Amazon.com Inc. will pay 2.25 million dollars in civil penalties to resolve federal allegations that the company knowingly violated a federal law requiring it to hand over transaction records to identity theft victims, the Federal Trade Commission announced on June 30, 2026.

The settlement, filed as a stipulated order in the United States District Court for the District of Columbia, closes a case built on years of consumer complaints describing what regulators called a Kafkaesque cycle of denials. According to the FTC, Amazon routinely refused to provide the application and business transaction records that Section 609(e) of the Fair Credit Reporting Act (FCRA) entitles identity theft victims to receive, often citing "security" or "privacy" reasons that the law does not recognize as valid grounds for refusal.

Section 609(e) has existed since 2003. It requires any business entity that has entered into a transaction with someone who allegedly used another person's identity without authorization to provide the victim, or a law enforcement agency acting on the victim's behalf, with the relevant application and business transaction records. The law sets a firm deadline: records must arrive within 30 days of a written request. According to the complaint filed by the Department of Justice on June 29, 2026, Amazon had no written policy for responding to these requests until early 2025, and only adopted one after learning that the FTC was investigating its conduct.

What the FTC's complaint alleges

The Department of Justice complaint, filed at the FTC's request in Case No. 1:26-cv-2305, lays out a pattern that stretches back at least to 2022. Consumers who discovered fraudulent charges or fraudulent Amazon accounts opened in their names would contact the company seeking records showing how the fraud occurred. Instead of receiving those records, many were told the information could not be shared for security reasons, even when the requester was the victim asking about their own compromised identity.

One case detailed in the complaint illustrates the circular logic victims encountered. A consumer who contacted Amazon in June 2023 about unauthorized charges on a fraudulent account was told by a customer service agent that details could not be shared "for security reasons," but that the agent could confirm information if the victim guessed the name on the account, meaning the name of the person who had stolen their identity. The victim guessed more than 30 names before giving up. A supervisor later told the same victim that because the fraudulent account could not be authenticated, Amazon would not even remove the victim's credit card number from it.

A second consumer, also seeking records in June 2023 over unauthorized monthly charges, was asked at least half a dozen times to guess the names of friends and family members who might be the account holder behind the fraud. After escalating to a supervisor, the consumer was told that information about the fraudulent account could not be provided due to "security concerns." According to the complaint, the consumer responded: "Asking someone to GUESS a name to verify a suspected fraudulent account is absolutely ludicrous."

A third instance, involving a disputed Prime membership charge, produced a similarly pointed exchange. The consumer, frustrated after being asked to identify the person misusing their card, told the agent: "Do you understand how ridiculous that is? How can I provide the information for someone who possibly has my credit card information? The whole reason I contacted you was to find out what the charges to my credit card were. You have the information I need. I do not. I don't know the account. If I did, then I wouldn't need to contact you." A second agent then asked the consumer to "let me know every known name from your friend's [sic] or family" so the names could be checked against the account. The consumer guessed more than a dozen names without success, and the records were never released.

Christopher Mufarrige, Director of the FTC's Bureau of Consumer Protection, characterized the pattern in a statement accompanying the announcement. "Amazon often put identity theft victims through a Kafkaesque ordeal by demanding they identify the thief who stole their information before Amazon would release the records the law entitles them to, records that could help victims protect themselves and recover from the fraudulent conduct," Mufarrige said. "The FTC will not allow companies to simply ignore their legal obligations, especially those designed to support and protect identity theft victims."

A pattern that extended to law enforcement requests

The complaint does not limit its allegations to individual consumers. According to the FTC, Amazon also refused, in some instances, to provide the same records to law enforcement agencies that had been authorized by identity theft victims to request the information on their behalf. In certain cases, the company reportedly demanded that officers first produce a subpoena, even though Section 609(e) does not require law enforcement to obtain legal process before receiving these records when acting with a victim's authorization.

Some consumers tried to resolve the standoff themselves. The complaint describes at least one consumer who, in March 2022, sent Amazon a letter citing Section 609(e) directly and enclosing a printout of the FTC's own business guidance titled "Businesses Must Provide Victims and Law Enforcement with Transaction Records Relating to Identity Theft." After receiving no response, the same consumer followed up in August 2022 with a second letter, again enclosing the FTC guidance. Two other consumers who had both requested records in March 2022 sent follow-up complaints in April 2022, each again enclosing printouts of the statute. According to the complaint, in a June 2023 email to Amazon's legal counsel, another consumer raised the same subpoena issue directly with the company's lawyers. None of these efforts, the complaint states, prompted Amazon to change its practices.

The complaint also documents instances in which Amazon eventually provided records but missed the 30-day statutory deadline by wide margins. One consumer who first sought records in March 2025 did not receive a denial notice, stating that no responsive records could be located, until August 2025. Another consumer who also filed a request in March 2025 did not receive the records themselves until August 2025, five months later.

