Orders start arriving August 18, 2026

Guide · Law Enforcement Data Requests

Law enforcement data request management: what it is and how it works

Law enforcement data request management is the process a company uses to verify, track, and respond to the subpoenas, court orders, search warrants, and emergency requests it receives from government agencies seeking user data. This guide is for the companies on the receiving end: the legal, compliance, and trust and safety teams that hold the data. If you're looking for records software for police agencies, this isn't that. This is what happens on the other side of the request.

Request a demoSee how Kodex verifies requesters, tracks deadlines, and responds securely.

What does law enforcement data request management involve?

Every request that arrives moves through the same lifecycle, whether the company has built a process around it or not.

  1. Verification. Confirming the request comes from a real agency and a real investigator, not a criminal with a compromised police email account.
  2. Intake and triage. Getting the request out of a shared inbox and into a queue, classified by legal process type, jurisdiction, and deadline.
  3. Legal review. Deciding whether the request is valid, overbroad, or objectionable, and whether the law compels a response at all.
  4. Response. Producing the data, and only the data, the legal process actually covers, through a channel that isn't email or fax.
  5. User notice. Telling the account holder their data was requested, unless a court has ordered you not to.
  6. Cost recovery. Billing the government for the cost of complying, which federal law says it must pay.
  7. Transparency reporting. Publishing what you received and how you responded, in aggregate, once a period.

Most companies handle steps two through four and skip the rest. The first one, verification, is the step that's become dangerous to skip.

What types of legal process can a company receive?

In the US, the Stored Communications Act (18 U.S.C. § 2701 et seq.) sets a ladder: the more sensitive the data, the more legal process the government needs.

  • Subpoena. The lowest rung. Reaches basic subscriber information: name, address, connection records, means of payment. No judge is involved in issuing most of them.
  • Court order under § 2703(d). Reaches transactional records and metadata beyond basic subscriber info. A judge must find specific and articulable facts showing the records are relevant and material to an ongoing investigation.
  • Search warrant. The top rung, and the only process that reaches content: message bodies, file contents, stored photos. Requires probable cause. Since Carpenter v. United States (2018), historical cell-site location data requires a warrant too.
  • Emergency data request (EDR). Not legal process at all. Under § 2702(b)(8), a company may voluntarily disclose data when it believes in good faith that someone faces danger of death or serious physical injury. No judge, no signature, no waiting. That speed saves lives, and it's also exactly what criminals now exploit with fraudulent EDRs.
  • Preservation request under § 2703(f). Requires you to hold data for 90 days, extendable once by another 90, while the agency obtains legal process. Preservation is not production; nothing leaves the building yet.
  • Non-disclosure order under § 2705(b). A gag: a court order barring you from telling the user about the request. These are routine, not rare. Meta reported that 76.6% of US requests in the second half of 2024 arrived with one attached.

Each rung has its own validity requirements, response norms, and objection paths, which is why classifying process type correctly at intake matters more than any other triage decision.

Subpoenas are the highest-volume rung by far, and handling them at scale is its own discipline: what subpoena management software does and who needs it.

How do you verify a law enforcement request is real?

This is the step the old way never had an answer for, because for decades nobody needed one. A request arrived on letterhead, from a .gov address, and that was that.

Then criminals figured out that a compromised police email account is the power of subpoena. In 2022, hackers used forged emergency requests from hacked agency accounts to pull user data out of Apple, Meta, and Discord. In November 2024, the FBI warned that compromised government email credentials from more than two dozen countries were being sold on criminal forums, explicitly marketed for sending fraudulent EDRs. There are roughly 18,000 law enforcement jurisdictions in the US alone. Checking that an email came from one of them tells you almost nothing about who was typing.

Letterhead and a .gov address were the whole check. That's not verification, that's typography.

Real verification means confirming three things independently: the agency exists, the investigator is who they claim to be, and this request fits the pattern of their legitimate work. No single company sees enough requests to make that third judgment alone, which is why verification works as a network: 15,000 government agencies and 150,000 investigators, each verified once, with behavior visible across every company they contact. See how Kodex verifies requesters.

What are the deadlines?

Deadlines are where informal processes fail quietly and expensively.

  • Civil subpoenas (US federal). Under Rule 45, written objections are due before the earlier of the compliance date or 14 days after service. Miss the window and objections are generally waived, including the ones you had every right to make.
  • Preservation. The 90-day clock under § 2703(f) starts when the request arrives, whether or not anyone logged it.
  • EU production orders. From August 18, 2026, the EU e-Evidence Regulation lets an authority in any member state serve orders directly on any provider with users in the EU: ten days to produce in standard cases, eight hours in emergencies, with penalties up to 2% of global annual turnover.

A company handling a handful of requests a month can track this in a spreadsheet. The companies that actually get requests don't get a handful. Verizon reported 61,919 subpoenas in the first half of 2023 alone; Coinbase reported 12,716 requests in its most recent reporting year, up 19% year over year.

Do you have to tell the user?

Default practice at companies that take user trust seriously: yes, notify the account holder before producing, so they can seek their own legal remedy. The exception is a § 2705(b) non-disclosure order, and the exception has become the rule; most US requests to major platforms now carry one.

