Guide · Law Enforcement Data Requests
Law enforcement data request management is the process a company uses to verify, track, and respond to the subpoenas, court orders, search warrants, and emergency requests it receives from government agencies seeking user data. This guide is for the companies on the receiving end: the legal, compliance, and trust and safety teams that hold the data. If you're looking for records software for police agencies, this isn't that. This is what happens on the other side of the request.
Every request that arrives moves through the same lifecycle, whether the company has built a process around it or not.
Most companies handle steps two through four and skip the rest. The first one, verification, is the step that's become dangerous to skip.
In the US, the Stored Communications Act (18 U.S.C. § 2701 et seq.) sets a ladder: the more sensitive the data, the more legal process the government needs.
Each rung has its own validity requirements, response norms, and objection paths, which is why classifying process type correctly at intake matters more than any other triage decision.
Subpoenas are the highest-volume rung by far, and handling them at scale is its own discipline: what subpoena management software does and who needs it.
This is the step the old way never had an answer for, because for decades nobody needed one. A request arrived on letterhead, from a .gov address, and that was that.
Then criminals figured out that a compromised police email account is the power of subpoena. In 2022, hackers used forged emergency requests from hacked agency accounts to pull user data out of Apple, Meta, and Discord. In November 2024, the FBI warned that compromised government email credentials from more than two dozen countries were being sold on criminal forums, explicitly marketed for sending fraudulent EDRs. There are roughly 18,000 law enforcement jurisdictions in the US alone. Checking that an email came from one of them tells you almost nothing about who was typing.
Letterhead and a .gov address were the whole check. That's not verification, that's typography.
Real verification means confirming three things independently: the agency exists, the investigator is who they claim to be, and this request fits the pattern of their legitimate work. No single company sees enough requests to make that third judgment alone, which is why verification works as a network: 15,000 government agencies and 150,000 investigators, each verified once, with behavior visible across every company they contact. See how Kodex verifies requesters.
Deadlines are where informal processes fail quietly and expensively.
A company handling a handful of requests a month can track this in a spreadsheet. The companies that actually get requests don't get a handful. Verizon reported 61,919 subpoenas in the first half of 2023 alone; Coinbase reported 12,716 requests in its most recent reporting year, up 19% year over year.
Default practice at companies that take user trust seriously: yes, notify the account holder before producing, so they can seek their own legal remedy. The exception is a § 2705(b) non-disclosure order, and the exception has become the rule; most US requests to major platforms now carry one.
The obligations run in both directions. Disclose under a gag and you've violated a court order. Fail to track when a time-limited gag expires and you're silent when you no longer have to be. Microsoft sued the government over indefinite gag orders in 2016 and won a policy change: non-disclosure orders are now supposed to be limited in duration. Someone still has to track the duration.
Yes, and most companies don't. Under 18 U.S.C. § 2706, a government entity that obtains records under the SCA shall pay the provider a fee for the costs reasonably necessary and directly incurred in searching for, assembling, and reproducing the records. Parallel state statutes set their own rates.
Compliance at volume is a real cost center: legal review hours, engineering time, production work. The reimbursement statute exists precisely because Congress recognized that. Companies leave the money unclaimed because invoicing thousands of agencies one at a time costs more than it returns. That's a workflow problem, not a legal one. See how cost recovery works on Kodex.
Cross-border requests used to be slow enough to ignore. That's over.
The practical consequence: a US company's request queue is no longer a US queue. Requests arrive under different legal standards, in different languages, on different clocks, and the process that handled a domestic subpoena in two weeks has eight hours for an EU emergency order. What the EU e-Evidence Regulation requires.
The output end of the lifecycle. A transparency report is a company's public accounting of the requests it received and how it responded: counts by legal process type, by country, and by outcome. Google published the first one in 2010; today it's standard practice for platforms, telecoms, and exchanges, and under the EU's Digital Services Act it's becoming a legal requirement rather than a voluntary one.
The operational truth about transparency reports: they're a byproduct. Companies with a real request management process produce one in an afternoon, because every request was classified and counted on arrival. Companies without one spend weeks reconstructing a year of inbox archaeology. What to publish and how.
The checklist, distilled:
Some companies build this themselves. Zoom built a full law enforcement request system in-house, and if you have Zoom's volume and Zoom's engineering budget, you can too. What you can't build alone is the verification layer, because verification is only as good as the network of agencies and investigators behind it.
Kodex is the network where law enforcement data requests get handled the way they should. 15,000 government agencies and 150,000 verified investigators submit requests through Kodex; the companies that hold the data verify, triage, and respond in one place. Every requester is verified before they can submit. Every request lands in one queue with its process type, jurisdiction, and deadline attached. Production happens over an encrypted channel, cost recovery is a built-in step, and transparency reporting falls out of data you already have.
Coinbase cut the time its team spent verifying law enforcement requesters by 99.9% on Kodex. Read the customer story.
Do companies have to comply with every law enforcement request?
No. A company must comply with valid legal process, and may challenge process that is invalid, overbroad, or improperly served. Emergency data requests are voluntary by law: a company may disclose under § 2702(b)(8), but nothing compels it.
What's the difference between a subpoena, a court order, and a search warrant?
The data each can reach. A subpoena reaches basic subscriber information, a § 2703(d) court order reaches transactional records and metadata, and only a search warrant, issued on probable cause, reaches the content of communications.
What is a preservation request?
A demand under 18 U.S.C. § 2703(f) that a provider preserve specified records for 90 days, extendable once by 90 more, while the agency obtains legal process. It requires holding the data, not producing it.
Can we object to an overly broad request?
Yes. For US federal civil subpoenas, written objections are due before the earlier of the stated compliance date or 14 days after service; objections not raised in time are generally waived. Warrants and court orders are challenged by motion.
Does the CLOUD Act apply to data stored outside the US?
Yes. Since 2018, US legal process served on a US provider reaches data in the provider's possession, custody, or control regardless of where it's stored.
What is a law enforcement response team?
The function inside a company, usually in legal, compliance, or trust and safety, that receives, verifies, and responds to law enforcement data requests. At large platforms it's a dedicated team; at most companies it's part of someone's job, which is exactly when process and tooling matter most.