this post was submitted on 26 Jun 2023
428 points (99.5% liked)

Reddit

17802 readers
16 users here now

News and Discussions about Reddit

Welcome to !reddit. This is a community for all news and discussions about Reddit.

The rules for posting and commenting, besides the rules defined here for lemmy.world, are as follows:

Rules


Rule 1- No brigading.

**You may not encourage brigading any communities or subreddits in any way. **

YSKs are about self-improvement on how to do things.



Rule 2- No illegal or NSFW or gore content.

**No illegal or NSFW or gore content. **



Rule 3- Do not seek mental, medical and professional help here.

Do not seek mental, medical and professional help here. Breaking this rule will not get you or your post removed, but it will put you at risk, and possibly in danger.



Rule 4- No self promotion or upvote-farming of any kind.

That's it.



Rule 5- No baiting or sealioning or promoting an agenda.

Posts and comments which, instead of being of an innocuous nature, are specifically intended (based on reports and in the opinion of our crack moderation team) to bait users into ideological wars on charged political topics will be removed and the authors warned - or banned - depending on severity.



Rule 6- Regarding META posts.

Provided it is about the community itself, you may post non-Reddit posts using the [META] tag on your post title.



Rule 7- You can't harass or disturb other members.

If you vocally harass or discriminate against any individual member, you will be removed.

Likewise, if you are a member, sympathiser or a resemblant of a movement that is known to largely hate, mock, discriminate against, and/or want to take lives of a group of people, and you were provably vocal about your hate, then you will be banned on sight.



Rule 8- All comments should try to stay relevant to their parent content.



Rule 9- Reposts from other platforms are not allowed.

Let everyone have their own content.



:::spoiler Rule 10- Majority of bots aren't allowed to participate here.

founded 2 years ago
MODERATORS
 

Video description as of 2023-06-23 10:15 PDT:

This video shows that Reddit refused to delete all comments and posts of its users when they close their account via a CCPA / GDPR request. Posts and comments may contain PII. Specifically, Reddit tells users that they must delete the content themselves, which isn't realistic if a user creates a lot of posts. Even if a user does delete their content, Reddit restores the content within a few days.

Video transcript:

  • 2023-06-13 @ 15:15 PDT: user states he deleted all posts and comments
  • 2023-06-16 @ 10:15 PDT (3 days later): user states all posts and comments have been restored
  • 2023-06-19: user decides to submit a legal request under CCPA to delete content
  • 2023-06-19 @ 11:07 PDT: user receives reply from "Reddit Legal Support" (RLS) which states they will delete the account but not the content associated with the account. It is up to the owner of the account to remove the content [e-mail contents reproduced below]
Reddit Legal Support (Reddit Support)
Jun 19, 2023, 11:07 PDT

Hello,

We would be happy to help you delete your Reddit account if you have one. Before we proceed please note:

 1. Account deletion is irreversible.
 2. Posts and comments must be separately deleted before deleting your account. If not separately deleted, the content of the posts and comments will remain visible and disassociated from any account. If you want your posts and comments removed, follow the instructions on our help page. 

Once the above mentioned information is removed to your satisfaction, please submit your deletion request by using your Reddit account and this form so we know it's really you making the request.

More information about account deletion is available in our Privacy Policy.

Kind regards,

Reddit Legal Support
  • 2023-06-19 @ 12:02 PDT: user replies back to RLS stating it is unrealistic expectation for end user to manually delete and alleges violation of CCPA [reply reproduced below]
Hello,

If I understand your response properly, you are refusing to delete all data associated with my account. I believe this is illegal and in violation of the CPR. In this case the onus is on you, Reddit, to delete all of the content associated with my account. 

It is besides the point but last week I already deleted all of the posts and comments associated with my account. However Reddit has since restored most of the content.

It is untenable to demand all users to manually delete content when Reddit itself does not provide a self-serve mechanism to mass-delete content. Some users have thousands of posts and millions of comments. 

Just as a reminder, my CPA request to delete my account and all associated data was made on June 19th 2023 and
must be completed by August 3rd 2023.
  • 2023-06-24 @ 10:45 PDT: user has not received a reply from RLS. He decided to painstakingly delete all posts and comments while screen recording the effort. Video continues with the user manually deleting posts for his account (https://www.reddit.com/user/nucleocide). Then fast forwards to the end of the segment where the last posts are deleted
  • 2023-06-25 @ 10:25 PDT: user discovers posts and comments are restored, again

User concludes video and clarifies why this is a violation of CCPA:

At this point it appears impossible to manually delete posts and comments on Reddit and expect them to stay deleted. 

By not deleting all posts and comments in an automated way there is no way to guarantee that no PII [Personally Identifiable Information] has been left behind.

