Amazon Ruling Marks New Era of Personal Liability for Execs

10 minute read | October.20.2025

This article was originally published in Law360. Reprinted with permission.

A Sept. 17 summary judgment decision in Federal Trade Commission v. Amazon.com Inc. from the U.S. District Court for the Western District of Washington, in finding that two Amazon executives could be personally liable for violations of the FTC Act and the Restore Online Shoppers' Confidence Act, or ROSCA, has reverberated to the top of the same company. ^[1]

Shortly after the decision was announced, the company and the individuals agreed to settle with the FTC to avoid trial, with the company agreeing to pay $2.5 billion, including a $1 billion civil penalty — the largest in FTC history.

The summary judgment decision that preceded the multibillion-dollar settlement also has sent shock waves through the industry. The FTC proceeded under a dark patterns theory, alleging that the defendants deceived customers into signing up for the company's online services while employing design choices that made it very difficult for them to cancel.

This appears to mark the first time a court has held that individual executives of a large publicly traded company could be held personally liable for alleged consumer protection violations by the company.

This development represents a significant departure from historical practice and reaffirms the approach advanced more recently by former FTC Chair Lina Khan during the Biden administration.

Historically, the FTC has pursued individual executives at smaller entities, but generally has not taken individual actions against public company executives for violations of consumer protection statutes. However, Khan highlighted her intention to include individual executives in consumer protection enforcement matters while leading the FTC.

This ruling may encourage the FTC to pursue such individual claims in the future and may also further encourage other regulators — such as the Consumer Financial Protection Bureau, U.S. Securities and Exchange Commission, U.S. Commodity Futures Trading Commission, Federal Deposit Insurance Corp., Office of the Comptroller of the Currency, Federal Reserve and others — to assert consumer protection claims against individuals.

For example, less than a week after the settlement, on Sept. 29, the U.S. Department of Justice levied similar allegations against Iconic Hearts Holdings and its CEO in a personal capacity — in U.S. v. Iconic Hearts Holdings Inc. in the U.S. District Court for the Central District of California — indicating that across agencies, there may be an effort to assert personal claims against executive officers. ^[2]

The Enforcement Landscape: From Small Fish to Big Game

Traditionally, personal liability under consumer protection statutes has been the province of enforcement actions against closely held businesses and smaller companies.

In practice, the decision-making and operations of these companies are so dominated by their principals that the corporate veil provides little meaningful protection. In these contexts, the FTC's leverage is substantial, and individual defendants often lack the resources to mount vigorous defenses against the agency's demands.

The dynamics change dramatically when dealing with large public companies. These entities typically maintain robust compliance programs and have multilayered corporate decision-making structures. As a result, there are more protections for senior executives when making decisions, and enforcement agencies are less readily able to establish that a single individual was the cause of a particular corporate decision.

In addition, directors and officers insurance and executive indemnification agreements have historically provided executives with some degree of protection against personal liability.

The court's decision further disrupts this established framework. By holding that two executives could be personally liable as a result of the company's actions under both the FTC Act's prohibition on unfair or deceptive acts or practices, and ROSCA's requirements for online negative option features, the court signaled that senior officers at major corporations are at risk.

The Legal Framework: Expanding Individual Accountability

In the recent summary judgment decision, the federal district court in Seattle employed the U.S. Court of Appeals for the Ninth Circuit's two-pronged test for individual liability under the FTC Act, which requires the government to demonstrate that an individual: (1) participated directly in, or had authority to control, the allegedly unlawful acts or practices at issue; and (2) had actual knowledge of the misrepresentations involved, was recklessly indifferent to their truth or falsity, or was aware of a high probability of fraud and intentionally avoided learning the truth.

The court applied this standard to both the FTC Act and ROSCA claims, and held that there was no genuine dispute as to any material fact that both executives held senior positions with direct responsibility over the marketplace's subscription program.

The court pointed to internal company documents that demonstrated the executives' involvement in product design decisions, receipt of consumer complaint data and awareness of regulatory concerns. Perhaps most significantly, the court held that these executives had received memoranda from internal teams suggesting consumer confusion and unintended enrollments in the subscription program.

In so doing, the court also rejected the defendants' three defenses.

First, the defendants argued that they lacked "acute, subjective awareness" of the deceptive nature of the business's practices and did not intend to violate the law. The court disagreed, holding that the defendants' "high degree of involvement" in the business established their awareness, and that intent is not a necessary element to establish personal liability.

