TL;DR

In March 2026, a federal judge granted Amazon a preliminary injunction blocking Perplexity's "Comet" agentic browser from accessing password-protected Amazon accounts on users' behalf. Separately, in the Southern District of New York, Judge Stein ruled that a robots.txt file is "not a barrier" in a legal sense. Put together, 2026's case law is drawing a sharp line — not around scraping in general, but around who is acting: an autonomous agent logging into your accounts and doing things versus a user-driven tool that extracts what you can already see.

ScrapeMaster sits on the user-driven side of that line by design: it runs in your browser, uses your normal session, extracts what's already rendered on your screen, does not act autonomously across multiple accounts, and stores everything locally. This post is a plain-English explainer of the 2026 landscape — not legal advice. For your situation, talk to a lawyer.

  • The new fault line: autonomous agent acting on your accounts vs. a user viewing a page and extracting the visible data.
  • Where ScrapeMaster lands: your session, your screen, local storage, no autonomous multi-account behavior, no login/paywall/CAPTCHA bypass.
  • If you want a free extractor that stays on the safe side of that line, ScrapeMaster is on the Chrome Web Store.

What actually happened in Amazon v. Perplexity

Perplexity shipped "Comet," an agentic browser — software that doesn't just show you a page but takes actions for you: navigating, logging in, clicking, buying. The pitch is "tell it what you want and it does the shopping." The problem, from Amazon's point of view, is what that means operationally: an AI agent logging into a customer's Amazon account and transacting inside Amazon's authenticated environment, at scale, without Amazon's authorization and outside the terms customers agreed to.

Amazon sued and, in March 2026, obtained a preliminary injunction — a court order, issued early in a case, telling Perplexity to stop the conduct while the litigation proceeds. Courts grant preliminary injunctions when the plaintiff shows it's likely to win and that it'll suffer irreparable harm otherwise. So this isn't a final ruling on the merits, but it's a strong signal about how at least one court views the conduct.

The crux was password-protected access by an autonomous agent. This wasn't about reading a public product page. It was about software authenticating into a private account area and operating there on the user's behalf, against the site operator's wishes and terms.

Why "who is acting" is the whole question

For years the scraping debates centered on public data — the hiQ v. LinkedIn line of cases, whether the Computer Fraud and Abuse Act (CFAA) reaches publicly accessible pages, and so on. The agentic-browser fight shifts the frame. The question is less "was this data public?" and more "was a human viewing their own screen, or was an autonomous system authenticating and acting inside a protected environment?"

That distinction has legal teeth:

  • Authorization. The CFAA is about "unauthorized access" to computer systems. Reading a page you were served in your own browser is different from software logging into an account area in a way the operator has explicitly disallowed.
  • Contract / terms of service. Most sites' terms restrict automated access to logged-in areas. An autonomous agent transacting inside your account can breach those terms in ways ordinary browsing doesn't.
  • Scale and intent. A single user extracting the rows on the page they're looking at reads very differently from a fleet of agents fanning out across many accounts.

The other 2026 signal: robots.txt is "not a barrier"

In the same broad window, Judge Stein in the SDNY addressed the perennial question of what robots.txt legally is. The takeaway: a robots.txt file is "not a barrier" — it's a published request to automated crawlers, not a technical access control and not, by itself, a legal wall. Ignoring it isn't automatically "unauthorized access" in the CFAA sense.

That cuts two ways, and it's important not to over-read it:

  • It does not mean "robots.txt is meaningless." It can still matter for a site's terms of service, for reputation, and as evidence of the operator's wishes. Courts weigh conduct holistically.
  • It does mean the presence or absence of a robots.txt line is not the on/off switch people sometimes treat it as. The heavier legal questions live in how you access (public vs. authenticated), at what scale, and whether you circumvented technical controls or violated a contract.

We wrote a fuller breakdown of the robots.txt and DMCA rulings, including the OpenAI/Snap/Meta threads, in this post. This article deliberately focuses on the agentic-browser angle, which is the genuinely new thing in 2026.

The line, drawn plainly

Here's the practical mental model 2026's cases suggest. None of this is legal advice — it's a way to think about where a given tool or workflow sits.

FactorAutonomous agent (risky end)User-driven extraction (safer end)
Who acts?Software authenticates and acts for youYou browse; the tool reads what's on your screen
Account accessLogs into accounts, sometimes manyUses your one existing, already-logged-in session
Data reachedCan go get data behind logins/paywallsOnly what's already rendered to you
CircumventionMay bypass access controls to complete a taskBypasses nothing — no paywall/login/CAPTCHA defeat
Scale patternFleet behavior across accounts/sitesOne human, human-paced
Where data goesOften the vendor's cloudCan stay entirely local

The Amazon injunction is the top-left cell. A user reading a page and copying the visible rows into a spreadsheet is the bottom-right.

Where ScrapeMaster sits — and where it doesn't pretend to sit

We build ScrapeMaster, so treat this as us describing our own design choices, not as a legal opinion about your use.

