include CFNetwork or Darwin fragments in the UA on macOS builds, Chromium extension-manifest gaps that reveal an unsigned wrapper, sub-second token velocity through the navigation flow, absence of font and CSS rendering requests typical of human page loads, HEAD-heavy request sequences before form POSTs, and missing client-side hashes from behavioral CAPTCHA challenges like Cloudflare Turnstile or hCaptcha. No single signal is conclusive. Operators stack three or four before triggering a block.

What changes after the Ninth Circuit appeal resolves?

Three outcomes are possible. The Ninth Circuit could affirm the injunction, which converts the district-court reasoning into binding precedent across the western United States and gives every marketplace a clean CFAA hook against stealth agents. The court could vacate, which sends marketplaces back to contract claims and the messier hiQ-versus-Power-Ventures line. Or the case could settle, leaving the district-court order as persuasive but unbinding. Operators should not wait. The detection infrastructure, ToS language, and ACP and MCP whitelist pipes take six to nine months to build. Starting after the appellate decision means operating from a structural disadvantage during the build.

Amazon v. Perplexity (Comet): The Lead-Gen Marketplace Decision Framework for Buyer-Side AI Agents

April 17, 2026 By Alex Paddington In Category Compliance 10 sources

Amazon’s injunction against Comet rewrote the question every lead-gen marketplace now has to answer: when an AI agent shows up holding a user’s password, who owns the authorization decision?

The Ruling That Reset the Floor

On November 4, 2025, Amazon.com Services LLC filed Amazon v. Perplexity AI Inc., 3:25-cv-09514, in the Northern District of California. The complaint followed a cease-and-desist letter dated October 31. Four months later, on March 9, 2026, Judge Maxine Chesney granted Amazon’s motion for a preliminary injunction against Perplexity’s Comet agentic browser. Perplexity filed an emergency stay motion on March 11; the Ninth Circuit issued an administrative stay on March 16, and the Northern District of California granted its own administrative stay on March 30 pending appellate review. A formal appeal followed in early April; Amazon’s response brief was due late April. As of April 24, 2026, the injunction is not in force and Comet is operationally permitted to access Amazon during the appeal — but the district-court reasoning is the new legal floor for any platform deciding whether to block buyer-side AI agents.

The ruling matters to lead-gen marketplaces for one reason that has nothing to do with Amazon’s retail business. Judge Chesney did not rest the injunction on contract law. She rested it on the Computer Fraud and Abuse Act, 18 U.S.C. 1030(a)(2), and California Penal Code 502(c)(7) — the federal and state criminal statutes against unauthorized computer access. The load-bearing holding ran one sentence: Comet accessed Amazon accounts with Amazon user’s permission, but without authorization by Amazon. User consent and platform authorization are separate gates. An agent that walks through the first does not automatically pass the second.

For the operators of insurance comparison sites, solar marketplaces, home-services aggregators, and mortgage-rate platforms — every business that sits between a consumer and a buyer network and monetizes the handoff — that single sentence reorganizes the operating playbook. Comet, OpenAI’s Atlas, Claude-for-Chrome, and the agents that follow them will arrive at marketplace forms holding consumer credentials. The CFAA route that worked for Amazon is now available against any of them. The strategic question is whether to use it.

Case Facts: What Amazon Proved

The complaint’s central allegation: Comet “disguised” itself as a standard Chrome browser. Perplexity’s product, a Chromium-based agentic browser launched commercially in 2025, logs into user accounts, parses pages, and completes checkouts on behalf of a human principal. Comet’s traffic to Amazon presented no distinct user-agent string. From the server’s perspective, it was indistinguishable from a human running Chrome — until behavior diverged. Page-load patterns, request sequences, and form-fill velocity gave it away.

Perplexity’s defense ran along familiar lines. The user owns the account. The user authorized the agent. The agent is doing what a human could do, only faster. The court rejected the framing. Citing Facebook v. Power Ventures, 844 F.3d 1058 (9th Cir. 2016), Judge Chesney held that a third party operating with user permission still acts without authorization once the platform owner has revoked access — and that Amazon’s terms of service, combined with the cease-and-desist letter, constituted revocation. Power Ventures had operated a service that aggregated user social networks across platforms with user consent. Facebook’s letter telling Power Ventures to stop, the Ninth Circuit ruled, ended any authorization theory. Comet’s situation tracked Power Ventures, not hiQ Labs v. LinkedIn — which had carved out a narrow exception for scraping public data. Account pages behind a login are not public data.

