Any pointers on how to report them?

As requested, I’m posting the full text of the email into this post body. I hope it’s screen reader friendly:

u/USERNAME,

tl;dr – you’re invited to a special program that lets redditors purchase stock at the same price as institutional investors when we IPO. Details about eligibility and next steps follow. This (long, dense) email has all the info we can provide due to legal restrictions.

As you may have heard, Reddit has taken steps toward becoming a publicly traded company with the initial public filing of our registration statement with the U.S. Securities and Exchange Commission on February 22, 2024. Yes, it’s happening.

And because you have helped make Reddit what it is today, you now have the opportunity to become Reddit owners at the same price as institutional investors.

We’re offering a Directed Share Program (“DSP”) that invites eligible users and moderators who have contributed to Reddit to participate in our initial public offering (“IPO”). (Including you!) Program Requirements While being selected to pre-register is the first step, there are certain legal and regulatory requirements to participate in the DSP that are outside of Reddit’s control. Bear with us here…

To be eligible for the DSP, you must: • Be a current U.S. resident; o You will be asked to provide the DSP Administrator a valid social security or permanent resident number, along with other personal information. Reddit will not have access to this data. o Please note that U.S. residents using a VPN may face application limitations if the VPN locates them in certain non-U.S. jurisdictions. • Be at least 18 years old; • Provide your full legal name and an email address; • Not be a current or former Reddit employee (FTE). When the DSP launches (a few weeks after pre-registration ends), individuals who have been confirmed for the program will be contacted by our external DSP Administrator. You will then be asked to provide additional information securely to the DSP Administrator to confirm your eligibility. How to pre-register The number of people who can participate in the DSP is limited; we will offer this opportunity to as many redditors as we are able to accommodate. If capacity is reached before the deadline, you will be added to the waitlist. Based on demand, we may also limit the number of shares available.

If you are interested in being part of Reddit’s DSP, please go to https://reddit.com/dsp on desktop to complete the pre-registration form. If you are one of the confirmed participants, we will follow up with an email with more details in the coming weeks. You can also refer to the Frequently Asked Questions for more information. Due to regulatory restrictions (yeah… we know…) we are not able to respond to further inquiries or questions.

Pre-registering does not guarantee that you will be invited or able to participate in the DSP; it also does not obligate you to purchase shares.

As with any investment opportunity, you should make an individual decision based on your own personal circumstances and risk tolerance. Therefore, we urge you to review the preliminary prospectus, when available, before deciding whether to invest in Reddit.

The deadline for pre-registering for the DSP is March 5, 2024. If capacity is reached before the deadline, you will be added to the waitlist. What happens next? While there won’t be a confirmation email immediately after you pre-register, everyone who pre-registers will receive an email in the coming weeks from “noreply@redditmail.com”, telling them whether they can proceed with the next steps for the DSP.

This is an automated message (beep, boop, beep) and does not receive replies. Please refer to the FAQ for more information. Per our lawyercats, we are not able to respond to further inquiries or questions. Prospectus and Important Disclosures The offering will be made only by means of a prospectus. When available, a copy of the preliminary prospectus related to the offering may be obtained from: Morgan Stanley & Co. LLC, Prospectus Department, 180 Varick Street, New York, New York 10014, or email: prospectus@morganstanley.com; Goldman Sachs & Co. LLC, Attention: Prospectus Department, 200 West Street, New York, New York 10282, telephone: 1-866-471-2526, facsimile: 212-902-9316, or email: prospectus-ny@ny.email.gs.com; J.P. Morgan Securities LLC, Attention:c/o Broadridge Financial Solutions, 1155 Long Island Avenue, Edgewood, New York 11717, telephone: 1-866-803-9204, or email: prospectus-eq_fi@jpmorgan.com; and BofA Securities, Inc., NC1-022-02-25, 201 North Tryon Street, Charlotte, North Carolina 28255-0001, Attention: Prospectus Department, telephone: 1-800-294-1322, or email: dg.prospectus_requests@bofa.com.

A registration statement relating to these securities has been filed with the U.S. Securities and Exchange Commission but has not yet become effective. These securities may not be sold nor may offers to buy be accepted prior to the time the registration statement becomes effective. This notification shall not constitute an offer to sell or the solicitation of an offer to buy these securities, nor shall there be any sale of these securities in any state or jurisdiction in which such offer, solicitation, or sale would be unlawful prior to registration or qualification under the securities laws of any such state or jurisdiction.

