Amazon FTC Penalty Exposes India’s Identity-Theft Records Gap
The FTC fined Amazon $2.25 million after alleging the company failed to give identity-theft victims fraudulent-transaction records required under Section 609(e). India’s DPDPA 2023 and IT Act do not contain a direct equivalent, leaving platform-disclosure rights unresolved.

FTC Says Amazon Withheld Fraudulent-Transaction Records
The Federal Trade Commission fined Amazon $2.25 million after alleging that customer-support failures blocked identity-theft victims from obtaining fraudulent-transaction records.
The FTC complaint alleged that Amazon refused to provide victims with records of fraudulent transactions.
The agency said one support agent would not provide records for a fraudulent account unless the victim could identify the person who opened it.
Under Section 609(e) of the Fair Credit Reporting Act, a business entity must provide identity-theft victims with application and business transaction records showing fraudulent transactions within 30 days of a request.
The complaint said Amazon routinely failed to provide those records before February 2025.
The FTC complaint described one victim who had to make more than 30 attempts at identifying the person behind a fraudulent account.
The complaint said Amazon still did not remove that victim’s credit-card information from the fake account.

Amazon Added A Policy Only After The Investigation
The complaint said Amazon refused in several cases to share details about another account that had used a victim’s credit card, citing privacy and security reasons.
The FTC said Section 609(e) does not allow Amazon to deny requests for identity-theft transaction records on those grounds.
Amazon did not have a written policy for responding to Section 609(e) requests until early 2025, according to the FTC complaint.
The company implemented the policy after learning that the FTC was investigating its compliance with the law.
The FTC investigation still raised concerns that Amazon continued to deny certain Section 609(e) requests for unlawful reasons despite the new policy.
The agency said those denials kept some victims from obtaining records needed to document fraudulent transactions.

India Lacks A Direct Equivalent To FCRA 609(e)
The case has a digital-policy angle for India because the Digital Personal Data Protection Act 2023 and the IT Act do not contain a direct, actionable equivalent to FCRA 609(e).
The Indian framework does not name a mechanism that lets identity-theft victims compel e-commerce platforms to disclose application and transaction records for a fraudulent account.
Some key DPDPA provisions are not yet in force.
Indian platform users therefore remain dependent on broader data-protection and cybercrime processes rather than a specific disclosure right matching the US records rule.
India’s Guidelines for Prevention and Regulation of Dark Patterns, 2023, were also cited in relation to Amazon’s app practices.
Those guidelines address deceptive interface design, but they do not create the same record-disclosure pathway that Section 609(e) gives identity-theft victims in the United States.
The FTC order did not name an Indian enforcement action, an equivalent Indian platform-records rule, a direct disclosure deadline for e-commerce identity-theft victims or an Amazon India penalty tied to the same conduct.