Hacker News new | past | comments | ask | show | jobs | submit login
How to Delete Your Reddit Account and All Data Under GDPR/CCPA (thomashunter.name)
79 points by tlhunter on June 19, 2023 | hide | past | favorite | 53 comments



I'm amazed at the amount of fire that Reddit has been playing with here. The update on this article is pretty amazing, with Reddit really not understanding their legal requirements before shooting that response back.

I've been having some fun using Lemmy in the mean time, and I quite like it. Once some communities get established, I think it'll easily take over from Reddit. It wasn't quite ready for prime time yet, but this boost in popularity is quickly showing the places it needs some help, and I think it'll get it.

That isn't to say I've abandoned Reddit, though. I still read it as much as I had... I'm just really interested in alternatives existing as well.


Is there a way to increase density on Lemmy? I want it closer to old.Reddit.


I don't think any such alternative frontend is maintained, but making changes to the front-end is not terribly complicated from when I last took a stab at it.


Kbin.social?

Jerboa for Android looks just like redreader did for reddit


> with Reddit really not understanding their legal requirements before shooting that response back

I think you and the author misunderstand gdpr and ccpa.

Severing the link between username and post is not at all obviously noncompliant with GDPR and CCPA. So simply making the username equal to "[deleted]" is likely compliant.

1 - anonymity is a valid method here -- once you cannot link a post with a person, it's colorably no longer "personal data", which is defined as data related to an *identifiable* person.

2 - in GDPR art 17, there are multiple reasons Reddit could avoid deleting. Note that the right of deletion only covers personal data, and has multiple exceptions, including (art 6) legitimate interests of others, which could cover the other people in threads reading and responding to messages.

Even if you believe that none of the above suffice, enforcement lies in going through a country-specific DPA in Europe. Either the one Reddit has established as their primary DPA, or a user's country-specific DPA. From then, the (heavily overloaded) DPA would have to prioritize this for enforcement action (which I strongly suspect they wouldn't) and agree with the complainant's position (which I also am not sure they would.) Even if all that happened, Reddit could appeal.

But I strongly suspect that the DPA would not take action and find anonymization good enough, particularly since Reddit is intended to be public. The DPAs are generally expending their resources on the most egregious violators and/or their naughty list of Google / Facebook.

As for CPRA, it also has multiple exceptions for deletion [1], including anonymization (by rending a post no longer personal information); as well as (d)(4) right of free speech, etc.

A similar enforcement overload analysis will likely apply to the CA Privacy Protection Agency as DPAs.

[1] https://www.caprivacy.org/cpra-text/#section5


>simply making the username equal to "[deleted]" is likely compliant.

What if any of the comments themselves contain a name, username or other personal data that could be used to connect it to a person? "Anonymization" by deleting comment's authors like that just seems unnecessarily risky considering the potential fines.


> considering the potential fines

No fine has been close to the maximum; no fine has been put in place for any set of facts anything close to a public forum post not being fully anonymized. If you don't believe me, you're free to read the set of DPA decisions to date as well as the edpb and wg guidance.

There have been many complaints about similar actions (esp Discord) and, to date, no DPA actions. In fact, the CNIL did fine Discord for other things, and didn't touch this.


This kind of “shadow delete” is an alarming dark pattern. The user’s intent is clear, the company pretends to address it and later reverts the action when the user is likely to not notice.

Their approach to handling deletion in general is unintuitive and extremely user hostile. Also in the context of the response from support.

> I received a response from Reddit pretty quickly after submitting it. The response told me that I must delete all of the posts and comments beforehand.


> The response told me that I must delete all of the posts and comments beforehand.

Reddit appears to also be making this as difficult as possible. According to both my user profile and the scripts being used to delete my account history, I've successfully deleted all my posts and comments...

A quick Google search of my username however, turns up hundreds of posts & comments still on Reddit going back several years, but which don't appear anywhere in my user profile.

I'm not sure if this is simply poor design on their part, or if this is a deliberate attempt to frustrate deletion attempts... but I'm not currently inclined to give them the benefit of the doubt given recent statements and actions.


> Last week I went through and deleted every single post and comment associated with my account. And, while the data disappeared for a few days, everything has since been reinstated.

