If They Ignore You

Companies are legally required to respond to data requests. Many don't. Here is what to do.

Step 1: Wait for the legal deadline

GDPR (EU/EEA/UK): 30 days from receipt. Extendable to 90 days for complex requests, but they must notify you within the first 30 days.

CCPA (California): 45 days from receipt. Extendable to 90 days with notice.

Other US states: Varies — typically 45–60 days. Check your state's law on the Your Rights page.

Give them a few business days past the deadline before escalating. Some companies are slow; not all silence is bad faith.

Step 2: Send a follow-up request

Send a second email referencing your original request, the date you sent it, and the legal deadline. State that you will file a complaint with the relevant regulator if you do not receive a response within 14 days. Our follow-up template is ready to copy.

Step 3: File a complaint

If the second request is also ignored, file a formal complaint. Regulators are slow, but complaints create records and lead to enforcement actions over time. Your complaint also helps build the case against companies that systematically ignore requests.

Where to complain

California: California Privacy Protection Agency (CPPA) — file online at cppa.ca.gov
EU — find your authority: European Data Protection Board member list — select your country
UK: Information Commissioner's Office (ICO)
Other US states: Your state Attorney General's office. Search "[state] attorney general privacy complaint."
FTC (US, general): reportfraud.ftc.gov — for deceptive practices

What to include in a complaint

The date you sent your original request
The method you used (email, online form, mail)
A copy of your original request
The date of your follow-up (if any)
Any response you received (even a refusal)
The legal deadline and confirmation it has passed

When you might need a lawyer

Most data requests do not require a lawyer. Consider consulting one if: the company has your data and is actively profiting from it, you have suffered actual harm from their refusal (financial, reputational, or safety-related), or you are in the EU and the company has ignored both your request and a regulator investigation.

For EU residents, consumer protection organizations in many countries provide free legal assistance with GDPR complaints.

Keep records

Save every email, form confirmation, and response. Screenshot confirmation pages. Note dates. If you escalate, you will need this documentation.