Pre-written complaints

To: Google LLC / Apple Inc. / Microsoft Corp. — Account Security and Data Protection Officer
Subject: Article 22 / FTC Act §5 demand — recovery of account [email], contradicted by ongoing SMS prompts to registered number

I am [your name], the registered holder of account [email], locked out since [date].

In the period since the lockout I have received automated SMS prompts from your security system at the phone number registered to that account, including on:
- [paste date/time of each prompt]
- [paste date/time of each prompt]
- [paste date/time of each prompt]

Each prompt names the account in full and is sent to the verified number on file. By sending them, your security system is affirming — in writing, with timestamps — that you recognise me as the legitimate holder of that number, and the number as belonging to that account.

I have nonetheless completed your recovery flow approximately [number] times with the correct credentials, with no human review, no written decision, and no appeal.

I formally request, within 30 days:
1. A copy of all personal data held in or relating to account [email] (GDPR Art. 15 / UK GDPR Art. 15 / PIPEDA Principle 4.9 / CCPA right to know).
2. Restoration of access, or in the alternative a written statement of reasons identifying the specific clause of your terms of service relied on (DSA Art. 17 where applicable).
3. Human review under GDPR Art. 22 (right not to be subject to a decision based solely on automated processing).
4. Cessation of automated SMS prompts to the registered number until a written decision on (2) has been issued.

I have preserved video evidence of the recovery flow, time-stamped and hashed, and copies are held by third parties. A complaint is being filed in parallel with the competent regulator in [your country].

[your name]
[email]

To: Federal Trade Commission — Consumer Complaint

I am [your name], a resident of [your state], filing a complaint regarding my inability to access my Google account ([email address]) despite being the legitimate account holder.

On approximately [date], I was locked out of my account. I have completed Google's automated recovery process approximately [number] times, providing the correct password and verification codes. The system has not produced a written decision, has not offered an appeal path, and has not made a human reviewer available to me.

As a result of this lockout, I have lost access to: [list: email, photos, payments, etc.].

The concrete harm this has caused: [describe lost wages, missed deadlines, financial impact].

I believe this practice is unfair within the meaning of Section 5 of the FTC Act because the harm is substantial, not reasonably avoidable by consumers, and not outweighed by countervailing benefits. Consumers cannot reasonably anticipate that providing email, payment, and identity services to hundreds of millions of people would come without any human review process when those services fail.

I am one of many. A growing public record of similar cases is being collected at the Locked Out project.

Respectfully,
[your name]
[contact email]

To: Office of the Attorney General of [your state]
Consumer Protection Division

Dear Attorney General,

My name is [your name] and I am a resident of [your state]. I am writing to report a consumer protection concern involving Google LLC's account lockout and recovery practices.

My Google account ([email]) has been inaccessible since [date]. I have completed Google's recovery flow approximately [number] times with correct credentials. There is no human reviewer available, no written decision, and no appeals process.

I have lost access to: [list].
The harm to me has been: [describe].

I respectfully request that your office consider:
1. Investigating whether Google's lack of human recovery review constitutes an unfair business practice under our state's consumer protection statutes.
2. Engaging Google to establish a mandatory human-review process for accounts locked out longer than 14 days.

This is not an isolated incident. A growing public record is being maintained at the Locked Out project.

Thank you for your time.

[your name]
[email]

To: [National Data Protection Authority — your country]

I, [your name], resident of [your country], submit a complaint under the General Data Protection Regulation (Regulation (EU) 2016/679) against Google Ireland Limited / Google LLC concerning my Google account [email].

Since [date] I have been unable to access this account. Despite approximately [number] recovery attempts with correct credentials, Google has provided no human review, no written decision, and no effective means to exercise my rights under the GDPR.

Specifically I assert that Google is failing to facilitate:
- Article 15 — right of access to my personal data held in the account.
- Article 16 — right to rectification of inaccurate account-status information.
- Article 20 — right to data portability of my email, contacts, photos, and other content.
- Article 22 — right not to be subject to a decision based solely on automated processing producing legal or similarly significant effects without the right to obtain human intervention.

Personal data and services I am unable to access: [list].
Material and non-material harm caused: [describe].

I request that your authority investigate and, if appropriate, exercise its powers under Article 58 to require Google to provide a meaningful human-review process within a reasonable timeframe.

Sincerely,
[your name]
[email]

To: Information Commissioner's Office

I, [your name], of [the United Kingdom], make a complaint about Google's handling of my personal data in connection with account [email].

