Any pointers on how to report them?
As requested, I’m posting the full text of the email into this post body. I hope it’s screen reader friendly:
u/USERNAME,
tl;dr – you’re invited to a special program that lets redditors purchase stock at the same price as institutional investors when we IPO. Details about eligibility and next steps follow. This (long, dense) email has all the info we can provide due to legal restrictions.
As you may have heard, Reddit has taken steps toward becoming a publicly traded company with the initial public filing of our registration statement with the U.S. Securities and Exchange Commission on February 22, 2024. Yes, it’s happening.
And because you have helped make Reddit what it is today, you now have the opportunity to become Reddit owners at the same price as institutional investors.
We’re offering a Directed Share Program (“DSP”) that invites eligible users and moderators who have contributed to Reddit to participate in our initial public offering (“IPO”). (Including you!)
Program Requirements
While being selected to pre-register is the first step, there are certain legal and regulatory requirements to participate in the DSP that are outside of Reddit’s control. Bear with us here…
To be eligible for the DSP, you must:
• Be a current U.S. resident;
  o You will be asked to provide the DSP Administrator a valid social security or permanent resident number, along with other personal information. Reddit will not have access to this data.
  o Please note that U.S. residents using a VPN may face application limitations if the VPN locates them in certain non-U.S. jurisdictions.
• Be at least 18 years old;
• Provide your full legal name and an email address;
• Not be a current or former Reddit employee (FTE).
When the DSP launches (a few weeks after pre-registration ends), individuals who have been confirmed for the program will be contacted by our external DSP Administrator. You will then be asked to provide additional information securely to the DSP Administrator to confirm your eligibility.
How to pre-register
The number of people who can participate in the DSP is limited; we will offer this opportunity to as many redditors as we are able to accommodate. If capacity is reached before the deadline, you will be added to the waitlist. Based on demand, we may also limit the number of shares available.
If you are interested in being part of Reddit’s DSP, please go to https://reddit.com/dsp on desktop to complete the pre-registration form. If you are one of the confirmed participants, we will follow up with an email with more details in the coming weeks. You can also refer to the Frequently Asked Questions for more information. Due to regulatory restrictions (yeah… we know…) we are not able to respond to further inquiries or questions.
Pre-registering does not guarantee that you will be invited or able to participate in the DSP; it also does not obligate you to purchase shares.
As with any investment opportunity, you should make an individual decision based on your own personal circumstances and risk tolerance. Therefore, we urge you to review the preliminary prospectus, when available, before deciding whether to invest in Reddit.
The deadline for pre-registering for the DSP is March 5, 2024. If capacity is reached before the deadline, you will be added to the waitlist.
What happens next?
While there won’t be a confirmation email immediately after you pre-register, everyone who pre-registers will receive an email in the coming weeks from “[email protected]”, telling them whether they can proceed with the next steps for the DSP.
This is an automated message (beep, boop, beep) and does not receive replies. Please refer to the FAQ for more information. Per our lawyercats, we are not able to respond to further inquiries or questions.
Prospectus and Important Disclosures
The offering will be made only by means of a prospectus. When available, a copy of the preliminary prospectus related to the offering may be obtained from: Morgan Stanley & Co. LLC, Prospectus Department, 180 Varick Street, New York, New York 10014, or email: [email protected]; Goldman Sachs & Co. LLC, Attention: Prospectus Department, 200 West Street, New York, New York 10282, telephone: 1-866-471-2526, facsimile: 212-902-9316, or email: [email protected]; J.P. Morgan Securities LLC, Attention: c/o Broadridge Financial Solutions, 1155 Long Island Avenue, Edgewood, New York 11717, telephone: 1-866-803-9204, or email: [email protected]; and BofA Securities, Inc., NC1-022-02-25, 201 North Tryon Street, Charlotte, North Carolina 28255-0001, Attention: Prospectus Department, telephone: 1-800-294-1322, or email: [email protected].
A registration statement relating to these securities has been filed with the U.S. Securities and Exchange Commission but has not yet become effective. These securities may not be sold nor may offers to buy be accepted prior to the time the registration statement becomes effective. This notification shall not constitute an offer to sell or the solicitation of an offer to buy these securities, nor shall there be any sale of these securities in any state or jurisdiction in which such offer, solicitation, or sale would be unlawful prior to registration or qualification under the securities laws of any such state or jurisdiction.
