The U.S. Federal Trade Commission (FTC) has reached a $2.25 million civil penalty settlement with Amazon over charges that the company systematically blocked identity theft victims from obtaining records of fraudulent transactions made in their names, in violation of federal law.

What the Law Requires

Section 609(e) of the Fair Credit Reporting Act (FCRA) gives identity theft victims the right to request transaction records from businesses within a 30-day window. According to a complaint filed with the Department of Justice, Amazon failed to meet this obligation in multiple ways:

  • Customer service agents denied requests by citing privacy or security concerns, with no legal basis to do so.
  • In cases where records were eventually provided, Amazon missed the 30-day statutory deadline.
  • Agents told some consumers they were simply unable to access the requested records.
  • Amazon refused to furnish records even to law enforcement agencies that had been authorized by victims to submit requests on their behalf.

The FTC noted that some consumers, in frustration, resorted to sending Amazon printed copies of the FCRA and FTC guidance in an attempt to compel compliance. Amazon still failed to act.

Terms of the Settlement

Under the proposed order, Amazon must pay the $2.25 million penalty and come into full compliance with the FCRA going forward, including providing requested records to victims and law enforcement within 30 days. The company is also required to notify consumers who submitted records requests since April 2024 but never received a response, informing them that they may submit new requests.

Context and Prior Penalties

This is not Amazon’s first regulatory fine related to consumer protection. In July 2023, Amazon paid $25 million to settle allegations of children’s privacy violations tied to its Alexa service. More recently, in September 2025, the company paid $2.5 billion to resolve a lawsuit alleging it used deceptive design patterns to enroll users in Prime memberships and obstruct cancellations.

The FCRA identity-theft records issue is not unique to Amazon. Kohl’s Department Stores paid a $220,000 fine under similar circumstances after refusing to provide fraud transaction records to identity theft victims.

For security and compliance professionals, the case is a reminder that incident response obligations extend to third-party platforms that may hold transaction data relevant to fraud investigations, and that refusal to cooperate carries regulatory consequences.