FTC orders Amazon to pay $2.25 million over FCRA identity-theft records failures
Companies holding transaction records must give identity-theft victims their application and business-transaction records within FCRA's 30-day limit — the FTC fined Amazon $2.25m for refusing
- — Amazon customer-service and compliance teams must produce the application and business transaction records that identity-theft victims request within the FCRA's 30-day deadline and must not condition release on the victim identifying the thief or on "security"/"privacy" objections — the stipulated order makes such refusal a court-enforceable violation.
- — Amazon must contact every consumer who requested records since April 2024 without receiving them to tell them additional records may be available — failing to give that notice breaches the order and exposes Amazon to court enforcement.
- — Compliance teams at other companies holding application and transaction records under FCRA Section 609(e) — including e-commerce marketplaces — must respond to identity-theft victims' records requests within 30 days, because the FTC treated the absence of a written response process and missed deadlines as the basis for a record penalty.
- — Amazon customer-service and compliance teams handling identity-theft records requests
- — Compliance teams at e-commerce marketplaces and other companies subject to FCRA Section 609(e)
This is the part most alerts miss — who's affected, what moves first, what to watch. Create a free account to keep your decision trail and get the next relevant change in your inbox.