On June 30, 2026, the Federal Trade Commission announced that Amazon.com, Inc. will pay a $2.25 million civil penalty — the largest ever secured under Section 609(e) of the Fair Credit Reporting Act — to resolve charges that it knowingly refused to provide identity theft victims with records of the fraudulent transactions made in their names.

The dollar figure is a rounding error for Amazon. The reason this settlement matters is the statute it enforces. Section 609(e) is one of the most obscure operative provisions in federal consumer protection law, and it does not apply to credit bureaus — it applies to ordinary businesses. Any company at which an identity thief opened an account or ran a transaction owes the victim copies of the relevant records, free, within 30 days of a proper request. Most retailers, marketplaces, lenders, telecoms, and subscription businesses have no written process for this at all. As of this week, the FTC has demonstrated that the gap is worth a seven-figure penalty and a compliance order — and that “we told the victim no for privacy reasons” is an aggravating fact, not a defense.

This article explains what the FTC alleged, what Section 609(e) actually requires, who is covered, and how to build the modest program that keeps a company off this particular enforcement list.

What the FTC Alleged

According to the FTC’s complaint and press release, consumers whose identities had been used to make fraudulent purchases or open accounts on Amazon contacted the company to obtain the transaction records — the paper trail victims need to dispute charges, correct credit reports, and support police reports.

The agency’s core allegations:

  • Refusals dressed up as privacy. Amazon customer service agents told victims the company could not provide the requested records for “security” or “privacy” reasons — inverting the statute, which exists precisely to give victims access to records about fraud committed in their own names.
  • An absurd verification demand. In one instance cited by the FTC, a consumer seeking records of the fraud committed against them was asked to guess the name of the identity thief before Amazon would locate the records.
  • No written policy for years. Amazon had no written policy for responding to Section 609(e) requests until early 2025 — and adopted one only after learning of the FTC’s investigation, despite prior outreach from FTC staff advising the company to review its compliance.

That last allegation is what converts a process failure into a knowing violation. The FCRA authorizes enhanced civil penalties where a company knowingly violates the statute, and the combination of direct agency outreach followed by continued non-compliance is close to a textbook record for “knowing.” It is the same escalation logic the Commission has applied across its recent docket — companies that were warned, and then did not move, draw the penalty rather than the closing letter.

Section 609(e): The Identity-Theft Records Rule

Section 609(e) of the FCRA, codified at 15 U.S.C. § 1681g(e), was added by the Fair and Accurate Credit Transactions Act of 2003. It is short, and its obligations are concrete.

Who is covered. Not consumer reporting agencies — “business entities.” The provision applies to any business that has provided credit, products, or services to, or accepted payment from, or otherwise entered into a transaction with a person who has allegedly made unauthorized use of the victim’s means of identification. In plain terms: if a fraudster used a stolen identity at your company, your company is covered. That reaches marketplaces, retailers, banks, card issuers, wireless carriers, utilities, BNPL providers, insurers, and subscription services alike.

What must be provided. Copies of the application and business transaction records related to the fraudulent transaction — the account application, order and payment records, delivery information, and similar documentation — provided at no charge to the victim, and, at the victim’s election, to any law enforcement agency or officer the victim authorizes.

The clock. Records must be provided within 30 days of receipt of a compliant request.

What the business may require. The statute lets a business condition disclosure on reasonable verification, and nothing more:

  1. Proof of identity — which the statute says may be satisfied by a government-issued ID, personal information matching what the business has on file, or similar;
  2. Proof of an identity theft claim — a copy of a police report and a completed FTC identity theft affidavit (or the business’s own affidavit form).

A business may decline in limited circumstances — for example, where it cannot verify the requester’s identity in good faith, or where the request is based on a misrepresentation. What it may not do is what the FTC alleged Amazon did: treat the victim as a stranger with no right to the file, cite “privacy” as a reason to withhold records of crimes committed against the very person asking, or impose verification hurdles the statute nowhere contemplates.

The design logic is worth stating because it explains the FTC’s posture. An identity theft victim is trying to prove a negative — I did not make this purchase — to credit bureaus, banks, and police. The transaction records held by the business where the fraud occurred are usually the only evidence of what happened: the shipping address the thief used, the device, the payment instrument. Congress decided in 2003 that victims should not need a subpoena to see them. A refusal does not protect anyone’s privacy; it protects the thief’s.

