Section 1 – GDPR Violations by the IA1. Unlawful Processing Without a Legal Ba

1. Section 1 – GDPR Violations by the IA
2. 1. Unlawful Processing Without a Legal Basis (Article 6)
3. Per Article 6(1), processing of personal data is lawful only if one of the legal bases applies,
4. including the data subject's explicit consent (Article 4(11)) or contractual necessity. The IA
5. collects and archives personal data (Article 4(1)) from third-party websites without consent or
6. notice, in violation of Article 6(1)(a) and (f). The activities of web crawling, duplicating, storing,
7. and making available personal data clearly fall under the definition of “processing” under Article
8. 4(2). The IA's default position of scraping all content regardless of public interest does not
9. qualify as a legitimate interest, nor has a balancing test under Article 6(1)(f) been demonstrated.
10. 2. Misapplication of Public Interest (Articles 5, 89, Recitals 157, 158)
11. The IA routinely invokes Article 89(1) (processing for archival purposes in the public interest)
12. without satisfying the substantive criteria. For this exemption to apply, the processing must:
13. serve a genuine and substantial public interest (e.g., educational, historical, scientific, or
14. journalistic purposes) (Recitals 157, 158), be subject to appropriate safeguards, and respect
15. data minimization and necessity principles (Article 5(1)(c), 5(1)(e)). The indiscriminate scraping
16. and retention of non-public, personal, and semi-private content such as personal blogs, social
17.  
18. profiles, or deleted/modified web pages clearly exceeds what is necessary for a legitimate public
19. interest archive. As such, the IA’s reliance on Article 89 is legally unfounded.
20. 3. Failure to Inform Data Subjects (Article 5, 13, 14)
21. Where personal data is not collected directly from the data subject, Article 13 and Article 14(1)
22. obliges the controller (Article 4(7)) to provide information including: the identity and contact
23. details of the controller, the purposes and legal basis for processing, the categories of data
24. involved, retention periods, and the rights of the data subject. The IA does not notify affected
25. individuals when it collects and archives their data, nor does it offer any public mechanism for
26. identifying or objecting to such processing. This violates the transparency principle under Article
27. 5(1)(a).
28. 4. Excessive Retention (Article 5)
29. The IA stores personal data indefinitely, including in backup systems, without a defined retention
30. schedule or regular erasure mechanism. This is incompatible with the storage limitation principle
31. under Article 5(1)(e), which mandates data be kept only for as long as necessary for the
32. purposes originally collected. Archiving “everything forever,” including obsolete, harmful, or
33. contested data, clearly exceeds what is proportionate or necessary under GDPR standards.
34. 5. Failure to Respond to Erasure Requests (Articles 12, 17)
35. Under Article 17(1) (Right to Erasure) and Article 12(3), a controller must respond to valid data
36. deletion requests within one month. In multiple documented cases including mine, the IA has:
37. not responded within the deadline, failed to confirm any deletion or legal basis for refusal, or
38. offered vague responses about “exclusion” without any erasure. This constitutes a direct
39. violation of Articles 12 and 17 and demonstrates systemic failure to uphold data subject rights.
40. 6. Incomplete Erasure (Recital 66)
41. Instead of fully deleting personal data upon request, the IA often merely “excludes” it from public
42. view while retaining the data internally. Per Recital 66, controllers must take reasonable steps to
43. erase all replications, including: backups, indexed copies, and any further dissemination. This
44. form of concealment is not equivalent to erasure. As long as the data remains stored or
45. accessible internally, it is still being “processed” (Article 4(2)) and therefore remains under the
46. controller’s obligations.
47. 7. Processing Special and Potentially Sensitive Categories of Data (Article 9)
48. The IA may be processing special categories of personal data (e.g., political views, health
49. information, personal identifiers tied to minors, usernames linked to behavior, etc.) without
50. satisfying the exceptions in Article 9(2). In many cases, the archived data also includes: phone
51. numbers, emails, real names, photos, personal identifiers (such as age, location, etc.), data
52.  
53. from minors (violation of COPPA), and entire web pages. This heightens the severity of the data
54. protection violations and suggests lack of adequate internal data classification and safeguards.
