Amazon to pay $2.25M in civil penalties

Body

WASHINGTON, D.C. – Online retail giant Amazon will be required to pay $2.25 million to resolve Federal Trade Commission charges that the company knowingly violated the Fair Credit Reporting Act.

On June 30, the FTC posted a press release alleging that Amazon “routinely denied requests from identity theft victims seeking records of fraudulent transactions made with their personal data.”

The $2.25 million civil penalty is a record for a Section 609(e) violation of the Fair Credit Reporting Act, which allows identity theft victims to request and obtain business records related to fraudulent transactions at no cost, within 30 days of a proper request, according to the FTC.

The case against Amazon is the second case the FTC has brought using its authority under Section 609(e) of the FCRA. The first case was filed in 2020 against Kohl’s Department Stores Inc.

“Amazon often put identity theft victims through a Kafkaesque ordeal by demanding they identify the thief who stole their information before Amazon would release the records the law entitles them to - records that could help victims protect themselves and recover from the fraudulent conduct,” said Christopher Mufarrige, director of the FTC’s Bureau of Consumer Protection. “The FTC will not allow companies to simply ignore their legal obligations, especially those designed to support and protect identity theft victims.”

In addition to requiring Amazon to provide records lawfully requested by identity theft victims and law enforcement agencies acting on the consumers’ behalf, the FTC order also requires the company to provide notice about how identity theft victims can request records under the FCRA. Amazon must contact consumers who had requested records since April 2024 but did not receive them.

According to the complaint, which was filed by the Department of Justice upon notification and referral from the FTC, “Amazon had no written policy to respond to Section 609(e) requests until early 2025, after it learned of the FTC’s investigation, despite prior outreach from FTC staff advising the company to review its compliance with Section 609(e).”

Guessing game

One consumer reported to the FTC that an Amazon company representative said “they could not share details about the other account that had used the consumer’s credit card for “security reasons” unless the consumer guessed the name on the account (the name used by the identity thief), which the consumer was unable to do after making 30 attempts.”

In other instances, the FTC complaint alleged that many consumers who contacted Amazon to report fraud were told by its customer service agents that they could not provide the requested records for “security” or “privacy” reasons. Amazon even refused, the press release said, “to provide application and business transaction records to law enforcement agencies who had been authorized to submit requests to Amazon on behalf of consumers.”

In some instances where Amazon ultimately provided requested records, the FTC complaint alleged, the company failed to respond to consumers within the 30-day timeframe required by the FCRA. The DOJ filed the complaint and final order on behalf of the Commission in the U.S. District Court for the District of Columbia. Stipulated final orders have the force of law when approved and signed by the District Court judge.