Reddit user alleges California Consumer Privacy Act (CCPA) non-compliance/violation; and finds it difficult to delete posts and content on Reddit
Video description as of 2023-06-23 10:15 PDT:
This video shows that Reddit refused to delete all comments and posts of its users when they close their account via a CCPA / GDPR request. Posts and comments may contain PII. Specifically, Reddit tells users that they must delete the content themselves, which isn't realistic if a user creates a lot of posts. Even if a user does delete their content, Reddit restores the content within a few days.
Video transcript:
2023-06-13 @ 15:15 PDT: user states he deleted all posts and comments
2023-06-16 @ 10:15 PDT (3 days later): user states all posts and comments have been restored
2023-06-19: user decides to submit a legal request under CCPA to delete content
2023-06-19 @ 11:07 PDT: user receives reply from "Reddit Legal Support" (RLS) which states they will delete the account but not the content associated with the account. It is up to the owner of the account to remove the content [e-mail contents reproduced below]
Reddit Legal Support (Reddit Support)
Jun 19, 2023, 11:07 PDT
Hello,
We would be happy to help you delete your Reddit account if you have one. Before we proceed please note:
1. Account deletion is irreversible.
2. Posts and comments must be separately deleted before deleting your account. If not separately deleted, the content of the posts and comments will remain visible and disassociated from any account. If you want your posts and comments removed, follow the instructions on our help page.
Once the above mentioned information is removed to your satisfaction, please submit your deletion request by using your Reddit account and this form so we know it's really you making the request.
More information about account deletion is available in our Privacy Policy.
Kind regards,
Reddit Legal Support
2023-06-19 @ 12:02 PDT: user replies back to RLS stating it is an unrealistic expectation for the end user to manually delete and alleges violation of CCPA [reply reproduced below]
Hello,
If I understand your response properly, you are refusing to delete all data associated with my account. I believe this is illegal and in violation of the CPR. In this case the onus is on you, Reddit, to delete all of the content associated with my account.
It is beside the point, but last week I already deleted all of the posts and comments associated with my account. However, Reddit has since restored most of the content.
It is untenable to demand all users to manually delete content when Reddit itself does not provide a self-serve mechanism to mass-delete content. Some users have thousands of posts and millions of comments.
Just as a reminder, my CPA request to delete my account and all associated data was made on June 19th 2023 and must be completed by August 3rd 2023.
2023-06-24 @ 10:45 PDT: user has not received a reply from RLS. He decided to painstakingly delete all posts and comments while screen recording the effort. Video continues with the user manually deleting posts for his account (https://www.reddit.com/user/nucleocide). Then fast forwards to the end of the segment where the last posts are deleted
2023-06-25 @ 10:25 PDT: user discovers posts and comments are restored, again
User concludes video and clarifies why this is a violation of CCPA:
At this point it appears impossible to manually delete posts and comments on Reddit and expect them to stay deleted.
By not deleting all posts and comments in an automated way there is no way to guarantee that no PII [Personally Identifiable Information] has been left behind.
For example ...
<user gives example of a comment from 6 months ago on his account which includes his real first name and last name. Screen capture shows the comment was edited recently>
Since there is no guarantee that every single post and comment is free from PII, Reddit must delete all comments and posts from an account upon receiving a GDPR / CPA request.
Normally, transcription like this will take a long time. However, since it's largely text based (e-mails, viewing reddit) and relatively short, it was pretty easy to transcribe to text. With the help of some macOS features like copying and pasting from video, it became a non-trivial task.
I think I spent more time on formatting rather than on transcription.
This seems enough to me to sue them on grounds of violating the GDPR. Not sure where spez is going with this but paying GDPR fines will most definitely not do any good to reddit's profitability lol
They are required to comply with it if they want to offer services to European customers. If they don't comply with the local regulation they will face fines and if they don't pay them and become compliant, they might have their access blocked from within the EU.
The same is true for Brazil, which has similar legislation to the GDPR to protect Brazilian users from online services abusive practices regarding their data. Services can and have been blocked in Brazil for failing to comply with local regulations.
The same way they have with Facebook, Google etc. If they continue to do business in Europe with European users, they comply with European law or get fined significant amounts.
Discord is worse. At least Reddit lets you delete everything you post. With Discord, if you are banned from a server, then there is no way to delete your posts in that server. That is insane to me in this day and age.
Yes, reddit lets you delete everything you post but then they secretly repost it all a few days later. I'd argue that's worse because they make you think it's deleted but it's not.
This behavior is demonstrated in the video and many other reddit users have posted similar complaints recently. I have personally experienced the same issue.