No offer to buy the securities can be accepted and no part of the purchase price can be received until the registration statement has become effective, and any such offer may be withdrawn or revoked, without obligation or commitment of any kind, at any time prior to the notice of its acceptance given after the effective date. An indication of interest in response to this notification will involve no obligation or commitment of any kind.

You are receiving this email because a Reddit account, USERNAME, is registered to this email address. 548 Market St., #16093, San Francisco, CA 94104–5401

  • Gork@lemm.ee
    link
    fedilink
    arrow-up
    117
    ·
    8 months ago

    Does the GDPR have teeth against this kind of violation? Could Reddit be hit hard with violation fees?

    • northendtrooper@lemmy.ca
      link
      fedilink
      arrow-up
      157
      ·
      8 months ago

      If the user resides in Europe then yeah. This means they didn’t follow GDPR and still retain data on user(s).

        • Aceticon@lemmy.world
          link
          fedilink
          arrow-up
          32
          arrow-down
          1
          ·
          edit-2
          8 months ago

          E-mail counts as user identifying (it’s a bit more complicated) information per the GDPR, so clearly they have kept user identifying information so the GDPR applies.

          EDIT: as pointed out by @coffeeClean@infosec.pub and from reading recommendation wp136 provided by him in a different post, the e-mail, unless it contains the full user name is user idenfityable information - because it can be crossed with other data (not necessarilly the IP address) to identify a person - rather than identifying information. Either way, it is considered “personal data” by the GDPR, as said very explicitly in that document which gives e-mail as an example of such. The same applies to IP address (mentioned below).

          Even an IP address is user identifying information per the GDPR, which is why if for example a website wants to be compliant without obtaining explicit user authorization, it needs to do things like not maintain logs with IP addresses for longer than it would be necessary to track down problems with the website or intrusion attempts.

          • coffeeClean@infosec.pub
            link
            fedilink
            arrow-up
            9
            arrow-down
            1
            ·
            edit-2
            8 months ago

            Right, so e-mail address together with IP address would then make the e-mail that of an identifiable user under Art.4(1). So the OP needs to find out if an IP address was logged and retained in connection with the email address.

  • gmtom@lemmy.world
    link
    fedilink
    arrow-up
    92
    arrow-down
    1
    ·
    8 months ago

    They sent one to my deleted account that was literally called GDPR_Violation lol

  • merthyr1831@lemmy.world
    link
    fedilink
    arrow-up
    75
    ·
    8 months ago

    I haven’t used my reddit account the API change, beyond maybe 3 or 4 comments. I got an invite. How the fuck was I one of their top 35k most active users? Seems like their site isnt nearly as active as they’re claiming

    • chiliedogg@lemmy.world
      link
      fedilink
      arrow-up
      39
      arrow-down
      1
      ·
      8 months ago

      It’s based in Karma. Since I had over 200k I was invited in the first group even though I hadn’t logged in since the change.

        • chiliedogg@lemmy.world
          link
          fedilink
          arrow-up
          5
          ·
          8 months ago

          There are a couple other factors. Were you a mod? Did you ever participate in one of reddit’s community programs like the Helper Program or Mod Council?

          The 3 criteria are MVP status, which is based on participation in certain programs, Karma, or Mod Actions.

          • mxcory@lemmy.blahaj.zone
            link
            fedilink
            English
            arrow-up
            3
            ·
            8 months ago

            Just chiming in, 34k karma (only 4 post karma) and haven’t posted for 9 months. Never a mod. I also got the IPO offer. Think I was gifted gold one time.

        • wildebeesties@lemmy.world
          link
          fedilink
          arrow-up
          1
          ·
          8 months ago

          Same. 13 year account with 42,000 karma. Have not been on since the API change. Never a mod, never part of anything special, just a regular user in every way.

      • DragonAce@lemmy.world
        link
        fedilink
        arrow-up
        8
        ·
        edit-2
        8 months ago

        Yeah I just got an invite as well and I haven’t logged in since the protest that brought the first wave of us here. So karma has to be a deciding factor, I had over 100k I think so that would be the only reason I got an invite.

    • fxt_ryknow@lemmy.world
      link
      fedilink
      arrow-up
      7
      ·
      8 months ago

      I got the email, also… And like you, I’ve not used reddit since the api BS. I’ve not logged in, commented or anything since just before sync stopped working.

