Businesses are often asked for user information through legal subpoenas, court orders, and warrants. By having a policy of disclosing user information only when required, your business can help shield itself from liability for illegal disclosure, avoid negative press, gain the trust of users, reduce the administrative costs of compliance, and help set legal precedents that will prevent costly litigation in the future.
- Comply with demands for information only where required by law. Reject any demand that lacks legal authority. If the law is uncertain, it is in your best interests, as well as those of your users, to challenge the legitimacy of a demand for information. Stronger, clearer privacy laws will make compliance easier in the future, and your users will reward you for fighting for their interests.

AT&T, Verizon: In 2006, news broke that these two massive telecommunications companies had allegedly been turning over the private calling records of millions of Americans to the National Security Agency. The companies were caught in a firestorm of bad publicity and hit by a barrage of costly class action lawsuits. The companies faced potentially "crippling" damages in the hundreds of billions of dollars and have spent massive amounts on attorney and lobbyist fees to try to sidestep liability.

Qwest: By resisting the NSA's request for telephone records, Qwest received a significant amount of positive media coverage. The New York Times described the company as "a gleaming touchstone and a beacon of consumer protection" and noted that many users had switched to Qwest purely on the basis of its principled stand against government surveillance. The Associated Press declared that Qwest was "squarely on the side of the little guy," and bloggers created online buttons reading "Qwest—NSA-Free: Who are you with?" As the New York Times pointed out, "Companies can’t buy that kind of buzz."
- Promptly notify the user and give the user an opportunity to respond. If you do receive a legitimate demand for information, notify the target of that request if possible. Inform the user about any legal options she might have to challenge the demand, such as a motion to quash a subpoena, and give the user adequate time (at least 30 days) to do so. Do not comply with the demand until any such challenge is decided.
- Disclose only required information. Companies often hand over far more information than is asked of them—for example, handing over months of call records when law enforcement has only requested them for a single week, or disclosing user transactions that are unrelated to the scope of the request. Excessive disclosures can lead to legal liability for your company and loss of user trust.