At least Reddit lets you delete everything you post
Only the last 1000 comments or so. Earlier comments get dropped from your user profile and become virtually inaccessible, only findable with a google search.
Also, comments from closed subreddits are inaccessible to you, but still there (i.e. when the subreddit reopens, they will become available again).
The video creator appears to be from California, since he was trying to claim account deletion under CCPA. If reddit legal support is also slow rolling account and associated content deletion as well for GDPR, then the legal blowback could be massive.
My account is 16+ years old and has 300k combined karma. I will be sure to contact my data protection officer to complain. Reddit needs an audit to document they wipe the db properly, and the data is gone from backups. Not just my data, anything they got on me.
That's insane. I'm no lawyer but I've used the CCPA to get my info removed from a lot of those data-broker sites. It's always immediate, "Okay, we've removed your information." California better hit Reddit hard for this, and Europe too.
Worth noting that at the time users did not need to agree to be a moderator, it could be thrust upon them. I've heard that he had comments both on the sub and comments defending it, but have not personally seen any proof of that.
It's not strictly untrue, but it has implications that I don't personally quite believe (though I'm willing to change that opinion if somebody has evidence).
Back in the day invitations to be a mod were auto-accepted so the mod of /r/jailbait added him to the modlist
The guy's a crappy CEO. I'm not sure why people have meme about stupid shit like the above to distract from that, especially on the fediverse, which has its share of questionable content
Spez was a mod of the jailbait sub before the corporate buyout shut it down. Technically we don't know if he shared any pictures, but we know he was a mod at one point.
I made a GDPR request through reddithelp.com last night; maybe I shouldn't have bothered! Assuming I don't hear back, I'll resend the request via email then report them to the Information Commissioner (UK gov dept) if I've had no proper response.
By the way, I'm not sure if the California law is the same, but with a GDPR "right to be forgotten" request, the organisation must delete your data from their backups (or at least make sure your data will not be restored from a backup). Asking you to delete your own comments clearly won't meet that requirement.
I'm gonna send mine registered mail. The way they have been behaving, I wouldn't put it past them to just send requests straight to the trash, then claim they never received them with a shit eating grin on their face.
I'm curious though, what would happen if someone sent a GDPR deletion request to a Lemmy instance?
The server admin would then delete the posts and account, but what if some other instances had defederated after the user made the posts, how would it be possible to make sure the posts are deleted from those instances as well? In theory that could be hundreds of servers. I guess the user would have to reach out to each instance?
Good question. Yes, it would be much harder because you're basically shotgunning your posts all over the place when posting here. I would think it's pretty much impossible to make sure that every single instance of it is gone.
As far as I can tell, GDPR is a defense against corporations who claim to own your data, and hold that data hostage. But it's not an infallible tool to scrub data from the internet.
Think about a tweet that's been screenshotted throughout the Internet. Twitter would have to delete the original post and data they control, but I imagine they have no liability for the outsiders taking screenshots.
How GDPR applies to Lemmy may have to be explored in court.
But I'm just a layperson without specific knowledge of the law, so that legal framework may already exist.
It would basically be the same experience as leaked nudes currently. Whack-a-mole with dozens of different sites and needing to send a takedown request to each one, some of them sketchy or based in other geographies/jurisdictions.
Reddit has sites like Pushshift that copy every single post permanently for academic use. It's unlikely that there won't be (or already aren't) similar data vacuums for the Fediverse. In my opinion it's a good idea to think of everything on the Fediverse as permanent.
It could be that if there isn't a mechanism in place the EU would likely review GDPR for this new scenario (federation) and produce an amendment to GDPR. It's a bit of a minefield, but I'm sure it would be looked into if/when the EU had to deal with this and come up with a solution. It could be that many small instances that are non-compliant regularly get nuked and the larger ones are able to be compliant and keep going.
They could consider action to remove the service from the EU if federated services cannot be regulated, but I doubt this is possible due to the concept of federation.
That is crazy. I spent hours one week ago deleting manually all my comments. I had an empty profile. After reading this post I checked my account and all my comments are back. That is crazy. What a shit company. I’m hesitant to submit GDPR request since I feel like I’ll lose account access with comments still visible…
I guarantee most power users are the ones who are upset about this change. Losing decades of content they created for free hurts reddit unimaginably. How many articles have you seen about SEO ruining Google and needing to append 'reddit' to searches?
Power users deleting their content ruins that search engine to reddit pipeline.
I think Reddit should be forced to retroactively delete all comments and post history from users who have since deleted their account. If the user account was deleted, there is no reason they should be allowed to keep the data on that deleted account, period.