    • SSTF@lemmy.world
      link
      fedilink
      arrow-up
      4
      ·
      8 months ago

      I too got an email and haven’t posted at all since the API change.

      If I really was in the top 35k before that, then at least I know quitting Reddit made some kind of dent in their content.

    • dejected_warp_core@lemmy.world
      link
      fedilink
      arrow-up
      2
      ·
      8 months ago

      Did you post a lot? Do you have email notifications turned on?

      My old account has… a lot (six digits worth), of comment karma. But I think I posted a grand total of three times in the last ten years or so. I also have notifications turned off. So, no IPO notification for me.

    • Kaity@leminal.space
      link
      fedilink
      English
      arrow-up
      21
      arrow-down
      1
      ·
      8 months ago

      it’s getting more obvious they are going to pull the rug, admittedly I haven’t followed too much on the situation or on reddit at all since I stopped using reddit almost a decade ago. the site really went to shit didn’t it. I just grab my popcorn when new updates pop up these days, all reddit is for me now is an end result from a google search about a problem.

    • Altima NEO@lemmy.zip
      link
      fedilink
      English
      arrow-up
      16
      ·
      8 months ago

      Youre telling me, they sent me TWO invitations for two of my accounts. One of which I retired years ago because the username was kinda insensitive. Its been inactive for years, yet apparently it has enough karma for them to message me about it.

      • Tbird83ii@lemmy.dbzer0.com
        link
        fedilink
        English
        arrow-up
        5
        ·
        8 months ago

        You should be very VERY vocal about how your account, insensitive name, was asked to own part of Reddit and how willing you are to do that, in order to make sure that the world knows that reddit is owned in part by insensitive name…

    • dejected_warp_core@lemmy.world
      link
      fedilink
      arrow-up
      1
      ·
      edit-2
      8 months ago

      I think it’s more than that.

      The price for these shares is probably not cheap for the individual, but won’t raise a ton of money internally in the grand scheme of things. At least, that’s how it works for employee options and phantom stock. The disparity here is due it’s utility as a retention mechanism. The idea is that, if invested, you’re less likely to jump ship until after IPO. With options and phantom stock, they typically have a “vestment period”, so you have to wait before you can get your money back out.

      In this case, Reddit knows it needs its moderators and power users, but can’t afford to employ those people. So we get this weird middle-ground where they entice people to stick around, but they’re still not employees. As a bonus to Reddit Inc., these “investors” will provide ballast for the IPO, because I’m betting this stuff has a vestment period that extends well past the IPO date. Seeing this all on a balance sheet will make other investors feel a lot better about buying or even holding shares when the IPO kicks off.

      What I really don’t like about this is that they mention the “DSP” and define it, but are coy about what the actual investment instrument is. What kind of shares are these? What is the price per share?

  • cosmicrookie@lemmy.world
    link
    fedilink
    arrow-up
    55
    ·
    8 months ago

    They once sent me an email, about their new privacy conditions on my deleted account too. If you live in EU I’d recommend forwarding this message and the confirmation of your account being deletes to your local data authorities. It’s pretty easy to file a compliant

  • ipkpjersi@lemmy.ml
    link
    fedilink
    arrow-up
    56
    arrow-down
    4
    ·
    8 months ago

    I wouldn’t expect companies to hard delete in this day and age. I fully expect that they all soft delete, sadly.

      • Rodeo@lemmy.ca
        link
        fedilink
        arrow-up
        1
        arrow-down
        5
        ·
        8 months ago

        And what jurisdiction does the gdpr have over servers hosted in America?

        We’re all still waiting for the court case that sets this precedent.

        • YoorWeb@lemmy.world
          link
          fedilink
          arrow-up
          12
          ·
          8 months ago

          *According to Article 3(2), a business that targets individuals in the EU for offering goods or services (even if it’s free) or monitoring their behaviour falls under the scope of GDPR. Monitoring activities such as tracking through cookies or other technologies, behavioural advertising, geolocation, market surveys etc performed by a non-EU business can be subject to GDPR. A US business that has no establishment in the EU, but sells goods or services to consumers in the EU, will fall under the scope of GDPR in the US. Note that the law extends to any resident of the EU, irrespective of citizenship. *

          Source: https://www.cookieyes.com/blog/gdpr-in-the-us-a-checklist-for-compliance/

          Many US companies were fined, it doesn’t matter where your servers are, it matters if you target EU customers. In this case, Reddit very clearly targeted EU citizens.

