Kohl’s settles with FTC over its alleged FCRA violation

562
SHARE
Kohl's Drive up
Image credit: Kohl's Department Stores, Inc.

Kohl’s Department Stores, Inc. agreed to settle a complaint by the Federal Trade Commission (FTC), alleging that it violated the Fair Credit Reporting Act (FCRA).

In the complaint, the FTC alleged that Kohl’s refused to provide complete records of transactions to consumers who were victims of an identity thief.

According to the Commission, Kohl’s started refusing consumers’ requests after it changes policy for responding to FCRA (609)(e) in February 2017 and August 2018.

FCRA Section (609)(e) requires companies to provide all transaction records not later than 30 days after the date of receipt of a request by consumers whose personal information was used by identity thieves.

FTC accuses Kohl’s of knowingly engaging in unlawful business practices

“As a result of Kohl’s February 2017 and August 2018 Policies, many victims of identity theft were unable to obtain application and business transaction records related to the identity theft they suffered. Specifically, Kohl’s informed victims that it was not permitted to share such information with anyone other than law enforcement,” wrote the FTC in the complaint.

The Commission added that Kohl’s failed to respond to victims on several occasions—even to issue a denial of their request—within 30 days. Victims repeatedly complained to the company about its inaction and even sent a copy of the language of the FCRA FCRA Section (609)(e) and the FTC business guidance regarding the matter. Their efforts did not encourage the retailer to change its policy.

The FTC alleged that “Kohl’s knowingly engaged in its unlawful acts and practices for more than two years (February 2017 through March 2019), Kohl’s continued its unlawful acts or practices despite knowledge of numerous complaints from victims of identity theft.”

The company “only stopped its unlawful conduct six months after it received a Civil Investigative Demand from the FTC.”

Kohl’s agrees to pay a civil penalty of $220,000

To resolve the allegations of the FTC, Kohl’s agreed to pay a penalty of $220,000 and to provide identity thief victims with access to business transactions related to the theft within 30 days.

The company will only give access to victims who provide valid verification of their identity and identity theft.

Additionally, Kohl’s agreed to post a notice on its website about the process in which identity theft victims can obtain records related to the identify theft and to certify that it has reached out to victims who were unlawfully denied access to such records in the past.

In a statement, FTC Bureau of Consumer Protection Director Andrew Smith said, “If someone stole your identity, it’s your right to get the records related to the theft – and that’s a right the FTC takes seriously. This case is a warning to other companies: We will hold you responsible if you fail to give identity theft victims the required business records.”