Any pointers on how to report them?
As requested, I’m posting the full text of the email into this post body. I hope it’s screen reader friendly:
u/USERNAME,
tl;dr – you’re invited to a special program that lets redditors purchase stock at the same price as institutional investors when we IPO. Details about eligibility and next steps follow. This (long, dense) email has all the info we can provide due to legal restrictions.
As you may have heard, Reddit has taken steps toward becoming a publicly traded company with the initial public filing of our registration statement with the U.S. Securities and Exchange Commission on February 22, 2024. Yes, it’s happening.
And because you have helped make Reddit what it is today, you now have the opportunity to become Reddit owners at the same price as institutional investors.
We’re offering a Directed Share Program (“DSP”) that invites eligible users and moderators who have contributed to Reddit to participate in our initial public offering (“IPO”). (Including you!)
Program Requirements
While being selected to pre-register is the first step, there are certain legal and regulatory requirements to participate in the DSP that are outside of Reddit’s control. Bear with us here…
To be eligible for the DSP, you must:
• Be a current U.S. resident;
  o You will be asked to provide the DSP Administrator a valid social security or permanent resident number, along with other personal information. Reddit will not have access to this data.
  o Please note that U.S. residents using a VPN may face application limitations if the VPN locates them in certain non-U.S. jurisdictions.
• Be at least 18 years old;
• Provide your full legal name and an email address;
• Not be a current or former Reddit employee (FTE).
When the DSP launches (a few weeks after pre-registration ends), individuals who have been confirmed for the program will be contacted by our external DSP Administrator. You will then be asked to provide additional information securely to the DSP Administrator to confirm your eligibility.
How to pre-register
The number of people who can participate in the DSP is limited; we will offer this opportunity to as many redditors as we are able to accommodate. If capacity is reached before the deadline, you will be added to the waitlist. Based on demand, we may also limit the number of shares available.
If you are interested in being part of Reddit’s DSP, please go to https://reddit.com/dsp on desktop to complete the pre-registration form. If you are one of the confirmed participants, we will follow up with an email with more details in the coming weeks. You can also refer to the Frequently Asked Questions for more information. Due to regulatory restrictions (yeah… we know…) we are not able to respond to further inquiries or questions.
Pre-registering does not guarantee that you will be invited or able to participate in the DSP; it also does not obligate you to purchase shares.
As with any investment opportunity, you should make an individual decision based on your own personal circumstances and risk tolerance. Therefore, we urge you to review the preliminary prospectus, when available, before deciding whether to invest in Reddit.
The deadline for pre-registering for the DSP is March 5, 2024. If capacity is reached before the deadline, you will be added to the waitlist.
What happens next?
While there won’t be a confirmation email immediately after you pre-register, everyone who pre-registers will receive an email in the coming weeks from “noreply@redditmail.com”, telling them whether they can proceed with the next steps for the DSP.
This is an automated message (beep, boop, beep) and does not receive replies. Please refer to the FAQ for more information. Per our lawyercats, we are not able to respond to further inquiries or questions.
Prospectus and Important Disclosures
The offering will be made only by means of a prospectus. When available, a copy of the preliminary prospectus related to the offering may be obtained from: Morgan Stanley & Co. LLC, Prospectus Department, 180 Varick Street, New York, New York 10014, or email: prospectus@morganstanley.com; Goldman Sachs & Co. LLC, Attention: Prospectus Department, 200 West Street, New York, New York 10282, telephone: 1-866-471-2526, facsimile: 212-902-9316, or email: prospectus-ny@ny.email.gs.com; J.P. Morgan Securities LLC, Attention: c/o Broadridge Financial Solutions, 1155 Long Island Avenue, Edgewood, New York 11717, telephone: 1-866-803-9204, or email: prospectus-eq_fi@jpmorgan.com; and BofA Securities, Inc., NC1-022-02-25, 201 North Tryon Street, Charlotte, North Carolina 28255-0001, Attention: Prospectus Department, telephone: 1-800-294-1322, or email: dg.prospectus_requests@bofa.com.
A registration statement relating to these securities has been filed with the U.S. Securities and Exchange Commission but has not yet become effective. These securities may not be sold nor may offers to buy be accepted prior to the time the registration statement becomes effective. This notification shall not constitute an offer to sell or the solicitation of an offer to buy these securities, nor shall there be any sale of these securities in any state or jurisdiction in which such offer, solicitation, or sale would be unlawful prior to registration or qualification under the securities laws of any such state or jurisdiction.
No offer to buy the securities can be accepted and no part of the purchase price can be received until the registration statement has become effective, and any such offer may be withdrawn or revoked, without obligation or commitment of any kind, at any time prior to the notice of its acceptance given after the effective date. An indication of interest in response to this notification will involve no obligation or commitment of any kind.
You are receiving this email because a Reddit account, USERNAME, is registered to this email address. 548 Market St., #16093, San Francisco, CA 94104–5401
You are on a privacy-offending Cloudflare site (#LemmyWorld), so Tor users are blocked from seeing your Cloudflare-jailed image. If you care about privacy you will bounce from that instance.