Timing and the settlement's terms

According to the FTC, the Commission first raised concerns about Amazon's Section 609(e) compliance in June 2023, after receiving a credible consumer complaint. FTC staff advised Amazon's counsel at that time to review the company's practices. Despite that outreach, the same identity theft victim who prompted the original complaint attempted again several months later to obtain records and was again refused. According to the complaint, Amazon did not provide the requested records until after the FTC formally notified the company in January 2025 that it was investigating Amazon's compliance with the statute. Only then, in early 2025, did Amazon implement a written policy governing how it would respond to these requests going forward. The FTC's filings note that facts uncovered during the investigation raised concerns that Amazon continued denying certain requests for improper reasons even after adopting the new policy.

The proposed stipulated order, filed alongside the complaint and signed for Amazon by Alexis Collins, Vice President of Amazon Legal, Enterprise Risk, on May 8, 2026, sets out several obligations beyond the monetary penalty. Amazon must pay the 2.25 million dollar civil penalty to the Treasurer of the United States within seven days of the court's entry of the order. The company is permanently enjoined from failing to provide the required records to identity theft victims or their authorized law enforcement representatives within 30 days of a properly submitted request, subject to identity verification standards spelled out in the order itself.

Beyond the injunction, Amazon must post a notice on its website within 30 days of the order's entry explaining how identity theft victims can request transaction records, and must maintain that notice for three years. The company also has to conduct what the order calls a reasonable search for what it terms "Eligible Identity Theft Victims," meaning consumers who requested records between April 1, 2024, and the date of the order but did not receive them. Amazon must notify these consumers, within 120 days of the order, that additional records may exist and explain how to request them, then certify within 180 days that it has sent the records to consumers who follow up with the required documentation. The order remains in effect for ten years after entry, with detailed recordkeeping and compliance reporting requirements that extend for portions of that decade, including personnel records, complaint logs, and training materials related to Section 609(e) compliance.

The Commission voted 2-0 to authorize the staff to refer the complaint to the Department of Justice and to approve the proposed order. The Department of Justice filed both the complaint and the proposed final order on the Commission's behalf. Because Amazon neither admits nor denies the FTC's allegations under the terms of the settlement, except for jurisdictional facts, the case closes without a judicial finding of liability. Lead attorneys on the matter for the FTC's Bureau of Consumer Protection are Whitney Moore, Gorana Neskovic, and Jamie Hine.

The second case of its kind

According to the FTC, this marks only the second enforcement action the agency has brought specifically under Section 609(e) of the FCRA since the provision was added to the statute in 2003. The first came in 2020, against Kohl's Department Stores Inc. The rarity of these cases makes the size of the penalty notable within its narrow legal category: the FTC describes the 2.25 million dollar figure as a record for a Section 609(e) violation, even though it is modest by comparison to penalties the agency has secured in unrelated consumer protection cases. The Federal Civil Penalty Inflation Adjustment Act of 1990, as amended, currently authorizes penalties of up to 4,983 dollars per violation for conduct occurring after January 17, 2025, and the complaint alleges that each instance of noncompliance constitutes a separate violation for penalty purposes.

The case adds to a run of FTC actions over the past year touching e-commerce and marketplace operators over consumer protection and disclosure obligations. The agency applied a similar consumer-disclosure lens to online marketplace operator Temu in September 2025, when it secured a 2 million dollar settlement, the first enforcement action under the INFORM Consumers Act, a law requiring marketplaces to verify and disclose information about high-volume third-party sellers. Mufarrige, the same Bureau of Consumer Protection Director quoted in the Amazon case, commented then that "online marketplaces" bear responsibility for complying with federal disclosure statutes and that violations "can result in serious consequences, including civil penalties."

Amazon's broader regulatory exposure

The Section 609(e) settlement arrives while Amazon faces separate and unrelated federal scrutiny over its advertising business. In September 2025, the FTC's consumer protection unit opened investigations into both Amazon and Googleexamining whether the companies properly disclosed reserve pricing and auction mechanics to advertisers buying search placements. That inquiry, distinct from the identity theft records case, centers on whether Amazon adequately informed advertisers about the minimum prices required to win certain search advertising slots.

The Commission's enforcement priorities for the coming years were formalized in its FY 2026-2030 Strategic Plan, published April 3, 2026, which sets consumer protection, antitrust enforcement, and competition promotion as core objectives and explicitly references the Amazon and Google ad-pricing probe as part of the backdrop against which the plan's priorities were drafted. The strategic plan does not name Section 609(e) enforcement specifically, but its consumer protection goal aligns with the kind of disclosure-focused case brought against Amazon this week.