No offer to buy the securities can be accepted and no part of the purchase price can be received until the registration statement has become effective, and any such offer may be withdrawn or revoked, without obligation or commitment of any kind, at any time prior to the notice of its acceptance given after the effective date. An indication of interest in response to this notification will involve no obligation or commitment of any kind.
You are receiving this email because a Reddit account, USERNAME, is registered to this email address.
548 Market St., #16093, San Francisco, CA 94104–5401
I got a message in my email that’s linked to a banned account…
Excuse my ignorance but how is this a violation?
GDPR requires deleting data if you ask them to delete data. How did they get your email address if they supposedly deleted your information?
Is deleting an account the same as asking them to delete it though?
GDPR also requires data only to be kept no longer than is necessary for the purpose for which it was collected. Deleting your account, even if it isn’t a request to delete your data, removes any purpose for keeping it.
That’s more for people booking flights and what not. With an account, they need a way to contact you if you’ve done something illegal, among a host of other things. It’s not the same scenario.
Until you specifically request it, it’s not gonna happen, and even then, they still need something to keep to trace back to you for legal reasons.
GDPR also requires that you use the data for the appropriate cause that the user opted in to. So if they have the data for legal stuff this would still be a violation.
How so? The person never requested it to be deleted for that, you consented to all of this when you made your account and linked it to an email.
Article 6 states that there are only 6 reasons why you can process data; the one applying here is a:
If the data subject has given consent to the processing of his or her personal data;
Informed consent has to be given freely and for each purpose individually; each consent option one has to consent to has to be opt-in and has to be singular, not bundled. Reddit doesn’t do that, therefore their only right is to use the mail as part of the service. With the deletion of this account they are not further allowed to use this mail for anything else except legal.
That’s wrong
Do they even have a presence in Europe?
Let’s assume that the dude requested for a deletion of his account (specifically - not all his data) of the basis of gdpr and the execution of his data subject rights; that doesn’t exclude the possibility for reddit to keep his contact details for specific purposes based on the legitimate interest of reddit. Or at least they could play with the argument.
They can keep it but they are not allowed to use it as of article 5&6.
You might want to crosspost your story to [email protected]. But if you do that be clever with your phrasing so as to not seem to be asking for advice, but rather for information. E.g. is there any case law for this situation…
(I’m assuming you’re in the UK because other commenters focused on UK law)
It cheeses my beans so goram much that they took a perfectly good web site and made it terrible so they could sell it to “the public”, notionally the same people who were using the site!!!
I can only conclude that this is some kind of scam and actually most of the thing is going to end up owned by deliberately nebulous “institutional investors” and not the community members who constitute and deserve ownership of the community. Or even the people at Reddit Inc. who did the work of making the thing.
DAE socialism?
I can only conclude that this is some kind of scam
That depends on your framing.
Is it a legitimate attempt to sell shares? Absolutely. Completely legal, disregarding OP’s claim of a GDPR violation. There might be wiggle-room to suggest this is some flavor of price manipulation, but I’m not a lawyer or SEC investigator. In order to IPO, there’s a compliance framework that makes this functionally identical to any other IPO on the market.
Are some people who buy this IPO going to be left holding the bag? In a round-about “we’re all playing the same game, but also not” way, yes. For an instant, people will be holding shares in Reddit at the IPO price, and speculation on value will drive that up on the back of the IPO itself. It might plummet later the same day, it may not. But what is going to really burn people is when the primary shareholders “cash out” and sell a huge chunk of that stock. That usually has the effect of signaling that the company isn’t worth what it was anymore. It’s a gamble where the house can destroy your bid before you can manage to pawn your chips off onto the next guy.
From a spectator standpoint, where this may get interesting is where Reddit IPO intersects with r/wallstreetbets.
Edit: dividends are also a thing, but I never hear about that outside of what mutual funds and 401ks are up to. As someone who has no idea how Reddit does or can actually make money, I’m going to guess that’s not going to be a benefit of being a long-term shareholder.
