> The solution is to escalate your request to the local data protection agency
In many countries in Europe, you can expect a response within 30-90 days acknowledging receipt, and an actual response that they'll look into it and request a statement from the company after a year or so.
Sometimes you get lucky, but then only hear back that the company has now changed that one specific bad behavior (after profiting from it for a year or two) and thus the case is closed.
Zero meaningful enforcement.
Until NGOs start suing at scale, nothing will change.
In Europe the GDPR states that businesses have a single calendar month to respond to you, either with the data, how to easily get them, or a damn good reason why they couldn't comply in time.
It happened to me once that a business hasn't responded in time, but after I sent them a follow up that they are breaking the law by ignoring my request, they responded right away the next day.
I also only sent the requests to the biggest offenders, so the sample is small.
30-90 days is therefore possibly the period one should expect to wait to get a response, even though more than approx. 30 days is illegal.
In many countries in Europe, you can expect a response within 30-90 days acknowledging receipt, and an actual response that they'll look into it and request a statement from the company after a year or so.
Sometimes you get lucky, but then only hear back that the company has now changed that one specific bad behavior (after profiting from it for a year or two) and thus the case is closed.
Zero meaningful enforcement.
Until NGOs start suing at scale, nothing will change.