I used power delete tools to edit and delete all data. Then I deleted my account. It still shows as deleted, so I cannot confirm this. Anyone else?

If Reddit is re-instating content that was deleted they are crossing a hard moral line for me. That is not only deceptive way beyond plausible deniability and the usual dark patterns. It’s the ultimate “you are an adversary and we don’t care about you, like at all”. I can’t even imagine the consequences for people who are doxxed, stalked or worse.


I used "Power Delete Suite" to delete all my comments. Everything over 3 months old, came back a little over 24 hours later.

Edit: Now less sure of this statement. I just had more "come back", all in the same subreddit. So it now appears I'm seeing comments I couldn't previously see because that sub was still private. This makes me less sure the comments I saw previously "came back" rather than being the same issue.


Reddit have been scrapped for years, doesn't matter if reddit itself delete any of our data, tons of sites like https://camas.unddit.com/ have scrapped and stored everything.


Most people who care enough to delete their content, not just their accounts, are probably aware of archiving, and likely think it’s a good thing. The goal is to prevent Reddit from profiting off of voluntary contributions.


Typo, “scrapped” -> “scraped”.

Scrapped (from: scrap) - discarded, e.g.: “scrapped design”.

Scraped (from: scrape) - when something was removed from a surface, e.g.: “scraped website”.


The site you linked does not work and the GitHub repository is disabled.


I am not a lawyer, but my full-time work involves reviewing codebases for GDPR and CCPA compliance.

I do not believe this strategy will achieve what OP is hoping.

In response to a deletion request, Reddit instead seeks to anonymize the data. Anonymous data is not personal data, so anonymous data is not covered by GDPR.

If you submit a GDPR deletion request, they will in this way wriggle into a position where they claim GDPR does not apply.

When Reddit (or most any other website) soft-deletes an account, they simply obfuscate the user's identifiers such as username and IP address. They argue that this is sufficient to make the mass of remaining data anonymous, and therefore not covered by any privacy law.

This is an extremely common position for websites. However, it requires that the remaining data truly be anonymous. For Reddit, this is absurd, as the free-form content of the website allows any amount of identifying information to be uploaded. Reddit simply cannot guarantee that identities cannot be deduced from what remains.

I believe this is fundamentally in violation of GDPR, but I am not a GDPR regulator with the power of enforcement.

This requires a legal appeal to the regulatory bodies.


Usually companies would rather delete uploaded content / text to avoid the chance of the user having disclosed private information through that content which will remain if simply "anonymized" because the account holder's PII is disconnected from the content. The liability is high enough to warrant deleting the content.


I agree, "legitimate" companies usually want to comply and to do right by their users. That's why I get hired.

But currently the entire online analytics and advertising industries are hanging by this thread.


Reddit handled this whole situation like crap from the beginning. It'd be hard to think of how they could make it worse. One of the subreddits I most liked to visit has reopened but with submissions restricted, so it is dead. The fact that Reddit managed to piss everyone off, and then let their moderators destroy the site, and continues to let that happen ... it's just incredible. I'm all done. The moderators succeeded. But I don't like them any more than I like Reddit corporate, they all suck. They should start their own thread in r/AmItheAsshole.


https://commission.europa.eu/law/law-topic/data-protection/r... (European Commission: What should I do if I think that my personal data protection rights haven’t been respected?)


does anybody have a citation from the actual laws referenced here to back up that content you've posted counts as "personal data", and that you can actually use these laws to request the deletion of content you've publicly shared?


> I received a response from Reddit pretty quickly after submitting it. The response told me that I must delete all of the posts and comments beforehand. I'm pretty sure this is in violation of both GDPR/CCPA as it might be physically impossible for a user to delete, say, one million comments. Of course, this ignores the fact that Reddit already restored all of the data that I've deleted.

This is obviously a very frustrating response from Reddit.

I recently made an extension that automates deleting your content for you because of malarkey like this. Not sure yet if there's anything I can do to make deletions "stick", so to speak, but at least you can run the extension as many times as you like. Would love to hear if anyone figures anything more out, especially OP.

https://chrome.google.com/webstore/detail/bulk-delete-reddit...


Even without the problem of reddit restoring deleted posts and comments, a user upthread noted that this is insufficient for another reason: it can't delete comments in subreddits that are currently private.