The obligations run in both directions. Disclose under a gag and you've violated a court order. Fail to track when a time-limited gag expires and you're silent when you no longer have to be. Microsoft sued the government over indefinite gag orders in 2016 and won a policy change: non-disclosure orders are now supposed to be limited in duration. Someone still has to track the duration.

Can you recover the cost of complying?

Yes, and most companies don't. Under 18 U.S.C. § 2706, a government entity that obtains records under the SCA shall pay the provider a fee for the costs reasonably necessary and directly incurred in searching for, assembling, and reproducing the records. Parallel state statutes set their own rates.

Compliance at volume is a real cost center: legal review hours, engineering time, production work. The reimbursement statute exists precisely because Congress recognized that. Companies leave the money unclaimed because invoicing thousands of agencies one at a time costs more than it returns. That's a workflow problem, not a legal one. See how cost recovery works on Kodex.

What about requests from other countries?

Cross-border requests used to be slow enough to ignore. That's over.

  • MLAT. The mutual legal assistance treaty process routes a foreign agency's request through the US Department of Justice and a US court. It averages months to a year, which is why everyone involved has spent a decade building ways around it.
  • CLOUD Act. Since 2018, US legal process reaches data US providers store anywhere in the world. The same law created executive agreements, like the US-UK agreement in force since October 2022, that let partner-country authorities serve US providers directly.
  • EU e-Evidence. The biggest change yet. From August 18, 2026, production and preservation orders from any EU member state can be served directly on providers, EU-based or not. If you have users in the EU, you're in scope, wherever you're incorporated.

The practical consequence: a US company's request queue is no longer a US queue. Requests arrive under different legal standards, in different languages, on different clocks, and the process that handled a domestic subpoena in two weeks has eight hours for an EU emergency order. What the EU e-Evidence Regulation requires.

What goes in a transparency report?

The output end of the lifecycle. A transparency report is a company's public accounting of the requests it received and how it responded: counts by legal process type, by country, and by outcome. Google published the first one in 2010; today it's standard practice for platforms, telecoms, and exchanges, and under the EU's Digital Services Act it's becoming a legal requirement rather than a voluntary one.

The operational truth about transparency reports: they're a byproduct. Companies with a real request management process produce one in an afternoon, because every request was classified and counted on arrival. Companies without one spend weeks reconstructing a year of inbox archaeology. What to publish and how.

What should a request management program include?

The checklist, distilled:

  • Verification before anything else. Confirmed agency, confirmed investigator, visible history. Not an email-domain check.
  • One queue for every process type. Subpoenas, warrants, § 2703(d) orders, EDRs, preservation requests, foreign orders. Requests that live in three inboxes die in three inboxes.
  • Deadline tracking by jurisdiction. Rule 45 windows, preservation clocks, e-Evidence SLAs, each with escalation before the deadline rather than after.
  • Secure production. Data leaves through an encrypted channel to a verified recipient, never as an email attachment to whoever asked.
  • Notice and gag tracking. Who was told, who legally couldn't be, and when each gag expires.
  • Cost recovery built in. Invoicing as a step in the response, not an annual project someone proposes and nobody does.
  • Reporting as output. Transparency numbers that fall out of the system, not a spreadsheet reconstruction.

Some companies build this themselves. Zoom built a full law enforcement request system in-house, and if you have Zoom's volume and Zoom's engineering budget, you can too. What you can't build alone is the verification layer, because verification is only as good as the network of agencies and investigators behind it.

How Kodex handles it

Kodex is the network where law enforcement data requests get handled the way they should. 15,000 government agencies and 150,000 verified investigators submit requests through Kodex; the companies that hold the data verify, triage, and respond in one place. Every requester is verified before they can submit. Every request lands in one queue with its process type, jurisdiction, and deadline attached. Production happens over an encrypted channel, cost recovery is a built-in step, and transparency reporting falls out of data you already have.

Coinbase cut the time its team spent verifying law enforcement requesters by 99.9% on Kodex. Read the customer story.

Common questions

Do companies have to comply with every law enforcement request?

No. A company must comply with valid legal process, and may challenge process that is invalid, overbroad, or improperly served. Emergency data requests are voluntary by law: a company may disclose under § 2702(b)(8), but nothing compels it.

What's the difference between a subpoena, a court order, and a search warrant?

The data each can reach. A subpoena reaches basic subscriber information, a § 2703(d) court order reaches transactional records and metadata, and only a search warrant, issued on probable cause, reaches the content of communications.

What is a preservation request?

A demand under 18 U.S.C. § 2703(f) that a provider preserve specified records for 90 days, extendable once by 90 more, while the agency obtains legal process. It requires holding the data, not producing it.

Can we object to an overly broad request?

Yes. For US federal civil subpoenas, written objections are due before the earlier of the stated compliance date or 14 days after service; objections not raised in time are generally waived. Warrants and court orders are challenged by motion.

Does the CLOUD Act apply to data stored outside the US?

Yes. Since 2018, US legal process served on a US provider reaches data in the provider's possession, custody, or control regardless of where it's stored.

What is a law enforcement response team?

The function inside a company, usually in legal, compliance, or trust and safety, that receives, verifies, and responds to law enforcement data requests. At large platforms it's a dedicated team; at most companies it's part of someone's job, which is exactly when process and tooling matter most.