The CFAA also requires “loss” above $5,000 over a one-year period. Amazon cleared that threshold by documenting defensive-mitigation expenditure: detection engineering, blocking infrastructure, legal review. The number itself was unremarkable. The principle it established was not. Any platform that spends meaningful money defending against an agent has a CFAA loss claim. For lead-gen marketplaces running TrustedForm certificates, Jornaya call recordings, IP velocity rules, and bot-detection layers, the $5,000 floor is a footnote on the monthly bill.

A complicating fact in the record: Perplexity also operates “Buy with Pro,” a sister product that launched in November 2024 through a PayPal partnership for whitelisted commerce. The court treated Buy with Pro as evidence that Perplexity knew how to do agentic commerce with platform authorization — and chose not to with Comet on Amazon. The contrast hardened the unauthorized-access finding.

What user-agent stealth actually meant

Comet’s missing UA distinction was not a technical accident. Browser-based agents present at minimum five behavioral fingerprints that diverge from human use: token velocity through the rendered DOM, absence of font and CSS asset requests typical of paint cycles, HEAD-heavy request sequences before form POSTs, missing behavioral hashes from CAPTCHA layers like Cloudflare Turnstile and hCaptcha, and Chromium extension-manifest gaps that reveal an unsigned wrapper. A declared user agent like Perplexity-User or ClaudeBot would have identified the traffic at the request line. Comet’s choice to omit one was, in the court’s reading, evidence of intent to evade — and intent to evade is what separates Power Ventures from hiQ.

The Doctrinal Anchor: Power Ventures, Not hiQ

The lead-gen industry’s instinct, when an agent shows up logged in, is to reach for breach of contract. The terms of service prohibit automated access. The agent triggered an automated access. Sue. The problem with that reflex is that contract claims against an agent require proving the agent assented to the terms — and an agent operating inside a logged-in user session has a plausible argument that the user assented on its behalf. The doctrine is messy. Damages are capped at actual loss. Statutory hooks are absent.

The CFAA route avoids the assent problem entirely. It treats access as the predicate. Once authorization is revoked through ToS language plus a cease-and-desist, every subsequent access is unauthorized — regardless of who clicked the button. Power Ventures established the rule. Amazon v. Perplexity confirmed it applies to AI agents. Operators reading the ruling for the first time should internalize one structural fact: contract is the wrong layer. The CFAA is the right layer.

That choice matters for what marketplaces have to do today. Contract claims require detection plus a counterparty plus a litigation budget. CFAA claims require revocation language that survives plain-meaning review, plus documented loss above $5,000, plus a defensible theory of intent. The first costs litigation dollars. The second costs ToS language and a detection log. The asymmetry is large enough to redesign around.

The doctrinal story also clarifies what hiQ does and does not do. The Ninth Circuit’s hiQ Labs v. LinkedIn decision held that the CFAA does not reach scraping of public data — pages accessible without a login. Some commentary after Amazon v. Perplexity tried to read hiQ as a broader carve-out for AI agents. The court rejected that reading. Account pages, lead forms behind auth, ping-post auction surfaces, and broker portals are not public data. hiQ does not reach them. Power Ventures does.

What Comet Did Wrong: The Stealth-UA Theory

The Comet decision draws a line that lead-gen operators should memorize: declared agent traffic is in a different legal posture from stealth agent traffic. Comet failed because it presented as Chrome. An agent that declares itself through a documented user agent — ChatGPT-User, OAI-SearchBot, GPTBot, PerplexityBot, Perplexity-User, ClaudeBot, Claude-Web, anthropic-ai, GoogleOther, Google-Extended, Amazonbot, Bytespider, or CCBot — sits at a different gate. The platform can block it (robots.txt, WAF rule), allow it (whitelist), or negotiate (API authorization). The platform owns the decision.

A stealth agent removes that decision. It presents as a human, and the platform’s only options are server-side fingerprinting and litigation. Power Ventures and Amazon v. Perplexity together establish that the second option works — but the first option is cheaper. Cloudflare’s July 1, 2025 default-block policy for new domains blocking known AI crawlers is the same logic at infrastructure scale. If the agent declares, route it. If it stealths, drop it.

For lead-gen marketplaces, the stealth-versus-declared frame replaces the older bot-versus-human frame. Bot-versus-human assumed adversarial intent; the answer was always block. Declared-versus-stealth assumes mixed intent; the answer depends on what the marketplace sells.