Since [date], I have been locked out of this account following approximately [number] recovery attempts. Google has not provided a human reviewer, a written decision, or a meaningful appeal — depriving me of effective access to my own personal data.

I believe this engages my rights under the UK GDPR, particularly Article 15 (right of access), Article 20 (data portability), and Article 22 (rights related to automated decision-making).

Data and services affected: [list].
Harm caused: [describe].

I respectfully request the Commissioner consider investigating Google's account-recovery practices.

[your name]
[email]

To: Office of the Privacy Commissioner of Canada

I, [your name], of Canada, am filing a complaint under PIPEDA concerning Google's handling of my personal information in account [email].

Since [date] I have been unable to access this account. After approximately [number] recovery attempts, Google has not provided a human reviewer, a written explanation, or any meaningful appeal. I am effectively denied access to and control over my own personal information held by an organization subject to PIPEDA.

Personal information and services I am unable to reach: [list].
Harm caused: [describe].

I respectfully ask the Commissioner to consider whether Google is in compliance with its obligations under Principles 4.9 (Individual Access) and 4.10 (Challenging Compliance) of Schedule 1 of PIPEDA.

[your name]
[email]

Subject: Locked out of my Google account for [N] attempts and counting — there's no human to call

Hi,

I'm [your name], based in [location]. I'm one of a growing number of people who've been locked out of a Google account with no human escalation path.

The short version: my account ([email]) has been inaccessible since [date]. I've completed Google's automated recovery roughly [number] times with correct credentials. There is no person to talk to, no written decision, and no appeal. I've lost access to [list] and the concrete harm has been [describe].

I'm documenting my case (and others') at the Locked Out project, a public record of these lockouts. There are dozens of similar stories collected there, with timelines and screenshots.

Happy to share my full evidence packet (ID, billing records, lockout timeline) if you'd like to take a look. The pattern feels worth a story.

Thanks for considering,
[your name]
[email]

To: [Platform] — Privacy / CCPA Verifiable Consumer Request
Subject: CCPA §§1798.100, 1798.105, 1798.110 — verifiable consumer request, account [email]

I am [your name], a California resident. I am exercising my rights under the California Consumer Privacy Act of 2018 (Cal. Civ. Code §§1798.100 et seq.), as amended by the CPRA.

Pursuant to §1798.110 (right to know) I request, within 45 days (extendable once by 45 days on written notice under §1798.130(a)(2)):
1. The categories of personal information you have collected about me linked to account [email].
2. The specific pieces of personal information collected.
3. The categories of sources from which the information was collected.
4. The business or commercial purpose for collecting or selling that information.
5. The categories of third parties with whom you share that information.
6. A portable copy of all personal information, in a readily useable format.

Pursuant to §1798.105 (right to delete), upon completion of the disclosure above, delete all personal information you hold concerning me, subject only to the enumerated exceptions in §1798.105(d).

Identity verification: I am the registered holder of [email]. I have been locked out since [date] after approximately [number] recovery attempts with correct credentials. Your refusal to verify me through your standard flow does not extinguish my §1798.100 rights — §1798.185 implementing regulations (CCR §7060) require a reasonable alternative verification path. Government-issued ID and a notarised declaration are available on request.

Failure to respond within statutory windows constitutes a violation under §1798.155 (administrative enforcement by the California Privacy Protection Agency) and, for security-breach contexts, gives rise to a private right of action under §1798.150.

[your name]
[email]

To: [Platform] — Privacy / Biometric Information Privacy Act Demand
Subject: 740 ILCS 14 (BIPA) — demand for written policy, disclosure, and destruction, account [email]

I am [your name], a resident of Illinois. I have used your service through account [email] since [date when account was created]. Your service required me to submit biometric identifiers or biometric information including, without limitation: facial geometry (selfie / liveness check), voiceprint, and/or fingerprint or finger-scan data.

Under the Illinois Biometric Information Privacy Act (740 ILCS 14), I demand within 30 days:

1. **§15(b) disclosure.** A copy of the written notice you provided me, the specific purpose for collecting my biometric identifiers, the length of term for which they will be stored, and my signed written release authorising collection. Absent these, every collection event is a separate §15(b) violation.

2. **§15(a) policy.** A copy of your publicly available written retention schedule and guidelines for permanent destruction of biometric identifiers, in compliance with §15(a).

3. **§15(d) disclosure.** Identification of every third party with whom you have disclosed, redisclosed, or otherwise disseminated my biometric data, and the contractual basis for each disclosure.

