Guide · Transparency Reporting
A transparency report is a company's public accounting of the government and law enforcement requests it received for user data over a period, and how it responded. For fifteen years, publishing one was a choice companies made to earn trust. That era is ending: transparency reporting is becoming a legal obligation in the EU and a baseline expectation everywhere else, and the report turns out to be the easy part. The hard part is having tracked anything worth reporting.
The core of every transparency report is the same set of facts: how many requests for user data the company received, from which governments, under what legal process, and what happened to each one. Complied in full, complied in part, rejected.
Google published the first one in 2010. Adoption grew slowly until the Snowden disclosures in 2013, after which the number of companies publishing grew 367% within a year. Today, somewhere near ninety companies publish them, from Apple and Meta down to mid-size SaaS companies whose entire report is one page and a table. The thin ones count too. A one-page report that says we received 14 requests and complied with 9 does the whole job: it tells users, regulators, and journalists that the company knows what's moving through it.
In the US, no. Publishing is voluntary, and always has been. But the direction of travel is one way.
So the honest answer for a company with EU users: transparency reporting started as public relations and is finishing as compliance. The companies that built the habit voluntarily now have a head start on a legal requirement.
Reports vary widely, which is the field's longest-standing criticism: numbers that can't be compared across companies or even across one company's years. The core taxonomy that makes a report useful:
Define each category once, publish the definitions alongside the numbers, and never change a definition without saying so. A report whose categories shift year to year isn't transparency, it's noise with a publication date.
Almost everything, with one carve-out: US national security process.
Ordinary criminal legal process, subpoenas, warrants, court orders, can be reported in exact counts. National security letters and FISA orders cannot. Under the USA FREEDOM Act, companies may report those only in aggregate bands, in increments of 100, 250, 500, or 1,000 depending on the reporting format chosen, sometimes with a mandatory delay. That's why every major report has a table that reads 0-249 national security letters. It's not coyness. It's the maximum the law allows.
Here is the operational truth most guides skip: a transparency report can't be written, it has to be accumulated. The report is a byproduct of how requests were handled all year. You can't report what you didn't track.
Companies with a real request management process produce a report in an afternoon, because every request that arrived was verified, classified by process type, and resolved with a recorded outcome. The report is a query. Companies without one assign a paralegal to a year of inbox archaeology, reconstructing counts from email threads and hoping the shared mailbox wasn't cleaned out in March.
For a company publishing its first report with a small team, the minimum viable version:
Then fix the pipeline so report two is a query, not a project. How request management works end to end.
Annual is the floor and the norm for a first report; the major platforms publish semiannually. The DSA requires annual publication for services in scope, biannual for the largest platforms. Pick the cadence you can sustain, because a report that appears once and never again reads worse than no report at all.
For calibration on volume: Coinbase reported 12,716 law enforcement requests in its most recent reporting year, up 19%, with 53% from outside the US. Verizon reported 61,919 subpoenas in a single half-year. Your numbers will be smaller. Publish them anyway; the point of the report is the accounting, not the size.
On Kodex, the report is the byproduct it should be. Every request arrives verified, classified by legal process type, jurisdiction, and outcome, so transparency-report metrics fall out of data the team already has. No reconstruction, no archaeology, no March mailbox problem. See how request management works.
Are transparency reports legally required?
Not in the US, where publishing remains voluntary. In the EU, the Digital Services Act requires intermediary services to publish transparency reports at least annually, including counts of government orders received.
Can a company report exactly how many national security letters it received?
No. US law permits reporting national security process only in aggregate bands, such as 0-249, with the band size depending on the reporting format chosen under the USA FREEDOM Act.
What is a warrant canary?
A published statement that a company has not received secret legal process, designed to be removed if that changes. Its legal effectiveness has never been tested in court.
What should a first transparency report include?
At minimum: requests received in a defined period, broken out by legal process type, with outcomes (complied, partially complied, rejected) and the definitions used for each category.
Which companies publish transparency reports?
Roughly ninety, including Google, Apple, Meta, Microsoft, major telecoms like Verizon and AT&T, and crypto exchanges like Coinbase and Kraken. Access Now maintains the most complete public index.