The laws that protect you — and the settlement racket that doesn't

1. What people actually search for (Semrush, US, monthly)

This is real demand, pulled from Semrush. The crisis is not niche.

Source: Semrush, US database. The question-form "how to contact" numbers look small because people give up and search the product name directly. Add the related variants together and you're looking at hundreds of thousands of US searches a month for "I can't get back into my account."

2. The laws that already protect you

You don't need a new law to start. You need to invoke the ones platforms hope you don't know about.

European Union

• GDPR Article 15 — Right of Access. The platform must give you a copy of all personal data they hold on you, within 30 days, free. Lockout doesn't suspend this right.
• GDPR Article 20 — Data Portability. You can demand your data in a machine-readable format and have it ported to another provider.
• GDPR Article 17 — Right to Erasure. When you decide.
• Digital Services Act, Article 17. Any account suspension or restriction requires a clear written "statement of reasons" — not a generic email.
• DSA Article 20. Mandatory internal complaint mechanism, free of charge, for at least 6 months after the decision.
• DSA Article 21. Right to out-of-court dispute settlement through a certified body — binding on the platform if you win.
• Digital Markets Act. Gatekeepers (Google, Apple, Meta, Microsoft, Amazon, ByteDance) must allow real account and data portability between core services.

United States

• FTC Act §5. Unfair or deceptive practices in commerce. Marketing an account as recoverable and then making recovery impossible is exactly this.
• State UDAP statutes. Every state has one — California's CLRA, New York GBL §349, etc. Often allow private right of action and statutory damages.
• CCPA / CPRA (California). Right to know, right to delete, right to data portability — applies to most large platforms regardless of where you live, if they do business with Californians.
• Computer Fraud and Abuse Act. Limited, but locking the rightful owner out of their own account can intersect with it.
• State attorneys general. Often the fastest escalation. They forward consumer complaints to companies and platforms answer them.

Canada

• PIPEDA. Right of access to your data within 30 days, right to challenge accuracy, right to complain to the Office of the Privacy Commissioner — who actually investigates.
• Provincial Consumer Protection Acts. Ontario CPA, Quebec CPA, BC BPCPA — cover unfair practices and misleading representations.
• CRTC. Handles complaints about SIM swaps, port-out fraud, and carrier-side identity attacks that often start a lockout chain.

United Kingdom

• UK GDPR + Data Protection Act 2018. Mirrors EU access, portability, erasure rights.
• Online Safety Act 2023. Ofcom-enforced; covers user-empowerment and complaint duties.
• Consumer Rights Act 2015. Digital content must be of satisfactory quality, fit for purpose, and as described. A locked account isn't.

Australia

• Privacy Act 1988 + Australian Privacy Principles. APP 12 (access), APP 13 (correction).
• Australian Consumer Law. Statutory guarantees apply to digital services. ACCC enforces.

3. The $25–$100 racket

When platforms get sued, they usually lose. And then they settle. And then this happens:

• Meta / Cambridge Analytica — $725M settlement (2023). Approximately 17 million claims filed. Claimants who actually filled out the form received roughly $30 each. Lawyers asked for 25% of the fund — about $180M.
• Equifax data breach — $425M+ consumer fund. The "$125 cash option" was advertised loudly, then quietly capped because too many people claimed it. Most got under $40 or a credit-monitoring voucher.
• Google+ shutdown — $7.5M. Claimants received roughly $2.15 each. Lawyers received a substantial multiple of that.
• Google Location History — $62M. No money to consumers at all; paid only to non-profits chosen by the lawyers. Court approval was contested for exactly this reason.

The pattern: enormous headline number, fee award to plaintiffs' counsel in the high tens or low hundreds of millions, a per-claimant payout that wouldn't replace a single lost photo album, and a settlement agreement that releases the platform from any further individual claims on the same facts. You sign the cheque, you sign away your right to sue.

4. What works better than the cheque

1. File the GDPR Article 15 / PIPEDA / CCPA data-access request first. Lockout does not pause this. The regulator does answer.
2. Write the named, signed letter. One letter from a real person on a real domain beats a thousand form submissions. Use /letter.
3. Document the trail before it disappears. /preserve.
4. Pool the testimony. Class actions are weak partly because they're built on thin pleadings. Stories with receipts, names, dates, and SHA-256 hashes are strong. /stories, /share.
5. File with the right regulator for your country. EU residents → national DPA + DSA out-of-court body. Californians → CPPA + state AG. Canadians → OPC + provincial consumer affairs + CRTC for carrier-side. UK → ICO + Ofcom. Australians → OAIC + ACCC.
6. Opt out of every class-action settlement that doesn't address human review. The opt-out date is in the notice. Missing it sells your individual claim for $25.

5. Where this site fits

• The Wall gives you a witnessed identity that survives any single account being killed — so when you cite GDPR Art 15 in writing, "the data subject" is provably you.
• Field Reports pool the URL, browser, and SIM-swap evidence that turns "my account was locked" into "here is the platform-side pattern" — citable in a regulator filing.
• Full Disclosure is the named complainant register regulators and journalists actually need.
• The plan is how all of this stays free, no-ads, no-data-sales, forever.

Nothing on this page is legal advice. It is a map of which rights, in which country, you can invoke yourself today without paying anyone. If your case is large enough, see a licensed lawyer in your jurisdiction — but read the settlement notice before you sign it.