As far as I know, there's actually no way to even see or delete comments in private subreddits at all.


Someone needs to automate all this so people can start doing it by the millions. Reddit wants to play hardball, so let's play hardball.


What sort of a shitty delete your data process doesn't delete your data?!?!

On brand for reddit I guess


I think I'll do this out of spite because I've come to detest Reddit


Last week I deleted all of my Reddit comments and posts. They've all since been restored. That inspired me to write up this post on how to delete an account using GDPR/CCPA.


Can you confirm they've actually been deleted now that you've submitted this formal request?


There is an update on TFA.

(Edited out bandwagon-ey commentary.)


Can this be used to force them to delete sent messages?

Like person A sent a message to person B.

A invokes GDPR.

Will the messages from A disappear in the inbox of person B?


No, GDPR is not an universal delete cheat code.

It has specific permissions where it's OK to retain data, it just needs to be anonymised - and even that can be waived in some cases.


As far as I know you cannot even access posts further down than 1000 as sorted by your top/mostc controversial/best posts on your profile.

I have accounts I haven't been able to fully delete in the past.

So here is reddit claiming they won't comply with GDPR :D


[flagged]


You can't always get what you want.


But sometimes you can.


This isn't one of those times.


You could've just said that directly instead of being snarky.


Does anyone know why HN doesn't allow account deletion or comment deletion after a timer, seemingly in violation of GDPR?


Some version of "these comments are a donation to the community and the idea of taking your ball and going home is anathema to what we are trying to build here"

which is a long way of saying "we think our shit don't stink"

I've recently (over two months) deleted my Twitter, Reddit, and Facebook accounts and was not impressed by what I found when I went to delete my HN account.

I understand that there are other options (reset password to random gibberish, run a script to delete my comments) and none of that would provide the catharsis I aimed for so I'm still here, for now, I guess.

Edit: looking at the other replies next to mine, I think "we think our shit don't stink" was an accurate description of what's going on here.


I thought you wanted to delete your account. Why are you still here?


"I've had it with social media sites. I thought HN could be a last bastion, then I saw a dude arguing that he wasn't sure tuberculosis was as bad as it's made it out to be and decided it was just as shitty there as everywhere else. I went to delete my account and found out I couldn't, which hilariously strengthened my resolve to delete the account.

I'd say thanks but I think it's extremely stupid that you're making me resort to this method to achieve the desired result that a half dozen other sites had no issue letting me get to without explaining why or waiting in a multi-day queue, so I'll just say, I hope you have a nice day."


Just told you, there's no delete button.


Yeah, but if you don't want to be here, why are you still around? You can't delete your account, but you can stop using the site.


I answered that in my original post: "I understand that there are other options (reset password to random gibberish, run a script to delete my comments[, or, third option I'm inserting now, which seemed obvious to the point of not bothering to state it, just stop using the site]) and none of that would provide the catharsis I aimed for so I'm still here, for now, I guess."


Oh, you just want to complain.


I don't think it's unreasonable to complain about HN not having the same functionality that every other social media site has.



There's nothing the GDPR that says deletion must be self serve.


They absolutely do allow that, they just ask that you send them a request which they regularly respond to. That doesn't violate GDPR or CA's law, and why should it?

One of the major elements of this site is that it's a building knowledge-base, at least in theory, and people randomly gouging parts of it out on a whim is unhelpful. By adding a (legally acceptable) step in between the urge to delete and the action, they toe the line while discouraging tantrums.


Reddit's response of: "Your comments and posts must be deleted separately from an account deletion." is illegal in California, and in the European Union.

This is a direct violation of California and European Privacy Laws and I sincerely hope attorneys file class action suits against Conde Nast (reddit's parent company-) immediately.

If Conde Nast starts bearing the financial strain of these piss-poor decisions Reddit's leadership is making, then things will change.


Not only that, but they are (apparently) holding the account hostage in saying that it must be done before they will delete his account, which doesn't even make sense.

You can't see the posts you made within the subreddits that went private. (I haven't checked visibility via the API, though.)


Ok, I did not thoroughly read and raised my pitchfork as soon as I reached the period mark. It is as the grandparent described. (Past the edit window.)


Condé Nast hasn't owned Reddit in over a decade.




Consider applying for YC's W25 batch! Applications are open till Nov 12.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: