Amazon Just Paid $2.25 Million for Stonewalling Identity Theft Victims — California Law Gives You an Even Stronger Tool

By: Joshua B. Swigart

Swigart Law Group, APC | Consumer Protection Blog | San Diego, California 

If your identity has ever been stolen, you know the frustration. Someone opens an account in your name, and when you contact the company to find out what happened, you hit a wall: “We can’t share that for privacy reasons.” “We can’t verify you’re the account holder.” You are left trying to clean up a fraud you never committed — without the very records that would prove it. Federal law says companies cannot do that. And on June 30, 2026, the Federal Trade Commission made an example of one of the largest companies in the world. 

The FTC’s Record $2.25 Million Settlement Against Amazon 

Amazon agreed to pay $2.25 million in civil penalties — a record for this type of violation — to resolve allegations that it knowingly violated Section 609(e) of the Fair Credit Reporting Act (FCRA) by refusing to give identity theft victims the transaction records the law entitles them to. According to the government’s complaint, Amazon routinely denied victims’ requests for records of fraudulent transactions, telling them it couldn’t share records for “security” or “privacy” reasons. In one striking example, Amazon told a victim it would not release details about a fraudulent account unless the victim could guess the name the identity thief had used — which the victim could not do after 30 attempts. 

Amazon even refused requests submitted by law enforcement acting on victims’ behalf, and had no written policy for handling these requests at all until early 2025, after learning of the FTC’s investigation. The FTC’s Bureau of Consumer Protection described the ordeal as “Kafkaesque.” In addition to the penalty, the court order requires Amazon to comply with Section 609(e) going forward, notify consumers of their right to request these records, and re-contact consumers whose requests it ignored since April 2024. 

What Section 609(e) Requires Companies to Give You 

Section 609(e) of the FCRA (15 U.S.C. § 1681g(e)) is one of the most important — and least known — tools available to identity theft victims. It requires any business that transacted with an identity thief using your information (a retailer, bank, utility, cell phone carrier, or lender) to provide you, free of charge and within 30 days of a proper request, copies of the application and business transaction records related to the fraud. 

Those records matter enormously. They show what information the thief used, when and where the account was opened, what was purchased, and where items were shipped. They are the raw evidence victims need to dispute fraudulent accounts with credit bureaus, block fraudulent information from their credit reports, stop debt collectors, and assist law enforcement. 

The Catch: You Usually Cannot Sue Under Section 609(e) 

Here is the problem. Unlike most of the FCRA, Section 609(e) does not give consumers a private right of action. If a company ignores your request or stonewalls you the way Amazon allegedly did, you cannot sue that company under Section 609(e) itself. Enforcement is left to the FTC — and the FTC has brought exactly two of these cases in the statute’s history (the first was against Kohl’s in 2020). For most victims, waiting for a once-in-a-decade federal enforcement action is not a realistic remedy. 

California’s Better Answer: Penal Code § 530.8 

California law fills the gap — and then some. California Penal Code § 530.8 gives identity theft victims their own directly enforceable right to these records. 

If you discover that an unauthorized person filed an application or opened an account in your name — with a bank, credit union, credit card issuer, lender, public utility, cell phone carrier, or mail-forwarding service — the business must provide copies of all records related to the fraudulent account, free of charge, within 10 business days of your request. That is three times faster than the federal deadline. And California puts real teeth behind it: 

•  You can petition the superior court for an order compelling release of the records, and the court must hold a hearing within 10 court days. 

•  You can bring your own civil action for damages, injunctive relief, and a civil penalty of $100 per day of noncompliance, plus reasonable attorney’s fees. 

In California, a company that stonewalls a victim the way Amazon allegedly did isn’t just risking a rare FTC action — it is exposing itself to a lawsuit from the victim directly, with the penalty meter running every day it fails to comply. 

How Do I Request My Fraud Records Under Penal Code § 530.8? 