At the very least a company should be required to give the option to nuke your data when deleting an account. Not sure if this exists in any legislation but would be useful.
Not really. The list of controversies from reddit have continued to increase since 2014. The latest controversy was just the last straw that broke the camel's back.
Personally, I am not familiar with CCPA, so I can not really comment on the justifications claimed by the video creator. But the fact that reddit legal support is slow rolling the deletion of the content generated is just scummy.
Lots of zombie posts. I had to run power delete every day for 7 days before it stopped seeing posts reappear.
Edit: as others have mentioned, the posts in locked subs don't appear to be visible or, at least, deletable by PDS. When subs reopen the posts re-appear. I just had all my Plex posts pop back up when the mods caved to "popular" opinion and reopened. I put popular in quotes because I presume all polls are now being brigaded by the administration.
We'll see what they do. What I flagged I am the registered copyright holder for. Metallica proved that we can treat them stealing copyrighted material that was expressly forbidden like it's industrial espionage, I'm sure I can find an IP lawyer with a raging hate-on for Reddit.
It's funny. I got a little drunk and posted something on Reddit I really ought not have. I went back a day later and deleted it. A day after that, the comment came back, and I was suspended for three days over it. If you hadn't brought that comment back from the dead, this wouldn't even have happened, but okay, whatever. It wasn't like I wanted to spend too much time at Reddit after the lemur-eyed, horse-teethed worm told us how expendable we all are as users.
One other thing to note is that many of these companies don’t even try to determine if you live in California or not. I have worked for two large tech companies on data governance issues and we didn’t even bother to check. If we got a request we would comply with CCPA. It was not worth the potential fines to try and only comply with CA residents. Reddit's whole business model is based on that data though so they may deem it worth the effort.
From my quick reading Privacy Act 1988 and GDPR are fairly consistent with each other, but our legislation is a bit outdated. It seems to be amended every few months, but only in relation to niche clauses that cover very specific circumstances about someone in a particular role and their specific ability to interact with data.
- There is no distinction in Privacy Act between a data processor and a data controller. GDPR regulates individual responsibilities for both.
- In the Privacy Act there's nothing to stop multiple de-identified datasets from being cross referenced together in a way that could re-identify the data subject.
- The legal basis to protect consumers from collection of personally identifiable data is stronger under GDPR. The only thing an Aus organisation needs to do to collect sensitive data is establish that it's 'reasonably necessary' for their core business operation.
Also note that although GDPR is a European union regulation, many Australian businesses are still beholden to it, e.g. if they knowingly collect information from European customers or have a branch located in EU. You can't really have an EU branch that's GDPR-compliant if your parent company overseas isn't.
Is there a bot / tool to edit my reddit posts in batch? Seems that editing could be harder to mass reverse as it requires someone to review if the edit was for better or worse.
Alternatively to keep on deleting my reddit posts every day?
I am right this second in the process of using PowerDeleteSuite to edit all my old reddit comments to be ads for lemmy
Edit: huh but it only worked okay, successfully replaced about 1/4 of my old comments after running it a few times. Any recommendations from those who have had more success?
Alternatively to keep on deleting my reddit posts every day?
Late to the game here, but that's the approach I've gone with. I got Shreddit, made a config file (containing the necessary detail for all my accounts), and made a shell script that I ran three times a day, likely until June 30.
Nowadays, my accounts look clean enough, and whenever some post or comment resurfaces, the next run of the script should take care of it.
And just on top of all that, I do check my accounts from a different browser I never use Reddit on. So far it's clean-looking, no posts or replies showing on any of them. But whether or not Reddit actually deleted them, I'm not sure. I'm never sure.
I have been removing my posts from Reddit over the last week and have found that you don't see and can't remove posts from subreddits that you don't have access to. I keep seeing sets of posts all from the same subreddit as they come out of blackout.
This is the main reason people keep claiming comments are "being restored". They aren't, they just were on private subs that were reactivated.
But that means if you delete your account while a sub is private, you lose all access to be able to delete those posts when they come back.
Reddit needs to provide some kind of service or tool to delete ALL posts made by your account to avoid this problem. Many people who deleted their accounts without knowing this loophole are currently SOOL. I really, really hope they face some regulatory response/fines because of this.
First off browser didn't even allow to open embed website within none securely written website.
With less secure setting old.reddit.com will refuse connection.
Keep upvoting for algorithm. Keep updating to never die. Keep disseminating to those unheard. Keep EDUCATING. So people on Internet will eventually get ourselves the insight to ponder and make (mass and individual) actions on ourselves (cause only us the mass will steer a happening and slap his stubbornness).
