271
Reddit user alleges California Consumer Privacy Act (CCPA) non-compliance/violation; and finds it difficult to delete posts and content on Reddit (youtube.com)
submitted 1 year ago* (last edited 1 year ago) by malloc@lemmy.world to c/reddit@lemmy.world
125 comments fedilink hide all child comments

Video description as of 2023-06-23 10:15 PDT:

This video shows that Reddit refused to delete all comments and posts of its users when they close their account via a CCPA / GDPR request. Posts and comments may contain PII. Specifically, Reddit tells users that they must delete the content themselves, which isn't realistic if a user creates a lot of posts. Even if a user does delete their content, Reddit restores the content within a few days.

Video transcript:

  • 2023-06-13 @ 15:15 PDT: user states he deleted all posts and comments
  • 2023-06-16 @ 10:15 PDT (3 days later): user states all posts and comments have been restored
  • 2023-06-19: user decides to submit a legal request under CCPA to delete content
  • 2023-06-19 @ 11:07 PDT: user receives reply from "Reddit Legal Support" (RLS) which states they will delete the account but not the content associated with the account. It is up to the owner of the account to remove the content [e-mail contents reproduced below]
Reddit Legal Support (Reddit Support)
Jun 19, 2023, 11:07 PDT

Hello,

We would be happy to help you delete your Reddit account if you have one. Before we proceed please note:

 1. Account deletion is irreversible.
 2. Posts and comments must be separately deleted before deleting your account. If not separately deleted, the content of the posts and comments will remain visible and disassociated from any account. If you want your posts and comments removed, follow the instructions on our help page. 

Once the above mentioned information is removed to your satisfaction, please submit your deletion request by using your Reddit account and this form so we know it's really you making the request.

More information about account deletion is available in our Privacy Policy.

Kind regards,

Reddit Legal Support
  • 2023-06-19 @ 12:02 PDT: user replies back to RLS stating it is unrealistic expectation for end user to manually delete and alleges violation of CCPA [reply reproduced below]
Hello,

If I understand your response properly, you are refusing to delete all data associated with my account. I believe this is illegal and in violation of the CPR. In this case the onus is on you, Reddit, to delete all of the content associated with my account. 

It is besides the point but last week I already deleted all of the posts and comments associated with my account. However Reddit has since restored most of the content.

It is untenable to demand all users to manually delete content when Reddit itself does not provide a self-serve mechanism to mass-delete content. Some users have thousands of posts and millions of comments. 

Just as a reminder, my CPA request to delete my account and all associated data was made on June 19th 2023 and must be completed by August 3rd 2023.
  • 2023-06-24 @ 10:45 PDT: user has not received a reply from RLS. He decided to painstakingly delete all posts and comments while screen recording the effort. Video continues with the user manually deleting posts for his account (https://www.reddit.com/user/nucleocide). Then fast forwards to the end of the segment where the last posts are deleted
  • 2023-06-25 @ 10:25 PDT: user discovers posts and comments are restored, again

User concludes video and clarifies why this is a violation of CCPA:

At this point it appears impossible to manually delete posts and comments on Reddit and expect them to stay deleted. 

By not deleting all posts and comments in an automated way there is no way to guarantee that no PII [Personally Identifiable Information] has been left behind.

For example ...

<user gives example of a comment from 6 months ago on his account which includes his real first name and last name. Screen capture shows the comment was edited recently>

Since there is no guarantee that every single post and comment is free from PII, Reddit must delete all comments and posts from an account upon receiving a GDPR / CPA request.

Reddit Discussion on "/r/videos": https://old.reddit.com/r/videos/comments/14je01k/reddit_may_be_violating_the_fucking_ccpa/

[2023-06-23 14:52 PDT] edit ~ formatting, fix title typo

you are viewing a single comment's thread
view the rest of the comments
[-] romaselli@lemmy.world 27 points 1 year ago* (last edited 1 year ago)

They are required to comply with it if they want to offer services to European customers. If they don't comply with the local regulation they will face fines and if they don't pay them and become compliant, they might have their access blocked from within the EU.

The same is true for Brazil, which has similar legislation to the GDPR to protect Brazilian users from online services abusive practices regarding their data. Services can and have been blocked in Brazil for failing to comply with local regulations.