4. **§15(e) safeguards.** Description of the reasonable standard of care you have used in storing, transmitting, and protecting my biometric data.

5. **Destruction.** Pursuant to §15(a), confirm permanent destruction of all biometric identifiers and biometric information you hold on me, and certify the date of destruction in writing.

BIPA provides a private right of action under §20. Statutory damages are $1,000 per negligent violation and $5,000 per intentional or reckless violation, plus attorney's fees, costs, and injunctive relief — without proof of actual injury (Rosenbach v. Six Flags, 2019 IL 123186).

Failure to comply within 30 days will be treated as evidence of intentional or reckless violation for purposes of §20(2).

[your name]
[email]

To: [Platform] — Legal Department, Canadian Operations
Subject: Notice of unfair practice and demand for rescission/relief — Ontario CPA 2002, s. 14-18 / Quebec CPA, art. 215-272

I am [your name], a resident of Ontario, Canada, and the registered holder of account [email].

You marketed this service to me with stated features including recovery, support, and access to data I created. Since [date] I have been locked out. After approximately [number] recovery attempts with correct credentials, you have provided no human reviewer, no written decision, and no meaningful appeal.

Under the Consumer Protection Act, 2002, S.O. 2002, c. 30, Schedule A, this constitutes an unfair practice:
- **s. 14** — false, misleading, or deceptive representations, including representing that an agreement involves rights or remedies it does not.
- **s. 15** — unconscionable representation, given the disproportionate bargaining power and the lack of any meaningful recourse.
- **s. 18** — rescission right: the consumer may rescind an agreement entered into after an unfair practice and recover all amounts paid, plus damages, plus exemplary damages where the practice was knowing.

(For Quebec residents: equivalent provisions are art. 215–230 of the Consumer Protection Act, R.S.Q. c. P-40.1, with art. 272 providing the same private remedies.)

Within 30 days I demand:
1. Restoration of access to account [email], OR
2. A written statement of the specific term of service relied on, AND
3. Identification of the natural person at your organisation who made the decision.

I have lost: [list].
Concrete harm: [describe in dollars where possible].

Failure to cure within 30 days will support a claim filed in the Small Claims Court of Ontario (jurisdiction up to $35,000 in Ontario, $15,000 in Quebec without a lawyer) seeking rescission, return of all amounts paid, damages, exemplary damages, and costs.

[your name]
[email]

To: [Platform] — EU Legal Representative / DSA Compliance Officer
Subject: Digital Services Act, Article 17 — demand for statement of reasons, account [email]

I, [your name], resident of [EU member state], am the recipient of a content/account restriction concerning account [email], effective [date].

Pursuant to Article 17 of Regulation (EU) 2022/2065 (Digital Services Act), I require — without undue delay and in any event in machine-readable form — a statement of reasons containing all of the following elements specified in Article 17(3):

(a) Whether the decision concerns the removal of, the disabling of access to, the demotion of, or the suspension or termination of monetary payments related to the information, the suspension or termination of the provision of the service in whole or in part, or the suspension or termination of the recipient's account, AND the territorial scope of the decision and its duration.

(b) The facts and circumstances relied on in taking the decision, including where relevant whether the decision was taken pursuant to a notice submitted under Article 16 OR pursuant to voluntary own-initiative investigations, and where strictly necessary the identity of the notifier.

(c) Where applicable, information on the use of automated means in taking the decision, including whether the decision was taken in respect of content detected or identified using automated means.

(d) Where the decision concerns allegedly illegal content, a reference to the legal ground relied on and explanations as to why the information is considered illegal on that ground.

(e) Where the decision is based on the alleged incompatibility of the information with the terms and conditions of the provider, **a reference to the contractual ground relied on and explanations as to why the information is considered to be incompatible with that ground**.

(f) Clear and user-friendly information on the possibilities for redress available to the recipient in respect of the decision, in particular through internal complaint-handling mechanisms (Art. 20), out-of-court dispute settlement (Art. 21) and judicial redress.

A generic reference to "community guidelines" or "terms of service" without identifying the specific clause is insufficient — see EU Commission guidance and the published Statement-of-Reasons database. If you have already published a statement of reasons in the DSA Transparency Database, provide the reference ID.

Failure to provide a compliant statement of reasons within a reasonable period (and in any case within 14 days) will be reported to the Digital Services Coordinator of [your EU member state] and, where applicable, to the European Commission for Very Large Online Platforms.