On the user-driven side by construction:

  • It runs in your browser via the Chrome Side Panel API. There's no separate headless bot farm. It sees the page exactly as you see it — including JS-rendered React/Vue/Angular apps — because it is your browser.
  • It uses your normal session. ScrapeMaster does not create or juggle accounts. It doesn't authenticate on your behalf. If you're logged in, it sees what your logged-in self sees; if you're not, it doesn't.
  • It extracts only what's already rendered. ScrapeMaster does not bypass paywalls, login walls, or CAPTCHAs. It cannot fetch data that isn't on your screen. This is a hard limit, not a setting.
  • It is not an autonomous agent. It doesn't navigate to complete goals, doesn't transact, doesn't fan out across accounts. "Follow detail" opens each listed item's own link in a background tab to merge visible fields — that's you clicking through rows faster, not an agent pursuing objectives across a site's private areas.
  • Data stays local. Extracted rows live in your browser's IndexedDB and are never uploaded. The single network call is auto-detect, which sends the page's HTML structure (not its content) to suggest columns. Your data doesn't go to a cloud you don't control.

What it honestly is not: ScrapeMaster does not rotate proxies or fingerprints, so heavy, rapid use against aggressive anti-bot sites (LinkedIn, Cloudflare-fronted sites) can still get you blocked. And it's a neutral tool — sitting on the "user-driven" side of the design line does not make every use lawful. Legality depends on what you extract, from where, at what scale, and under whose terms. A user-driven tool pointed at personal data at volume still triggers data-protection duties.

What this means for how you collect data in 2026

A few practical takeaways, none of them legal advice:

  1. Prefer viewing to authenticating-on-your-behalf. If your workflow needs software to log into accounts and act, you're near the risky end. If it only reads what a human already sees, you're near the safer end.
  2. Public vs. protected still matters — a lot. The robots.txt ruling loosened one old assumption, but authenticated/protected areas are where injunctions land. Extracting public, visible data is a materially different posture than reaching into logged-in account environments programmatically.
  3. Respect terms of service. "Not a barrier" for robots.txt doesn't mean terms don't bind you. Many sites' terms restrict automation; violating them carries contract risk even when CFAA doesn't apply.
  4. Personal data carries its own duties. GDPR/CCPA obligations attach to personal data regardless of how public it was. See our social media scraping rules and LinkedIn legality guide.
  5. Keep the data close. Local storage reduces one category of risk (third-party data exposure). It's not a legal shield, but it's a sensible default.

Frequently asked questions

Does the Amazon v. Perplexity injunction make all web scraping illegal?

No. It's a preliminary injunction targeting a specific behavior: an autonomous agent accessing password-protected Amazon accounts on users' behalf without authorization. It doesn't declare "scraping" illegal, and it says little about a user reading a public page and extracting the visible data. It's a signal that autonomous agents authenticating into protected accounts draw serious legal fire.

Is ScrapeMaster an agentic browser like Comet?

No. ScrapeMaster is a user-driven extractor. It doesn't navigate to complete goals, doesn't log into accounts on your behalf, doesn't transact, and doesn't operate across multiple accounts. It reads what's already rendered in your own browser session and puts it in a spreadsheet. That's a different category from an autonomous agent.

If robots.txt is "not a barrier," can I scrape anything?

No — that reading is too broad. The ruling means robots.txt isn't, by itself, a technical access control or an automatic legal wall. But terms of service, authentication requirements, anti-circumvention, scale, and data-protection law all still apply. robots.txt is one signal among many, not the on/off switch.

Does ScrapeMaster bypass logins or paywalls to get more data?

No, and it can't. ScrapeMaster extracts only what's already rendered on your screen — including content behind your own login that you can already see. It does not defeat paywalls, login walls, or CAPTCHAs. If it's not visible to you, ScrapeMaster can't produce it.

Is storing data locally legally safer?

Local storage reduces one specific risk — exposing extracted data to a third-party cloud — but it isn't a legal shield. If you extract personal data, data-protection obligations (GDPR, CCPA) attach regardless of where you store it. Local-first is a good default, not a get-out-of-compliance card.

Is this article legal advice?

No. This is a plain-English explainer of 2026 developments for general understanding. Case law is evolving and facts matter enormously. For your specific situation, consult a qualified attorney.

Bottom line

The 2026 rulings didn't outlaw data collection — they clarified where the risk concentrates: autonomous agents authenticating into protected accounts, not humans reading and extracting what's on their own screen. ScrapeMaster was built for the second world: your browser, your session, your visible data, stored locally, no autonomous account behavior, no paywall or CAPTCHA bypass. That design keeps it on the user-driven side of the line — though it doesn't make every use lawful, and heavy use can still be blocked. Neutral tool, honest limits.

If a local, user-driven extractor fits how you want to work, install ScrapeMaster free from the Chrome Web Store. And again: not legal advice — when in doubt, ask a lawyer.