          • Rodeo@lemmy.ca
            link
            fedilink
            arrow-up
            1
            arrow-down
            1
            ·
            8 months ago

            Can you cite a case where an American company with no holdings or dealings in the EU was fined successfully?

            If the company has no infrastructure within the jurisdiction of the gdpr, how can they hope to enforce it?

            • reinei@lemmy.world
              link
              fedilink
              arrow-up
              3
              ·
              8 months ago

              IANAL and this obviously won’t happen (because it’s one of if not the stupidest way to go about it right from the get go) but still:

              They can literally demand any and all European ISPs block all their traffic, they can still raise the fees and if they don’t pay accrue interest/late claims on it. Will this change anything? Not immediately, but the moment that company does anything the courts can reach they are in a whole lot of trouble.


              Anyway besides this are there really companies that are so US centric that a European court can’t (like really absolutely can’t) reach them?

            • Thomrade@lemmy.world
              link
              fedilink
              arrow-up
              3
              ·
              8 months ago

              Reddit has holdings in Dublin, Ireland, where they have a large contingent of employees. thus they are required to adhere to GDPR.

        • scv@discuss.online
          link
          fedilink
          arrow-up
          6
          ·
          8 months ago

          Reddit has employees and servers in Europe, including EU countries. GDPR most definitely applies.

    • PlexSheep@feddit.de
      link
      fedilink
      arrow-up
      139
      ·
      8 months ago

      That’s true, but if OP is European and received this Mail, it is a GDPR violation regardless of if the content is relevant or not. As far as I know, not a lawyer.

        • wreckedcarzz@lemmy.world
          link
          fedilink
          English
          arrow-up
          30
          ·
          8 months ago

          You also had to be over (what appears to be) an overall karma threshold to get the invite. It wasn’t sent to all users (I have a dormant second account that did not receive this notice). I received this message about 2 days ago.

        • jaybone@lemmy.world
          link
          fedilink
          arrow-up
          1
          ·
          8 months ago

          I’m not sure how they pick their IPO scam emails.

          I had a ton of Reddit accounts. Only my oldest one from like 14 years ago got the special email.

      • SchmidtGenetics@lemmy.world
        link
        fedilink
        arrow-up
        6
        arrow-down
        2
        ·
        8 months ago

        Not if they provided incorrect info during signing up. Which is very likely if they received an email only US accounts have been getting.

      • ColeSloth@discuss.tchncs.de
        link
        fedilink
        arrow-up
        2
        arrow-down
        1
        ·
        8 months ago

        But did they have anything or selected listed that they were from Europe, I wonder? Like, I tend to bounce around on my ip address with my vpn.

      • Hotzilla@sopuli.xyz
        link
        fedilink
        arrow-up
        18
        ·
        edit-2
        8 months ago

        On purpose GDPR violation is 4% of global yearly revenue fine for the company, which in reddit’s case would be 32M USD.

        Still I assume OP has not actually done “forget me” request for reddit, just deleted the account. Delete is not same thing, as requesting to destroying all identifiable data of you.

        GDPR doesn’t care were company is located, if you handle European citizens data, you must comply.

        • coffeeClean@infosec.pub
          link
          fedilink
          arrow-up
          1
          ·
          edit-2
          8 months ago

          Delete is not same thing, as requesting to destroying all identifiable data of you.

          This is what I don’t get. How are Reddit accounts not pseudo/anonymous? Back when I had an account (~5+ years ago at latest) they had nothing personally identifiable on me, in which case there are no GDPR rights to speak of. Even if I were to make an Art.17 request and go above and beyond by supplying a copy of my ID card with the request, Reddit would have no way to even verify that my ID is associated to the acct.

          • Hotzilla@sopuli.xyz
            link
            fedilink
            arrow-up
            1
            ·
            8 months ago

            Email and nickname are considered identifiable data by gdpr, but that’s it. If they remove those, it is enough.

    • Z3k3@lemmy.world
      link
      fedilink
      English
      arrow-up
      12
      ·
      8 months ago

      I got this email in the UK guessing they are just Feering it at every account with a verified email against it

      • FuryMaker@lemmy.world
        link
        fedilink
        English
        arrow-up
        7
        arrow-down
        2
        ·
        8 months ago

        Didn’t they make a loss?

        So 4% of negative global revenue is… a profit?

        That mean they get paid?

