The US Federal Trade Commission has ordered Amazon to pay USD 2.25 million to settle allegations that it violated the Fair Credit Reporting Act.
The complaint, filed by the Department of Justice (DOJ) on the FTC's referral, centred on Amazon's handling of requests from identity theft victims seeking records of fraudulent transactions carried out using their personal information.
Allegations under Section 609(e)
According to the FTC, Amazon repeatedly failed to comply with Section 609(e) of the FCRA, a provision requiring companies to provide identity theft victims with application and business transaction records related to fraudulent activity within 30 days of a request. The complaint stated that Amazon had no written policy for handling such requests until early 2025, after the company became aware of the FTC's investigation, despite earlier warnings from FTC staff about its compliance obligations.
The FTC alleged that consumers who contacted Amazon to report fraud were frequently told by customer service representatives that records could not be shared for 'security' or 'privacy' reasons. In one instance cited in the complaint, a consumer was asked to correctly guess the name used by the identity thief on a fraudulent account before Amazon would release related records, an attempt the consumer failed to complete after 30 tries. The complaint further stated that Amazon declined similar requests submitted by law enforcement agencies acting on behalf of identity theft victims, and that in some cases where records were eventually provided, Amazon did not meet the 30-day statutory deadline.
Terms of the settlement
Beyond the financial penalty, described by the FTC as the largest imposed to date for a Section 609(e) violation, the proposed order requires Amazon to comply with the provision going forward and to supply requested records to identity theft victims and authorised law enforcement agencies. Amazon must also notify consumers of their rights to request records under the FCRA and contact individuals who sought records since April 2024 but did not receive them, informing them that additional records may be available.
The case was brought under authority the FTC has used only once before, in a 2020 action against Kohl's Department Stores Inc., marking the second instance of enforcement under this specific FCRA provision. The Commission voted 2-0 to refer the complaint to the DOJ, which filed both the complaint and the final stipulated order in the US District Court for the District of Columbia. Once signed by the presiding judge, the order will carry the force of law.
Regulatory context
The action reflects continued FTC scrutiny of how large consumer-facing platforms handle data access obligations tied to identity theft protections. Section 609(e) was designed to give fraud victims a mechanism to obtain documentation needed to dispute unauthorised transactions and support recovery efforts. The settlement signals that the FTC intends to enforce these obligations against major online retailers, alongside its existing focus on data privacy and consumer protection compliance more broadly.