They sent one to my deleted account that was literally called GDPR_Violation lol
lmfao
There really needs to be a resource where data subjects can pool their evidence and collaborate on GDPR actions against common data controllers.
0 fucks given
Well… now I’m glad I didn’t bother trying to scrub my data off the site ;-)
Never really bought the notion that they weren’t backing it all up.
But I gotta say thank you for helping to make Reddit great! The only thing I still regret is not trying harder to contribute when I was enjoying the site.
Automatic emails have revealed so many LGPD violations with my accounts too (LGPD is the Brazilian version of GDPR).
So cool to hear that Brazil has a GDPR equivalent. That (and the fact that Bolsonaro got booted) makes me want to live there.
Embarrassing that the US can’t get on the ball with this.
Does your law specify that deleting an account must perform the full data deletion? GDPR doesn’t, one needs to manually request the procedure via email or postcard. Iirc, they are in fact forced to maintain personal data for X years in case the user requests it.
Kind of. Yes you really should make an Art.17 request to ensure having a strong GDPR case in the event of non-compliance, but technically there is still an Art.5 data minimization rule that applies to data that is no longer needed for performance of the contract.
There are several reasons why the data should still be kept even with art. 5, if for whatever reason legal entities need to contact you for something that you posted long ago that was archived somewhere else, reddit must keep your contact info, albeit just that, in the spirit of art. 5.
Now, if they are allowed to use that contact info to send you promotional content? I don’t think so. Furthermore, this mail has been sent to accounts that had more than X comment karma, and having that info stored still would breach the data minimization clause, so idk. I wouldn’t try to sue them on these grounds though.
That’s cool, has Brasil mirrored any other EU legislation too?
Wasn’t it only for US residents? GDPR is European.
I got the email in the UK. I don’t think Reddit was looking at what countries users were from when sending it.
I’m in Europe and have gotten this message too through Reddit.
That’s true, but if OP is European and received this mail, it is a GDPR violation regardless of if the content is relevant or not. As far as I know, not a lawyer.
Just checked my old empty (now) account; I didn’t get such an email and I’m European. Maybe they do a send-all in steps or something and see who bites. Anyway, if ppl want to file a complaint, here is a link with countries and departments to file a GDPR complaint:
You also had to be over (what appears to be) an overall karma threshold to get the invite. It wasn’t sent to all users (I have a dormant second account that did not receive this notice). I received this message about 2 days ago.
There’s definitely a threshold. My account with like 100k comment karma was invited, another with like 100 didn’t.
From what I was hearing the cutoff is 25K karma.
I’m on 41K comment + 21K post and I got it
Huh, my account was over 100k and I never received an email.
But did they have anything or selected listed that they were from Europe, I wonder? Like, I tend to bounce around on my ip address with my vpn.
Not if they provided incorrect info during signing up. Which is very likely if they received an email only US accounts have been getting.
Aussie here with deleted accounts getting the email.
Reddit may not track that, which isn’t a defense against GDPR violations.
That would not surprise me
On purpose GDPR violation is 4% of global yearly revenue fine for the company, which in reddit’s case would be 32M USD.
Still I assume OP has not actually done a “forget me” request for Reddit, just deleted the account. Delete is not the same thing as requesting to destroy all identifiable data of you.
GDPR doesn’t care where the company is located; if you handle European citizens’ data, you must comply.
Delete is not the same thing as requesting to destroy all identifiable data of you.
This is what I don’t get. How are Reddit accounts not pseudo/anonymous? Back when I had an account (~5+ years ago at latest) they had nothing personally identifiable on me, in which case there are no GDPR rights to speak of. Even if I were to make an Art.17 request and go above and beyond by supplying a copy of my ID card with the request, Reddit would have no way to even verify that my ID is associated to the acct.
I got this email in the UK; guessing they are just firing it at every account with a verified email against it.
oh shit me too i think lol
I received one for a dormant account, but am Canadian so I couldn’t use their IPO insider advantage even if I wanted to
Makes me think this thing is gonna Drill immediately after launch, take everyone’s lunch, and eventually rebound (or get bought by Meta/Alphabet/Microsoft/Apple on the cheap)
It’s a bad bet imo too. The enshittification of Reddit accelerates on an exponential curve, like a shitty inverse of the tech it is based on.
