FTC requires Amazon to pay $2.25M over identity-theft victims’ FCRA records requests
FTC says Amazon violated FCRA Section 609(e) by refusing or delaying identity-theft record requests. Proposed settlement: $2.25M + victim notice.
The Federal Trade Commission says Amazon mishandled identity-theft victims’ requests for certain application and business transaction records under Section 609(e) of the Fair Credit Reporting Act (FCRA). On June 30, 2026, the FTC announced a proposed resolution that would require Amazon to pay $2.25 million.
The related court papers were filed June 29, 2026. The FTC also asked the court to enter a stipulated order that, if approved, would include notice and outreach so eligible victims learn how to request the records and so some people who previously requested records can be reached with instructions.
What the FTC alleges Amazon did wrong under FCRA Section 609(e)
In its complaint, the FTC alleges Amazon refused to provide some covered records and, in other instances, failed to respond within the FCRA’s required 30-day timeframe. The FTC also alleges Amazon sometimes pointed to security or privacy reasons to deny requests—claims the FTC argues are not permitted under the Section 609(e) framework.
The key compliance deadline: 30 days
A major issue in the case is timing. The FTC’s complaint alleges Amazon did not provide application and business transaction records not later than 30 days after eligible identity-theft victims requested them.
What the proposed stipulated order would require (beyond payment)
According to the FTC’s proposed order documents, Amazon would have to:
- Provide website notice describing how identity-theft victims can request covered records
- Send records within 30 days after receiving qualifying requests (subject to the Section 609(e) process and verification requirements described in the court papers)
- Do outreach aimed at reaching eligible victims and certain people who previously requested records but did not receive them
As always in FTC enforcement announcements, readers should treat this as resolution of allegations through a proposed stipulated order—until the court enters an order on the terms described in the case packet.
Who’s affected—and what to watch next
The practical impact is on identity-theft victims trying to obtain application and business transaction records tied to fraudulent activity. The FTC’s focus is not just on broad privacy policy—it’s on whether companies follow the legally required records-request timing rules.
What to watch next:
- Whether and when the court enters the stipulated order on the FTC’s proposed terms
- Whether the FTC uses this case as a template for similar enforcement around Section 609(e) response-handling
If you are an identity-theft victim pursuing records under Section 609(e), a practical takeaway is to keep documentation of your request and dates—because this case underscores that federal regulators treat the 30-day response requirement as a core compliance obligation.
Sources
Discover more from Interactive News
Subscribe to get the latest posts sent to your email.