Second, the defendants argued that they could not be held personally liable since authority for the program at issue was spread across multiple teams and decentralized. The court held that the FTC need not establish that a defendant has "sole authority to control to establish personal liability."

Third, the defendants argued that they were not in charge when the allegedly deceptive practices were implemented, so they could not be liable under either the FTC Act or ROSCA. The district court disagreed, holding that an individual who has authority to control a preexisting deceptive practice can be found liable, even if they were not involved in its creation.

Finally, the court considered similar claims against a third individual defendant, but ultimately declined to hold at summary judgment that this defendant would be liable for any alleged violations of the FTC Act or ROSCA.

Unlike the first two individuals, there was no evidence that the third individual was involved in the decisions that the FTC alleged to be violations of these two laws. Because this person had "less involvement in the operations" of the company, a reasonable jury could find that there was no personal liability in this instance, and the court allowed this claim to proceed to a jury. This individual was not a party to the settlement with the FTC.

The court's willingness to find personal liability based on this evidence reflects a broad interpretation of executive accountability. Rather than requiring direct participation in deceptive conduct, the decision emphasizes the responsibilities that flow from authority, oversight and knowledge. This approach aligns with the FTC's increasingly aggressive enforcement posture and suggests that senior executives can no longer rely solely on corporate structures to shield them from personal exposure.

Dark Patterns: an Evolving Theory Meets Judicial Approval

Particularly notable here is the willingness of the court to endorse the use of a so-called dark patterns theory to find personal liability.

In the stipulated order, the FTC Act claims in this case centered on dark patterns — that is, "manipulative design elements that trick users into making decisions they would not otherwise have made."

FTC guidance from 2022 suggests that dark patterns can include confusing website or app layouts, hiding or delaying the disclosure of material information, and the use of multiple screens and attempts to reenroll consumers seeking to cancel a subscription.

Dark patterns are an evolving standard for deception claims, and to date, most dark patterns guidance has not been subject to rigorous judicial scrutiny, but rather comes either from state and federal regulatory agencies through publications or consensual enforcement actions.

The fact that these dark patterns claims were made under the FTC Act's broad prohibition of unfair and deceptive acts or practices creates further concern. By making a summary judgment decision after filtering claims through the subjective lenses of both dark patterns and unfair and deceptive acts or practices, the court effectively imposed personal liability based upon its own subjective assessments of user experience design and consumer psychology.

The amorphous nature of these standards makes compliance challenging and increases the risk of enforcement actions for individuals and corporations alike.

Practical Implications for Corporate Officers

Not only does this decision illustrate that courts are willing to entertain — and potentially approve — enforcement claims against executives at large, publicly held corporations, but it also demonstrates the power of the FTC as the apparent lead consumer protection regulator under the Trump administration.

The FTC's ability to conduct comprehensive investigations, combined with its ability to bring cases, provides significant advantages in pursuing individual executives.

Going forward, public company executives may reconsider their personal liability under the FTC Act, ROSCA and similar statutes that can impose personal liability. For example:

Product design decisions should not be viewed as purely operational matters insulated from regulatory risk. The court's analysis of user interface elements as potential unfair and deceptive acts or practices violations means that executives involved in product development should consider consumer protection implications alongside business objectives.

Awareness of consumer complaints or regulatory concerns can serve as an important risk factor for executives. The decision emphasizes that knowledge of problems, combined with authority to address them, may result in a finding of personal liability.

Internal communications regarding consumer experience and retention strategies may become evidence of knowledge or intent in future enforcement actions. Companies should carefully consider how they document product decisions and consumer impact assessments.

Traditional risk mitigation strategies — including directors and officers insurance and indemnification agreements — may provide less protection than previously assumed. Companies should scrutinize their coverage and consider whether additional protections are warranted because not all policies cover government-initiated consumer protection claims.

In an internal investigation about these issues, company counsel should give fulsome Upjohn warnings. Companies understandably want cooperation from employees, but employees also must have a clear understanding that the attorney represents the company, the scope of the attorney-client privilege and the company's right to waive that privilege.

Companies must consider whether (and when) employees require individual counsel. Given the government's expectations that companies disclose information that may lead to the outing of wrongdoers, at the first indication of wrongdoing, counsel must decide whether individual representation is appropriate for certain employees.

Looking Forward: A New Enforcement Paradigm

This decision may signal a fundamental shift in how consumer protection laws may be enforced against large public companies. By extending personal liability to senior executives for design-driven violations of broad consumer protection statutes, the court may have opened new avenues for regulatory enforcement.

