FTC Fines Amazon 2.25 Million for FCRA Violations
Amazon must pay 2.25 million dollars to settle FTC charges that it knowingly violated the Fair Credit Reporting Act by blocking identity theft victims from getting fraud records about fraudulent transactions in their names.
The FTC says Amazon refused to provide transaction and application records within the 30 day window required by the FCRA Section 609(e), a provision designed to help crime victims verify what happened and take steps to recover. The case, which the Department of Justice filed after the FTC raised the flag, centers on Amazon’s handling of requests from people whose personal information had been used by identity thieves to commit fraud. The agency alleges the company did not have a written policy to respond to these 609(e) requests until early 2025, despite multiple outreach attempts by FTC staff urging a compliance review. In the agency’s view, the lapse meant victims faced unnecessary delays and hurdles to access records that could help them protect themselves and pursue remedies.
The complaint highlights a pattern where Amazon customer service representatives told victims they could not provide records for what they described as security or privacy reasons, effectively blocking access to documents that could verify fraudulent activity. The FTC describes such refusals as creating a Kafkaesque ordeal for victims who were trying to understand who stole their information and how to stop ongoing fraud. The situation underscores a friction point between privacy controls and the legal obligation to furnish data that could facilitate fraud recovery.
The enforcement action signals how seriously federal regulators take the balance between consumer privacy and consumer rights in the aftermath of identity theft. The FTC chair and agency leadership have repeatedly warned that companies cannot sidestep their legal duties under the FCRA, especially when those duties are meant to support victims. The DOJ’s involvement in filing the complaint reinforces the intent to ensure that critical consumer records are accessible when needed to thwart ongoing fraud.
For compliance officers and tech leaders, the decision is a reminder of two concrete realities. First, 609(e) requests come with a hard 30 day clock, and systems must be there to locate, assemble, and deliver the right documents quickly. Second, the policy and process must be clear and documented; ad hoc discretion around what can be shared or withheld exposes an organization to penalties and reputational risk. The settlement also demonstrates that regulators will press for concrete policy changes rather than vague assurances, and they will insist on timely adherence even in the wake of a corporate investigation.
Two to four practitioner takeaways emerge from the case. One, implement and codify a formal 609(e) response workflow that assigns ownership, defines data identifiability, and sets an auditable timeline for fulfillment. Two, train front line teams to distinguish legitimate privacy or security concerns from lawful disclosure obligations, avoiding the trap of wishing away records on vague grounds. Three, build a documented escalation path for problematic requests so that more sensitive cases are promptly routed to compliance leadership rather than stakeholders who may misinterpret policy. Four, prepare for external scrutiny by logging requests, responses, and reasoning in a centralized, inspectable system so regulators can verify that the 30 day requirement is met consistently.
- FTC Requires Amazon to Pay $2.25 Million to Resolve Charges It Knowingly Violated the Fair Credit Reporting ActFTC Consumer Protection Press Releases / Primary source / Published JUN 30, 2026 / Accessed JUL 02, 2026