[your name]
[email]

To: [Platform] — Internal Complaint-Handling System (DSA Article 20)
Subject: Internal complaint under Art. 20 DSA, account [email], original decision [date]

I, [your name], resident of [EU member state], holder of account [email], lodge this internal complaint under Article 20 of Regulation (EU) 2022/2065 against your decision of [date] restricting / suspending / terminating my account.

The decision is contested on the following grounds (Art. 20(1)(a)–(d)):
- The information / account is not illegal content and is not incompatible with your terms and conditions, contrary to the basis stated.
- The statement of reasons you issued (or failed to issue) under Art. 17 does not identify a specific contractual clause and therefore cannot be lawfully relied upon.
- The decision was taken using automated means without meaningful human oversight, contrary to Art. 20(6).
- Imposing the restriction is disproportionate to any legitimate aim.

Facts: I have been locked out since [date]. I have completed your recovery flow approximately [number] times with correct credentials. Personal data and services I am unable to access: [list]. Concrete harm: [describe].

Pursuant to Art. 20(4) you must process this complaint in a timely, non-discriminatory, diligent and non-arbitrary manner. Pursuant to Art. 20(6), the decision on this complaint must be taken under the supervision of appropriately qualified staff and not solely on the basis of automated means.

Pursuant to Art. 20(5), please inform me without undue delay of your reasoned decision and of the possibility of out-of-court dispute settlement under Article 21 and other available means of redress.

I reserve the right to refer this matter to a certified Article 21 out-of-court dispute settlement body (including Appeals Centre Europe) and to the Digital Services Coordinator of [member state].

[your name]
[email]

To: [Platform] — Data Protection Officer (UK)
Subject: Subject Access Request, UK GDPR Article 15 and Data Protection Act 2018, account [email]

I am [your name], of the United Kingdom, and I am exercising my right of access under Article 15 of the UK GDPR and section 45 of the Data Protection Act 2018.

I require, within one calendar month of receipt (Art. 12(3)):

1. Confirmation as to whether you are processing personal data concerning me.
2. A copy of all personal data concerning me, including but not limited to that associated with account [email].
3. The purposes of the processing.
4. The categories of personal data concerned.
5. The recipients or categories of recipient to whom the data have been or will be disclosed, in particular recipients in third countries.
6. Where possible, the envisaged retention period or the criteria used to determine that period.
7. The existence of automated decision-making, including profiling, under Art. 22(1) and (4), and meaningful information about the logic involved as well as the significance and envisaged consequences of such processing for me.
8. Where the data have not been collected from me, all available information as to their source.

This includes data held in support tickets, internal abuse / risk scoring systems, shadow profiles, advertising and inferred-interest data, and any data shared with affiliated entities or processors.

Identity verification: I have been locked out of [email] since [date] after approximately [number] recovery attempts with correct credentials. Your inability to verify me through your normal flow does not extinguish my Art. 15 right — Recital 64 and ICO guidance require "reasonable means" of verification; government-issued ID and a signed declaration are available.

Failure to comply within one calendar month gives me the right to complain to the Information Commissioner's Office without further notice (s. 165 DPA 2018) and to bring a claim under s. 167 / Art. 82.

[your name]
[email]

To: [Platform] — Privacy Officer (Australia)
Subject: Australian Privacy Principle 12 request — access to personal information, account [email]

I am [your name], of Australia, and I am making a request under Australian Privacy Principle 12 (Schedule 1, Privacy Act 1988 (Cth)) for access to the personal information you hold about me, including all information associated with account [email].

APP 12.4 requires you to respond within a reasonable period after the request is made and to give access in the manner requested by me, unless impracticable. The OAIC considers 30 calendar days the outer bound of "reasonable" for an ordinary request.

I request access to:
1. All personal information you hold concerning me, in machine-readable form.
2. The categories of recipients to whom my personal information has been disclosed.
3. Information about whether my personal information has been disclosed overseas (APP 8) and the countries involved.
4. Any internal scoring, risk-flagging, or automated decision records associated with my account.

Background: I have been locked out of [email] since [date], after approximately [number] recovery attempts. Your failure to verify me through your normal recovery flow does not relieve you of your APP 12 obligations — APP 12.5 permits alternative verification, and I am willing to provide government-issued ID.

If access is refused (in whole or in part), I require written reasons and notice of complaint mechanisms, as required by APP 12.9.

Failure to respond within 30 days will be referred to the Office of the Australian Information Commissioner (OAIC) under s. 36 of the Privacy Act.

[your name]
[email]