Reddit user alleges California Consumer Privacy Act (CCPA) non-compliance/violation; and finds it difficult to delete posts and content on Reddit

Video description as of 2023-06-23 10:15 PDT:

This video shows that Reddit refused to delete all comments and posts of its users when they close their account via a CCPA / GDPR request. Posts and comments may contain PII. Specifically, Reddit tells users that they must delete the content themselves, which isn't realistic if a user creates a lot of posts. Even if a user does delete their content, Reddit restores the content within a few days.

Video transcript:

  • 2023-06-13 @ 15:15 PDT: user states he deleted all posts and comments
  • 2023-06-16 @ 10:15 PDT (3 days later): user states all posts and comments have been restored
  • 2023-06-19: user decides to submit a legal request under CCPA to delete content
  • 2023-06-19 @ 11:07 PDT: user receives reply from "Reddit Legal Support" (RLS) which states they will delete the account but not the content associated with the account. It is up to the owner of the account to remove the content [e-mail contents reproduced below]
Reddit Legal Support (Reddit Support)
Jun 19, 2023, 11:07 PDT

Hello,

We would be happy to help you delete your Reddit account if you have one. Before we proceed please note:

 1. Account deletion is irreversible.
 2. Posts and comments must be separately deleted before deleting your account. If not separately deleted, the content of the posts and comments will remain visible and disassociated from any account. If you want your posts and comments removed, follow the instructions on our help page. 

Once the above mentioned information is removed to your satisfaction, please submit your deletion request by using your Reddit account and this form so we know it's really you making the request.

More information about account deletion is available in our Privacy Policy.

Kind regards,

Reddit Legal Support

  • 2023-06-19 @ 12:02 PDT: user replies back to RLS stating it is unrealistic expectation for end user to manually delete and alleges violation of CCPA [reply reproduced below]
Hello,

If I understand your response properly, you are refusing to delete all data associated with my account. I believe this is illegal and in violation of the CPR. In this case the onus is on you, Reddit, to delete all of the content associated with my account. 

It is besides the point but last week I already deleted all of the posts and comments associated with my account. However Reddit has since restored most of the content.

It is untenable to demand all users to manually delete content when Reddit itself does not provide a self-serve mechanism to mass-delete content. Some users have thousands of posts and millions of comments. 

Just as a reminder, my CPA request to delete my account and all associated data was made on June 19th 2023 and must be completed by August 3rd 2023.

  • 2023-06-24 @ 10:45 PDT: user has not received a reply from RLS. He decided to painstakingly delete all posts and comments while screen recording the effort. Video continues with the user manually deleting posts for his account (https://www.reddit.com/user/nucleocide). Then fast forwards to the end of the segment where the last posts are deleted
  • 2023-06-25 @ 10:25 PDT: user discovers posts and comments are restored, again

User concludes video and clarifies why this is a violation of CCPA:

At this point it appears impossible to manually delete posts and comments on Reddit and expect them to stay deleted. 

By not deleting all posts and comments in an automated way there is no way to guarantee that no PII [Personally Identifiable Information] has been left behind.

For example ...

<user gives example of a comment from 6 months ago on his account which includes his real first name and last name. Screen capture shows the comment was edited recently>

Since there is no guarantee that every single post and comment is free from PII, Reddit must delete all comments and posts from an account upon receiving a GDPR / CPA request.

Reddit Discussion on "/r/videos": https://old.reddit.com/r/videos/comments/14je01k/reddit_may_be_violating_the_fucking_ccpa/

malloc,

Decided to expand on the original video and include a transcription of the events in the video. Hope this helps our visually impaired folks.

Personally, I find this disgusting. Hope Reddit gets litigated up the ass.

Merulox,

Good work on the transcription, it must've taken a while to do.

malloc, (edited )

Normally, transcription like this will take a long time. However, since it's largely text based (e-mails, viewing reddit) and relatively short, it was pretty easy to transcribe to text. With the help of some macOS features like copying and pasting from video, it became a non-trivial task.

I think I spent more time on formatting rather than on transcription.

bleistift2,

I think you meant ‘it became a ~non-~trivial task’. At least that fits more with that paragraph’s overall sentiment.

Anyway, thanks for the work. I much rather skim a text than watch a YouTube video.

malloc,

My grammar took a nose dive after transcription 😅. I fixed it. Thx

JackGreenEarth,

@malloc Just so you and anyone else reading this knows, you can copy and paste text from images on any major OS, using 3rd party tools.

@Merulox

dismalnow,
nevernevermore,

Seriously, thank you for that extra mile. This is the kind of selflessness that I remember on the old internet

SomeoneElse,

Thank you. I’m not visually impaired but I have cognitive issues that make watching videos difficult. I appreciate your time and effort 😊

pollodiabolo,

so the CEO known for sharing pornographic pictures of minors online does not respect people's privacy after all? who would've thought

nevernevermore,

I’m OOTL, spez did what now?

Bonehead,

Spez was a mod of the jailbait sub before the corporate buyout shut it down. Technically we don't know if he shared any pictures, but we know he was a mod at one point.

roboticide,

He's a piece of shit, but worth noting he was a mod of /r/jailbait at a time that mod requests sent to users were auto-accepted. He did not need to actively do anything. All he needed to do was ignore his Moderator privileges and inbox for a while.

TWeaK,

It should also be said that back then you could nominate users to be a mod and appoint them without their input.

1st,

Spez was a mod of /r/jailbait

Worth noting that at the time users did not need to agree to be a moderator, it could be thrust upon them. I've heard that he had comments both on the sub and comments defending it, but have not personally seen any proof of that.

It's not strictly untrue, but it has implications that I don't personally quite believe (though I'm willing to change that opinion if somebody has evidence).

epocsquadron,

Worth noting Colorado and very recently Connecticut have similar laws, so the complaint could be leveraged from multiple states.

razorwiregoatlick,

One other thing to note is that many of these companies don’t even try to determine if you live in California or not. I have worked for two large tech companies on data governance issues and we didn’t even bother to check. If we got a request we would comply with CCPA. It was not worth the potential fines to try and only comply with CA residents. Reddit's whole business model is based on that data though so they may deem it worth the effort.

ArugulaZ,

It's funny. I got a little drunk and posted something on Reddit I really ought not have. I went back a day later and deleted it. A day after that, the comment came back, and I was suspended for three days over it. If you hadn't brought that comment back from the dead, this wouldn't even have happened, but okay, whatever. It wasn't like I wanted to spend too much time at Reddit after the lemur-eyed, horse-teethed worm told us how expendable we all are as users.

yeeter,

Discord is worse. At least Reddit lets you delete everything you post. With Discord, if you are banned from a server, then there is no way to delete your posts in that server. That is insane to me in this day and age.

SpaceCadet2000,

At least Reddit lets you delete everything you post

Only the last 1000 comments or so. Earlier comments get dropped from your user profile and become virtually inaccessible, only findable with a google search.

Also, comments from closed subreddits are inaccessible to you, but still there (i.e. when the subreddit reopens, they will become available again).

oaklandnative,

Yes, reddit lets you delete everything you post but then they secretly repost it all a few days later. I'd argue that's worse because they make you think it's deleted but it's not.

This behavior is demonstrated in the video and many other reddit users have posted similar complaints recently. I have personally experienced the same issue.

yeeter,

I agree that if Reddit is doing that, then that is unacceptable. I have no reason to doubt it, but I have not experienced it myself.

Wox, (edited )

deleted_by_author

  • malloc,

    In the code, looks like Lemmy instance administrators are given the option to purge all data associated with the account.

    pub struct BanPerson {
    ...
      /// Optionally remove all their data. Useful for new troll accounts.
      pub remove_data: Option<bool>,
    ...
    }
    
    

    https://github.com/LemmyNet/lemmy/blob/f5209fffc1de527db7ea007d463c158b36fda515/crates/api_common/src/person.rs#L222C1-L230C2

    Usage of the "remove_data" boolean optional:

    ...
        // Remove their data if that's desired
        let remove_data = data.remove_data.unwrap_or(false);
        if remove_data {
          remove_user_data(
            person.id,
            context.pool(),
            context.settings(),
            context.client(),
          )
          .await?;
    ...
    
    

    https://github.com/LemmyNet/lemmy/blob/f5209fffc1de527db7ea007d463c158b36fda515/crates/api/src/local_user/ban_person.rs#L50C1-L59

    From a user perspective, there is a route available for them to delete their account:

    https://github.com/LemmyNet/lemmy/blob/f5209fffc1de527db7ea007d463c158b36fda515/src/api_routes_http.rs#L39C5-L39C18

    But not clear if this removes the account AND posts and comments.

    disclaimer: I don't use rust and not familiar with the common libraries and stdlib, so maybe somebody else can chime in

    TheBeege,

    See here: https://github.com/LemmyNet/lemmy/blob/f5209fffc1de527db7ea007d463c158b36fda515/crates/api_common/src/utils.rs#L693

    The function names are quite clear. It looks like it deletes everything

    thatwill,

    I made a GDPR request through reddithelp.com last night; maybe I shouldn't have bothered! Assuming I don't hear back, I'll resend the request via email then report them to the Information Commissioner (UK gov dept) if I've had no proper response.

    By the way, I'm not sure if the California law is the same, but with a GDPR "right to be forgotten" request, the organisation must delete your data from their backups (or at least make sure your data will not be restored from a backup). Asking you to delete your own comments clearly won't meet that requirement.

    Tired8281,

    I'm gonna send mine registered mail. The way they have been behaving, I wouldn't put it past them to just send requests straight to the trash, then claim they never received them with a shit eating grin on their face.

    Lenny,

    Wish i did it via mail. There's no proof/track otherwise (unless you record it).

    Requested my data last week. Does anybody know the legal timeframe for them to comply?

    static,

    Interesting, from a GDPR perspective this is unacceptable.
    Pondering about a proper GDPR complaint.

    some of my old reddit accounts might have > 1000 comments.

    vanillabear,

    It's worth a try isn't it? Maybe there are templates to use?

    eleitl,

    My account is 16+ year old and has 300 k combined karma. I will be sure to contact my data protection officer to complain. Reddit needs an audit to document they wipe the db properly, and the data is gone from backups. Not just my data, anything they got on me.

    fishcurry509,

    After seeing the comments above, I was about to say precisely this. Getting the data protection authority involved is the most sensible way.

    malloc,

    The video creator appears to be from California, since he was trying to claim account deletion under CCPA. If reddit legal support is also slow rolling account and associated content deletion as well for GDPR, then the legal blowback could be massive.

    static,

    I assume that they just don't have the infrastructure to do it, otherwise they would just use GDPR code for CCPA.

    As a software developer: GDPR was a real pain to refit into an old legacy system. It's less of a pain if you know beforehand and can plan ahead.

    CMLVI,

    Would suck if they had to spend money on the infrastructure to mass-delete data that the deletion of lessened their value to investors.

    Shame.

    static,

    It's a flawed risk assessment.
    short term not complying is much cheaper. long term it's bad, but for the individual : "whatever, I got my bonus and switched to another position"

    sudneo,

    It's actually a risky game. It doesn't happen often, but under GDPR not complying can result in the stop of data processing. It happened recently with Italy and OpenAI for example. If that happens, reddit would be forced to stop processing any data from people coming from that particular country, or countries, because each data protection authority can act. Of course that is the equivalent of a nuke, but it can happen, and if it happens I am not sure anybody is getting bonuses soon...

    hamFoilHat,

    I have been removing my posts from Reddit over the last week and have found that you don't see and can't remove posts from subreddits that you don't have access to. I keep seeing sets of posts all from the same subreddit as they come out of blackout.

    admiralteal,

    This is the main reason people keep claiming comments are "being restored". They aren't, they just were on private subs that were reactivated.

    But that means if you delete your account while a sub is private, you lose all access to be able to delete those posts when they come back.

    Reddit needs to provide some kind of service or tool to delete ALL posts made by your account to avoid this problem. Many people who deleted their accounts without knowing this loophole are currently SOOL. I really, really hope they face some regulatory response/fines because of this.
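
The gap hamFoilHat and admiralteal describe above, as an added example (not code from the thread, Reddit or Lemmy): a constructed in-memory model in which user-side deletion only reaches what the profile listing shows, compared with server-side erasure keyed on the author. `Store`, `Item`, the community names and the sample data are all hypothetical.

```rust
use std::collections::HashSet;

// Constructed model of a forum content store; not Reddit's or Lemmy's schema.
struct Item {
    id: u32,
    author_id: u32, // stable internal key, retained after the account is closed
    community: &'static str,
    body: String, // empty once erased
}

struct Store {
    items: Vec<Item>,
    private: HashSet<&'static str>, // communities that are currently private
}

impl Store {
    /// IDs the owner can reach from their profile: live items in non-private communities.
    fn profile_listing(&self, author_id: u32) -> Vec<u32> {
        self.items
            .iter()
            .filter(|i| i.author_id == author_id && !i.body.is_empty())
            .filter(|i| !self.private.contains(i.community))
            .map(|i| i.id)
            .collect()
    }

    /// User-side deletion: limited to what the profile listing exposes.
    fn delete_via_profile(&mut self, author_id: u32) -> usize {
        let ids = self.profile_listing(author_id);
        for item in self.items.iter_mut().filter(|i| ids.contains(&i.id)) {
            item.body.clear();
        }
        ids.len()
    }

    /// Server-side erasure keyed on the author, regardless of community visibility.
    fn purge_by_author(&mut self, author_id: u32) -> usize {
        let erased = self.residual(author_id);
        self.items.iter_mut().filter(|i| i.author_id == author_id).for_each(|i| i.body.clear());
        erased
    }

    /// What an erasure audit counts: items by this author that still hold content.
    fn residual(&self, author_id: u32) -> usize {
        self.items.iter().filter(|i| i.author_id == author_id && !i.body.is_empty()).count()
    }
}

fn mk(id: u32, author_id: u32, community: &'static str, body: &str) -> Item {
    Item { id, author_id, community, body: body.to_string() }
}

/// Returns (deleted by user, left after reopen, left after purge, other user's items).
fn scenario() -> (usize, usize, usize, usize) {
    let mut store = Store {
        items: vec![
            mk(1, 7, "c_public", "first post"),
            mk(2, 7, "c_public", "second post"),
            mk(3, 7, "c_dark", "signed, Jane Example"), // constructed PII
            mk(4, 7, "c_dark", "reply in a community that went private"),
            mk(5, 8, "c_dark", "someone else's comment"),
        ],
        private: HashSet::from(["c_dark"]),
    };
    let by_user = store.delete_via_profile(7); // owner deletes all they can see, then closes the account
    store.private.remove("c_dark"); // the community reopens
    let after_reopen = store.residual(7);
    store.purge_by_author(7);
    (by_user, after_reopen, store.residual(7), store.residual(8))
}

fn main() {
    println!("{:?}", scenario());
}
```

In this model the two items in the private community survive the owner's own cleanup and resurface when it reopens; only the purge keyed on `author_id` leaves zero residual while leaving the other user's item alone.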

    RightHandOfIkaros,

    Is anyone surprised at this?

    I think Reddit should be forced to retroactively delete all comments and post history from users who have since deleted their account. If the user account was deleted, there is no reason they should be allowed to keep the data on that deleted account, period.

    WeirdGoesPro,

    Facebook has entered the chat

    MegaUltraChicken,

    At the very least a company should be required to give the option to nuke your data when deleting an account. Not sure if this exists in any legislation but would be useful.

    hamFoilHat,

    Or if the account is permabanned. Pretty much any time an account is no longer accessible.

    malloc,

    Not really. The list of controversies from reddit have continued to increase since 2014. The latest controversy was just the last straw that broke the camel's back.

    Personally, I am not familiar with CCPA, so I can not really comment on the justifications claimed by the video creator. But the fact that reddit legal support is slow rolling the deletion of the content generated is just scummy.

    HerrLewakaas,

    This seems enough to me to sue them on grounds of violating the GDPR. Not sure where spez is going with this but paying GDPR fines will most definitely not do any good to reddit's profitability lol

    ozillator,

    How does one go about holding a US based company accountable for violating an EU law that they aren't required to comply with?

    SuperIce,

    They are required to comply with the GDPR to operate in Europe.

    sudneo,

    Even more, they are required to comply if they target European countries as a market. For example, if you have registration open and you have translations in - say - French, Italian, German etc. It is already enough to force you to comply, as there is the clear intent of targeting European users.

    Kettlepants,

    Yeah, they have to obey the law wherever they operate.

    Cannacheques,

    Internet empires like Facebook and Reddit have a lot of grey area to be honest

    pineapplefriedrice,

    By this magic where they OPERATE IN EUROPE.

    CookieJarObserver,

    Reddit has its European headquarters in Ireland... And it's absolutely legally required to follow our laws.

    HamSwagwich,

    That Irish sandwich corporate structure (that's really a thing , I'm not making it up) to dodge taxes is coming home to bite them in the ass. How delicious..

    anti_antidote,

    It's either comply with laws regarding EU users or get blocked from operating in EU countries, I'm not sure of the entire process though

    phx,

    The same way they have with Facebook, Google etc. If they continue to do business in Europe with European users, they comply with European law or get fined significant amounts.

    romaselli, (edited )

    They are required to comply with it if they want to offer services to European customers. If they don't comply with the local regulation they will face fines and if they don't pay them and become compliant, they might have their access blocked from within the EU.

    The same is true for Brazil, which has similar legislation to the GDPR to protect Brazilian users from online services abusive practices regarding their data. Services can and have been blocked in Brazil for failing to comply with local regulations.

    jcg,

    Has this ever actually happened?

    romaselli,

    In Europe fines have been dealt but no blocking yet as far as I am aware. Just the fine and threat of a block happening is usually enough to make companies comply because they don't want to lose out on the market share.

    Edit: Link to Europe statistics: https://www.privacyaffairs.com/gdpr-fines/

    query,

    A lot of US news sites are blocking themselves out of Europe instead of complying.

    CookieJarObserver,

    Also ok, most of them suck anyway.

    romaselli,

    I don't think that's something that Reddit would do. They currently have offices in Dublin and Amsterdam, they clearly have an interest in the European market.

    sudneo,
    Jon-H558,

    A lot of local USA news sites region-block EU IP addresses preemptively, as they do a lot of tracking etc. that would violate it, so they just chose not to have the hassle of EU visitors

    jcg,

    Yeah I read about that but it seems to be voluntary. I haven't read anything about anyone actually being blocked, but it seems to be because the threat of a fine and blocking is enough. Another commenter pointed out they have offices within the EU so I guess EU officials could chase them up there.

    malloc,

    So Brazil has the equivalent of China's firewall? Or is this something implemented at the ISP level?

    romaselli,

    It's implemented at the ISP level, Brazilian courts can mandate all nationally operating ISPs and mobile carriers to block certain websites or services if they fail to comply with for example a judicial warrant. This has happened twice with WhatsApp for instance, and Telegram was threatened with it as well because they refused to hand over the identities of neonazi domestic terrorist groups.

    CookieJarObserver,

    You can easily go around that with a proxy btw.

    Gabu,

    The average user doesn't even know what a proxy is. At that point, you've killed profitability.

    romaselli,

    I am aware, but businesses generally don't want their users to jump through hoops to be able to access their services.

    Gabu,

    Adding to this, while there are certainly ways to bribe the Brazilian regulatory and supervisory bodies, they're pretty damn heavy handed and pro-consumer to begin with. One agency has recently fined Netflix for their bait-and-switch marketing to what is estimated as several hundred million USD, with even bigger fines to come.

    Luvs2Spuj,

    I've had the same canned response to my request, although I used GDPR due to where I live.

    I've filed a complaint through the ICO and requested advice on the best way to proceed.

    Skyketcher,

    Well I just manually deleted all 13 years worth of my comments. Let's see if they reappear.

    Zuberi,

    Call them out on LinkedIn. Bet.

    Rolando_Cueva,

    Fuck u/Spez

    hurp_mcderp,

    I am obviously not a lawyer but I don't see how Reddit is in the wrong here. On GDPR.EU that "The EU’s GDPR only applies to personal data, which is any piece of information that relates to an identifiable person. It’s crucial for any business with EU consumers to understand this concept for GDPR compliance." I don't see how your comment history would be considered "personal data".

    It even says in Reddit's TOS that "When Your Content is created with or submitted to the Services, you grant us a worldwide, royalty-free, perpetual, irrevocable, non-exclusive, transferable, and sublicensable license to use, copy, modify, adapt, prepare derivative works of, distribute, store, perform, and display Your Content and any name, username, voice, or likeness provided in connection with Your Content in all media formats and channels now known or later developed anywhere in the world".

    You've agreed that your posts are no longer your "personal data" at that point...

    samus12345,

    Companies put illegal things in their TOS's all the time.

    JdW, (edited )

    I don’t see how your comment history would be considered “personal data”.

    From the GDPR definitions: The data subjects are identifiable if they can be directly or indirectly identified, especially by reference to an identifier such as a name, an identification number, location data, an online identifier or one of several special characteristics, which expresses the physical, physiological, genetic, mental, commercial, cultural or social identity of these natural persons. In practice, these also include all data which are or can be assigned to a person in any kind of way. For example, the telephone, credit card or personnel number of a person, account data, number plate, appearance, customer number or address are all personal data.

    irrevocable You’ve agreed that your posts are no longer your “personal data” at that point…

    No, that is not how that works under European law at all. You can at **any** time revoke this right, that's one of the basic rules of GDPR. And yes, Reddit falls under GDPR as they specifically enable EU citizens to use their services.

    elvith,

    And yes, Reddit falls under GDPR as they specifically enable EU citizens to use their services

    And since they introduced their ambassador program where they tried to "clone" well-known subreddits to make a local alternative (in German, French,...), they can't even deny it since they specifically targeted European countries

    Asifall,

    It could be personally identifiable depending on the content. This is a problem I’ve had at work where users put in callback numbers or emails when using the “contact us” form. As far as I can tell this data still needs to be deleted upon request, though it’s unclear to what lengths we are expected to go to. This would be an interesting test case if nothing else.
