Video description as of 2023-06-23 10:15 PDT:

This video shows that Reddit refused to delete all comments and posts of its users when they close their account via a CCPA / GDPR request. Posts and comments may contain PII. Specifically, Reddit tells users that they must delete the content themselves, which isn’t realistic if a user creates a lot of posts. Even if a user does delete their content, Reddit restores the content within a few days.

Video transcript:

  • 2023-06-13 @ 15:15 PDT: user states he deleted all posts and comments
  • 2023-06-16 @ 10:15 PDT (3 days later): user states all posts and comments have been restored
  • 2023-06-19: user decides to submit a legal request under CCPA to delete content
  • 2023-06-19 @ 11:07 PDT: user receives reply from “Reddit Legal Support” (RLS) which states they will delete the account but not the content associated with the account. It is up to the owner of the account to remove the content [e-mail contents reproduced below]
Reddit Legal Support (Reddit Support)
Jun 19, 2023, 11:07 PDT

Hello,

We would be happy to help you delete your Reddit account if you have one. Before we proceed please note:

 1. Account deletion is irreversible.
 2. Posts and comments must be separately deleted before deleting your account. If not separately deleted, the content of the posts and comments will remain visible and disassociated from any account. If you want your posts and comments removed, follow the instructions on our help page. 

Once the above mentioned information is removed to your satisfaction, please submit your deletion request by using your Reddit account and this form so we know it's really you making the request.

More information about account deletion is available in our Privacy Policy.

Kind regards,

Reddit Legal Support
  • 2023-06-19 @ 12:02 PDT: user replies back to RLS stating it is an unrealistic expectation for the end user to manually delete and alleges violation of CCPA [reply reproduced below]
Hello,

If I understand your response properly, you are refusing to delete all data associated with my account. I believe this is illegal and in violation of the CPR. In this case the onus is on you, Reddit, to delete all of the content associated with my account. 

It is beside the point, but last week I already deleted all of the posts and comments associated with my account. However, Reddit has since restored most of the content.

It is untenable to demand all users to manually delete content when Reddit itself does not provide a self-serve mechanism to mass-delete content. Some users have thousands of posts and millions of comments. 

Just as a reminder, my CPA request to delete my account and all associated data was made on June 19th 2023 and must be completed by August 3rd 2023.
  • 2023-06-24 @ 10:45 PDT: user has not received a reply from RLS. He decided to painstakingly delete all posts and comments while screen recording the effort. Video continues with the user manually deleting posts for his account (https://www.reddit.com/user/nucleocide). Then fast forwards to the end of the segment where the last posts are deleted
  • 2023-06-25 @ 10:25 PDT: user discovers posts and comments are restored, again

User concludes video and clarifies why this is a violation of CCPA:

At this point it appears impossible to manually delete posts and comments on Reddit and expect them to stay deleted. 

By not deleting all posts and comments in an automated way there is no way to guarantee that no PII [Personally Identifiable Information] has been left behind.

For example ...

<user gives example of a comment from 6 months ago on his account which includes his real first name and last name. Screen capture shows the comment was edited recently>

Since there is no guarantee that every single post and comment is free from PII, Reddit must delete all comments and posts from an account upon receiving a GDPR / CPA request.

Reddit Discussion on “/r/videos”: https://old.reddit.com/r/videos/comments/14je01k/reddit_may_be_violating_the_fucking_ccpa/

  • static@kbin.social · 22 upvotes · edited · 1 year ago

    Interesting, from a GDPR perspective this is unacceptable.
    Pondering about a proper GDPR complaint.

    Some of my old Reddit accounts might have > 1000 comments.

    • malloc@lemmy.world (OP) · 19 upvotes · 1 year ago

      The video creator appears to be from California, since he was trying to claim account deletion under CCPA. If reddit legal support is also slow rolling account and associated content deletion as well for GDPR, then the legal blowback could be massive.

      • static@kbin.social · 6 upvotes · 1 year ago

        I assume that they just don’t have the infrastructure to do it, otherwise they would just use GDPR code for CCPA.

        As a software developer: GDPR was a real pain to refit into an old legacy system. It’s less of a pain if you know beforehand and can plan ahead.

        • CMLVI@kbin.social · 5 upvotes · edited · 1 year ago

          Would suck if they had to spend money on the infrastructure to mass-delete data that the deletion of lessened their value to investors.

          Shame.

          • static@kbin.social · 4 upvotes · edited · 1 year ago

            It’s a flawed risk assessment.
            Short term, not complying is much cheaper. Long term it’s bad, but for the individual: “whatever, I got my bonus and switched to another position”

            • sudneo@lemmy.world · 2 upvotes · 1 year ago

              It’s actually a risky game. It doesn’t happen often, but under GDPR not complying can result in the stop of data processing. It happened recently with Italy and OpenAI for example. If that happens, reddit would be forced to stop processing any data from people coming from that particular country, or countries, because each data protection authority can act. Of course that is the equivalent of a nuke, but it can happen, and if it happens I am not sure anybody is getting bonuses soon…

    • eleitl@lemmy.world · 13 upvotes · 1 year ago

      My account is 16+ years old and has 300 k combined karma. I will be sure to contact my data protection officer to complain. Reddit needs an audit to document they wipe the db properly, and the data is gone from backups. Not just my data, anything they got on me.

      • fishcurry509@lemmy.world · 1 upvote · 1 year ago

        After seeing the comments above, I was about to say precisely this. Getting the data protection authority involved is the most sensible way.