Amazon separately remains locked in litigation over its AI shopping tools. The company sued Perplexity AI in November 2025 alleging that the Comet browser's shopping assistant violated computer fraud statutes by accessing Amazon accounts, a dispute that reached the Ninth Circuit Court of Appeals in April 2026 after Perplexity challenged a preliminary injunction. None of these matters bears directly on the identity theft records case, but together they illustrate a company navigating multiple, simultaneous regulatory and legal fronts in the United States even as its advertising segment continues to expand.

Why this matters for advertisers and platforms

The case carries direct relevance for anyone in retail media, e-commerce, or platform operations, not because it touches advertising technology directly, but because it demonstrates how the FTC treats statutory compliance deadlines once a violation pattern is established. Section 609(e) applies broadly to any business entity that extends credit, accepts payment, or otherwise transacts with someone later alleged to have committed identity theft using another person's information. That definition covers a wide swath of companies operating loyalty programs, subscription services, marketplaces, and payment processing systems, categories that overlap heavily with the retail media and commerce infrastructure that PPC Land covers regularly.

The order's requirement that Amazon proactively contact consumers who requested records since April 2024 but did not receive them sets a remediation template that other companies facing similar statutory violations may need to anticipate. Retroactive consumer notification, rather than a simple forward-looking injunction, adds operational cost and compliance burden beyond the headline penalty figure. For companies operating large-scale customer service operations across marketplaces, subscription commerce, or financial services adjacent to advertising, the case is a reminder that boilerplate "security" or "privacy" justifications for withholding legally mandated records do not satisfy statutory defenses, which under Section 609(e) require a good-faith determination based on specific criteria such as inability to verify identity or evidence the information requested is internet navigational data.

The rarity of Section 609(e) enforcement, only two cases since 2003, also means most companies have had limited guidance on what compliant practices look like in day-to-day customer service operations. This settlement, alongside the earlier Kohl's case, now stands as one of the only detailed public records describing what the FTC considers a violation versus a permissible denial under the statute's specific carve-outs.

Timeline

  • 2003: Section 609(e) is added to the Fair Credit Reporting Act, requiring businesses to provide transaction records to identity theft victims within 30 days of a request.
  • 2020: The FTC brings its first enforcement case under Section 609(e), against Kohl's Department Stores Inc.
  • March 2022: A consumer sends Amazon a letter citing Section 609(e) directly, enclosing FTC guidance; a second letter follows in August 2022 after no response.
  • April 2022: Two additional consumers who requested records in March 2022 send follow-up complaints to Amazon, again citing the statute.
  • June 2023: A consumer files a complaint with the FTC after Amazon fails to provide required records; FTC staff advises Amazon's counsel to review its Section 609(e) compliance. Multiple identity theft victims report being asked to guess the name of the person who stole their identity in order to receive records.
  • January 2025: The FTC formally notifies Amazon that it is investigating the company's compliance with Section 609(e).
  • Early 2025: Amazon implements its first written policy for responding to Section 609(e) requests.
  • March 2025: Two separate consumers file new record requests with Amazon; one does not receive a denial notice until August 2025, and the other does not receive the requested records until August 2025.
  • May 8, 2026: Alexis Collins, Vice President of Amazon Legal, Enterprise Risk, signs the proposed stipulated order on Amazon's behalf.
  • May 12, 2026: Amazon's outside counsel, Benjamin M. Mundel of Sidley Austin LLP, signs the proposed order.
  • June 29, 2026: The Department of Justice files the complaint and proposed stipulated order in the U.S. District Court for the District of Columbia.
  • June 30, 2026: The FTC publicly announces the 2.25 million dollar settlement.

Summary

Who: The Federal Trade Commission and the U.S. Department of Justice brought the case against Amazon.com Inc. Lead FTC attorneys were Whitney Moore, Gorana Neskovic, and Jamie Hine. Amazon was represented by Benjamin M. Mundel and Taylor G. Bragg of Sidley Austin LLP, with Alexis Collins, Vice President of Amazon Legal, Enterprise Risk, signing on the company's behalf.

What: Amazon agreed to pay 2.25 million dollars in civil penalties and accept a ten-year injunction after the FTC alleged the company knowingly violated Section 609(e) of the Fair Credit Reporting Act by routinely refusing to provide transaction records to identity theft victims within the legally required 30-day window.

When: The Department of Justice filed the complaint and proposed order on June 29, 2026. The FTC announced the settlement on June 30, 2026. The underlying conduct described in the complaint spans from at least 2022 through early 2025.

Where: The case was filed in the U.S. District Court for the District of Columbia as Case No. 1:26-cv-2305.

Why: According to the FTC, Amazon had no written policy for responding to Section 609(e) requests until early 2025, and only adopted one after learning the agency was investigating its practices, despite prior consumer complaints and direct FTC outreach in June 2023 advising the company to review its compliance.