55. 8. No Designated Data Protection Officer (Articles 37, 38, 39)
56. Under Article 37(1)(b), a Data Protection Officer (DPO) is required when processing operations:
57. involve regular and systematic monitoring of data subjects on a large scale, or involve special
58. categories of data (Article 9). Despite operating a platform that systematically collects and
59. reproduces personal data from across the globe, the IA provides no accessible DPO contact
60. and appears not to have designated a qualified DPO according to their Bios. This is a
61. governance failure under Articles 37–39.
62. 9. Inadequate Technical and Organizational Measures (Articles 5, 32)
63. Article 32 requires data controllers to implement measures ensuring a level of security
64. appropriate to the risk. Given the scale of IA’s duplication and distribution systems, and the lack
65. of deletion pathways, it is unlikely that they: apply proper access controls, enforce deletion from
66. backups, or prevent unauthorized internal access. The lack of any external audit or compliance
67. transparency also raises concerns about data integrity and confidentiality (Article 5(1)(f)).
68. 10. General Evasion of Data Subject Rights (Articles 12, 13, 14, 15, 17, 21)
69. The IA creates systemic obstacles to users exercising their rights under GDPR by: obscuring
70. their internal policies, failing to provide a working request form, ignoring or delaying responses,
71. and denying access to meaningful erasure options. This constitutes a violation of: Article 12
72. (Transparent communication), Articles 13–15 (Right to information and access), Article 17
73. (Erasure), Article 21 (Right to object), and probably more.
74. Section 2 – CCPA Violations by the IA
75. 1. Collection Without Notice (§1798.100)
76. The IA archives and processes personal information (names, usernames, emails, etc.) without
77. informing users at or before the point of collection. There’s no notice or “right to know”
78. disclosure, especially when content is scraped.
79. 2. Failure to Honor Deletion Requests (§1798.105)
80. If a user makes a verified request to delete personal data, the service must: respond within
81. specific deadlines, erase the data from systems (including backups), and confirm the request is
82. completed. As mentioned above, the IA has a history of “excluding” content (hiding it) instead of
83. erasing it, which does not fulfill the deletion requirement.
84. 3. No Access or Disclosure Rights Fulfilled (§1798.100, 1798.110, 1798.115)
85.  
86. Consumers have the right to request: what personal data is collected, how it’s used and with
87. whom it’s shared, and where it came from. The IA provides no clear mechanism or response
88. process for such access requests.
89. 4. Retention Policy Not Transparent (§1798.100, 1798.130)
90. CCPA requires a description of how long data is retained or the criteria used to determine
91. retention. The IA keeps data indefinitely without disclosing any justification or retention
92. schedule.
93. 5. No Easily Accessible Privacy Policy (§1798.130)
94. The IA’s privacy policy (if it exists) is not clearly accessible from all pages, nor does it outline
95. consumer rights as required under California law.
96. Section 3 – COPPA Violations by the IA
97. 1. Collecting Personal Info from Children Without Verifiable Parental Consent (§312.5)
98. The IA archives: profiles, posts, comments, and entire web pages which often contain names,
99. usernames, photos, voice, IPs, and identifiers of children under 13. There is no consent
100. mechanism, nor do they even attempt to verify age.
101. 2. No Direct Notice to Parents (§312.4)
102. COPPA requires direct notice to parents before any collection of personal data from children.
103. The IA does not notify parents when a child’s webpage or content is archived.
104. 3. Failure to Honor Erasure Requests for Children (§312.6)
105. If a parent or guardian requests deletion of a child’s data, it must be fully removed including from
106. backups. The IA’s “exclude” system is not compliant under COPPA as the data still exists
107. internally.
108. 4. No Privacy Policy for Children (§312.3, 312.4)
109. Any service likely to process children’s data must have a clear, child-friendly privacy policy as
110. well as state what data is collected, how it’s used, and how to request deletion. The IA does not
111. have a specific COPPA-compliant privacy policy or a special section addressing children’s data.
112. 5. Passive Collection from Third-Party Sites Visited by Children
113.  
114. Even if the IA does not directly target children, archiving children’s websites, gaming forums, or
115. educational tools that have a strong likelihood of being used by minors still falls under COPPA if
116. the audience includes under-13s, and no consent was obtained from guardians.