        • lud@lemm.ee
          link
          fedilink
          arrow-up
          17
          arrow-down
          1
          ·
          edit-2
          8 months ago

          Revenue is all the money they have earned, not the money that they can necessarily use or “withdrawal” and run away with. If you spend 1 million and earn 0,5 million you still have a revenue of 0,5 million (and a loss of 0,5 million)

          So yes they can still get fined (obviously) but it’s extremely unlikely that they will be fined the maximum amount possible. Especially for something small like this. As far as I know the DPAs has never fined anywhere close to 4% of global annual revenue. They are probably saving the higher fines for really serious violations.

          It probably gets way more complicated with tax and all that, but I ain’t no accountant so I dunno.

          Edit: The highest fine ever (since May 2023) is for Meta at 1,3 Billion USD and that’s roughly 1 % of their global annual revenue (116,6 Billion USD) for 2022. That’s half of the maximum fine for a normal violation and one-quarter the maximum fine for a serious violation.

          • Aceticon@lemmy.world
            link
            fedilink
            arrow-up
            3
            ·
            edit-2
            8 months ago

            Yupes, not just Revenue but actually Global Revenue.

            It’s not exactly hard for a large transnational company to create accounting losses or even move revenue around to appear in some other country (usually using elements of intellectual property, such as costs for licensing Trademarks or Copyrighted material, which is why large Tech companies love it), but ultimatelly, money coming in anywhere in the World is money coming in anywhere in the World, and you can’t really avoid declaring it short of outright accounting fraud (something which can result in prison time for the people involved and it’s pretty impossible to hide unless they’re cash or crypto payments).

            As Revenue is pretty straightforwardly “money in” (no taxes, no depreciation, no expenses - such as paying “trademark licensing costs” to a daughter company in a tax haven, which is a way of moving profits around - considered) it’s pretty hard to manipulate and Globally means you can’t avoid it being counted by trickeries such as having a daughter company in a different country be the one that receives payments.

        • triplenadir
          link
          fedilink
          arrow-up
          3
          ·
          8 months ago

          usually “revenue” means “income, before expenses” so if wouldn’t matter if they made a profit (revenue higher than expenses) or a loss (revenue less than expenses)

    • d00ery@lemmy.world
      link
      fedilink
      arrow-up
      80
      ·
      edit-2
      8 months ago

      Upon leaving the EU any laws that were in use were ‘enshrined’ into UK law. In order for the UK to remove EU laws we’d need to actively remove them through an act of parliament. (At least that’s my vague understanding…) https://www.legislation.gov.uk/eu-legislation-and-uk-law

      I’m happy to keep the EU laws, it’ll save time when we rejoin.🇪🇺🇬🇧

      • Evil_Shrubbery@lemm.ee
        link
        fedilink
        arrow-up
        17
        ·
        edit-2
        8 months ago

        Yeah, EU directives need to be adopted into local country legislature (with some deadlines), whereas EU delegated acts (usually hierarchically under a directive) automatically apply to all EU members. Hehe, members.

        • coffeeClean@infosec.pub
          link
          fedilink
          arrow-up
          5
          ·
          edit-2
          8 months ago

          The GDPR is a not a directive. It’s a regulation. Nontheless, I read that the GDPR was specifically mirrored into UK law with a couple minor modifications.

          But to answer @automaton@lemmy.world, AFAIK the #GDPR does not apply in this situation anyway because Reddit accounts are “anonymous”. The GDPR only protects identified people.

          /cc @d00ery@lemmy.world

          • Aceticon@lemmy.world
            link
            fedilink
            arrow-up
            2
            ·
            edit-2
            8 months ago

            An e-mail address is “user identifying information” per GDPR, so if the UK version does not differ from the EU version on this (and it would be pretty weird if it did), it applies.

          • Evil_Shrubbery@lemm.ee
            link
            fedilink
            arrow-up
            1
            ·
            8 months ago

            That’s how I understand the UK situation too, however what is anonymous is left much for debate & sometimes local best-practices. Like, a user can be identifiable by their posts, or even full name.

