Codify — Article

Stops circumvention of online purchase limits and resale of goods obtained via bots

Creates an FTC-enforced ban on using software to bypass retailers’ purchase limits or inventory controls and bars interstate sale of items obtained through such circumvention, with narrow research exceptions.

The Brief

The Stopping Grinch Bots Act of 2025 makes it unlawful to bypass technological controls on websites and online services that retailers use to enforce posted purchasing limits or to manage inventory. The bill also bars selling or offering for sale, in interstate commerce, products acquired through such circumvention when the seller either participated in or could control the circumvention or knew (or should have known) the goods were acquired improperly.

Enforcement is civil: the Federal Trade Commission will treat violations as unfair or deceptive acts under the FTC Act and can pursue remedies with its full statutory powers; state attorneys general may bring parens patriae actions subject to notice and limited coordination with the FTC. The bill contains a narrowly worded exception for security research and for tools used to investigate, enforce, or defend against alleged violations.

At a Glance

What It Does

The bill prohibits (1) circumventing security measures that enforce purchasing limits or manage inventory on internet sites or services, and (2) offering for sale, in interstate commerce, products obtained through that circumvention when the seller participated in or controlled the circumvention or knew or should have known of the illegality. It carves out exceptions for bona fide security research and for software used to investigate or defend alleged violations.

Who It Affects

Online marketplaces, resale platforms, ticket and limited-quantity retailers, bot and automation software developers, and sellers operating across state lines. Security researchers and vendors of security products are explicitly given limited exceptions.

Why It Matters

It converts bot-enabled scalping into a civil violation enforceable by the FTC and states, changing how platforms and resellers manage risk. The act shifts legal exposure toward secondary-market actors and toolmakers and raises compliance questions about what constitutes knowledge or control of circumvention.

What This Bill Actually Does

The bill targets software and other technical means used to bypass an online retailer’s controls that are posted on a website or service to limit purchases or manage inventory. That includes scripts, bots, or any technological method that defeats rate limits, CAPTCHAs, purchase caps, or inventory holds.

A person who circumvents those controls commits an unlawful act under the bill.

The prohibition has two parts: first, the act of circumvention itself; second, selling or offering for sale products obtained through circumvention in interstate commerce when the seller either directly participated in or could control the wrongful conduct, or when the seller knew or should have known the goods were acquired via circumvention. That makes both direct bot operators and some downstream sellers potentially liable.

The bill defines “posted” as clearly and conspicuously published on an internet website, which anchors obligations to visible retailer notices.

Enforcement is civil and centered on the Federal Trade Commission. The bill treats violations as unfair or deceptive acts under the FTC Act and gives the FTC the same investigation and enforcement powers it already has: injunctive authority, administrative remedies, and the penalties and immunities provided by the FTC Act.

In parallel, state attorneys general can sue as parens patriae for injunctive relief, restitution, and damages, but must notify the FTC before filing and the FTC may intervene or preempt state suits while its own action is pending.

Finally, the bill contains an explicit, limited exception for creating or using software to investigate or to further enforcement or defense of alleged violations, and for research to identify security flaws or to help develop security products. Those activities are lawful if their purpose is to advance security knowledge or create security tools; the exception does not extend to using research as a pretext to evade retailer controls.

The Five Things You Need to Know

1. The bill makes it unlawful to circumvent technological measures that enforce posted purchasing limits or manage inventory on internet websites or services.
2. It bars interstate sale or offer to sell items obtained through such circumvention when the seller participated in, could control, or knew (or should have known) the items were acquired via circumvention.
3. Security research and tools used to investigate, enforce, or defend alleged violations are expressly exempted if the work advances computer security knowledge or helps develop security products.
4. Violations are treated as unfair or deceptive acts under the FTC Act, giving the Federal Trade Commission full authority to enforce with its statutory powers.
5. State attorneys general can bring parens patriae suits for injunctive relief, restitution, or damages but must notify the FTC at least 10 days before filing (with narrow exceptions) and the FTC may intervene.

Section-by-Section Breakdown

Section 1

Short title

Provides the Act’s official name: the Stopping Grinch Bots Act of 2025. This is purely nominal but signals the bill’s focus on automated resale and equitable access to limited-quantity goods.

Section 2(a)(1)(A)

Core prohibition on circumvention

Makes it unlawful to circumvent security measures, access-control systems, or other technological controls on internet sites or services used to enforce posted purchasing limits or manage inventory. Practically, that targets bots and automation designed to defeat retailer controls, but the text covers any technological means of circumvention rather than naming specific methods, leaving room for courts to define the scope.