The Lead-Gen Vertical Decision Matrix

The Amazon ruling does not answer the question marketplaces actually face: should this specific agent be allowed to fill this specific form? The answer turns on whether agent-completed transactions preserve or destroy the marketplace’s revenue mechanics. Four vertical patterns dominate the U.S. lead economy. Each maps to a different default posture.

Vertical	Examples	Default Posture	Why
Insurance comparison	TheZebra, EverQuote, Insurify, MoneyGeek, Compare.com, QuoteWizard	Selective whitelist	TrustedForm and Jornaya certificates require human-confirmed consent. Agents break the chain unless the agent signs the certificate. Whitelist only declared agents that integrate with consent vendors.
Solar marketplaces	EnergySage, SolarReviews, Modernize	Block by default; API whitelist	Lead price is high ($60-$220), buyer return rates are sensitive to quality, and agent-filled forms generate refund disputes. Run a documented API for declared agents that pre-qualify with installer SLAs attached.
Home services	Angi, Thumbtack, Porch, HomeAdvisor	Whitelist aggressively	Affiliate and matching economics survive agent traffic. The agent reading reviews and booking a pro behaves like a researcher. Thumbtack signed OpenAI in October 2025 and Anthropic on April 23, 2026; Angi signed Alexa+ in December 2025.
Mortgage marketplaces	LendingTree, Bankrate, NerdWallet	Block agentic checkout; whitelist research	Rate-table research traffic is fine. Agent-driven loan-application submission breaks Reg Z disclosures and lender pull-through assumptions. Split the funnel at the application boundary.

The pattern across all four: the question is not about the agent. It is about what step of the funnel the agent reaches. Research and discovery surfaces tolerate agents. Conversion surfaces — anything that triggers a TCPA-grade consent capture, a TrustedForm certificate, a credit pull, a CMS-regulated Medicare scope-of-appointment, or a routed phone call — do not. The marketplace’s job is to draw the boundary explicitly, in code, before an agent does it for them.

Insurance comparison marketplaces operate under TCPA and state mini-TCPA exposure that other verticals do not face at comparable severity. A consumer who clicks “Get my quotes” on TheZebra triggers a sequence: TrustedForm or Jornaya certificate generation, multi-carrier consent disclosure, phone capture, downstream call delivery to the buyer. Each step assumes a human is reading and clicking. An agent that fills the form invalidates the certificate’s evidentiary value — the certificate documents a human session, not an agent session. Buyers paying $40-$120 per lead will not pay for agent-generated leads, and the marketplace’s TCPA exposure rises because the consent record does not survive a litigator’s discovery.

The selective-whitelist posture means: block stealth agents, allow declared agents only when those agents complete the consent capture themselves through an authenticated channel. The carrier networks have not yet built that channel. Until they do, insurance marketplaces should default to block and document the reason in their terms of service.

For deeper context on consent mechanics, the TrustedForm versus Jornaya comparison walks through how each vendor handles automated traffic, and the agentic commerce overview maps the broader transformation underway.

Solar: the unit-economics problem

Solar lead prices range from $60 for shared leads to $220 for exclusive. Installer return rates run 18-32% in normal conditions. An agent-filled form drops conversion to installation by an order of magnitude — the consumer never made a real decision, and the call-back finds a confused homeowner. Solar marketplaces that allow stealth agent traffic absorb the return cost while the agent operator captures whatever value the discovery represented.

The block-by-default, API-whitelist posture lets the marketplace negotiate terms. A declared agent like Perplexity or ChatGPT can pull rate-card data through a documented endpoint, return curated installer matches, and post leads only when the human principal explicitly confirms intent through the agent UI. EnergySage’s market position — between consumers and a curated installer network — makes this the natural architecture.

Home services: the agent-friendly case

Angi, Thumbtack, Porch, and HomeAdvisor sit at the opposite end of the spectrum. Their economics rest on matching density, not consent capture. A consumer who books a deck repair through an agent is functionally identical to one who books through the website. The marketplace earns its match fee, the pro fills a slot, the consumer gets the repair. Agent traffic, declared and authenticated, expands the surface rather than corrupting it.