[-] Gabu@lemmy.world 3 points 1 year ago

Adding to this, while there are certainly ways to bribe the Brazilian regulatory and supervisory bodies, they're pretty damn heavy handed and pro-consumer to begin with. One agency has recently fined Netflix for their bait-and-switch marketing to what is estimated as several hundred million USD, with even bigger fines to come.

[-] jcg@lemmy.world 0 points 1 year ago

Has this ever actually happened?

[-] romaselli@lemmy.world 13 points 1 year ago* (last edited 1 year ago)

In Europe fines have been dealt but no blocking yet as far as I am aware. Just the fine and threat of a block happening is usually enough to make companies comply because they don't want to lose out on the market share.

Edit: Link to Europe statistics: https://www.privacyaffairs.com/gdpr-fines/

[-] query@lemmy.world 4 points 1 year ago

A lot of US news sites are blocking themselves out of Europe instead of complying.

[-] romaselli@lemmy.world 1 points 1 year ago

I don't think that's something that Reddit would do. They currently have offices in Dublin and Amsterdam, they clearly have an interest in the European market.

[-] CookieJarObserver@feddit.de 1 points 1 year ago

Also ok, most of them suck anyway.

[-] Jon-H558@kbin.social 1 points 1 year ago

A lot of local.usa news sites region block EU ipaddresses to premptivly as they do a lot of tracking.etc that would.violate it so they just chose not to have the hassle of eu visitors

[-] jcg@lemmy.world 1 points 1 year ago

Yeah I read about that but it seems to be voluntary. I haven't read anything about anyone actually being blocked, but it seems to be because the threat of a fine and blocking is enough. Another commenter pointed out they have offices within the EU so I guess EU officials could chase them up there.

[-] malloc@lemmy.world -5 points 1 year ago

So Brazil has the equivalent of China's firewall? Or is this something implemented at the ISP level?

[-] romaselli@lemmy.world 4 points 1 year ago

It's implemented at the ISP level, Brazilian courts can mandate all nationally operating ISPs and mobile carries to block certain websites or services if they fail to comply with for example a judicial warrant. This has happened twice with WhatsApp for instance, and Telegram was threatened with it as well because they refused to hand over the identities of neonazi domestic terrorist groups.

[-] CookieJarObserver@feddit.de 2 points 1 year ago

You can easily go around that with a proxy btw.

[-] Gabu@lemmy.world 1 points 1 year ago

The average user doesn't even know what a proxy is. At that point, you've killed profitability.

[-] romaselli@lemmy.world 1 points 1 year ago

I am aware, but businesses generally don't want their users to jump through hoops to be able to access their services.

this post was submitted on 26 Jun 2023
271 points (99.6% liked)

Reddit

17473 readers
326 users here now

News and Discussions about Reddit

Welcome to !reddit. This is a community for all news and discussions about Reddit.

The rules for posting and commenting, besides the rules defined here for lemmy.world, are as follows:

Rules

Rule 1- No brigading.

**You may not encourage brigading any communities or subreddits in any way. **

YSKs are about self-improvement on how to do things.

Rule 2- No illegal or NSFW or gore content.

**No illegal or NSFW or gore content. **

Rule 3- Do not seek mental, medical and professional help here.

Do not seek mental, medical and professional help here. Breaking this rule will not get you or your post removed, but it will put you at risk, and possibly in danger.

Rule 4- No self promotion or upvote-farming of any kind.

That's it.

Rule 5- No baiting or sealioning or promoting an agenda.

Posts and comments which, instead of being of an innocuous nature, are specifically intended (based on reports and in the opinion of our crack moderation team) to bait users into ideological wars on charged political topics will be removed and the authors warned - or banned - depending on severity.

Rule 6- Regarding META posts.

Provided it is about the community itself, you may post non-Reddit posts using the [META] tag on your post title.

Rule 7- You can't harass or disturb other members.

If you vocally harass or discriminate against any individual member, you will be removed.

Likewise, if you are a member, sympathiser or a resemblant of a movement that is known to largely hate, mock, discriminate against, and/or want to take lives of a group of people, and you were provably vocal about your hate, then you will be banned on sight.

Rule 8- All comments should try to stay relevant to their parent content.

Rule 9- Reposts from other platforms are not allowed.

Let everyone have their own content.

:::spoiler Rule 10- Majority of bots aren't allowed to participate here.

founded 1 year ago
MODERATORS
ja2@lemmy.world
Rooki@lemmy.world
_MoveSwiftly@lemmy.world
Thekingoflorda@lemmy.world
L3s@lemmy.world