Should never let this go down and covered.
I bet that this video/problem will never solve/succeed if people do not become considerate and woke but just read and pass by from this. Protests seem not working to my perspectives. But, mass (compliant and infallible) actions ensures changes.
This is for the first time in my real Internet life that someone interrogates my comment (maybe also my real existence) whether if it's written by AI or not. 🤣😂🤯😭
Lololol but so sad and eerie that netizens have begun to fear of contexts and contents they see on Internet and offline+tangible media probably maliciously generated by AI I hope not (I understand and also experience).
I should embrace and be cleverly prepared to this hardly grasped phenomenon that I've been worrying of and never been liking, to my perspective, the coming of real cultural information age.
It apparently doesn't purge everything. I had used shreddit and I am still able to read some of my older comments. Luckily the actual posts are gone (I manually deleted everything).
Reddit is fishy either way - I was manually deleting my comments each day over the past week and occasionally reached the "end" of the comment list. "There seems to be nothing here" and "This user hasn't posted anything" displayed regardless of whether I used old.reddit or the redesign, and regardless of how I sorted the list (new VS top). A couple of hours later, there were comments again, multiple pages' worth of content....
After I got the "this user hasn't posted anything" message two days in a row, I used shreddit, and it found and deleted a whopping 981 MORE comments that reddit chose to not show me. And that was definitely not all of it, provable. (This comment for example is one of mine and I am rather sure that I had deleted it as I have the same text copy-pasted in my "saved from reddit before deleting" folder)
It's not possible to find all your Reddit content. Even using tools, you won't do it. The only way is to google your username and maybe you'll get some hits.
I am obviously not a lawyer but I don't see how Reddit is in the wrong here. On GDPR.EU it says that "The EU’s GDPR only applies to personal data, which is any piece of information that relates to an identifiable person. It’s crucial for any business with EU consumers to understand this concept for GDPR compliance." I don't see how your comment history would be considered "personal data".
It even says in Reddit's TOS that "When Your Content is created with or submitted to the Services, you grant us a worldwide, royalty-free, perpetual, irrevocable, non-exclusive, transferable, and sublicensable license to use, copy, modify, adapt, prepare derivative works of, distribute, store, perform, and display Your Content and any name, username, voice, or likeness provided in connection with Your Content in all media formats and channels now known or later developed anywhere in the world".
You've agreed that your posts are no longer your "personal data" at that point...
I don’t see how your comment history would be considered “personal data”.
From the GDPR definitions: The data subjects are identifiable if they can be directly or indirectly identified, especially by reference to an identifier such as a name, an identification number, location data, an online identifier or one of several special characteristics, which expresses the physical, physiological, genetic, mental, commercial, cultural or social identity of these natural persons. In practice, these also include all data which are or can be assigned to a person in any kind of way. For example, the telephone, credit card or personnel number of a person, account data, number plate, appearance, customer number or address are all personal data.
irrevocable
You’ve agreed that your posts are no longer your “personal data” at that point…
No, that is not how that works under European law at all. You can at **any** time revoke this right, that's one of the basic rules of GDPR.
And yes, Reddit falls under GDPR as they specifically enable EU citizens to use their services.
And yes, Reddit falls under GDPR as they specifically enable EU citizens to use their services
And since they introduced their ambassador program where they tried to "clone" well-known subreddits to make a local alternative (in German, French,...), they can't even deny it since they specifically targeted European countries
When you delete a Reddit account, it will mark your username as "[deleted]" so they are at least attempting to anonymize the posts. Reddit has no obligation to remove anonymized posts unless it contains identifiable personal data. (https://www.jdsupra.com/legalnews/eu-general-court-examines-data-1532025/) "If data about individuals is processed so that the individuals cannot be identified, the data can be used free from the restrictions imposed by the GDPR (e.g. enabling a pharmaceutical company to use patient data for R&D)." If the data recipients (readers) can't link it back to an identifiable person (a specific person), it's not personal data. Of course, they're not going to just blanket delete every post a user ever made because that's not in their favor. If there is a specific post with personally identifiable data, Reddit is clearly assuming the onus is on the user to request deletions of specific posts that contain identifiable personal data (which GDPR.EU says they are absolutely allowed to do). Unless they are challenged in court, they ain't gonna do jack shit. Not saying you can't try or that what Reddit is doing is right, but good luck!
It could be personally identifiable depending on the content. This is a problem I’ve had at work where users put in callback numbers or emails when using the “contact us” form. As far as I can tell this data still needs to be deleted upon request, though it’s unclear to what lengths we are expected to go to. This would be an interesting test case if nothing else.