For example ...

<user gives example of a comment from 6 months ago on his account which includes his real first name and last name. Screen capture shows the comment was edited recently>

Since there is no guarantee that every single post and comment is free from PII, Reddit must delete all comments and posts from an account upon receiving a GDPR / CPA request.

Reddit Discussion on "/r/videos": https://old.reddit.com/r/videos/comments/14je01k/reddit_may_be_violating_the_fucking_ccpa/

top 50 comments
sorted by: hot top controversial new old
[–] [email protected] 53 points 2 years ago (3 children)

Decided to expand on the original video and include a transcription of the events in the video. Hope this helps our visually impaired folks.

Personally, I find this disgusting. Hope Reddit gets litigated up the ass.

[–] [email protected] 17 points 2 years ago (1 children)

Good work on the transcription, it must've taken a while to do.

[–] [email protected] 12 points 2 years ago (3 children)

Normally, transcription like this will take a long time. However, since it's largely text based (e-mails, viewing reddit) and relatively short. It was pretty easy to transcribe to text. With the help of some macOS features like copying and pasting from video, it became a non-trivial task.

I think I spent more time on formatting rather than on transcription.

load more comments (3 replies)
[–] [email protected] 12 points 2 years ago

Seriously, thank you for that extra mile. This is the kind selflessness that I remember on the old internet

load more comments (1 replies)
[–] [email protected] 25 points 2 years ago (25 children)

This seems enough to me to sue them on grounds of violating the GDPR. Not sure where spez is going with this but paying GDPR fines will most definitely not do any good to reddit's profitability lol

load more comments (25 replies)
[–] [email protected] 24 points 2 years ago

If anyone here lives in California and has had reddit violate their rights you can file a complaint here: https://oag.ca.gov/contact/consumer-complaint-against-business-or-company

[–] [email protected] 20 points 2 years ago* (last edited 2 years ago) (6 children)

Discord is worse. At least Reddit lets you delete everything you post. With Discord, if you are banned from a server, then there is no way to delete your posts in that server. That is insane to me in this day and age.

[–] [email protected] 7 points 2 years ago (1 children)

Yes, reddit let's you delete everything you post but then they secretly repost it all a few days later. I'd argue that's worse because they make you think it's deleted but it's not.

This behavior is demonstrated in the video and many other reddit users have posted similar complaints recently. I have personally experienced the same issue.

load more comments (1 replies)
load more comments (5 replies)
[–] [email protected] 18 points 2 years ago (1 children)

so the CEO known for sharing pornographic pictures of minors online does not respect people's privacy after all? who would've thought

[–] [email protected] 11 points 2 years ago (3 children)

I’m OOTL, spez did what now?

[–] [email protected] 12 points 2 years ago

Spez was a mod of /r/jailbait

Worth noting that at the time users did not need to agree to be a moderator, it could be thrust upon them. I've heard that he had comments both on the sub and comments defending it, but have not personally seen any proof of that.

It's not strictly untrue, but it has implications that I don't personally quite believe (though I'm willing to change that opinion if somebody has evidence).

[–] [email protected] 6 points 2 years ago (2 children)

Spez was a mod of the jailbait sub before the corporate buyout shut it down. Technically we don't know if he shared any pictures, but we know he was a mod at one point.

[–] [email protected] 6 points 2 years ago

It should also be said that back then you could nominate users to be a mod and appoint them without their input.

load more comments (1 replies)
load more comments (1 replies)
[–] [email protected] 18 points 2 years ago* (last edited 2 years ago) (3 children)

Interesting, from a GDPR perspective this is unacceptable.
Pondering about a proper GDPR complaint.

some of my old reddit accounts might have > 1000 comments.

[–] [email protected] 16 points 2 years ago (1 children)

The video creator appears to be from California, since he was trying to claim account deletion under CCPA. If reddit legal support is also slow rolling account and associated content deletion as well for GDPR, then the legal blowback could be massive.

[–] [email protected] 7 points 2 years ago (3 children)

I assume that they just don't have the infrastructure to do it, otherwise they would just use GDPR code for CCPA.

As a software developer: GDPR was a real pain to refit into an old legacy system. It's less of a pain if you know beforehand and can plan ahead.

load more comments (3 replies)
[–] [email protected] 12 points 2 years ago (1 children)

My account is 16+ year old and has 300 k combined karma. I will be sure to contact my data protection officer to complain. Reddit needs an audit to document they wipe the db properly, and the data is gone from backups. Not just my data, anything they got on me.

load more comments (1 replies)
load more comments (1 replies)
[–] [email protected] 16 points 2 years ago

That's insane. I'm no lawyer but I've used the CCPA to get my info removed from a lot of those data-broker sites. It's always immediate, "Okay, we've removed your information." California better hit Reddit hard for this, and Europe too.