The Settlement Terms

Under the proposed order filed by the Department of Justice on the FTC’s behalf, Amazon must:

  • Pay $2.25 million in civil penalties — the largest Section 609(e) recovery to date;
  • Provide records lawfully requested by identity theft victims and by law enforcement acting with victim authorization, within the statutory timeframe;
  • Notify consumers about how to request records under the FCRA — making the right visible rather than discoverable only by consumers who happen to know the statute; and
  • Go back and make it right: contact consumers who requested records since April 2024 but never received them.

The retrospective remediation deserves attention. The FTC is increasingly building look-back cure obligations into orders — the message to other companies is that delay does not just risk a penalty for future conduct, it creates a backlog of past refusals that an order will force you to reopen.

Why This Fits the FTC’s 2026 Pattern

This is the third FTC action in five weeks aimed at unglamorous, operational consumer-protection failures rather than novel technology theories. In early June, the Commission put Illuminate Education under a twenty-year information-security order for an edtech breach (our analysis); in late June it finalized the Kochava settlement banning the sale of sensitive location data without opt-in consent (our analysis). The Amazon matter continues the theme: the agency is enforcing the specific, mechanical obligations that already exist in statute, against companies large enough that the failure cannot be attributed to ignorance of the law.

There is also a quieter signal in the choice of statute. FCRA civil-penalty actions require referral to the Department of Justice, and the “largest ever” framing under a provision with almost no enforcement history tells the market that the FTC has been inventorying underused authorities. Section 609(e) requests are about to increase — identity-theft assistance services, consumer attorneys, and the FTC’s own IdentityTheft.gov materials will route victims to this right far more often now that a headline enforcement action exists.

The Compliance Playbook

For most companies, full Section 609(e) compliance is a small program. That is exactly why the FTC’s tolerance for non-compliance is low.

  • Adopt a written 609(e) policy. Define what qualifies as a request, the verification you will require (track the statute: identity proof plus police report/FTC affidavit — no more), the 30-day clock, and who owns fulfillment. Amazon’s central failure was not having one.
  • Create an intake channel and route it. Victims will surface through general customer service, fraud teams, and legal. Front-line agents need a recognition script: a consumer reporting identity theft and asking for transaction records is exercising a federal right, not making a discretionary service request. Escalate to a trained queue.
  • Train the front line explicitly against the “privacy” refusal. The instinct to withhold account records from a third party is correct in every other context — that is what makes this failure mode so common. Agents must be taught that a verified identity theft victim is not a third party to the fraudulent transaction records.
  • Build the fulfillment package. Decide in advance which records constitute “application and business transaction records” for your business — account application data, order details, payment instrument (appropriately truncated), shipping/delivery data, device and session information where relevant — and how they are exported.
  • Support law enforcement disclosure. The victim can direct records to an investigating agency; your process should handle that authorization without treating it as a subpoena requirement.
  • Log everything. Requests received, verification collected, dates, what was produced. If a regulator asks, the difference between “no policy until the investigation” and a clean production log is the difference between a penalty and a closed inquiry.
  • Mind the adjacent obligations. A 609(e) request is usually accompanied by an FCRA Section 605B block request to credit bureaus and disputes under the FCBA/EFTA. If you furnish data to credit bureaus, the same fact pattern triggers your furnisher duties — including not re-reporting information the victim has identified as resulting from identity theft.

Conclusion

Amazon’s $2.25 million penalty will not change its financial statements, but it should change other companies’ risk registers. Section 609(e) has sat in the FCRA for more than two decades, applying to essentially every consumer-facing business, enforced almost never. The FTC has now established the template: identify a mechanical statutory duty, document that the company was told and did nothing, obtain a “knowing violation” penalty and a corrective order with retrospective cleanup.

The provision itself asks very little — a policy, a trained intake path, a records package, a 30-day turnaround. Companies that handle fraud disputes at any volume should assume that 609(e) requests are already arriving, mislabeled as ordinary customer-service contacts and answered, as Amazon’s were, with well-intentioned refusals. Finding and fixing that failure mode this quarter is dramatically cheaper than becoming the second-largest Section 609(e) penalty in history.

This article is provided for informational purposes only and does not constitute legal advice.