Codify — Article

Stopping Grinch Bots Act of 2025 bans circumvention of online purchase controls

Creates an FTC-enforceable prohibition on tools that defeat retailers’ purchase limits or inventory controls, with a narrow security-research exception and a state parens patriae enforcement pathway.

The Brief

The Stopping Grinch Bots Act makes it unlawful to bypass technological controls on websites or online services that retailers use to enforce purchase limits or manage inventory, and it bars selling goods obtained through that bypass where the seller participated in or knew (or should have known) about the circumvention. The bill includes a carve‑out for tools used for security research or for investigating alleged violations.

Enforcement is assigned to the Federal Trade Commission under the FTC Act (treating violations as unfair or deceptive acts or practices), and the bill preserves state attorneys general's ability to sue on behalf of residents, subject to notice and coordination rules. The statute is targeted at aftermarket scalpers and bot operators, but its standards (notably the "knew or should have known" test and the scope of the research exception) will drive litigation and compliance interpretation for platforms, resellers, and security teams.

At a Glance

What It Does

The bill outlaws creating or using software or other means to defeat posted purchase limits or inventory-management controls on internet sites, and it forbids offering for sale products acquired through that defeat when the seller was involved in or should have realized the product was illicitly obtained. It expressly exempts research and investigative tools used to improve security or enforce the law.

Who It Affects

Primary targets are automated bot developers, reseller operations that stockpile limited-quantity goods, and secondary-market platforms that list those products. Online retailers that deploy controls will see a new legal backstop; security researchers and vendors of defensive tools gain a limited safe harbor only when their work fits the research or enforcement purposes in the exception.

Why It Matters

This law channels enforcement through the FTC’s unfair‑or‑deceptive framework, meaning remedies and investigatory powers under the FTC Act apply. For compliance officers it creates new exposure for marketplaces and sellers in interstate commerce and raises questions about how to operationalize the "should have known" standard and the research exception.

What This Bill Actually Does

The core of the bill is simple: you cannot build, use, or sell tools that defeat online controls retailers put in place to keep products available and limit purchases. That covers common scalping behavior — scripts or bots that bypass per‑customer caps, queue systems, or inventory locks — and it reaches not only the bot operator but also sellers who traffic in goods acquired through such circumvention if they took part in the circumvention or knew (or reasonably should have known) the goods were improperly obtained.

The sponsor anticipated legitimate uses of automated tools, so the bill creates a narrow exception for research and law-enforcement or compliance investigations. That exception is limited to activities that either (a) advance computer security knowledge or (b) help develop security products, or that investigate or support enforcement or defense of alleged violations.

The safe harbor therefore favors recognized security research and enforcement work — but it does not function as a broad license for automation for business purposes.

Enforcement sits primarily with the Federal Trade Commission: violations are treated as unfair or deceptive acts under the FTC Act, giving the FTC its existing investigative tools and remedies. States keep a meaningful role: attorneys general can bring parens patriae actions and other authorized state consumer protection officials can sue, but they must notify the FTC before filing and the FTC can intervene or preclude state actions while its own case is pending.

The bill also clarifies venue and service rules for state suits and defines "posted" to mean "clearly and conspicuously published" on a website.

Taken together, the measure arms regulators against scalping ecosystems but leaves several implementation choices to be worked out in enforcement and litigation — including how factfinders should apply the constructive-knowledge standard, how courts will interpret the research exception, and what operational steps platforms must take to demonstrate they used "posted" controls reasonably and conspicuously.

The Five Things You Need to Know

1. The statute bars selling or offering for sale in interstate commerce products obtained by defeating online purchasing limits when the seller either participated in the circumvention or "knew or should have known" the acquisition violated the access controls.

2. Violations are treated as unfair or deceptive acts under the FTC Act, meaning the FTC enforces with its full investigatory powers and can seek the remedies available under that statute.

3. The bill’s exception allows creation or use of circumvention tools for (A) investigating or supporting enforcement or defense of alleged violations, and (B) security research aimed at advancing knowledge or developing security products — the exception is purpose-limited, not categorical.

4. State attorneys general may sue on behalf of residents (parens patriae), but must notify the FTC at least 10 days before filing and provide the complaint; the FTC can intervene and may preclude the state suit while its own enforcement action is pending.

5. The bill defines "posted" as "clearly and conspicuously published" on a website and expands venue/service options for state suits, allowing service where a defendant is an inhabitant or may be found.

Section-by-Section Breakdown

Section 1

Short title

Provides the act’s name: the "Stopping Grinch Bots Act of 2025." This is purely titular but signals the bill’s focus on automated scalping and resale practices that defeat retailer controls.