            • coffeeClean@infosec.pub
              link
              fedilink
              arrow-up
              2
              ·
              edit-2
              8 months ago

              If I create an anonymous account but put what looks like a real name in the username field, and sign all posts with that real-looking name, who’s to say it’s really my name? Then suppose I lose my internet connection but want to exercise my right to be forgotten. The GDPR enables people to make an Art.17 request in writing but the GDPR also mandates that data controllers identify who the request comes from (so Mallory does not request deletion of Alice’s records). If a user ad hoc puts their name on everything then mails a request with a copy of their ID card which matches the name they put on everything, it’s a bit off because a company who does not ID users would not normally have the infrastructure in place to support GDPR requests. (and that’s a good thing… it’s good that there’s incentive to support the practice of offering anonymous accounts) But here’s the other problem: the ID mechanism itself must be minimal. A data controller cannot demand a full copy of your ID card if they can verify using something less intrusive like date of birth to verify you. Perhaps in this case a copy of the ID card would be necessary. OTOH, names are not generally unique, which would mean I could use my ID card to request deletion of all records of other people who have the same name.

              As a practical matter, we also have to figure that DPAs are extremely lazy. I’ve filed many Art.77 reports with strong irrefutable evidence and the cases just sit for years. I cannot see a DPA being motivated to work on a case that Reddit can easily defend. OP’s best move is to look at local anti-spam laws (I’m guessing it’s spam… I do not have access to the Cloudflared image the OP posted).

              (edit) more clarity here, hopefully → https://infosec.pub/comment/6975469

        • VaultBoyNewVegas@lemmy.world
          link
          fedilink
          arrow-up
          21
          ·
          8 months ago

          It would take years for the UK to rejoin. First there’d have to be public polling, referendum and a desire by the sitting government to start the process then it’ll be however long it takes for the EU to debate the application and then the UK needs all members to accept the application. Currently neither the two largest UK parties want to even re-open the brexit debates. So basically it’d be at least over a decade.

          • Nollij@sopuli.xyz
            link
            fedilink
            English
            arrow-up
            16
            ·
            8 months ago

            Plus, it’s unlikely that the UK will get the same terms they had when they left. That will have to be negotiated as well.

        • Ben Hur Horse Race@lemm.ee
          link
          fedilink
          arrow-up
          4
          ·
          8 months ago

          would we really though? think about them driving around in their austin powers union jack painted minis, just whipping around random roundabouts saying “I say” and “buh herr hear haar”

      • Astongt615@lemmy.one
        link
        fedilink
        arrow-up
        8
        ·
        8 months ago

        They gave you a do-over. Things could change in the term, but my expectations are low. See: the US

    • sunbeam60@lemmy.one
      link
      fedilink
      arrow-up
      28
      arrow-down
      3
      ·
      8 months ago

      Ding ding ding we have a winner. Unless you’ve done an official “right of erasure” request they’re perfectly entitled to keep your data, account deletion and all.

      • INHALE_VEGETABLES@aussie.zone
        link
        fedilink
        arrow-up
        1
        ·
        8 months ago

        Is a right of erasure possible at this stage?

        I assume they still store the context of a deleted post somewhere and that the AI would still access it.

        • FuryMaker@lemmy.world
          link
          fedilink
          English
          arrow-up
          1
          ·
          8 months ago

          With cloud or tape backups, it’s nearly impossible to fully delete all data.

          By design, you would want to protect it from accidental or intentional deletion.

          I don’t know how any company can fully comply with GDPR to be honest.

      • coffeeClean@infosec.pub
        link
        fedilink
        arrow-up
        1
        arrow-down
        1
        ·
        8 months ago

        I think the whole discussion is moot when the data is “anonymous”.

        But suppose they had the OP’s name on file linked to the acct thus making the GDPR applicatable. There would still be a violation under GDPR Art.5 (minimization) and Art.25 (protection by design). But it is probably quite difficult to make a minimization case; lawyers have to work hard. Much stronger and effective to make an Art.17 claim, which indeed requires making the request.

        • Aceticon@lemmy.world
          link
          fedilink
          arrow-up
          3
          ·
          8 months ago

          An e-mail is “user identifying information” per GDPR.

          So it’s not considered anonymous.

          • coffeeClean@infosec.pub
            link
            fedilink
            arrow-up
            2
            ·
            edit-2
            8 months ago

            That phrase (“user identifying information”) does not appear in the GDPR text that I have. Do you have a page or section reference?

            According to the Commission, “an email address such as name.surname@company.com;” is an example of “personal data” [presumably from Art.4(1)]. But it’s interesting to note that that example obviously ties the address to an identifiable person. Is that the OP’s case? (I can’t see their Cloudflare-jailed screen shot)

            The EC also says “an email address such as info@company.com” is not an example of personal data.

            This should really be covered by an EDPB Guideline, but I’m not finding one.

