Flood Reddit with GDPR / CCPA delete requests

cowvin@kbin.social to Reddit Migration@kbin.social – 85 points –

Reddit can restore your deleted posts. However, if people flood them with GDPR / CCPA delete requests, they may become liable for lawsuits if they don't comply.

It sounds like their current policy is to not delete your posts even when deleting your account, but there may be grounds for legal action here.

21

Strongly suggest overriding all comments and posts (using something like PowerDeleteSuite) before submitting a GDPR request though. Replace it with “use kbin/lemmy” or similar.

Not sure whether it will work out but I am planning to do that before API is gone (assume ~28th of June or something).

They'd probably recover the original content, even though it is illegal for them to do so.
Don't worry, their IPO will surely be a success after part of the community leaves + possible GDPR fines.

If you can prove that the data you're asking to have deleted is or contains PII, I'm sure they'll comply to the letter of the law. Outside of that, all content submitted to Reddit belongs to Reddit, Conde Nast, Advance Media, and all subsidiaries.

Surely this is wrong? If the content I posted is not deleted and it still shows as being made from my account, it traces back to me, so it should be deleted if I requested so. In addition to this, would you apply the same logic to private messages? With or without your name or username, if you send a message to someone and cancel or delete it, no one should be able to recover it unless you consent to it.

Let's go more in depth now. According to the UK's Data Protection Act 2018 (GDPR) and EU's Regulation (EU) 2016/679 (General Data Protection Regulation):

Examples of Personal Data (excluding the most obvious ones): (here and here)

  • race
  • ethnic background
  • political opinions
  • religious beliefs
  • trade union membership
  • genetics
  • biometrics (where used for identification)
  • health
  • sex life or orientation

Processing Meaning: (here)

Processing covers a wide range of operations performed on personal data, including by manual or automated means. It includes the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of personal data.

Examples of processing include:

posting/putting a photo of a person on a website;

With this in mind, you can no longer only be identified by your username (in case it says "Deleted"), you could potentially be identified by your post's content (and post history). If consent is withdrawn and you wish that the company stops processing your data, the company must comply (here).

With the heat Reddit is taking, and probably the wave of complaints that's about to happen, I'm eager to see what's going to be the regulator's response.

No, they're correct, which the rest of your comment alludes to in the full context. You'd only be allowed to request deletion of comments with personal data, and Reddit is within their rights to have you specify which ones.

I’m sorry but that’s not what the User’s agreement and Privacy Policy says. It’s pretty obvious who’s the content’s owner and what rights we have over it. The only way reddit can keep that content is by making a derivate of the content, like stated above. As I can see some of my original posts being recovered after deletion, these are obviously not derivative of anything, they’re the original content.

As of right now, I haven’t deleted my account, so this includes my username. That’s definitely personal data, and as such, they’re not allowed to recover the post without my consent. Maybe the solution to the problem at the moment is to keep an account in order to have more control over our content and make sure stays deleted. In case they change their UA or PP regarding this matter, then we should request the account’s deletion.

Again, that only applies to personal data, not all your reddit comments.

Personal data only matters from a GDPR point of view. Regarding Reddit's UA and PP, that doesn't have any relevance. They also specifically cover our current problem as an example:

Please note, however, that the posts, comments, and messages you submitted prior to deleting your account will still be visible to others unless you first delete the specific content.


Which is exactly what I (and many other people) did, and yet they've restored our content without our permission. And once again, at least in my case, I only deleted my posts and not my account as of right now. This means every single one of my restored posts has my handle on it, which is personal data.

An individual’s social media ‘handle’ or username, which may seem anonymous or nonsensical, is still sufficient to identify them as it uniquely identifies that individual. The username is personal data if it distinguishes one individual from another regardless of whether it is possible to link the ‘online’ identity with a ‘real world’ named individual.


It really doesn't get any easier to understand, but please make sure to keep glazing spez.
I'm sure he appreciates any support he can get right now.

Dude, we were specifically discussing the GDPR, a subject that I have a lot of experience in through my career. You don't get to move the goalposts to Reddit's ToS and accuse me of supporting spez lmao. Get out of here.

Surely you have loads of experience, yet you lack reading capabilities. I suggest you re-read the information above and draw your own conclusions. I won't be discussing this any longer, as you must be clearly trolling or lacking in the reading department.

Read the title of the post bud

I was answering a comment regarding Reddit's ownership of our content and if we're allowed to delete it or not.
From OP:

Reddit can restore your deleted posts.
It sounds like their current policy is to not delete your posts even when deleting your account, but there may be grounds for legal action here.

I'm sure my comments are still well within topic here?
Lil bro tried to read a second time and still failed, please don't try again. 😭😭😭😭\

GDPR applies to all data that can be used to identify a living person (you). The Terms of Service are your contract with reddit, and intellectual property right in portions of your comments that are not personal data would apply to that. The privacy policy applies to everything, because it is the company's notice about what they do and don't do, and they must stick by that, or else they violate the FTC's rules on consumer fairness (among other things). Most companies would simply allow users control over their comments to ensure GDPR compliance, although technically reddit is not required by GDPR to delete or afford any rights related to personal data... UNLESS, they have specified so in their privacy notice and/or terms of service. There, that's my second comment ever in kbin. I'm personally very sick with Reddit's conduct. It's definitely enshitification. Either way, EU data protection authorities would take a very dim view of the willy-nillly way in which Reddit reinstated supposedly deleted comments even without considering the specific content. I suspect the FTC would not be real keen on it either.

It doesnt' belong to Reddit. You give them a license (transferrable and non-revocable) to use the content. But in the EU that is superceded by the GDPR.

Any hope for Canadians? Not sure if using GDPR or CCPA would work in that case.

Reddit's Privacy Policy and User Agreement apply to you either way, so I'd assume you'd be able to make a request based on that. Due to the EU's GDPR regulations, most companies make their policies GDPR-compliant, meaning fewer variations, less work, and better consumer protections.