Video description as of 2023-06-23 10:15 PDT:

This video shows that Reddit refused to delete all comments and posts of its users when they close their account via a CCPA / GDPR request. Posts and comments may contain PII. Specifically, Reddit tells users that they must delete the content themselves, which isn’t realistic if a user creates a lot of posts. Even if a user does delete their content, Reddit restores the content within a few days.

Video transcript:

  • 2023-06-13 @ 15:15 PDT: user states he deleted all posts and comments
  • 2023-06-16 @ 10:15 PDT (3 days later): user states all posts and comments have been restored
  • 2023-06-19: user decides to submit a legal request under CCPA to delete content
  • 2023-06-19 @ 11:07 PDT: user receives reply from “Reddit Legal Support” (RLS) which states they will delete the account but not the content associated with the account. It is up to the owner of the account to remove the content [e-mail contents reproduced below]
Reddit Legal Support (Reddit Support)
Jun 19, 2023, 11:07 PDT

Hello,

We would be happy to help you delete your Reddit account if you have one. Before we proceed please note:

 1. Account deletion is irreversible.
 2. Posts and comments must be separately deleted before deleting your account. If not separately deleted, the content of the posts and comments will remain visible and disassociated from any account. If you want your posts and comments removed, follow the instructions on our help page. 

Once the above mentioned information is removed to your satisfaction, please submit your deletion request by using your Reddit account and this form so we know it's really you making the request.

More information about account deletion is available in our Privacy Policy.

Kind regards,

Reddit Legal Support
  • 2023-06-19 @ 12:02 PDT: user replies back to RLS stating it is unrealistic expectation for end user to manually delete and alleges violation of CCPA [reply reproduced below]
Hello,

If I understand your response properly, you are refusing to delete all data associated with my account. I believe this is illegal and in violation of the CPR. In this case the onus is on you, Reddit, to delete all of the content associated with my account. 

It is besides the point but last week I already deleted all of the posts and comments associated with my account. However Reddit has since restored most of the content.

It is untenable to demand all users to manually delete content when Reddit itself does not provide a self-serve mechanism to mass-delete content. Some users have thousands of posts and millions of comments. 

Just as a reminder, my CPA request to delete my account and all associated data was made on June 19th 2023 and must be completed by August 3rd 2023.
  • 2023-06-24 @ 10:45 PDT: user has not received a reply from RLS. He decided to painstakingly delete all posts and comments while screen recording the effort. Video continues with the user manually deleting posts for his account (https://www.reddit.com/user/nucleocide). Then fast forwards to the end of the segment where the last posts are deleted
  • 2023-06-25 @ 10:25 PDT: user discovers posts and comments are restored, again

User concludes video and clarifies why this is a violation of CCPA:

At this point it appears impossible to manually delete posts and comments on Reddit and expect them to stay deleted. 

By not deleting all posts and comments in an automated way there is no way to guarantee that no PII [Personally Identifiable Information] has been left behind.

For example ...

<user gives example of a comment from 6 months ago on his account which includes his real first name and last name. Screen capture shows the comment was edited recently>

Since there is no guarantee that every single post and comment is free from PII, Reddit must delete all comments and posts from an account upon receiving a GDPR / CPA request.

Reddit Discussion on “/r/videos”: https://old.reddit.com/r/videos/comments/14je01k/reddit_may_be_violating_the_fucking_ccpa/

[2023-06-23 14:52 PDT] edit ~ formatting, fix title typo

  • @mallocOP
    link
    English
    1771 year ago

    Decided to expand on the original video and include a transcription of the events in the video. Hope this helps our visually impaired folks.

    Personally, I find this disgusting. Hope Reddit gets litigated up the ass.

    • @Merulox
      link
      English
      531 year ago

      Good work on the transcription, it must’ve taken a while to do.

      • @mallocOP
        link
        English
        40
        edit-2
        1 year ago

        Normally, transcription like this will take a long time. However, since it’s largely text based (e-mails, viewing reddit) and relatively short. It was pretty easy to transcribe to text. With the help of some macOS features like copying and pasting from video, it became a non-trivial task.

        I think I spent more time on formatting rather than on transcription.

    • nevernevermore
      link
      fedilink
      281 year ago

      Seriously, thank you for that extra mile. This is the kind selflessness that I remember on the old internet

    • @SomeoneElse
      link
      English
      161 year ago

      Thank you. I’m not visually impaired but I have cognitive issues that make watching videos difficult. I appreciate your time and effort 😊

  • @HerrLewakaas
    link
    English
    641 year ago

    This seems enough to me to sue them on grounds of violating the GDPR. Not sure where spez is going with this but paying GDPR fines will most definitely not do any good to reddit’s profitability lol

    • @ozillator
      link
      English
      -371 year ago

      How does one go about holding a US based company accountable violating an EU law that they aren’t required to comply with?