[–] [email protected] 14 points 2 years ago (2 children)

That is crazy. I spent hours one week ago deleting manually all my comments. I had an empty profile. After reading this post I checked my account and all my comments are back. That is crazy. What a shit company. I’m hesitant to submit GDPR request since I feel like I’ll lost account access with comments still visible…

[–] [email protected] 6 points 2 years ago

I guarantee most power users are the ones who are upset about this change. Losing decades of content they created for free hurts reddit unimaginably. How many articles have you seen about SEO ruining Google and needing to append 'reddit' to searches?

Power users deleting their content ruins that search engine to reddit pipeline.

load more comments (1 replies)
[–] [email protected] 14 points 2 years ago

EU GDPR - where to report if someone refuses to delete personal data.
List of institutions for each EU member.: https://edpb.europa.eu/about-edpb/about-edpb/members_en

[–] [email protected] 12 points 2 years ago (4 children)

Is anyone surprised at this?

I think Reddit should be forced to retroactively delete all comments and post history from users who have since deleted their account. If the user account was deleted, there is no reason they should be allowed to keep the data on that deleted account, period.

load more comments (4 replies)
[–] [email protected] 11 points 2 years ago (3 children)

I really hope the GDPR is put to full use here.

I'm curious though, what would happen if someone sent a GDPR deletion request to a Lemmy instance? The server admin would then delete the posts and account, but what if some other instances had defederated after the user made the posts, how would it be possible to make sure the posts are deleted from those instances as well? In theory that could be hundreds of servers. I guess the user would have to reach out to each instance?

[–] [email protected] 7 points 2 years ago (1 children)

Good question. Yes, it would be much harder because you're basically shotgunning your posts all over the place when posting here. I would think it's pretty much impossible to make sure that every single instance of it is gone.

load more comments (1 replies)
load more comments (2 replies)
[–] [email protected] 9 points 2 years ago (6 children)

Well shoot. I'm in California these days and recently deleted all my comments on Reddit. I'll have to monitor and see if they come back...

[–] [email protected] 8 points 2 years ago

Since some have been restored you can now file a complaint with California. https://oag.ca.gov/contact/consumer-complaint-against-business-or-company

load more comments (5 replies)
[–] [email protected] 8 points 2 years ago (2 children)

I made a GDPR request through reddithelp.com last night; maybe I shouldn't have bothered! Assuming I don't hear back, I'll resend the request via email then report them to the Information Commissioner (UK gov dept) if I've had no proper response.

By the way, I'm not sure if the California law is the same, but with a GDPR "right to be forgotten" request, the organisation must delete your data from their backups (or at least make sure your data will not be restored from a backup). Asking you to delete your own comments clearly won't meet that requirement.

load more comments (2 replies)
[–] [email protected] 8 points 2 years ago

This post says it pretty well, I'll just leave this here in case anyone wants an editorial.

[–] [email protected] 7 points 2 years ago

It's funny. I got a little drunk and posted something on Reddit I really ought not have. I went back a day later and deleted it. A day after that, the comment came back, and I was suspended for three days over it. If you hadn't brought that comment back from the dead, this wouldn't even have happened, but okay, whatever. It wasn't like I wanted to spent too much time at Reddit after the lemur-eyed, horse-teethed worm told us how expendable we all are as users.

[–] [email protected] 6 points 2 years ago (2 children)

I had to DMCA some of my stuff off the site to get it to stay off.

load more comments (2 replies)
[–] [email protected] 5 points 2 years ago (1 children)

Quick question: is there any similar law in Australia?

[–] [email protected] 6 points 2 years ago* (last edited 2 years ago)

From my quick reading Privacy Act 1988 and GDPR are fairly consistent with eachother, but our legislation is a bit outdated. It seems to be amended every few months, but only in relation to niche clauses that cover very specific circumstances about someone in a particular role and their specific ability to interact with data.

-There is no distinction in Privacy Act between a data processor and a data controller. GDPR regulates individual responsibilities for both.

-In the Privacy Act there's nothing to stop multiple de-identified datasets from being cross referenced together in a way that could re-identify the data subject.

-The legal basis to protect consumers from collection of personally identifiable data is stronger under GDPR. The only thing an Aus organisation needs to do to collect sensitive data is establish that it's 'reasonably necessary' for their core business operation.

Also note that although GDPR is a European union regulation, many Australian businesses are still beholden to it, e.g. if they knowingly collect information from European customers or have a branch located in EU. You can't really have an EU branch that's GDPR-compliant if your parent company overseas isn't.

load more comments
view more: next ›