ARTICLE
3 July 2026

When “Just Send The Records” Isn’t Simple: Lessons From The FTC’s Amazon FCRA Settlement

KD
Kelley Drye & Warren LLP

Contributor

Kelley Drye & Warren LLP is an AmLaw 200, Chambers ranked, full-service law firm of more than 350 attorneys and other professionals. For more than 180 years, Kelley Drye has provided legal counsel carefully connected to our client’s business strategies and has measured success by the real value we create.
The Fair Credit Reporting Act (“FCRA”) is often thought of as a credit-reporting statute, but its reach is far broader—and its compliance demands far more nuanced—than many businesses may appreciate.
United States Consumer Protection
Kelley Drye & Warren LLP are most popular:
  • within Insolvency/Bankruptcy/Re-Structuring, Antitrust/Competition Law and Privacy topic(s)

The Fair Credit Reporting Act (“FCRA”) is often thought of as a credit-reporting statute, but its reach is far broader—and its compliance demands far more nuanced—than many businesses may appreciate. The FTC’s recent settlement with Amazon regarding how companies respond to consumer requests to access transaction records in connection with potential identity theft illustrates this point.

Narrow Duty with Broad Consequences

The Amazon settlement relates to Section 609(e) of the FCRA, 15 U.S.C. § 1681g(e), which requires a business that has potentially transacted with someone who fraudulently used a consumer’s identity to provide the identity-theft victim with the application and business transaction records of the fraudulent transaction. The statute permits a business to require proof of identity and proof of the identity-theft claim, and it allows a business to refuse the request only in narrowly defined circumstances.

According to the complaint, Amazon routinely declined to furnish identity-theft records, citing “security” or “privacy” grounds that the statute does not recognize as valid bases for refusal. The complaint alleges that consumers were forced to navigate a “Kafkaesque” loop to obtain records they were entitled to under Section 609(e): in some instances, customer service agents allegedly would not release records about a fraudulent account unless the victim could first name the identity thief—information available only in the very records being withheld. One victim reportedly guessed more than 30 names before giving up. The FTC also alleged that Amazon refused records to authorized law enforcement absent a subpoena and missed the FCRA’s 30-day deadline in numerous instances.

Compliance Lessons

What makes this settlement instructive is that Amazon’s alleged day-to-day practices, which included identity-verification scripts, escalation protocols, and well-intentioned “fraud prevention” efforts, did not meet the letter of the FCRA. Even after the FTC identified the issue to Amazon’s counsel in 2023, the FTC contends that the company did not implement a required written policy until 2025, after learning it was under investigation.

The parties’ resolution underscores the stakes. Amazon agreed to a $2.25 million civil penalty, detailed injunctive relief, multi-year website-notice requirements, affirmative outreach to “Eligible Identity Theft Victims,” and a decade of compliance reporting and recordkeeping. The order sunsets in 10 years.

Sophisticated Guidance Matters

The Amazon settlement illustrates that even well-intentioned compliance efforts can falter when they fail to account for the FCRA’s highly specific requirements. The statute imposes precise obligations, measured in days, triggered by specific requests, and subject to carefully delineated exceptions. These obligations intersect with other regulatory regimes, such as the Gramm-Leach-Bliley Act and state law.

Businesses that touch consumer data, payments, fraud response, or identity verification need experienced counsel who understand both the letter of the FCRA and how the Commission develops and resolves these cases.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

[View Source]

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More