Video description as of 2023-06-23 10:15 PDT:
This video shows that Reddit refused to delete all comments and posts of its users when they close their account via a CCPA / GDPR request. Posts and comments may contain PII. Specifically, Reddit tells users that they must delete the content themselves, which isn’t realistic if a user creates a lot of posts. Even if a user does delete their content, Reddit restores the content within a few days.
Video transcript:
- 2023-06-13 @ 15:15 PDT: user states he deleted all posts and comments
- 2023-06-16 @ 10:15 PDT (3 days later): user states all posts and comments have been restored
- 2023-06-19: user decides to submit a legal request under CCPA to delete content
- 2023-06-19 @ 11:07 PDT: user receives reply from “Reddit Legal Support” (RLS) which states they will delete the account but not the content associated with the account. It is up to the owner of the account to remove the content [e-mail contents reproduced below]
Reddit Legal Support (Reddit Support)
Jun 19, 2023, 11:07 PDT
Hello,
We would be happy to help you delete your Reddit account if you have one. Before we proceed please note:
1. Account deletion is irreversible.
2. Posts and comments must be separately deleted before deleting your account. If not separately deleted, the content of the posts and comments will remain visible and disassociated from any account. If you want your posts and comments removed, follow the instructions on our help page.
Once the above mentioned information is removed to your satisfaction, please submit your deletion request by using your Reddit account and this form so we know it's really you making the request.
More information about account deletion is available in our Privacy Policy.
Kind regards,
Reddit Legal Support
- 2023-06-19 @ 12:02 PDT: user replies back to RLS stating it is unrealistic expectation for end user to manually delete and alleges violation of CCPA [reply reproduced below]
Hello,
If I understand your response properly, you are refusing to delete all data associated with my account. I believe this is illegal and in violation of the CPR. In this case the onus is on you, Reddit, to delete all of the content associated with my account.
It is besides the point but last week I already deleted all of the posts and comments associated with my account. However Reddit has since restored most of the content.
It is untenable to demand all users to manually delete content when Reddit itself does not provide a self-serve mechanism to mass-delete content. Some users have thousands of posts and millions of comments.
Just as a reminder, my CPA request to delete my account and all associated data was made on June 19th 2023 and must be completed by August 3rd 2023.
- 2023-06-24 @ 10:45 PDT: user has not received a reply from RLS. He decided to painstakingly delete all posts and comments while screen recording the effort. Video continues with the user manually deleting posts for his account (https://www.reddit.com/user/nucleocide). Then fast forwards to the end of the segment where the last posts are deleted
- 2023-06-25 @ 10:25 PDT: user discovers posts and comments are restored, again
User concludes video and clarifies why this is a violation of CCPA:
At this point it appears impossible to manually delete posts and comments on Reddit and expect them to stay deleted.
By not deleting all posts and comments in an automated way there is no way to guarantee that no PII [Personally Identifiable Information] has been left behind.
For example ...
<user gives example of a comment from 6 months ago on his account which includes his real first name and last name. Screen capture shows the comment was edited recently>
Since there is no guarantee that every single post and comment is free from PII, Reddit must delete all comments and posts from an account upon receiving a GDPR / CPA request.
Reddit Discussion on “/r/videos”: https://old.reddit.com/r/videos/comments/14je01k/reddit_may_be_violating_the_fucking_ccpa/
[2023-06-23 14:52 PDT] edit ~ formatting, fix title typo
That’s insane. I’m no lawyer but I’ve used the CCPA to get my info removed from a lot of those data-broker sites. It’s always immediate, “Okay, we’ve removed your information.” California better hit Reddit hard for this, and Europe too.
deleted by creator
Decided to expand on the original video and include a transcription of the events in the video. Hope this helps our visually impaired folks.
Personally, I find this disgusting. Hope Reddit gets litigated up the ass.
Good work on the transcription, it must’ve taken a while to do.
Normally, transcription like this will take a long time. However, since it’s largely text based (e-mails, viewing reddit) and relatively short. It was pretty easy to transcribe to text. With the help of some macOS features like copying and pasting from video, it became a
non-trivial task.I think I spent more time on formatting rather than on transcription.
I think you meant ‘it be came a non-trivial task’. At least that fits more with that paragraph’s overall sentiment.
Anyway, thanks for the work. I much rather skim a text than watch a YouTube video.
My grammar took a nose dive after transcription 😅. I fixed it. Thx
I really hope the GDPR is put to full use here.
I’m curious though, what would happen if someone sent a GDPR deletion request to a Lemmy instance? The server admin would then delete the posts and account, but what if some other instances had defederated after the user made the posts, how would it be possible to make sure the posts are deleted from those instances as well? In theory that could be hundreds of servers. I guess the user would have to reach out to each instance?