Section 2(a)(1)(B)

Prohibition on selling goods obtained via circumvention

Prohibits offering for sale in interstate commerce products or services obtained by circumvention where the seller either directly participated in or had the ability to control the wrong, or where the seller knew or should have known the goods were acquired improperly. This creates downstream liability for resellers and marketplaces, keyed to participation, control, or a knowledge standard rather than strict liability.

Section 2(a)(2)

Research and enforcement exception

Carves out exceptions allowing software creation or use for investigating or furthering enforcement or defense of alleged violations and for bona fide research into system vulnerabilities or development of security products. The exception requires the activities to advance security knowledge or product development, which narrows but does not precisely define the line between legitimate research and misuse.

Section 2(b)-(c)

Enforcement by the FTC and by States with coordination rules

Treats violations as unfair or deceptive acts under the FTC Act and gives the Commission full enforcement powers and penalties that come with the FTC’s statutory toolbox. States can bring parens patriae actions but must notify the FTC before filing, may be precluded from acting while the FTC's action is pending, and are subject to FTC intervention rights — creating a dual enforcement regime with procedural coordination.

Section 2(d)

Key definitions

Defines 'Commission' as the Federal Trade Commission and 'posted' as clearly and conspicuously published on an internet website. These narrow definitions anchor enforcement to visible retailer notices and confirm the FTC as the primary federal enforcer.

Who Benefits and Who Bears the Cost

Every bill creates winners and losers. Here's who stands to gain and who bears the cost.

Who Benefits

  • Consumers seeking equitable access to limited-quantity goods — retailers’ posted purchase limits gain stronger legal protection against automated circumvention, which can reduce bot-driven shortages and increase chances for individual buyers.
  • Retailers and brands that deploy purchasing limits and inventory controls — the bill gives them a clear legal basis to challenge circumvention and to push marketplaces to police sales.
  • Security researchers and vendors of security products — the statute creates a narrowly defined exemption allowing bona fide research and development work to continue without automatically triggering liability.

Who Bears the Cost

  • Resellers and scalpers using bots — the prohibition and downstream-sale liability directly target actors who buy in bulk via circumvention and then resell on secondary markets.
  • Secondary marketplaces and platforms that host listings — marketplaces may face increased exposure if they list goods obtained via circumvention and could need to invest in provenance checks, take-down processes, or risk assessment to avoid 'knew or should have known' liability.
  • Software developers and vendors of automation tools — creators of bot software may face legal risk, especially where their tools make circumvention easier or they distribute to bad actors, potentially chilling tool development outside the research exception.
  • State consumer protection offices — states gain enforcement authority but will likely incur investigatory and litigation costs, especially given the notice-and-coordination rules with the FTC.

Key Issues

The Core Tension

The bill balances two legitimate goals—protecting ordinary buyers and retailers from automated scalping, and preserving legitimate security research and commerce—but does so by imposing civil liability built on imprecise standards of 'ability to control' and 'knew or should have known.' That creates a trade-off: strong rules to curb robots and secondary-market harm versus legal uncertainty and potential overreach that could chill legitimate platform operations, research, and lawful resale.

The bill turns technical circumvention into a civil enforcement matter under the FTC Act, but its language leaves several implementation gaps. The 'knew or should have known' standard for downstream sellers imports a negligence-like inquiry that will force courts and regulators to develop tests for constructive knowledge in online resale contexts — e.g., how many red flags must a marketplace see before liability attaches. 'Had the ability to control the conduct' is similarly vague: platforms that merely provide listing services but lack direct operational control could still face litigation over whether they had 'ability' to prevent circumvention.

Those uncertainties create compliance costs and litigation risk for platforms and small sellers.

The research exception is intentionally narrow but also ambiguous. It permits activity that 'advances the state of knowledge' or 'assists in development' of security products, yet the bill does not establish procedural safeguards (such as registration, disclosures, or ethics review) to distinguish legitimate security research from pretextual circumvention.

That opens the door to disputes where defendants claim research as a defense, complicating enforcement. Additionally, the bill does not expressly coordinate with other statutes that already address unauthorized computer access (for example, the CFAA), so defendants and prosecutors could face overlapping or inconsistent legal theories.

Finally, while the statute empowers the FTC, it leaves courts to define remedies and evidentiary standards for proving circumvention and downstream knowledge, so the practical enforcement regime will emerge slowly through litigation and agency rulemaking.