Section 2(a)(1)

Prohibition on circumvention and resale of illicitly obtained goods

Creates the substantive offense: it is unlawful to circumvent technological controls that enforce posted purchasing limits or manage inventory. It also separately prohibits selling or offering for sale goods in interstate commerce when those goods were obtained by such circumvention and the seller either participated in the circumvention or "knew or should have known" of it. Practically, this creates dual liability: for the actor who built or ran the circumvention and for downstream sellers who traffic in the results if they meet the participation or knowledge tests.

Section 2(a)(2)

Security‑research and investigative exception

Carves out lawful uses: the statute permits creation or use of software to investigate or aid enforcement/defense of alleged violations and to perform research to identify vulnerabilities or to develop security products, provided the activities are conducted to advance security knowledge or product development. That carve‑out is purpose‑based and will require courts and regulators to scrutinize the intent and framing of research or investigative projects when a defendant invokes it.

Section 2(b)

FTC enforcement and remedies

Treats violations as unfair or deceptive acts under section 18 of the FTC Act, bringing the full panoply of FTC powers to bear — administrative enforcement, civil litigation, subpoenas, and remedies available under the FTC Act. The bill also states violators are subject to the penalties, privileges, and immunities provided in the FTC Act and confirms the FTC’s existing authority is preserved. For defendants this means potential administrative proceedings and civil penalties/remedies in addition to state suits.

Section 2(c)–(d)

State enforcement, coordination rules, and definitions

Grants state attorneys general (and other authorized consumer protection officials) the authority to sue as parens patriae for injunctive relief, restitution, or damages, but requires a written notice to the FTC 10 days before filing (with an exception for infeasible notice). The FTC may intervene in state suits and the statute bars state actions against defendants named in an FTC enforcement while that federal action is pending. The provision also addresses venue and service-of-process rules and defines "posted" as "clearly and conspicuously published" on a website — a small definitional clause with outsized practical importance for compliance and litigation.

Who Benefits and Who Bears the Cost

Every bill creates winners and losers. Here's who stands to gain and who bears the cost.

Who Benefits

  • Online consumers seeking fair access to limited‑quantity goods: the bill targets automated stockpiling and resale that artificially denies ordinary shoppers the chance to purchase at retail.
  • Retailers that deploy purchase limits and inventory controls: they gain a statutory prohibition and an enforcement mechanism (FTC and state AGs) to back up technical controls and reduce aftermarket leakage.
  • Public-interest and security researchers (conditionally): researchers who are clearly working to advance security knowledge or develop defensive products have an express exception they can invoke when their work would otherwise touch the prohibited conduct.

Who Bears the Cost

  • Automated bot operators and professional scalpers: they face direct liability for creating or using circumvention tools and for the sale of items acquired through them.
  • Secondary-market platforms and resellers: marketplaces that list limited-supply goods will need stronger compliance, monitoring, and provenance checks because listings may create exposure under the statutory resale prohibition.
  • Platform security and legal teams: they shoulder the compliance burden of documenting controls (to show items were "posted" and limits enforced) and evaluating when research or enforcement activities fall inside the narrow exception; this increases operational and legal costs.

Key Issues

The Core Tension

The central dilemma is balancing consumer fairness against operational and research freedom: the bill aims to stop automated stockpiling that harms shoppers, but a broad enforcement standard and a narrowly tailored research exception risk either undercutting legitimate security work and business automation or forcing platforms and small sellers into costly compliance regimes to avoid liability.

The bill leaves important interpretive questions that will determine real-world impact. First, the "knew or should have known" standard introduces a negligence-like layer of liability that is fact‑intensive: enforcement actions will turn on marketplace practices, seller disclosures, and what a reasonable seller would have done to verify provenance.

That standard may prompt platforms to adopt aggressive verification and recordkeeping practices to avoid exposure, potentially raising costs for legitimate small sellers.

Second, the research exception is purpose-limited rather than actor-limited. Courts will have to assess researcher intent and project design to determine whether an activity "advances the state of knowledge" or aids security product development — a subjective inquiry that could chill legitimate security research unless the FTC or courts adopt clear bright-line guidance.

Third, because enforcement is routed through the FTC’s unfair-practices regime, remedies and procedures will follow the FTC Act rather than a tailored statutory penalty schedule; that gives flexibility to regulators but also leaves uncertainty about civil penalties, damage calculations, and private enforcement paths. Finally, the statute does not reconcile potential overlap with other federal laws that criminalize unauthorized access or circumvention (e.g., the Computer Fraud and Abuse Act or DMCA anti‑circumvention rules), leaving unresolved questions about preemption, cumulative liability, and enforcement coordination.
