The GDPR requires that a company implement the right to erasure on request, not that it have a button labeled "Delete My Account." Have you contacted support?
Exactly this. Just contact them and they will remove your account. I've done it with multiple other services and they complied without problems through customer support.
You can request access to your personal information, or correct or update out-of-date or inaccurate personal information we hold about you.
You can most easily do this by visiting the "Account" portion of our website, [...] You may also request that we delete personal information that we hold about you.
To make requests, or if you have any other question regarding our privacy practices, please contact our Data Protection Officer/Privacy Office at privacy@netflix.com. We respond to all requests we receive from individuals wishing to exercise their data protection rights in accordance with applicable data protection laws. Please also see the "Your Choices" section of this Privacy Statement for additional choices regarding your information.
Correct me if I'm wrong, but I don't think that's relevant: if you open your service to EU users you have to comply to GDPR as far as their data is concerned. Am I missing something here?
That Netflix has offices in the EU[1] where GDPR can easily be enforced, while YC does not. Supposedly, the EU will try to enforce its own law on all the nations of the world, but I've yet to hear of a case where it does enforce GDPR outside of the EU.
EDIT: I remember there's also had the "requirement" for worldwide businesses to setup physical offices in the EU before accepting EU citizens as clients. I put "requirement" in scare-quotes, because I find that equally difficult for the EU to enforce throughout the world. Maybe, the GDPR will either apply only to those companies that have set-up physical offices in the EU and not the ones that haven't, or cause the creation of The Great Firewall of Europe to block out businesses that haven't set-up physical offices. I do wonder if some nations will allow this enforcement of foreign law by treaty.
EDIT 2: s/Realistically speaking/Maybe/. Realistically speaking, I have no clue how GDPR enforcement will play out.
Imho: GDPR allows keeping if required by law. E.g. for long term archival of accounting information for tax reasons. That information, in some systems, might be the same as the user account itself and therefore might be totally acceptable. However, in that sample there is no reason to keep your password and your preferences or non-anonymzed stats.
The process of deleting your account isn't something that has to be you can do yourself using a "delete my account" button with half a dozen confirmation boxes.
They can process it themselves by sending a request and still be GDPR compliant.
I haven't renewed my subscription some months ago. I had a message mentioning that my playlists would be kept during one year and would be deleted after this period. Don't know if it applies to user information.
I hate rules like that. I mean, I love them, but we can't verify anything. Not sure how to solve that, either. Only thing that comes to mind is constant audit but that seems insanely unreasonable.