Thumbtack’s October 2025 OpenAI deal and April 23, 2026 Anthropic deal show the pattern. Both partnerships route declared agent traffic through an authenticated channel — the agent identifies itself, the marketplace books the job, the human principal confirms. Angi’s December 2025 Alexa+ integration follows the same logic on Amazon’s voice surface. The home-services posture is not “block agents.” It is “build the pipe.”

Mortgage: the regulated-transaction split

Mortgage marketplaces face a different boundary. Rate-table research traffic — the consumer comparing 30-year fixed quotes across LendingTree, Bankrate, and NerdWallet — survives agent automation cleanly. The disclosures are static. The data is published. An agent reading the table is functionally a search engine.

Loan application submission is the opposite. Reg Z TILA disclosures, pull-through rate assumptions, and lender SLAs all assume a human session. An agent that fills the application form breaks every downstream model. Mortgage marketplaces should split the funnel: whitelist research, block agentic checkout. The boundary is the application form, not the homepage.

The Operator Decision Tree

Four questions resolve most marketplace agent decisions. Operators run them in order. The first negative answer determines the posture.

Question 1: Does the agent traffic touch a regulated consent capture?

If the form generates a TrustedForm certificate, a Jornaya LeadiD, a TCPA prior-express-written-consent record, a CMS scope-of-appointment, a Reg Z disclosure, or any state-mini-TCPA equivalent — block. The consent infrastructure assumes human session. Agents invalidate the record. The exposure is downstream litigation, not lost revenue.

Question 2: Does buyer pricing depend on the lead being human-originated?

Insurance, solar, and home-services exclusive leads price on the assumption that a human filled the form. Buyers will not pay for agent-originated leads at human-originated prices, and discovering the difference after delivery generates return spikes and broken buyer relationships. If the answer is yes, block stealth agents and require declared agents to flag the agent-originated status.

Question 3: Is the marketplace’s revenue model affiliate or matching?

Affiliate marketplaces (rate comparison, review sites with referral fees) and matching marketplaces (home services with per-job booking fees) survive agent traffic because the revenue mechanics do not depend on consent capture. Whitelist declared agents through an ACP or MCP endpoint and treat stealth agents as the only block category.

Question 4: Has the marketplace published declared-agent terms?

If the marketplace has not yet drafted ToS language addressing declared and stealth agents, default to block until the language ships. Operating without terms means operating without enforcement leverage. Amazon’s CFAA case worked because the terms revoked authorization explicitly. A marketplace that wants the same hook needs the same language.

The four questions cascade into three operator postures: full block (insurance, solar, mortgage application surfaces), conditional whitelist (home services, mortgage research, affiliate comparison), or hybrid (most multi-product marketplaces). The wrong answer is “no decision yet.” Stealth agents arriving without a posture create either lost revenue or compliance exposure, depending on the vertical.

Detection: Declared Versus Stealth Signals

Detection runs in two layers. The first identifies declared agents through the user-agent header. The second identifies stealth agents through behavioral fingerprints. Operators stack signals; no single one is conclusive.

Signal	Declared Agent	Stealth Agent (Comet, Atlas, Claude-for-Chrome)
User agent	`ChatGPT-User`, `OAI-SearchBot`, `GPTBot`, `PerplexityBot`, `Perplexity-User`, `ClaudeBot`, `Claude-Web`, `anthropic-ai`, `GoogleOther`, `Google-Extended`, `Amazonbot`, `Bytespider`, `CCBot`	Standard Chromium UA, sometimes with CFNetwork or Darwin fragments on macOS builds
Robots.txt respect	Documented behavior; declared agents honor disallow	None; stealth agents ignore robots.txt entirely
Token velocity through DOM	Variable, often slow on render-heavy pages	Sub-second navigation through DOM trees
Asset request pattern	Often skips font and CSS rendering requests by design	Skips font and CSS rendering requests typical of human paint cycles
Request sequence shape	Read-heavy, rare form POST	HEAD-heavy sequences before form POST
CAPTCHA behavioral hash	Often handled through declared API channel	Missing client-side hash from Cloudflare Turnstile or hCaptcha
Chromium extension manifest	N/A	Gaps revealing unsigned wrapper

The declared-agent column is straightforward: maintain a list, route by header, log every request. The stealth column is harder. Three or four signals stacked together reach actionable confidence. A single signal does not. Operators running a single-signal block produce false positives that cost real conversion.