Good question. Yes, it would be much harder because you’re basically shotgunning your posts all over the place when posting here. I would think it’s pretty much impossible to make sure that every single instance of it is gone.
As far as I can tell, GDPR is a defense against corporations who claim to own your data, and hold that data hostage. But it’s not a infallible tool to scrub data from the internet.
Think about a tweet that’s been screenshotted throughout the Internet. Twitter would have to delete the original post and and data they control, but I imagine they have no liability for the outsiders taking screenshots.
How GDPR applies to Lemmy may have to be explored in court.
But I’m just a layperson without specific knowledge of the law, so that legal framework may already exist.
That is crazy. I spent hours one week ago deleting manually all my comments. I had an empty profile. After reading this post I checked my account and all my comments are back. That is crazy. What a shit company. I’m hesitant to submit GDPR request since I feel like I’ll lost account access with comments still visible…
Tried this last night and my posts are back too. Thinking about editing each and replacing with some shit about spez. That will surely get it removed
I guarantee most power users are the ones who are upset about this change. Losing decades of content they created for free hurts reddit unimaginably. How many articles have you seen about SEO ruining Google and needing to append ‘reddit’ to searches?
Power users deleting their content ruins that search engine to reddit pipeline.
Call them out on LinkedIn. Bet.
If anyone here lives in California and has had reddit violate their rights you can file a complaint here: https://oag.ca.gov/contact/consumer-complaint-against-business-or-company
Fuck u/Spez
EU GDPR - where to report if someone refuses to delete personal data.
List of institutions for each EU member.: https://edpb.europa.eu/about-edpb/about-edpb/members_enDiscord is worse. At least Reddit lets you delete everything you post. With Discord, if you are banned from a server, then there is no way to delete your posts in that server. That is insane to me in this day and age.
Yes, reddit let’s you delete everything you post but then they secretly repost it all a few days later. I’d argue that’s worse because they make you think it’s deleted but it’s not.
This behavior is demonstrated in the video and many other reddit users have posted similar complaints recently. I have personally experienced the same issue.
I agree that if Reddit is doing that, then that is unacceptable. I have no reason to doubt it, but I have not experienced it myself.
deleted by creator
At least Reddit lets you delete everything you post
Only the last 1000 comments or so. Earlier comments get dropped from your user profile and become virtually inaccessible, only findable with a google search.
Also, comments from closed subreddits are inaccessible to you, but still there (i.e. when the subreddit reopens, they will become available again).
deleted by creator
In the code, looks like Lemmy instance administrators are given the option to purge all data associated with the account.
pub struct BanPerson { ... /// Optionally remove all their data. Useful for new troll accounts. pub remove_data: Option<bool>, ... }
Usage of the “remove_data” boolean optional:
... // Remove their data if that's desired let remove_data = data.remove_data.unwrap_or(false); if remove_data { remove_user_data( person.id, context.pool(), context.settings(), context.client(), ) .await?; ...
From a user perspective, there is a route available for them to delete their account:
But not clear if this removes the account AND posts and comments.
disclaimer: I don’t use rust and not familiar with the common libraries and stdlib, so maybe somebody else can chime in
This seems enough to me to sue them on grounds of violating the GDPR. Not sure where spez is going with this but paying GDPR fines will most definitely not do any good to reddit’s profitability lol
How does one go about holding a US based company accountable violating an EU law that they aren’t required to comply with?
The same way they have with Facebook, Google etc. If they continue to do business in Europe with European users, they comply with European law or get fined significant amounts.
They are required to comply with it if they want to offer services to European customers. If they don’t comply with the local regulation they will face fines and if they don’t pay them and become compliant, they might have their access blocked from within the EU.
The same is true for Brazil, which has similar legislation to the GDPR to protect Brazilian users from online services abusive practices regarding their data. Services can and have been blocked in Brazil for failing to comply with local regulations.
Adding to this, while there are certainly ways to bribe the Brazilian regulatory and supervisory bodies, they’re pretty damn heavy handed and pro-consumer to begin with. One agency has recently fined Netflix for their bait-and-switch marketing to what is estimated as several hundred million USD, with even bigger fines to come.
So Brazil has the equivalent of China’s firewall? Or is this something implemented at the ISP level?
It’s implemented at the ISP level, Brazilian courts can mandate all nationally operating ISPs and mobile carries to block certain websites or services if they fail to comply with for example a judicial warrant. This has happened twice with WhatsApp for instance, and Telegram was threatened with it as well because they refused to hand over the identities of neonazi domestic terrorist groups.
