The investigation revealed that Amazon had no written policy for responding to Section 609(e) requests until early 2025, despite prior outreach from FTC staff recommending compliance review. When Amazon did eventually provide records, it frequently missed the 30-day statutory deadline. The company's employees systematically denied requests based on vague security rationales while claiming they lacked access to information the law required them to produce.
The settlement carries broader implications for corporate compliance. At $2.25 million, this represents a record penalty for a Section 609(e) violation, signaling intensified regulatory enforcement around identity theft protections. Amazon must now notify consumers about their rights to request records under the FCRA and contact individuals who submitted unsuccessful requests since April 2024, informing them additional records may be available. For in-house counsel, the case underscores that statutory compliance obligations cannot be subordinated to internal security protocols, and that systemic process failures—not just isolated incidents—trigger significant regulatory exposure.