The infrastructure cost of stealth detection is non-trivial. Cloudflare bot management, Akamai Bot Manager, DataDome, and Kasada all offer behavioral fingerprinting at the edge. Build-versus-buy depends on traffic volume and engineering depth. Marketplaces under 1M monthly sessions typically buy. Marketplaces above 10M sessions typically build a hybrid. The middle zone is where most of the bad decisions happen — operators try to build, run out of engineering bandwidth, and ship a half-built detection layer that produces noise.

For the broader infrastructure picture, see the llms.txt and AI crawler optimization guide, which covers the declared-agent discovery layer that sits upstream of detection.

The Terms-of-Service Clause Template

Amazon’s complaint pointed to specific ToS language as the basis for revocation. Lead-gen operators should mirror the structure with three clauses. The template below is a starting point, not legal counsel — every marketplace should run it past TCPA and CFAA-experienced counsel before shipping. The structure is what matters.

Section X.1 — Automated Access. No automated system, software, agent, or process may access this Service without prior written authorization from the operator. Authorization may be granted to declared agents that identify themselves through documented user-agent strings (including but not limited to ChatGPT-User, GPTBot, PerplexityBot, ClaudeBot, anthropic-ai, GoogleOther, and Amazonbot), respect this Service’s robots.txt directives, and operate within rate limits published in our agent-access documentation. Access by undeclared agents, agents that misrepresent their identity in HTTP headers, and agents that circumvent rate limits or behavioral controls is prohibited and constitutes unauthorized access for purposes of 18 U.S.C. 1030 and analogous state law including California Penal Code 502.

Section X.2 — Revocation. The operator reserves the right to revoke authorization for any agent or class of agents at any time, with or without notice, by updating this Section, by transmitting a written notice (including email or HTTP response code), or by adjusting robots.txt or WAF configuration. Continued access after revocation constitutes unauthorized access regardless of any user permission, account credentials, or session token presented. User consent does not substitute for operator authorization.

Section X.3 — Loss and Mitigation. The operator’s defensive expenditure on detection, blocking, and legal review of unauthorized agent access constitutes loss for purposes of 18 U.S.C. 1030(e)(11). The operator’s documented mitigation cost exceeds $5,000 in any rolling twelve-month period. Unauthorized agent access also constitutes interference with contractual relations between the operator and its buyer network and may be enforced through tort claims independent of statutory remedies.

The three clauses do specific work. X.1 establishes the declared-agent allowlist and explicitly invokes the CFAA framework. X.2 creates the Power Ventures revocation hook — operator authorization is separable from user permission. X.3 documents the $5,000 loss threshold preemptively, eliminating the proof gap that has tripped up CFAA plaintiffs in earlier scraping cases.

The ToS language is half the work. The other half is documentation. Operators need to log every blocked request, maintain a dated revocation log, and preserve detection signal traces. CFAA cases turn on documentation. Amazon won the injunction because Amazon documented; Perplexity faced the injunction because Perplexity could not credibly contest the documentation. Lead-gen operators deciding whether to invoke the framework need the same evidence base.

The ACP and MCP Counter-Play: Building the Pipe

Blocking is one half of the strategic posture. The other half is building the whitelisted channel through which declared agents transact under platform terms. Two protocols dominate the emerging stack: Stripe’s Agentic Commerce Protocol (ACP) and Anthropic’s Model Context Protocol (MCP).

ACP standardizes authenticated agent payments. An agent that needs to complete a checkout queries an ACP endpoint, receives a signed authorization, and submits the transaction with platform-controlled rate limits and consent flows. The platform owns the authorization decision, the agent identifies itself, and the consumer’s consent is captured through the agent’s UI rather than the platform’s form. Stripe published ACP documentation in 2025 and several payment processors have implemented it.

MCP standardizes structured data access. Anthropic’s open protocol lets agents query inventory, lead types, eligibility rules, and pricing through documented servers. MCP does not handle payment; ACP does. The two protocols sit at different layers — MCP at discovery and configuration, ACP at transaction. A lead-gen marketplace that wants to whitelist declared agents builds both: an MCP server exposing lead types and quote rules, an ACP endpoint handling lead-purchase transactions and consent attestations.

Thumbtack’s posture exemplifies the counter-play. Rather than blocking OpenAI and Anthropic agents at the firewall, Thumbtack signed partnerships that route agent traffic through documented endpoints. The agent identifies itself, the marketplace books the job, the human principal confirms through the agent UI, and Thumbtack earns its match fee. The economics work because matching is the revenue mechanic, not consent capture. The legal posture works because every step is platform-authorized.