      • @romaselli
        link
        English
        73
        edit-2
        1 year ago

        They are required to comply with it if they want to offer services to European customers. If they don’t comply with the local regulation they will face fines and if they don’t pay them and become compliant, they might have their access blocked from within the EU.

        The same is true for Brazil, which has similar legislation to the GDPR to protect Brazilian users from online services abusive practices regarding their data. Services can and have been blocked in Brazil for failing to comply with local regulations.

        • @Gabu
          link
          English
          101 year ago

          Adding to this, while there are certainly ways to bribe the Brazilian regulatory and supervisory bodies, they’re pretty damn heavy handed and pro-consumer to begin with. One agency has recently fined Netflix for their bait-and-switch marketing to what is estimated as several hundred million USD, with even bigger fines to come.

        • @jcg
          link
          English
          31 year ago

          Has this ever actually happened?

          • @romaselli
            link
            English
            33
            edit-2
            1 year ago

            In Europe fines have been dealt but no blocking yet as far as I am aware. Just the fine and threat of a block happening is usually enough to make companies comply because they don’t want to lose out on the market share.

            Edit: Link to Europe statistics: https://www.privacyaffairs.com/gdpr-fines/

          • Jon-H558
            link
            fedilink
            61 year ago

            A lot of local.usa news sites region block EU ipaddresses to premptivly as they do a lot of tracking.etc that would.violate it so they just chose not to have the hassle of eu visitors

            • @jcg
              link
              11 year ago

              Yeah I read about that but it seems to be voluntary. I haven’t read anything about anyone actually being blocked, but it seems to be because the threat of a fine and blocking is enough. Another commenter pointed out they have offices within the EU so I guess EU officials could chase them up there.

        • @mallocOP
          link
          English
          -101 year ago

          So Brazil has the equivalent of China’s firewall? Or is this something implemented at the ISP level?

          • @romaselli
            link
            English
            111 year ago

            It’s implemented at the ISP level, Brazilian courts can mandate all nationally operating ISPs and mobile carries to block certain websites or services if they fail to comply with for example a judicial warrant. This has happened twice with WhatsApp for instance, and Telegram was threatened with it as well because they refused to hand over the identities of neonazi domestic terrorist groups.

              • @Gabu
                link
                English
                71 year ago

                The average user doesn’t even know what a proxy is. At that point, you’ve killed profitability.

              • @romaselli
                link
                English
                51 year ago

                I am aware, but businesses generally don’t want their users to jump through hoops to be able to access their services.

      • @SuperIce
        link
        English
        341 year ago

        They are required to comply with the GDPR to operate in Europe.

        • @sudneo
          link
          English
          151 year ago

          Even more, they are required to comply if they target European countries as a market. For example, if you have registration open and you have translations in - say - French, Italian, German etc. It is already enough to force you to comply, as there is the clear intent of targeting European users.

      • @phx
        link
        English
        291 year ago

        The same way they have with Facebook, Google etc. If they continue to do business in Europe with European users, they comply with European law or get fined significant amounts.

        • @HamSwagwich
          link
          English
          81 year ago

          That Irish sandwich corporate structure (that’s really a thing , I’m not making it up) to dodge taxes is coming home to bite them in the ass. How delicious…

      • Anti-Antidote
        link
        English
        131 year ago

        It’s either comply with laws regarding EU users or get blocked from operating in EU countries, I’m not sure of the entire process though

        • @Cannacheques
          link
          English
          11 year ago

          Internet empires like Facebook and Reddit have a lot of grey area to be honest

      • @SuperIce
        link
        English
        11 year ago

        deleted by creator

  • @yeeter
    link
    English
    56
    edit-2
    1 year ago

    Discord is worse. At least Reddit lets you delete everything you post. With Discord, if you are banned from a server, then there is no way to delete your posts in that server. That is insane to me in this day and age.

  • static
    link
    fedilink
    42
    edit-2
    1 year ago

    Interesting, from a GDPR perspective this is unacceptable.
    Pondering about a proper GDPR complaint.

    some of my old reddit accounts might have > 1000 comments.

    • @mallocOP
      link
      381 year ago

      The video creator appears to be from California, since he was trying to claim account deletion under CCPA. If reddit legal support is also slow rolling account and associated content deletion as well for GDPR, then the legal blowback could be massive.

      • static
        link
        fedilink
        13
        edit-2
        1 year ago

        I assume that they just don’t have the infrastructure to do it, otherwise they would just use GDPR code for CCPA.

        As a software developer: GDPR was a real pain to refit into an old legacy system. It’s less of a pain if you know beforehand and can plan ahead.

