Agent Provocateur: How AI Shopping Bots Are Testing Retail Legal Boundaries
A new wave of artificial intelligence-powered shopping tools is changing how consumers buy online and creating fresh legal exposure for retail brands. In what the industry calls “agentic commerce,” AI assistants do not merely recommend products; they autonomously search, compare, and complete purchases on a consumer’s behalf, often without the consumer ever visiting the retailer’s website. Google, OpenAI, and Amazon.com have all released or expanded these capabilities in recent months, and new industry-wide technical standards are being developed to let AI agents transact across the internet at scale.
Morgan Stanley projects 10 percent to 20 percent of U.S. e-commerce spend could be AI agent-driven by 2030; other analysts cited by Deloitte put the global figure as high as 25 percent. This evolution of consumer shopping patterns comes with material legal and operational risks for retailers that in-house counsel should be evaluating now.
Key Legal Issues
Agentic commerce touches nearly every aspect of the retailer-consumer relationship, from how products are discovered and purchased to how disputes are resolved and customer data is collected. For in-house counsel, that means familiar legal frameworks — contract formation, consumer protection, data privacy, and unauthorized access — are being stretched in unfamiliar ways.
1. Disintermediation and Loss of Customer Relationship
AI shopping agents are inserting themselves between retailers and customers. Adobe data shows AI traffic to retail sites surged 4,700 percent year-over-year in mid-2025. Amazon’s “Buy for Me,” for example, can complete a purchase on a third-party brand’s site without the consumer ever visiting it. Gartner forecasts a 25 percent drop in traditional search volumes, and some platforms are already charging merchants commissions on agent-completed sales. In all, this means fewer customer touchpoints, less control over presentation, and weaker direct relationships.
The strategic question is shifting from “How do we rank in search results?” to “How do we become the product an AI agent recommends?” Staying visible means restructuring product data for AI consumption, which means sharing more with third-party platforms and creating new data governance issues.
2. Scraping and Third-Party Use of Proprietary Data
AI shopping agents routinely “scrape” product names, descriptions, images, pricing, and real-time inventory from retailers’ public sites. The volume is significant — HUMAN Security reported AI agent traffic grew 7,851 percent in 2025 — and can strain retailer infrastructure as sites designed for consumer use are misused by bots.
Scraping of consumer-facing websites can create legal issues — and defenses — for retailers, including claims for breach of website terms, copyright infringement, and unfair competition, particularly where proprietary retailer data is being used by third parties to create comparison engines or competing services. Some agentic platforms also redistribute retailer inventory and pricing within their AI environments, further eroding the retailer’s control over how its catalog and prices appear to consumers.
3. Unauthorized Access to Password-Protected Accounts
Some AI agents go further, using a consumer’s login credentials to access password-protected areas of a retailer’s site without the retailer’s knowledge. Litigation has followed. In Amazon.com Services LLC v. Perplexity AI, Inc., Amazon obtained a preliminary injunction against Perplexity’s Comet browser agent. The court found Amazon likely to succeed under the federal Computer Fraud and Abuse Act (CFAA) and a California computer fraud statute because Comet accessed accounts “with the Amazon user’s permission, but without authorization by Amazon.” Amazon also alleged Perplexity disguised Comet as a Chrome session, ignored multiple warnings, and pushed an update within 24 hours to circumvent Amazon’s technical block. The Ninth Circuit later stayed the injunction pending appeal, but the case underscores a key takeaway: user consent doesn't substitute for the site operator’s authorization.
Major AI companies are also building “browser agent” tools, such as Amazon’s Nova Act and Google’s Project Mariner, that remotely control a user’s browser, increasing the risk that third-party agents reach password-protected retailer environments unnoticed.
The pattern is not new: in hiQ Labs, Inc. v. LinkedIn Corp., courts confirmed that even where automated access to public data may not violate the CFAA’s criminal provisions, platforms retain significant power to control access through terms of service and technical measures. Agentic commerce raises a higher-stakes version of that dispute because the agent is not merely collecting information. Agents are completing purchases and triggering payment and fulfillment.
For retailers, the practical takeaway is that controlling agent access is both a legal right and an operational necessity. Once an agent is logged into a customer account, it can see order history, saved payment methods, stored addresses, and loyalty data, raising privacy, PCI, and account-takeover concerns regardless of whether the consumer technically “authorized” the agent. Retailers should make clear in their terms that credential sharing with third-party agents is prohibited, deploy bot- and session-detection tools to identify disguised agent traffic, and preserve evidence of warnings and circumvention so they can act, as Amazon did, if an agent ignores cease-and-desist notices or works around technical blocks.
4. Checkout and Payment Ambiguity
When an AI agent clicks “buy,” it raises a basic question: Who is the purchaser, and how does the retailer know the transaction was authorized by the human buyer? Tools range from assistants that surface options for human approval to fully autonomous agents acting within preset parameters (e.g., “buy these sneakers if the price drops below $150”), each raising different authorization and liability issues.
Agentic commerce splits the decision to buy from the moment of payment, making it harder to prove the payer authorized the specific transaction. Consumer laws and regulations as well as credit and debit card network rules may leave retailers with an increased burden to resolve disputed payments stemming from agentic purchases. Regulation E, which governs electronic fund transfers and ACH payments (the latter frequently used by emerging “pay-by-bank” checkout tools), offers no clear framework when an agent exceeds or misinterprets a consumer’s instructions (e.g., wrong item or quantity). Expect more chargebacks that are difficult for merchants to effectively contest, and some merchants simply blocking agent-initiated transactions.
Consumer protection law adds uncertainty. Existing rules generally require consumers to understand key terms, like cancellation rights and return policies. It's unclear whether disclosing these terms to an AI agent rather than the human satisfies the retailer’s obligations.
AI systems are not legal persons and cannot themselves contract. An agent’s purchase must be attributed to the human or entity it acts for under traditional agency principles, though proving the scope of that authority after the fact can be difficult, and the retailer may bear the cost of disputed transactions in the meantime. UETA and the federal E-SIGN Act already recognize contracts formed by automated systems, and courts are likely to extend those frameworks here. However, retailers shouldn't assume every agent-initiated transaction will be enforceable against the consumer behind it.
Agentic commerce also introduces new fraud risks. “Prompt injection” attacks, in which an agent is manipulated into adding unauthorized items to a cart or sending a gift card to the attacker, are becoming more prevalent. Automated refund fraud is another concern: if agents can trigger refunds, bot networks could generate thousands of fraudulent returns in an hour.
Recommended Actions
The legal landscape is still developing, but in-house teams can take concrete steps now.
Strengthen Terms and Conditions
Update website terms of service to address AI agents directly: prohibit automated scraping, data harvesting, and downstream commercial use of site content; restrict third-party agents acting for users without authorization; and confirm the retailer’s ownership of product data with express limits on reuse.
The enforceability of those terms against AI agent-initiated transactions, where no human ever clicked “I agree,” remains an open question, making proactive treatment important.
Refresh privacy policies, data handling and retention procedures, and data subject request workflows to reflect new agentic data flows. Vendor management matters too: agentic systems involve layered chains of model developers, tool vendors, hosting platforms, and integrators, where an upstream change can shift downstream agent behavior unnoticed. Build in audit rights, transparency obligations, and change-management provisions, and ensure vendors have a plan to manage the risks and opportunities presented by agents.
Monitor and Control Bot Activity
Work with technology teams to detect and manage automated traffic, implementing rate limiting, behavioral analysis for nonhuman patterns, and CAPTCHA-style challenges. Industry groups are also developing “Know Your Agent” (KYA) standards to help retailers distinguish legitimate consumers from authorized agents and unauthorized bots.
Keep detailed logs of automated activity to support enforcement or litigation, and update fraud, dispute and return policies for the higher speed and volume of AI-driven transactions.
Develop Controlled Access Channels
Defense alone may not be enough. Going on the offensive may allow retailers to capture the opportunities presented by agentic commerce channels. Create structured, authorized pathways for approved AI platforms to access product information and check out under clear contractual terms, such as controlled data feeds or partner APIs.
Some retailers are already there: Carrefour has integrated grocery shopping into ChatGPT, but completed baskets are handed off to the retailer's own site for payment and delivery. Shopify and Google have partnered on the Universal Commerce Protocol (UCP), an open standard for structured, secure agent-to-merchant transactions.
Design these controlled pathways with technical access restrictions (who connects, how much data, how quickly) alongside clear, enforceable contractual provisions.
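As an added, self-contained illustration of the controls described in the two sections above (not code from the article or its authors), the following Python module gates a hypothetical partner API. Registered agents are identified by a key id and an HMAC request signature (who connects), held to a token-bucket request rate and a daily record quota (how quickly, how much data), and unregistered traffic that requests faster than a person browses is first served a challenge and then blocked. Every decision is appended to an evidence log that is never pruned. Agent names, keys, IP addresses, thresholds and the traffic sample are all constructed for the example.

```python
import hashlib
import hmac
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class AgentPolicy:
    """Contractual limits for one registered agent (constructed values)."""
    name: str
    secret: bytes          # shared secret the agent signs requests with
    rate_per_sec: float    # how quickly: sustained requests per second
    burst: int             # short-term allowance (token bucket capacity)
    daily_records: int     # how much data: catalog records per UTC day


@dataclass
class _Bucket:
    tokens: float
    last: float
    day: int
    records_used: int = 0


class AgentGate:
    """Allow / throttle / challenge / block decisions with an append-only evidence log."""

    def __init__(self, policies, anon_window=10.0, anon_threshold=20, max_skew=300.0):
        self.policies = policies              # key_id -> AgentPolicy (who may connect)
        self.buckets = {}                     # key_id -> _Bucket
        self.anon_hits = defaultdict(deque)   # client ip -> timestamps of unregistered hits
        self.anon_challenged = set()          # ips already served a challenge
        self.anon_window, self.anon_threshold, self.max_skew = anon_window, anon_threshold, max_skew
        self.evidence = []                    # never pruned: supports notices and litigation

    def _log(self, now, outcome, **fields):
        self.evidence.append({"ts": now, "outcome": outcome, **fields})
        return outcome

    @staticmethod
    def sign(secret, key_id, ts, path):
        """HMAC over key id, timestamp and path; the agent sends this with each request."""
        return hmac.new(secret, f"{key_id}\n{ts}\n{path}".encode(), hashlib.sha256).hexdigest()

    def check(self, key_id, sig, ts, path, ip, records, now):
        """Evaluate one request; `records` is the number of catalog rows it would return."""
        if key_id is None:
            return self._check_unregistered(ip, path, now)
        policy = self.policies.get(key_id)
        if policy is None:
            return self._log(now, "block", reason="unknown_agent", key_id=key_id, ip=ip, path=path)
        if abs(now - ts) > self.max_skew:   # replayed or stale signature
            return self._log(now, "block", reason="stale_timestamp", key_id=key_id, ip=ip, path=path)
        if not hmac.compare_digest(self.sign(policy.secret, key_id, ts, path), sig):
            return self._log(now, "block", reason="bad_signature", key_id=key_id, ip=ip, path=path)
        day = int(now // 86400)
        b = self.buckets.setdefault(key_id, _Bucket(tokens=policy.burst, last=now, day=day))
        if b.day != day:                      # new UTC day: reset the data quota
            b.day, b.records_used = day, 0
        b.tokens = min(policy.burst, b.tokens + (now - b.last) * policy.rate_per_sec)
        b.last = now
        if b.tokens < 1:
            return self._log(now, "throttle", reason="rate_limit", key_id=key_id, ip=ip, path=path)
        if b.records_used + records > policy.daily_records:
            return self._log(now, "block", reason="daily_quota", key_id=key_id, ip=ip, path=path)
        b.tokens -= 1
        b.records_used += records
        return self._log(now, "allow", key_id=key_id, ip=ip, path=path, records=records)

    def _check_unregistered(self, ip, path, now):
        """Unregistered traffic: a burst faster than a person browses gets a challenge, then a block."""
        hits = self.anon_hits[ip]
        hits.append(now)
        while hits and now - hits[0] > self.anon_window:
            hits.popleft()
        if len(hits) < self.anon_threshold:
            return self._log(now, "allow", key_id=None, ip=ip, path=path)
        if ip not in self.anon_challenged:
            self.anon_challenged.add(ip)
            return self._log(now, "challenge", reason="nonhuman_rate", ip=ip, path=path, hits=len(hits))
        return self._log(now, "block", reason="nonhuman_rate_after_challenge", ip=ip, path=path, hits=len(hits))


def demo():
    """Runs a constructed traffic sample through the gate and returns the outcomes."""
    key, secret = "agent-key-01", b"constructed-shared-secret"
    gate = AgentGate({key: AgentPolicy("ExampleShopBot", secret, rate_per_sec=2.0, burst=3, daily_records=500)},
                     anon_threshold=5)
    t = 1_700_000_000.0
    registered = []
    for _ in range(5):          # five requests in the same second: the bucket of 3 absorbs three
        registered.append(gate.check(key, AgentGate.sign(secret, key, t, "/catalog"), t, "/catalog", "203.0.113.5", 100, t))
    t += 1.0                    # two tokens have refilled
    for _ in range(2):
        registered.append(gate.check(key, AgentGate.sign(secret, key, t, "/catalog"), t, "/catalog", "203.0.113.5", 100, t))
    t += 5.0                    # bucket is full again, but the 500-record daily quota is spent
    registered.append(gate.check(key, AgentGate.sign(secret, key, t, "/catalog"), t, "/catalog", "203.0.113.5", 100, t))
    forged = gate.check(key, "0" * 64, t, "/catalog", "198.51.100.9", 1, t)
    unknown = gate.check("agent-key-99", "0" * 64, t, "/catalog", "198.51.100.9", 1, t)
    anonymous = [gate.check(None, None, t + i * 0.5, "/product/123", "192.0.2.77", 1, t + i * 0.5) for i in range(6)]
    return {"registered": registered, "forged": forged, "unknown": unknown,
            "anonymous": anonymous, "evidence": gate.evidence}
```

In production the key registry would be populated from the contractual onboarding of each approved platform (or from a KYA credential once those standards mature), the thresholds tuned against real traffic, and the evidence list written to write-once storage rather than kept in memory, so that the record of warnings and blocks survives for a cease-and-desist notice or litigation.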
Harden Authentication and Transaction Controls
Harden defenses against unauthorized agent activity, including “credential stuffing” using stolen or shared logins. Amazon v. Perplexity confirms a retailer’s independent right to control access to its password-protected systems even where the consumer voluntarily shared credentials. Enhanced identity verification and anomaly detection at checkout are essential given prompt injection attacks that can hijack agent behavior mid-transaction.
On payments, card networks and payment processors are rolling out tools that help retailers distinguish trusted agents from bad ones. Visa’s Trusted Agent Framework, Mastercard’s Agent Pay, and Cloudflare’s Web Bot Auth all aim to verify that an agent is authorized to act for a real consumer. Retailers should evaluate and adopt these tools as they mature.
Prepare for Enforcement
Be positioned to take legal action when needed. Available claims include CFAA actions for unauthorized access to password-protected systems, breach of terms of service, copyright infringement, and unfair competition. Amazon v. Perplexity is an early, significant precedent for unauthorized access enforcement.
Internally, align legal, security, and product teams on escalation protocols and evidence preservation. Update incident response and business continuity plans for agentic-specific scenarios, like prompt injection attacks or an agent exceeding scope and triggering a wave of erroneous transactions. NIST’s AI Agent Standards Initiative may offer useful reference points.
The practical rules of agentic commerce are being set now, largely by the companies building the technology. Retailers should not wait. Setting and adopting internal “agent participation policies,” defining practices for agent identification, permitted transaction types, spending limits, authentication, and dispute resolution, is one concrete step. Access restrictions should be grounded in legitimate safety and fraud concerns and distinguished from those driven by competitive considerations.
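As an added example (not from the article or its authors) of how the limits in an agent participation policy can be enforced in code, the following Python module records a consumer-granted mandate for a hypothetical agent and evaluates each agent-submitted cart against it before payment. In-scope carts are approved; carts over the spending cap are referred back to the consumer for human approval; carts that add a blocked gift-card SKU, an unauthorized category or ship-to address, or that arrive after expiry or from a different agent, are refused. Each decision is stored as a record for later dispute handling. All identifiers, SKUs, amounts and the mandate fields themselves are constructed.

```python
import hashlib
import json
from dataclasses import asdict, dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Mandate:
    """What one consumer authorized one agent to do (constructed field set)."""
    mandate_id: str
    consumer_id: str
    agent_id: str
    max_total_cents: int            # spending limit
    allowed_categories: frozenset   # permitted transaction types
    allowed_ship_to: frozenset      # address ids the consumer registered beforehand
    expires_at: datetime
    blocked_sku_prefixes: tuple = ("GIFTCARD-",)   # never purchasable through an agent


@dataclass(frozen=True)
class LineItem:
    sku: str
    category: str
    unit_cents: int
    qty: int


def evaluate_cart(mandate, agent_id, items, ship_to, now):
    """Return (decision, reasons): 'approve', 'refer' (needs the consumer's approval) or 'refuse'."""
    reasons = []
    if agent_id != mandate.agent_id:
        reasons.append("agent_not_named_in_mandate")
    if now >= mandate.expires_at:
        reasons.append("mandate_expired")
    if ship_to not in mandate.allowed_ship_to:
        reasons.append(f"ship_to_not_authorized:{ship_to}")
    for item in items:
        if item.sku.startswith(mandate.blocked_sku_prefixes):
            reasons.append(f"blocked_sku:{item.sku}")
        if item.category not in mandate.allowed_categories:
            reasons.append(f"category_not_authorized:{item.category}")
        if item.qty <= 0 or item.unit_cents <= 0:
            reasons.append(f"invalid_line:{item.sku}")
    if reasons:                      # any hard violation refuses the whole cart
        return "refuse", reasons
    total = sum(item.unit_cents * item.qty for item in items)
    if total > mandate.max_total_cents:   # soft limit: step up to a human decision
        return "refer", [f"total_exceeds_cap:{total}>{mandate.max_total_cents}"]
    return "approve", []


def decision_record(mandate, agent_id, items, ship_to, now):
    """Dispute record: what was submitted, what was decided and why, plus a digest to match copies."""
    decision, reasons = evaluate_cart(mandate, agent_id, items, ship_to, now)
    record = {
        "mandate_id": mandate.mandate_id, "consumer_id": mandate.consumer_id, "agent_id": agent_id,
        "items": [asdict(item) for item in items], "ship_to": ship_to, "at": now.isoformat(),
        "decision": decision, "reasons": reasons,
    }
    record["digest"] = hashlib.sha256(json.dumps(record, sort_keys=True).encode()).hexdigest()
    return record


def demo():
    """Evaluates constructed carts against one constructed mandate; returns the decision records."""
    now = datetime(2025, 6, 1, 12, 0, tzinfo=timezone.utc)
    mandate = Mandate("mnd-0001", "cust-42", "agent-alpha", max_total_cents=15000,
                      allowed_categories=frozenset({"footwear"}), allowed_ship_to=frozenset({"addr-home"}),
                      expires_at=now + timedelta(days=7))
    sneakers = LineItem("SHOE-RUN-10", "footwear", 14000, 1)
    gift_card = LineItem("GIFTCARD-100", "giftcard", 10000, 1)
    cases = {
        "in_scope": ("agent-alpha", [sneakers], "addr-home", now),
        "injected_gift_card": ("agent-alpha", [sneakers, gift_card], "addr-home", now),
        "over_cap": ("agent-alpha", [LineItem("SHOE-RUN-10", "footwear", 14000, 2)], "addr-home", now),
        "redirected_shipping": ("agent-alpha", [sneakers], "addr-unknown", now),
        "expired": ("agent-alpha", [sneakers], "addr-home", now + timedelta(days=8)),
        "wrong_agent": ("agent-beta", [sneakers], "addr-home", now),
    }
    return {name: decision_record(mandate, *args) for name, args in cases.items()}
```

The split between "refuse" and "refer" mirrors the spectrum the article describes, from assistants that surface options for human approval to agents acting within preset parameters: anything outside the consumer's stated scope is stopped outright, while a cart that is merely over budget is handed back to the person for a decision, and the stored record gives both sides something concrete to compare in a later chargeback or dispute.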
Bottom Line
Agentic commerce is here and scaling quickly. The legal questions are novel in scale and autonomy, but the underlying principles are familiar. The architecture of agentic commerce will be built before the law catches up. Brands that move now by updating terms, deploying technical safeguards, building controlled access channels, and preparing for enforcement will be best positioned to protect their data and their customer relationships.
Adam Maarec is counsel at Ballard Spahr, co-leading the firm's Fintech and Payment Solutions Team.
Meegan Brooks is a partner at Ballard Spahr. She has spent her career advising and defending retailers, e-commerce companies, and manufacturers.