Insurance comparison sites cannot copy Thumbtack’s model directly because TCPA and TrustedForm constraints do not bend. But the architectural lesson translates: build an authenticated channel for agents that complete the consent capture themselves, even if no agent currently does. The channel exists before the agents that use it. EnergySage and Modernize on the solar side, LendingTree and Bankrate on the mortgage research side, can ship MCP and ACP endpoints in 2026 and capture the agent traffic that will route through them by 2027.

The MCP protocol overview and the agentic enterprise operations analysis cover the build mechanics in more depth. The strategic point is that block-only is a losing position. Block stealth, whitelist declared, build the pipe — that is the three-part posture Walmart and Target adopted publicly in early 2026 and that lead-gen marketplaces will need by mid-2026.

What Changes After the Ninth Circuit Rules

The Ninth Circuit appeal will resolve along one of three paths. Each generates a different operator response.

Path 1: The Ninth Circuit affirms the injunction. The district-court reasoning becomes binding precedent across the western United States. Every marketplace gains a clean CFAA hook against stealth agents. The ToS template above becomes the standard. Detection investment accelerates. Stealth-agent operators face an existential litigation risk — Comet, in particular, has to reach a settlement or wind down U.S. account access. Probability is meaningful but not dominant; the Ninth Circuit’s stay suggests at least skepticism about the injunction’s scope.

Path 2: The Ninth Circuit vacates. The CFAA route narrows. Marketplaces fall back on contract claims, which require proving agent assent — the doctrinally messy path. hiQ’s public-data carve-out gets tested for an extension to authenticated sessions, which would be a significant doctrinal expansion. Operators that built ToS, detection, and ACP/MCP infrastructure during the appeal still hold a working playbook; they just lose the criminal-statute hammer. The whitelist counter-play remains viable.

Path 3: The case settles. Likely involves Perplexity agreeing to declared-agent identification and a payment channel, mirroring the Amazon-Buy with Pro arrangement. The district-court order becomes persuasive but unbinding. Other marketplaces use the order as a citation in their own ToS and complaints, but the legal floor is softer. Most strategic, because it leaves the framework available without binding either side.

The waiting game is the wrong move under any of the three paths. The detection infrastructure takes six to nine months to build. The ToS language takes legal review. The ACP and MCP endpoints take engineering quarters. Marketplaces that wait for the appellate decision before starting the build operate from structural disadvantage during the build period — which is exactly when stealth agent traffic is rising fastest. Perplexity reported approximately 15 million monthly active users in March 2025, per Wired’s reporting; the trajectory through 2026 has not slowed. Comet-on-Amazon usage volume is not publicly reported, but the broader Perplexity user base is the relevant denominator for marketplace agent exposure.

The structural reality is that 2026 is the build year regardless of how the appeal lands. Operators that ship detection, ToS, and ACP/MCP endpoints in the next two quarters will have working agent infrastructure before the precedent question resolves. Operators that wait will have the precedent question and no infrastructure. The decision is not whether to act. It is which posture — block, whitelist, or hybrid — to act on, and that posture comes from the four-question decision tree, not from the appellate court.