This development aligns with broader trends at federal agencies, including an increased focus on individual accountability and expanded theories of corporate liability. As regulators continue to develop expertise in digital commerce and user experience design, companies should expect enforcement agencies to evolve, explore new legal theories and expand the universe of those they may hold liable.

This also builds on the priorities advanced by Khan during the Biden administration — notably, Khan's push for the inclusion of individual executives as part of consumer protection settlements during her time leading the commission.

For instance, in announcing a 2022 settlement with Drizly, an online alcohol delivery platform, Khan stated, "[t]he FTC has a role to play in making sure a company's legal obligations are weighed in the boardroom [and the] settlement sends a very clear message: protecting Americans' data is not discretionary [as] it must be a priority for any chief executive."

In the wake of the Amazon decision, the message for corporate executives is indeed clear: Personal liability for consumer protection violations is not a theoretical risk reserved for individuals associated with smaller companies. In an era of expanded regulatory authority and judicial willingness to hold individuals accountable, the corporate veil may provide less protection than many have assumed.

^[1] Federal Trade Commission v. Amazon.com Inc. et al., case number 2:23-cv-00932.

^[2] United States of America v. Iconic Hearts Holdings Inc. et al., case number 2:25-cv-09310.

The opinions expressed are those of the author(s) and do not necessarily reflect the views of their employer, its clients, or Portfolio Media Inc., or any of its or their respective affiliates. This article is for general information purposes and is not intended to be and should not be taken as legal advice.

Authors

Sasha Leonhardt パートナー, Financial & Fintech Advisory, Strategic Advisory and Government Enforcement

Washington DC

See my bio

D:+1 202 349 7971
E: [email protected]

Practice:

Financial & Fintech Advisory
Strategic Advisory and Government Enforcement
Cyber, Privacy & Data Innovation
Fintech
政府による調査および強制措置

vCard

See full bio

Sasha Leonhardt パートナー

Washington DC

Sasha also has substantial experience advising clients on the Servicemembers Civil Relief Act (SCRA), Military Lending Act (MLA), Consumer Financial Protection Act (CFPA), Truth in Lending Act (TILA), Real Estate Settlement Procedures Act (RESPA), Equal Credit Opportunity Act (ECOA), Fair Housing Act (FHA), and Fair Debt Collection Practices Act (FDCPA). He advises companies, non-profits and industry associations with consumer privacy issues arising from the Gramm-Leach-Bliley Act (GLBA) and Regulation P, the Fair Credit Reporting Act (FCRA) and its Affiliate Marketing Rule and state and federal laws that address data privacy and information security.

In addition to representing clients, Sasha has published numerous articles on various aspects of consumer financial services law and practice, including data privacy, class action litigation, white collar litigation, whistleblower lawsuits and recent trends in regulation and enforcement. He also maintains an active pro bono practice and serves as a member of the Legal Counsel for the Elderly’s Young Lawyers Alliance. A frequent speaker on a variety of legal topics, Sasha has taught at Duke University School of Law and American University Washington College of Law, and was previously a Professorial Lecturer in Law at the George Washington University Law School.

Prior to joining Orrick, Sasha was a partner at Buckley LLP. He also previously served as Deputy Press Secretary to Maryland Governor Martin O’Malley. He is accredited as a Privacy Law Specialist, a Fellow of Information Privacy, a Certified Information Privacy Manager (CIPM/US), and a Certified Information Privacy Professional (CIPP/US) by the International Association of Privacy Professionals.

Bradley Marcus パートナー, White Collar, Investigations, Securities Litigation & Compliance, Strategic Advisory and Government Enforcement

Washington DC

See my bio

D:+1 202 349 8021
E: [email protected]

Practice:

White Collar, Investigations, Securities Litigation & Compliance
Strategic Advisory and Government Enforcement

vCard

See full bio

Bradley Marcus パートナー

Washington DC

Brad’s practice includes performing case investigations, developing successful case themes, strategies, and defenses and preparing and defending key witnesses. He has significant experience managing complex litigation, handling pre-trial motions, including overseeing successful summary judgment and motion to dismiss briefings, taking and defending critical fact and expert depositions and managing complex and cross-border e-discovery matters.

In the past few years, he has been involved in a number of cutting-edge cases in the FCPA arena spanning a variety of industries, including financial services, gaming, telecommunications and commodities trading.

Prior to joining Orrick, Brad was a partner at Buckley LLP. From 1999 to 2002, Brad covered Navy football and men’s college lacrosse as a reporter for the Washington Times.