Vercel will avoid civil penalties after confessing it failed to fully comply with a federal search warrant. The data the FBI wanted was never actually deleted, it was sitting in a deletion queue the company's own tools couldn't reach.
Vercel, the cloud hosting company behind the popular Next.js framework, has avoided civil penalties in a contempt of court case brought by the US government. The catch: it had to admit it got things wrong and rebuild the internal systems it uses to respond to law enforcement demands.
The case offers a revealing look at how the gap between "we deleted that data" and "that data is gone" can land a company in front of a federal judge, and why the difference matters for anyone who trusts a provider to handle their information.
What happened
In August 2025, the FBI obtained a federal search warrant directed at Vercel, seeking records tied to an unidentified individual's account. By the time the company moved to act on the warrant, the account had already been routed for deletion. Vercel believed the associated data was gone and handed over only a partial set of records, falling short of what the warrant actually demanded.
The data wasn't gone, though. It was sitting in what Vercel calls a deletion queue. These queues are a common feature at data-heavy organizations. Rather than wiping a user account and all its associated information the instant a deletion is requested, the system stages the records and removes them in a controlled, batched process. This keeps the live production database from being disrupted by large erasure operations and helps ensure deletions complete cleanly. The practical consequence is that "deleted" data can linger in an intermediate state for some period before it is truly purged.
Vercel's own response tooling, however, could not see into that queue. Its Trust and Safety team was unable to locate, preserve, or produce the content the warrant covered, both for certain material generally and specifically for anything held in the deletion queue. So the company told the court it didn't possess records that, in fact, it still held.
The legal basis
A search warrant is not a polite request. When a federal court issues one, the recipient is legally obligated to comply, and partial or delayed compliance can expose the company to a contempt finding.
That is exactly the path this case took. On February 2, Vercel representatives attended a hearing to determine whether the company should be held in civil contempt for its non-compliance. Magistrate Judge Carson found that the US government had established a prima facie case for civil contempt, meaning the basic elements were met, and referred the matter to a district judge for further consideration.
Civil contempt is the mechanism courts use to compel compliance and, where warranted, to penalize a party that has failed to meet a court order. For a company, that can mean fines that accumulate until it complies, alongside the reputational damage of being formally found in contempt.
Three days after the hearing, Vercel produced everything it had previously claimed it could not find or did not have, according to a Justice Department announcement. The contempt proceeding then ended through a stipulated dismissal, a legal arrangement in which both sides agree to close the case permanently.
What it cost Vercel
The dismissal was not free. In exchange for ending the case, Vercel agreed to a set of conditions. It admitted wrongdoing, conceding that its legal process response tools were inadequate in two specific ways: the inability to handle certain content, and the inability to handle content sitting in a deletion queue. The company also covered the government's legal fees, the costs the Justice Department incurred chasing down compliance that should have happened in the first place.
"When a federal court issues a search warrant, it is not a suggestion, but a mandatory directive, essential to the pursuit of justice, that a recipient company must comply with," said A. Tysen Duva, assistant attorney general at the Justice Department's Criminal Division. "The Criminal Division pursues technology companies who fail to uphold their lawfully mandated obligations. We are pleased Vercel has belatedly complied and accepted responsibility for the unnecessary costs incurred by the government in this matter."
Vercel says it has since updated its legal processes so it can respond more quickly to similar warrants in the future. You can read more about the company on its official site.
Why this matters for users
Strip away the courtroom procedure and this case raises a question that touches everyone who stores data with a cloud provider: when a company says your data is deleted, is it?
The honest answer, as Vercel's deletion queue illustrates, is often "not yet." Staged deletion is sensible engineering. It protects database stability and reduces the risk of botched, irreversible erasures. But it also means that data marked for deletion can persist in a recoverable form, sometimes for a meaningful window, after a user believes it has been erased.
That carries cuts both ways for digital rights. On one hand, it means law enforcement can still reach information users thought was gone, which is precisely what happened here. On the other, a company that cannot even locate the data it holds has a transparency problem. If Vercel's own Trust and Safety team could not see content in its deletion queue, then the company could not have given an accurate answer to a user asking whether their information had truly been removed, nor to a court asking the same thing.
Data protection regimes increasingly treat the right to erasure as a real obligation rather than a marketing promise. Under the EU's General Data Protection Regulation, the right to erasure gives individuals the ability to demand deletion of their personal data in defined circumstances, and companies are expected to be able to act on and account for those requests. California's Consumer Privacy Act grants comparable deletion rights to residents. A provider whose internal tooling cannot reliably find, preserve, or remove specific records is poorly positioned to honor any of those obligations, whether the request comes from a regulator, a court, or a user exercising their own rights.
What changes
For Vercel, the immediate change is operational. The company has rebuilt the systems its Trust and Safety team relies on so it can locate, preserve, and produce content, including material parked in deletion queues, when a lawful order arrives. The admission of wrongdoing and the fee payment close the matter, but the underlying lesson is about visibility into one's own data stores.
For the broader industry, the case is a reminder that retention architecture is a compliance issue, not just an engineering one. A deletion queue that is invisible to legal and safety teams creates risk in both directions: it can leave a company unable to comply with a warrant, and it can leave it unable to honor a user's deletion request or answer accurately when asked what data it still holds.
Users can't inspect a provider's deletion queue, but they can read retention and privacy policies with a more skeptical eye, look for specific commitments on how long data persists after deletion, and treat "deleted" as a process rather than an instant. The Vercel episode shows that the distance between requesting deletion and achieving it is real, and that even the company holding the data may not always know where the line sits.
Comments
Please log in or register to join the discussion