Key Takeaways

The CFAA is the right legal layer, not contract. Amazon v. Perplexity established that platform authorization is separable from user permission under 18 U.S.C. 1030(a)(2) and California Penal Code 502(c)(7). Lead-gen operators should write ToS and detection logs that build the CFAA case, not just the contract case — the asymmetry in damages and proof burden is large.
Declared versus stealth is the operative distinction, not bot versus human. Agents that identify themselves through documented user agents (ChatGPT-User, PerplexityBot, ClaudeBot, and the rest) sit at a different gate from agents that present as Chrome. The decision tree treats them as two different categories with two different default postures.
Insurance and solar marketplaces should block by default. TrustedForm and Jornaya certificates assume human sessions; agents break the consent chain. Buyer pricing assumes human-originated leads; agents invalidate the assumption. The block posture protects both consent infrastructure and unit economics. Selective whitelisting waits until declared agents complete consent capture themselves.
Home services should whitelist aggressively. Thumbtack-OpenAI (October 2025), Thumbtack-Anthropic (April 23, 2026), and Angi-Alexa+ (December 2025) demonstrate that matching-based marketplaces survive agent traffic cleanly. Build the ACP and MCP pipe before competitors do.
Mortgage marketplaces split at the application boundary. Rate-table research is agent-friendly; loan application submission breaks Reg Z disclosures and lender pull-through models. The boundary is operational, not philosophical — draw it in code.
The ToS template has three clauses. Automated access prohibition with declared-agent allowlist, explicit revocation right with CFAA invocation, $5,000 loss threshold documentation. Each clause does specific work the others cannot do; missing any one weakens the enforcement posture.
Build the whitelist pipe regardless of appellate outcome. Stripe ACP and Anthropic MCP let declared agents transact under platform-controlled terms. Walmart and Target adopted block-stealth, whitelist-declared, build-the-surface posture in early 2026. The infrastructure takes six to nine months; the appellate decision will arrive faster than the build.
Detection requires stacked signals, not single rules. User agent, robots.txt respect, token velocity, asset request pattern, request sequence shape, CAPTCHA behavioral hash, and Chromium extension manifest gaps each contribute. Three or four signals together reach actionable confidence. Single-signal blocks produce false positives that cost real conversion revenue.
Cloudflare’s July 1, 2025 default-block for new domains is the infrastructure analog. The same logic — declared agents allowed, stealth agents blocked — operates at the edge layer. Marketplaces that align ToS, detection, and edge configuration produce coherent enforcement. Marketplaces that misalign one of the three layers produce gaps that attorneys and stealth operators both find.
The waiting game loses under all three appellate outcomes. Affirm, vacate, or settle, the operator playbook is the same: detect stealth, declare a posture, build the whitelist pipe. Operators who start in Q2 2026 have working infrastructure by Q4 2026. Operators who start after the appeal have the precedent question and an empty infrastructure.

Sources

Amazon.com Services LLC v. Perplexity AI Inc., No. 3:25-cv-09514, Complaint, U.S. District Court for the Northern District of California, November 4, 2025. CourtListener docket.
Amazon.com Services LLC v. Perplexity AI Inc., Order Granting Preliminary Injunction (Chesney, J.), N.D. Cal., March 9, 2026.
United States Court of Appeals for the Ninth Circuit, Order Granting Administrative Stay (March 16, 2026); N.D. Cal., Order Granting Administrative Stay Pending Appellate Review (March 30, 2026).
Facebook, Inc. v. Power Ventures, Inc., 844 F.3d 1058 (9th Cir. 2016).
hiQ Labs, Inc. v. LinkedIn Corp., 31 F.4th 1180 (9th Cir. 2022).
CNBC, “Amazon Sues Perplexity Over Comet AI Browser,” November 4-5, 2025.
Bloomberg Law, “Court Grants Amazon Preliminary Injunction Against Perplexity,” March 2026.
Lexology, “Ninth Circuit Stays Comet Injunction Pending Appeal,” March 2026.
Cloudflare Blog, “Content Independence Day: No AI Crawl Without Compensation,” July 1, 2025.
PYMNTS, “Thumbtack and OpenAI Partner on Agentic Commerce,” October 2025.
PYMNTS, “Thumbtack-Anthropic Partnership Announcement,” April 23, 2026.
Stripe Documentation, “Agentic Commerce Protocol,” 2025.
Anthropic, “Model Context Protocol Specification,” 2024-2025.
CyberScoop, “What Comet Did Wrong: Stealth User Agents and CFAA Risk,” March 2026.
Search Engine Journal, “Agent Block or Whitelist: The Marketplace Decision,” April 2026.
Wired, “Perplexity’s Growth and the AI Search Race,” March 2025 (15 million MAU figure).
18 U.S.C. § 1030 — Computer Fraud and Abuse Act.
California Penal Code § 502 — Comprehensive Computer Data Access and Fraud Act.

The Comet injunction and its Ninth Circuit stay are the leading edge of a longer transition. Buyer-side AI agents will not stop at Amazon — they will arrive at every lead-gen marketplace surface that monetizes the consumer handoff. The operators that read the Power Ventures lineage correctly, write the ToS language that revokes authorization explicitly, ship detection that distinguishes declared from stealth traffic, and build ACP and MCP endpoints for the agents they want to keep, will own the next two years of marketplace economics. The operators that wait for the appellate court to decide for them will discover that the appellate court is not the binding constraint. Engineering velocity is.

The Podcast

Industry Conversations.

Candid discussions on the topics that matter to lead generation operators. Strategy, compliance, technology, and the evolving landscape of consumer intent.

Listen on Spotify