How good is an app if you feel better the less you use it?
Sounds like you need to contact your nation’s data protection authority
Does the GDPR have teeth against this kind of violation? Could Reddit be hit hard with violation fees?
If the user resides in Europe then yeah. This means they didn’t follow GDPR and still retain data on user(s).
It’s in the GDPR jurisdiction but Reddit accounts are anonymous AFAIK. IMO the GDPR does not protect anonymous data.
E-mail counts as user identifying information per the GDPR, so clearly they have kept user identifying information so the GDPR applies.
Even an IP address is user identifying information per the GDPR, which is why if for example a website wants to be compliant without obtaining explicit user authorization, it needs to do things like not maintain logs with IP addresses for longer than it would be necessary to track down problems with the website or intrusion attempts.
Right, so e-mail address together with IP address would then make the e-mail that of an identifiable user under Art.4(1). So the OP needs to find out if an IP address was logged and retained in connection with the email address.
Did you delete the account or ask for data deletion?
Ding ding ding we have a winner. Unless you’ve done an official “right of erasure” request they’re perfectly entitled to keep your data, account deletion and all.
I think the whole discussion is moot when the data is “anonymous”.
But suppose they had the OP’s name on file linked to the acct, thus making the GDPR applicable. There would still be a violation under GDPR Art.5 (minimization) and Art.25 (protection by design). But it is probably quite difficult to make a minimization case; lawyers have to work hard. Much stronger and effective to make an Art.17 claim, which indeed requires making the request.
An e-mail is “user identifying information” per GDPR.
So it’s not considered anonymous.
That phrase (“user identifying information”) does not appear in the GDPR text that I have. Do you have a page or section reference?
According to the Commission, “an email address such as [email protected];” is an example of “personal data” [presumably from Art.4(1)]. But it’s interesting to note that that example obviously ties the address to an identifiable person. Is that the OP’s case? (I can’t see their Cloudflare-jailed screen shot)
The EC also says “an email address such as [email protected]” is not an example of personal data.
This should really be covered by an EDPB Guideline, but I’m not finding one.
Yeah, you are correct and the wording is indeed “personal data”.
I vaguely remember it was treated the same as a phone number.
It’s been years since I had to look into the GDPR.
I’m trying to get to the bottom of this because a chunk of my data & activity is tied to nothing but my email address which always deliberately excludes personal identifiers and I do everything over Tor.
GDPR recital 26 seems the most relevant. It’s complicated but note that the GDPR clearly does not apply to legal persons (aka moral persons aka companies). So a data controller must at a minimum have a way of knowing the account belongs to a natural person. Which IMO requires being linked to other data like IP address. Though even that is fuzzy because IP databases on whether an IP address is residential boil down to guesswork.
Tempting to read wp136 which predates the GDPR but seems quite relevant. It’s possibly the most exact answer unless there is a closely related CJEU ruling.
Is a right of erasure possible at this stage?
I assume they still store the context of a deleted post somewhere and that the AI would still access it.
With cloud or tape backups, it’s nearly impossible to fully delete all data.
By design, you would want to protect it from accidental or intentional deletion.
I don’t know how any company can fully comply with GDPR to be honest.
I did the whole “GDPR, delete my stuff dance”. They replied with “you have to delete your posts yourself”. I didn’t budge, gave them the required 30 day ultimatum, but they gave zero fucks.
I did the same, but I deleted my comments and posts, they brought all back, I guess they fuck around.
They’ll communicate through “[email protected]”. The mark of professionals…
It says “be US resident”. Why do they believe you’re a US resident? Maybe using VPN when signing up huh.
If only they were so smart on reddit to check such stuff before sending the email. I also got the email here in EU and I never used VPN in my life.
Same here in Canada.
I’d be curious what the “cutoff” date is for eligibility for this. It could be that they generated the list of accounts they’d be sending this offer to some time ago, and OP deleted his account after that point.
I’ve never used a VPN, and from numerous posts, many of them in my native, non-English language, it would be easy to derive that I’m not an American citizen. I’ve even stated that fact in a number of posts.
I still got an invitation. I reported it as spam.