TL;DR: I got a response from Reddit that basically says they’re not violating anything.
There was a post here 3 weeks ago that talked about the GDPR violations Reddit is committing.
reddit is telling it's future investors with recent news and more info on their IPO, that they're currently selling and looking to sell their user's data to companies wanting to train their LLMs, including Google.
I’m not sure of anyone else has gotten a response from them yet so I thought I’d share the email.
The Email:
Hello,
Thank you for contacting Reddit.
As stated in Reddit's Privacy policy much of the information on the Services is public and accessible to everyone, even without an account. By using the Services, you are directing us to share this information publicly and freely.
Reddit prohibits use of its service to infringe people’s intellectual property rights or any other proprietary rights, and prohibits unauthorized scraping of Reddit content. Please note, however, that when you submit content (including a post, comment, or chat message) to a public part of the Services, any visitors to and users of our Services will be able to see that content, the username associated with the content, and the date and time you originally submitted the content.
Reddit allows moderators to access Reddit content using moderator bots and tools. Reddit also allows other third parties to access public Reddit content using Reddit's developer services, including Reddit Embeds, our APIs, Developer Platform, and similar technologies. We limit third-party access to this content. Reddit's Developer Terms are our standard terms governing how these services are used by third parties.
Please note that you can use the Services without choosing to share information publicly and freely on them, and you can also remove your content from Reddit at your discretion. For more information, please check out our help center articles for more information here
1 Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her,
[...]
3 Silence, pre-ticked boxes or inactivity should not therefore constitute consent.
4 Consent should cover all processing activities carried out for the same purpose or purposes.
5 When the processing has multiple purposes, consent should be given for all of them.
6 If the data subject’s consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.
Long tale short, it depends, but likely yes unless reddit stops what it is doing.
Almost every post will contain experiences that could identify someone, so the wisest move would be to assume yes, or naively try to classify each post as 'bread-crumb' or 'not bread-crumb' for their specific processing then store and sell each separately. Non exhaustive list of personal data criteria:
If the comments are tied to, or not stored separately from, your identifiers, (email, IP, handle, site ID, location, etc,) then yes
If your comments are not anonymous or include details about you, then yes.
If the data will be processed to identify you, then yes.
If the data will be used to profile you, then yes.
Unique information about you, such as your subscribed sub-reddits, your browsing habits, the time spent on each link, your writing style, etc may also count as personal data if used to identify or target you.
(1) ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
[...]
(4) ‘profiling’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;
(5) ‘pseudonymisation’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;
[...]
(15) ‘data concerning health’ means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status;--