        • CMLVI
          link
          fedilink
          13
          edit-2
          1 year ago

          Would suck if they had to spend money on the infrastructure to mass-delete data that the deletion of lessened their value to investors.

          Shame.

          • static
            link
            fedilink
            11
            edit-2
            1 year ago

            It’s a flawed risk assesment.
            short term not complying is much cheaper. long therm it’s bad, but for the individual : “whatever, I got my bonus and switched to another position”

            • @sudneo
              link
              31 year ago

              It’s actually a risky game. It doesn’t happen often, but under GDPR not complying can result in the stop of data processing. It happened recently with Italy and OpenAI for example. If that happens, reddit would be forced to stop processing any data from people coming from that particular country, or countries, because each data protection authority can act. Of course that is the equivalent of a nuke, but it can happen, and if it happens I am not sure anybody is getting bonuses soon…

    • @eleitl
      link
      291 year ago

      My account is 16+ year old and has 300 k combined karma. I will be sure to contact my data protection officer to complain. Reddit needs an audit to document they wipe the db properly, and the data is gone from backups. Not just my data, anything they got on me.

      • fishcurry509
        link
        31 year ago

        After seeing the comments above, I was about to say precisely this. Getting the data protection authority involved is the most sensible way.

    • @vanillabear
      link
      21 year ago

      It´s worth a try isn´t it? Maybe there are templates to use?

  • @NMSGalacticHub
    link
    English
    391 year ago

    That’s insane. I’m no lawyer but I’ve used the CCPA to get my info removed from a lot of those data-broker sites. It’s always immediate, “Okay, we’ve removed your information.” California better hit Reddit hard for this, and Europe too.

  • pollodiabolo
    link
    fedilink
    371 year ago

    so the CEO known for sharing pornographic pictures of minors online does not respect people’s privacy after all? who would’ve thought

      • 1st
        link
        fedilink
        231 year ago

        Spez was a mod of /r/jailbait

        Worth noting that at the time users did not need to agree to be a moderator, it could be thrust upon them. I’ve heard that he had comments both on the sub and comments defending it, but have not personally seen any proof of that.

        It’s not strictly untrue, but it has implications that I don’t personally quite believe (though I’m willing to change that opinion if somebody has evidence).

        • @Pixelologist
          link
          11 year ago

          He made a special award for them for being the ‘worst sub of the year’

      • @[email protected]
        link
        fedilink
        19
        edit-2
        1 year ago

        Back in the day invitations to be a mod were auto-accepted so the mod of /r/jailbait added him to the modlist

        The guy’s a crappy CEO I’m not sure why people have meme about stupid shit like the above to distract from that especially on the fediverse which has it’s share of questionable content

      • Bonehead
        link
        fedilink
        121 year ago

        Spez was a mod of the jailbait sub before the corporate buyout shut it down. Technically we don’t know if he shared any pictures, but we know he was a mod at one point.

        • TWeaK
          link
          fedilink
          131 year ago

          It should also be said that back then you could nominate users to be a mod and appoint them without their input.

        • Roboticide
          link
          131 year ago

          He’s a piece of shit, but worth noting he was a mod of /r/jailbait at a time that mod requests sent to users were auto-accepted. He did not need to actively do anything. All he needed to do was ignore his Moderator privileges and inbox for a while.

  • @thatwill
    link
    English
    301 year ago

    I made a GDPR request through reddithelp.com last night; maybe I shouldn’t have bothered! Assuming I don’t hear back, I’ll resend the request via email then report them to the Information Commissioner (UK gov dept) if I’ve had no proper response.

    By the way, I’m not sure if the California law is the same, but with a GDPR “right to be forgotten” request, the organisation must delete your data from their backups (or at least make sure your data will not be restored from a backup). Asking you to delete your own comments clearly won’t meet that requirement.

    • @Tired8281
      link
      English
      141 year ago

      I’m gonna send mine registered mail. The way they have been behaving, I wouldn’t put it past them to just send requests straight to the trash, then claim they never received them with a shit eating grin on their face.

      • @Lenny
        link
        English
        2
        edit-2
        1 year ago

        Wish i did it via mail. There’s no proof/track otherwise (unless you record it).

        Requested my data last week. Does anybody know the legal timeframe for them to comply?

  • Techie
    link
    English
    301 year ago

    I really hope the GDPR is put to full use here.

    I’m curious though, what would happen if someone sent a GDPR deletion request to a Lemmy instance? The server admin would then delete the posts and account, but what if some other instances had defederated after the user made the posts, how would it be possible to make sure the posts are deleted from those instances as well? In theory that could be hundreds of servers. I guess the user would have to reach out to each instance?

    • @samus12345
      link
      English
      161 year ago

      Good question. Yes, it would be much harder because you’re basically shotgunning your posts all over the place when posting here. I would think it’s pretty much impossible to make sure that every single instance of it is gone.

      • @TechnoBabble
        link
        English
        71 year ago

        As far as I can tell, GDPR is a defense against corporations who claim to own your data, and hold that data hostage. But it’s not a infallible tool to scrub data from the internet.

        Think about a tweet that’s been screenshotted throughout the Internet. Twitter would have to delete the original post and and data they control, but I imagine they have no liability for the outsiders taking screenshots.

        How GDPR applies to Lemmy may have to be explored in court.

        But I’m just a layperson without specific knowledge of the law, so that legal framework may already exist.

        • @CinnerB
          link
          English
          11 year ago

          This is exactly what it is.

    • @Zuberi
      link
      English
      41 year ago

      Lemmy isn’t a single entity. Not sure it applies here but who knows. The future cases will be wild

    • drphungky
      link
      English
      4
      edit-2
      1 year ago

      It would basically be the same experience as leaked nudes currently. Whack-a-mole with dozens of different sites and needing to send a takedown request to each one, some of them sketchy or based in other geographies/jurisdictions.

      Reddit has sites like push shift that copy every single post permanently for academic use. It’s unlikely that there won’t be (or already aren’t) similar data vacuums for the Fediverse. In my opinion it’s a good idea to think of everything on the Fediverse as permanent.

    • @Luvs2Spuj
      link
      English
      21 year ago

      It could be that if there isn’t a mechanism in place the EU would likely review GDPR for this new scenario (federation) and produce an ammendment to GDPR. It’s a bit of a minefield, but I’m sure it would be looked into if/when the EU had to deal with this and come up with a solution. It could be that many small instances that are non compliant regularly get nuked and the larger ones are able to be compliant and keep going.

      They could consider action to remove the service from the EU if federated services cannot be regulated, but I doubt this is possible due to the concept of federation.

  • @Maraval26
    link
    English
    291 year ago

    That is crazy. I spent hours one week ago deleting manually all my comments. I had an empty profile. After reading this post I checked my account and all my comments are back. That is crazy. What a shit company. I’m hesitant to submit GDPR request since I feel like I’ll lost account access with comments still visible…

    • @overlordror
      link
      English
      161 year ago

      I guarantee most power users are the ones who are upset about this change. Losing decades of content they created for free hurts reddit unimaginably. How many articles have you seen about SEO ruining Google and needing to append ‘reddit’ to searches?

      Power users deleting their content ruins that search engine to reddit pipeline.

    • @Zardoz
      link
      English
      81 year ago

      Tried this last night and my posts are back too. Thinking about editing each and replacing with some shit about spez. That will surely get it removed

  • @RightHandOfIkaros
    link
    English
    241 year ago

    Is anyone surprised at this?

    I think Reddit should be forced to retroactively delete all comments and post history from users who have since deleted their account. If the user account was deleted, there is no reason they should be allowed to keep the data on that deleted account, period.

    • @MegaUltraChicken
      link
      English
      141 year ago

      At the very least a company should be required to give the option to nuke your data when deleting an account. Not sure if this exists in any legislation but would be useful.

    • @mallocOP
      link
      English
      81 year ago

      Not really. The list of controversies from reddit have continued to increase since 2014. The latest controversy was just the last straw that broke the camel’s back.

      Personally, I am not familiar with CCPA, so I can not really comment on the justifications claimed by the video creator. But the fact that reddit legal support is slow rolling the deletion of the content generated is just scummy.

    • @hamFoilHat
      link
      English
      81 year ago

      Or if the account is permabanned. Pretty much any time an account is no longer accessable.

  • @Maggoty
    link
    English
    21
    edit-2
    1 year ago

    Well shoot. I’m in California these days and recently deleted all my comments on Reddit. I’ll have to monitor and see if they come back…

    Edit - update, it looks like they’ve restored some but not others. That might have something to do with the multiple overwrites I did.

    • Overzeetop
      link
      English
      9
      edit-2
      1 year ago

      Lots of zombie posts. I had to run power delete every day for 7 days before it stopped seeing posts reappear.

      Edit: as others have mentioned, the posts in locked subs don’t appear to be visible or, at least, deleteable by PDS. When subs reopen the posts re-appear. I just had all my Plex posts pop back up when the mods caved to “popular” opinion and reopened. I put popular in quotes because I presume all polls are now being brigaded by the administration.

      • @Maggoty
        link
        English
        31 year ago

        Yeah I should have kept it going for a few more days.

        • Overzeetop
          link
          English
          51 year ago

          But you shouldn’t have to, really.

    • @NuclearArmWrestling
      link
      English
      11 year ago

      Mine came back. If I’m using a VPN out of the EU, would the GDPR apply to me?