To exercise your rights under Section 530.8, present the business with: 

•  A police report documenting the identity theft (California Penal Code § 530.6 requires your local police department to take your report even if the crime occurred elsewhere), or a signed FTC Identity Theft Report completed at IdentityTheft.gov; and 

•  Identifying information matching what the thief used to open the account (for example, your name, address, Social Security number, or date of birth as they appeared on the fraudulent application). 

Submit your request in writing to the business, keep copies of everything, and keep proof of delivery. The 10-business-day clock starts when the business receives your request and documentation. 

Frequently Asked Questions About Identity Theft Records 

How long does a company have to give me my identity theft records in California? 

Under California Penal Code § 530.8, a business must provide copies of all records related to a fraudulent application or account within 10 business days of receiving your written request and supporting documentation. That is significantly faster than the federal deadline under FCRA § 609(e), which gives companies 30 days. The 10-business-day clock begins when the business actually receives your request, so keeping proof of delivery is important. If the deadline passes and the company still refuses, California law allows you to petition the court and seek a $100-per-day penalty for every day of noncompliance. 

Can I sue a company that refuses to give me my fraud records? 

In California, yes. While federal law (FCRA § 609(e)) has no private right of action — meaning only the FTC can enforce it — California Penal Code § 530.8 gives you your own directly enforceable remedy. You can petition the superior court for an order compelling the business to release the records, and you can bring a civil action for actual damages, injunctive relief, a civil penalty of $100 per day of noncompliance, and reasonable attorney’s fees. This means a company that stonewalls you in California faces real, escalating exposure — not just a rare federal enforcement action. 

What do I need before I can request identity theft records? 

You will need two things. First, proof of the identity theft — either a police report (California Penal Code § 530.6 requires your local police department to take your report even if the fraud happened in another city or state) or a signed FTC Identity Theft Report, which you can complete for free at IdentityTheft.gov. Second, identifying information that matches the categories the thief used to open the fraudulent account — for example, your name, address, Social Security number, or date of birth as they appeared on the fraudulent application. Submit both in writing to the business that opened the account. 

Does it cost anything to get my identity theft records? 

No. Both California Penal Code § 530.8 and federal FCRA § 609(e) require the business to provide these records free of charge — the company cannot bill you for producing them.  

How do these records actually help my identity theft case? 

Fraudulent account records are frequently the foundation of a successful consumer protection claim. They establish what information the thief used, when and where the account was opened, and what was charged — the evidence needed to dispute the debt, block the fraudulent information from your credit reports, and stop collectors from pursuing you. Records obtained under Section 530.8 and Section 609(e) often support broader claims under the Fair Credit Reporting Act, the Fair Debt Collection Practices Act, the Rosenthal Act, and California’s Identity Theft Act (Civil Code § 1798.93), which allows for up to $30,000 in statutory damages for a willful violation. 

Protect Your Credit With the Help of a Fair Credit Reporting Act Attorney 

Almost everyone relies on their credit — to buy a home, finance a car, secure a credit card, or even pass a background check for a new job. Yet the accuracy of the information in your credit file is largely in the hands of companies that do not always take the care the law requires. A single error, a mixed file, or a debt that was never yours can quietly cost you thousands of dollars in higher interest rates or lost opportunities. 

The Fair Credit Reporting Act offers consumers a series of protections against these harms, and it specifically allows consumers to bring legal action against credit reporting agencies and furnishers that fail to follow the law. An FCRA attorney from Swigart Law Group can help you understand the options available to you and how your situation might be remedied. Contact us today for a free consultation: 866-219-3343. 

This post is attorney advertising and is provided for general informational purposes by Joshua Swigart – Swigart Law Group, APC located in San Diego, CA; it is not legal advice and does not create an attorney-client relationship. Past results do not guarantee future outcomes; each case differs.  

Contact us today for a free consultation. “Call 866-219-3343 or email us at IntakeSLG@swigartlawgroup.com”