Without seeing the image, I have to ask how an anonymous user gets #GDPR rights. Or has #Reddit started supporting an identification mechanism of some kind? When I start the reg process, it asks for an email address, username, and pw, not a first + lastname (but my test stopped when a Google reCAPTCHA push was attempted). I have zero sympathy for Reddit – they are rotten to the core scumbags, but I do not see how the GDPR can be applied to anonymous accounts.
(edit) I gather from other comments you must have posted an email. Would be great if you could copy the text of the email into the body of your post so everyone can see it and so people using screen readers can hear it. Thanks!
Thanks!
The To: address in the header would be interesting. Of course, you wouldn’t want to disclose it verbatim here but it might be useful to have a rough idea. Was it Firstname.Lastname@yadayada.com or some variation of that, or was it more like commonNickname@yadayada.com? Some people here think it doesn’t matter, that it’s inherently personal info, but the European Commission says it matters. It’s not hard and fast; there are varying shades of gray here. Maybe they kept logs of your IP address and maybe that makes a difference. You might want to read WP136 (I have yet to read that).
I would love to see action taken against Reddit, if anything just to burden their lawyers and create some costs for them. But I doubt it will go anywhere. GDPR enforcement is such a shit-show in Europe. Even dealing with clearly blatant violations that are wholly internal to Europe which should irrefutably incur penalties, simple obvious cases are being ignored by DPAs. So I have little confidence that this cross-border case against a non-EU data controller would actually get results when the law is not really concrete. The one factor in your favor is that Reddit is somewhat high-profile which might take a DPA’s interest.
I don’t think a “delete my account” button constitutes an Article 17 request. It removes the purpose of processing to some extent, which then relies on the data minimization principle (Art.5). Reddit can do a bit of hand-waving to make excuses like needing to retain your email address in case one of your posts sparks a legal inquiry. Your case would be stronger if you had submitted an explicit Art.17 request to Reddit.
From the email:
Per our lawyercats, we are not able to respond to further inquiries or questions.
I wonder if that statement might be actionable. Art.12 and 13 require Reddit to identify a data controller with a point of contact and to tell you your GDPR rights (IIUC). And here they are outright stating in effect “we don’t want to hear from you”. I would stress that in your GDPR complaint, not just the misuse of your email which you expected to be deleted. But note they do provide an address at the bottom of that msg. Although that angle of attack might require Reddit having a way to know you have ties to a GDPR region after they supposedly “deleted” your acct.
Also, I would look into any anti-spam laws your country has. There may be a higher degree of legal actionability there.
I wouldn’t expect companies to hard delete in this day and age. I fully expect that they all soft delete, sadly.
Which is a GDPR violation and should be treated as such when they get caught
And what jurisdiction does the gdpr have over servers hosted in America?
We’re all still waiting for the court case that sets this precedent.
*According to Article 3(2), a business that targets individuals in the EU for offering goods or services (even if it’s free) or monitoring their behaviour falls under the scope of GDPR. Monitoring activities such as tracking through cookies or other technologies, behavioural advertising, geolocation, market surveys etc performed by a non-EU business can be subject to GDPR. A US business that has no establishment in the EU, but sells goods or services to consumers in the EU, will fall under the scope of GDPR in the US. Note that the law extends to any resident of the EU, irrespective of citizenship.*
Source: https://www.cookieyes.com/blog/gdpr-in-the-us-a-checklist-for-compliance/
Many US companies were fined, it doesn’t matter where your servers are, it matters if you target EU customers. In this case, Reddit very clearly targeted EU citizens.
It says “be US resident”. Why do they believe you’re a US resident? Maybe using VPN when signing up, huh.
If only they on reddit were so smart to check such stuff before sending the email. I also got the email here in EU and I never used VPN in my life.
Wasn’t it only for US residents? GDPR is European.
Reddit may not track that, which isn’t a defense against GDPR violations.
On purpose GDPR violation is 4% of global yearly revenue fine for the company, which in reddit’s case would be 32M USD.
Still, I assume OP has not actually done a “forget me” request for Reddit, just deleted the account. Delete is not the same thing as requesting to destroy all identifiable data of you.
GDPR doesn’t care where the company is located; if you handle European citizens’ data, you must comply.
Delete is not the same thing as requesting to destroy all identifiable data of you.
This is what I don’t get. How are Reddit accounts not pseudo/anonymous? Back when I had an account (~5+ years ago at latest) they had nothing personally identifiable on me, in which case there are no GDPR rights to speak of. Even if I were to make an Art.17 request and go above and beyond by supplying a copy of my ID card with the request, Reddit would have no way to even verify that my ID is associated to the acct.
That’s true, but if OP is European and received this Mail, it is a GDPR violation regardless of if the content is relevant or not. As far as I know, not a lawyer.
Not if they provided incorrect info during signing up. Which is very likely if they received an email only US accounts have been getting.
Just checked my old empty (now) account. I didn’t get such an email and I’m European. Maybe they do a send-all in steps or something and see who bites. Anyway, if people want to file a complaint, here is a link with countries and departments to file a GDPR complaint:
You also had to be over (what appears to be) an overall karma threshold to get the invite. It wasn’t sent to all users (I have a dormant second account that did not receive this notice). I received this message about 2 days ago.
They’ll communicate through “noreply@reddit.com”. The mark of professionals…