Amazon to pay $2.25 million to settle FCRA charges
Amazon must pay $2.25 million to settle FTC FCRA violations. The filing states the Department of Justice filed the complaint after notification from the FTC, accusing Amazon of knowingly violating Section 609(e) of the Fair Credit Reporting Act by refusing to provide transaction records to identity theft victims within the required 30 days. The filing states Amazon had no written policy to respond to 609(e) requests until early 2025, despite prior outreach from FTC staff.
Consumers who reported fraud found that Amazon’s customer service would not release business records tied to fraudulent transactions, with officials citing security or privacy concerns. In one case documented in the filing, a victim said Amazon demanded that they identify the thief before it would release the records the law entitles them to. The agency frames these refusals as preventing victims from obtaining documentation that could help them protect themselves and recover from fraud.
FTC Director Christopher Mufarrige described the victims’ ordeal as Kafkaesque, noting that records the law entitles fraud victims to obtain can be crucial for disputing charges, restoring accounts, and rebuilding financial health. The complaint ties these refusals to long delays and a lack of a formal process, undermining the purpose of 609(e), which is to empower victims with timely access to their own information. The DOJ’s involvement, triggered by the FTC’s outreach, underscores the severity with which authorities treat material noncompliance in cases of identity theft.
The settlement also marks a clear enforcement signal to other large platforms that consumers harmed by fraud must receive prompt access to the data tied to fraudulent activity. While the penalty is focused on Amazon, the broader implication is that companies with financial data and identity verification responsibilities should review and tighten their own processes to avoid similar enforcement actions. The decision comes at a time when identity theft remains a persistent risk for consumers who rely on online marketplaces for purchases and payments, heightening the importance of robust, timely access to transaction records for victims.
From a compliance perspective, there are several practical takeaways. First, build and codify a written 609(e) response policy that explicitly controls the 30-day timeline and the exact records to be released, to prevent ad hoc refusals and inconsistent handling. Second, design a clear internal workflow that separates privacy protections from the victim’s rights to their information, with a process for securely verifying identity without creating unnecessary barriers for legitimate requests. Third, train frontline agents to recognize 609(e) requests as urgent and to escalate properly when records are needed for fraud recovery, rather than blocking them for nontechnical reasons. Fourth, implement ongoing monitoring and regular audits of 609(e) requests to catch drift from policy and ensure consistent compliance across customer service channels. Taken together, the case elevates the operational cost of compliance for firms whose services touch consumer data and identity verification, while offering a roadmap for how to align privacy safeguards with statutory rights.
- FTC Requires Amazon to Pay $2.25 Million to Resolve Charges It Knowingly Violated the Fair Credit Reporting Act / FTC Consumer Protection Press Releases / Primary source / Published JUN 30, 2026 / Accessed JUN 30, 2026