Reddit can restore your deleted posts. However, if people flood them with GDPR / CCPA delete requests, they may become liable for lawsuits if they don’t comply.

It sounds like their current policy is to not delete your posts even when deleting your account, but there may be grounds for legal action here.

  • NotTheOnlyGamer@kbin.social
    1 year ago

    If you can prove that the data you’re asking to have deleted is or contains PII, I’m sure they’ll comply to the letter of the law. Outside of that, all content submitted to Reddit belongs to Reddit, Conde Nast, Advance Media, and all subsidiaries.

    • Sousa@lemmy.world
      1 year ago

      Surely this is wrong? If the content I posted is not deleted and it still shows as being made from my account, it traces back to me, so it should be deleted if I requested so. In addition to this, would you apply the same logic to private messages? With or without your name or username, if you send a message to someone and cancel or delete it, no one should be able to recover it unless you consent to it.

      Let’s go more in depth now. According to the UK’s Data Protection Act 2018 (GDPR) and EU’s Regulation (EU) 2016/679 (General Data Protection Regulation):

      Examples of Personal Data (excluding the most obvious ones): (here and here)

      • race
      • ethnic background
      • political opinions
      • religious beliefs
      • trade union membership
      • genetics
      • biometrics (where used for identification)
      • health
      • sex life or orientation

      Processing Meaning: (here)

      Processing covers a wide range of operations performed on personal data, including by manual or automated means. It includes the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of personal data.

      Examples of processing include:

      posting/putting a photo of a person on a website;

      With this in mind, you can no longer only be identified by your username (in case it says “Deleted”), you could potentially be identified by your post’s content (and post history). If consent is withdrawn and you wish that the company stops processing your data, the company must comply (here).

      With the heat Reddit is taking, and probably the wave of complaints that’s about to happen, I’m eager to see what’s going to be the regulator’s response.



      Edit: Apparently, according to Reddit’s User Agreement, the “content” we create on Reddit is “Your Content”, not Reddit’s content, so I’m not sure where you saw that:

      all content submitted to Reddit belongs to Reddit, Conde Nast, Advance Media, and all subsidiaries.

      because, in reality:

      The Services may contain information, text, links, graphics, photos, videos, audio, streams, or other materials (“Content”), including Content created with or submitted to the Services by you or through your Account (“Your Content”). We take no responsibility for and we do not expressly or implicitly endorse, support, or guarantee the completeness, truthfulness, accuracy, or reliability of any of Your Content.

      By submitting Your Content to the Services, you represent and warrant that you have all rights, power, and authority necessary to grant the rights to Your Content contained within these Terms. Because you alone are responsible for Your Content, you may expose yourself to liability if you post or share Content without all necessary rights.

      You retain any ownership rights you have in Your Content, but you grant Reddit the following license to use that Content:

      When Your Content is created with or submitted to the Services, you grant us a worldwide, royalty-free, perpetual, irrevocable, non-exclusive, transferable, and sublicensable license to use, copy, modify, adapt, prepare derivative works of, distribute, store, perform, and display Your Content and any name, username, voice, or likeness provided in connection with Your Content in all media formats and channels now known or later developed anywhere in the world. This license includes the right for us to make Your Content available for syndication, broadcast, distribution, or publication by other companies, organizations, or individuals who partner with Reddit. You also agree that we may remove metadata associated with Your Content, and you irrevocably waive any claims and assertions of moral rights or attribution with respect to Your Content.

      From Reddit’s Privacy Policy:

      Your Rights and Choices:

      Deleting Your Account
      You may delete your account information at any time from the user preferences page. You can also submit a request to delete the personal information Reddit maintains about you by following the process described below this table. When you delete your account, your profile is no longer visible to other users and disassociated from content you posted under that account. Please note, however, that the posts, comments, and messages you submitted prior to deleting your account will still be visible to others unless you first delete the specific content. After you submit a request to delete your account, it may take up to 90 days for our purge script to complete deletion. We may also retain certain information about you as required by law or for legitimate business purposes.

      Please remember that you don’t have to live in the EU to be safeguarded by GDPR, you can also be an EU/EEA citizen.
      Also, check your country’s law since it’s very likely you’re protected by something similar.

      • Steeve@lemmy.ca
        1 year ago

        No, they’re correct, which the rest of your comment alludes to in the full context. You’d only be allowed to request deletion of comments with personal data, and Reddit is within their rights to have you specify which ones.

        • Sousa@lemmy.world
          1 year ago

          I’m sorry but that’s not what the User’s agreement and Privacy Policy say. It’s pretty obvious who’s the content’s owner and what rights we have over it. The only way Reddit can keep that content is by making a derivative of the content, like stated above. As I can see some of my original posts being recovered after deletion, these are obviously not derivative of anything, they’re the original content.

          As of right now, I haven’t deleted my account, so this includes my username. That’s definitely personal data, and as such, they’re not allowed to recover the post without my consent. Maybe the solution to the problem at the moment is to keep an account in order to have more control over our content and make sure it stays deleted. In case they change their UA or PP regarding this matter, then we should request the account’s deletion.

            • Sousa@lemmy.world
              1 year ago

              Personal data only matters from a GDPR point of view. Regarding Reddit’s UA and PP, that doesn’t have any relevance. They also specifically cover our current problem as an example:

              Please note, however, that the posts, comments, and messages you submitted prior to deleting your account will still be visible to others unless you first delete the specific content.


              Which is exactly what I (and many other people) did, and yet they’ve restored our content without our permission. And once again, at least in my case, I only deleted my posts and not my account as of right now. This means every single one of my restored posts has my handle on it, which is personal data.

              An individual’s social media ‘handle’ or username, which may seem anonymous or nonsensical, is still sufficient to identify them as it uniquely identifies that individual. The username is personal data if it distinguishes one individual from another regardless of whether it is possible to link the ‘online’ identity with a ‘real world’ named individual.


              It really doesn’t get any easier to understand, but please make sure to keep glazing spez.
              I’m sure he appreciates any support he can get right now.

              • Steeve@lemmy.ca
                1 year ago

                Dude, we were specifically discussing the GDPR, a subject that I have a lot of experience in through my career. You don’t get to move the goalposts to Reddit’s ToS and accuse me of supporting spez lmao. Get out of here.

                • Sousa@lemmy.world
                  1 year ago

                  Surely you have loads of experience, yet you lack reading capabilities. I suggest you re-read the information above and draw your own conclusions. I won’t be discussing this any longer, as you must be clearly trolling or lacking in the reading department.

  • ddnomad@infosec.pub
    1 year ago

    Strongly suggest overriding all comments and posts (using something like PowerDeleteSuite) before submitting a GDPR request though. Replace it with “use kbin/lemmy” or similar.

    Not sure whether it will work out but I am planning to do that before the API is gone (assume ~28th of June or something).

    • Sousa@lemmy.world
      1 year ago

      They’d probably recover the original content, even though it is illegal for them to do so.
      Don’t worry, their IPO will surely be a success after part of the community leaves + possible GDPR fines.

    • Sousa@lemmy.world
      1 year ago

      Reddit’s Privacy Policy and User Agreement apply to you either way, so I’d assume you’d be able to make a request based on that. Due to the EU’s GDPR regulations, most companies make their policies GDPR-compliant, meaning fewer variations, less work, and better consumer protections.