            • Aceticon@lemmy.world
              link
              fedilink
              arrow-up
              1
              ·
              8 months ago

              Yeah, you are correct and the wording is inded “personal data”.

              I vaguelly remember it was treated the same as a phone number.

              It’s been years since I had to look into the GDPR.

              • coffeeClean@infosec.pub
                link
                fedilink
                arrow-up
                1
                ·
                edit-2
                8 months ago

                I’m trying to get to the bottom of this because a chunk of my data & activity is tied to nothing but my email address which always deliberately excludes personal identifiers and I do everything over Tor.

                GDPR recital 26 seems the most relevant. It’s complicated but note that the GDPR clearly does not apply to legal persons (aka moral persons aka companies). So a data controller must at a minimum have a way of knowing the account belongs to a natural person. Which IMO requires being linked to other data like IP address. Though even that is a fuzzy because IP databases on whether an IP address is residential boils down to guesswork.

                Tempting to read wp136 which predates the GDPR but seems quite relevant. It’s possibly the most exact answer unless there is a closely related CJEU ruling.

                • Aceticon@lemmy.world
                  link
                  fedilink
                  arrow-up
                  1
                  ·
                  edit-2
                  8 months ago

                  Well, from your second source an e-mail is personal data (as explicitly said so in that document), related by “content” and in this specific case if Reddit is indeed sending IPO e-mails to some rather than others depending on Karma also by “result” (though it would be the combination of e-mail and Karma that is the related by “result” part as it’s not the e-mail itself that causes the differentiated treatment between individuals) to an “identifiable” individual (possibly also “identified” depending if the e-mail address contains the person’s full name) (the example in that document for dynamic IP addresses seems the one relevant for e-mails).

                  As for the 4th condition, that of being a natural person, as long as the OP received the e-mail on a personal address rather than a company address, that’s pretty obviously fullfilled.

                  As per that document, if the piece of data they hold fullfills all 4 conditions, it’s covered by the GDPR.

    • ChrislyBear@lemmy.worldOP
      link
      fedilink
      arrow-up
      2
      ·
      8 months ago

      I did the whole “GDPR, delete my stuff dance”. They replied with “you have to delete your posts yourself”. I didn’t budge, gave them the required 30 day ultimatum, but they gave zero fucks.

      • Contend6248@feddit.de
        link
        fedilink
        arrow-up
        2
        ·
        edit-2
        8 months ago

        I did the same, but i deleted my comments and posts, they brought all back, i guess they fuck around.

  • planish@sh.itjust.works
    link
    fedilink
    arrow-up
    28
    arrow-down
    1
    ·
    8 months ago

    It cheeses my beans so goram much that they took a perfectly good web site and made it terrible so they could sell it to “the public”, notionally the same people who were using the site!!!

    I can only conclude that this is some kind of scam and actually most of the thing is going to end up owned by deliberately nebulous “institutional investors” and not the community members who constitute and deserve ownership of the community. Or even the people at Reddit Inc. who did the work of making the thing.

    DAE socialism?

    • dejected_warp_core@lemmy.world
      link
      fedilink
      arrow-up
      2
      ·
      edit-2
      8 months ago

      I can only conclude that this is some kind of scam

      That depends on your framing.

      Is it a legitimate attempt to sell shares? Absolutely. Completely legal, disregarding OP’s claim of a GDPR violation. There might be wiggle-room to suggest this is some flavor of price manipulation, but I’m not a lawyer or SEC investigator. In order to IPO, there’s a compliance framework that makes this functionally identical to any other IPO on the market.

      Are some people who buy this IPO going to be left holding the bag? In a round-about “we’re all playing the same game, but also not” way, yes. For an instant, people will be holding shares in Reddit at the IPO price, and speculation on value will drive that up on the back of the IPO itself. It might plummet later the same day, it may not. But what is going to really burn people is when the primary shareholders “cash out” and sell a huge chunk of that stock. That usually has the effect of signaling that the company isn’t worth what it was anymore. It’s a gamble where the house can destroy your bid before you can manage to pawn your chips off onto the next guy.

      From a spectator standpoint, where this may get interesting is where Reddit IPO intersects with r/wallstreetbets.

      Edit: dividends are also a thing, but I never hear about that outside of what mutual funds and 401ks are up to. As someone who has no idea how Reddit does or can actually make money, I’m going to guess that’s not going to be a benefit of being a long-term shareholder.