Has this ever actually happened?
A lot of local.usa news sites region block EU ipaddresses to premptivly as they do a lot of tracking.etc that would.violate it so they just chose not to have the hassle of eu visitors
In Europe fines have been dealt but no blocking yet as far as I am aware. Just the fine and threat of a block happening is usually enough to make companies comply because they don’t want to lose out on the market share.
Edit: Link to Europe statistics: https://www.privacyaffairs.com/gdpr-fines/
Blocking did happen, I am not sure how often. Clearview AI and openAI (chatGPT) in Italy at least come to mind.
https://www.garanteprivacy.it/home/docweb/-/docweb-display/docweb/9751323#english_version
https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9870847#english
A lot of US news sites are blocking themselves out of Europe instead of complying.
I don’t think that’s something that Reddit would do. They currently have offices in Dublin and Amsterdam, they clearly have an interest in the European market.
Reddit has its European headquarters in Ireland… And its absolutely legally required to follow our laws.
That Irish sandwich corporate structure (that’s really a thing , I’m not making it up) to dodge taxes is coming home to bite them in the ass. How delicious…
They are required to comply with the GDPR to operate in Europe.
Even more, they are required to comply if they target European countries as a market. For example, if you have registration open and you have translations in - say - French, Italian, German etc. It is already enough to force you to comply, as there is the clear intent of targeting European users.
Is there bot / tool to edit my reddit posts in batch ? Seems that editing could be harder to mass reverse as it requires someone to review if the edit was for better or worse.
Alternatively to keep on deleting my reddit posts every day ?
PowerDeleteSuite on GitHub
I am right this second in the process of using PowerDeleteSuite to edit all my old reddit comments to be ads for lemmy
Edit: huh but it only worked okay, successfully replaced about 1/4 of my old comments after running it a few times. Any recommendations from those who have had more success?
I’ve run it about a dozen times over the past few weeks, it misses different comments and also comments get restored to previous versions (i.e. back to the original or to one of the earlier overwrite pass versions). At this point I don’t have any comments in my profile that aren’t at least some version of the overwrite message but I also manually deleted a bunch of comments that either were restored or were missed during an overwrite pass. It seems like at least once a day something gets reverted or restored but I haven’t been paying close attention. My plan is to check again in a few days and probably run it a few more times.
Removed by mod
Unfortunately this doesn’t get past the 1000 comment limit. I’ve found lots of my old comments still on Reddit. Does anyone have another solution?
I’ve heard good things about redact.dev
react.dev worked really well for me, be warned though some subs ban you for using it. I was banned from r/funny for removing my posts, a couple of others banned me too but don’t think they were big names/ as well known as rfunny
Does it matter if they ban you if you are planning on leaving anyways?
it was just a cautionary message for anyone else looking to use the same app.
Alternatively to keep on deleting my reddit posts every day ?
Late to the game here, but that’s the approach I’ve gone with. I got Shreddit, made a config file (containing the necessary detail for all my accounts), and made a shell script that I ran three times a day, likely until June 30.
Nowadays, my accounts look clean enough, and whenever some post or comment resurface, the next run of the script should take care of it.
And just on top of all that, I do check my accounts from a different browser I never use Reddit on. So far it’s clean-looking, no posts or replies showing on any of them. But whether or not Reddit actually deleted them, I’m not sure. I’m never sure.
Keep upvoting for algorithm. Keep updating to never die. Keep disseminating to those unheard. Keep EDUCATING. So people on Internet will eventually get ourselves the insight to ponder and make (mass and individual) actions on ourselves (cause only us the mass will steer a happening
and slap his stubborness).Should never let this go down and covered.
I bet that this video/problem will never solve/succeed if people do not become considerate and woke but just read and passby from this. Protests seem not working to my perspectives. But, mass (compliant and infallible) actions ensures changes.
Was this written by an AI?
This is for the first time in my real Internet life that someone interrogates my comment (maybe also my real existence) whether if it’s written by AI or not. 🤣😂🤯😭
Lololol but so sad and eerie that netizens have begun to fear of contexts and contents they see on Internet and offline+tangible media
probably maliciously generated by AI I hope not(I understand and also experience).I should embrace and be cleverly prepared to this hardly grasped phenomenon that I’ve been worrying of and never been liking, to my perspective, the coming of real cultural information age.
deleted by creator
deleted by creator
Is anyone surprised at this?
I think Reddit should be forced to retroactively delete all comments and post history from users who have since deleted their account. If the user account was deleted, there is no reason they should be allowed to keep the data on that deleted account, period.