Any pointers on how to report them?

As requested, I’m posting the full text of the email into this post body. I hope it’s screen reader friendly:

u/USERNAME,

tl;dr – you’re invited to a special program that lets redditors purchase stock at the same price as institutional investors when we IPO. Details about eligibility and next steps follow. This (long, dense) email has all the info we can provide due to legal restrictions.

As you may have heard, Reddit has taken steps toward becoming a publicly traded company with the initial public filing of our registration statement with the U.S. Securities and Exchange Commission on February 22, 2024. Yes, it’s happening.

And because you have helped make Reddit what it is today, you now have the opportunity to become Reddit owners at the same price as institutional investors.

We’re offering a Directed Share Program (“DSP”) that invites eligible users and moderators who have contributed to Reddit to participate in our initial public offering (“IPO”). (Including you!)

Program Requirements

While being selected to pre-register is the first step, there are certain legal and regulatory requirements to participate in the DSP that are outside of Reddit’s control. Bear with us here…

To be eligible for the DSP, you must:

• Be a current U.S. resident;
  o You will be asked to provide the DSP Administrator a valid social security or permanent resident number, along with other personal information. Reddit will not have access to this data.
  o Please note that U.S. residents using a VPN may face application limitations if the VPN locates them in certain non-U.S. jurisdictions.
• Be at least 18 years old;
• Provide your full legal name and an email address;
• Not be a current or former Reddit employee (FTE).

When the DSP launches (a few weeks after pre-registration ends), individuals who have been confirmed for the program will be contacted by our external DSP Administrator. You will then be asked to provide additional information securely to the DSP Administrator to confirm your eligibility.

How to pre-register

The number of people who can participate in the DSP is limited; we will offer this opportunity to as many redditors as we are able to accommodate. If capacity is reached before the deadline, you will be added to the waitlist. Based on demand, we may also limit the number of shares available.

If you are interested in being part of Reddit’s DSP, please go to https://reddit.com/dsp on desktop to complete the pre-registration form. If you are one of the confirmed participants, we will follow up with an email with more details in the coming weeks. You can also refer to the Frequently Asked Questions for more information. Due to regulatory restrictions (yeah… we know…) we are not able to respond to further inquiries or questions.

Pre-registering does not guarantee that you will be invited or able to participate in the DSP; it also does not obligate you to purchase shares.

As with any investment opportunity, you should make an individual decision based on your own personal circumstances and risk tolerance. Therefore, we urge you to review the preliminary prospectus, when available, before deciding whether to invest in Reddit.

The deadline for pre-registering for the DSP is March 5, 2024. If capacity is reached before the deadline, you will be added to the waitlist.

What happens next?

While there won’t be a confirmation email immediately after you pre-register, everyone who pre-registers will receive an email in the coming weeks from “[email protected]”, telling them whether they can proceed with the next steps for the DSP.

This is an automated message (beep, boop, beep) and does not receive replies. Please refer to the FAQ for more information. Per our lawyercats, we are not able to respond to further inquiries or questions.

Prospectus and Important Disclosures

The offering will be made only by means of a prospectus. When available, a copy of the preliminary prospectus related to the offering may be obtained from: Morgan Stanley & Co. LLC, Prospectus Department, 180 Varick Street, New York, New York 10014, or email: [email protected]; Goldman Sachs & Co. LLC, Attention: Prospectus Department, 200 West Street, New York, New York 10282, telephone: 1-866-471-2526, facsimile: 212-902-9316, or email: [email protected]; J.P. Morgan Securities LLC, Attention: c/o Broadridge Financial Solutions, 1155 Long Island Avenue, Edgewood, New York 11717, telephone: 1-866-803-9204, or email: [email protected]; and BofA Securities, Inc., NC1-022-02-25, 201 North Tryon Street, Charlotte, North Carolina 28255-0001, Attention: Prospectus Department, telephone: 1-800-294-1322, or email: [email protected].

A registration statement relating to these securities has been filed with the U.S. Securities and Exchange Commission but has not yet become effective. These securities may not be sold nor may offers to buy be accepted prior to the time the registration statement becomes effective. This notification shall not constitute an offer to sell or the solicitation of an offer to buy these securities, nor shall there be any sale of these securities in any state or jurisdiction in which such offer, solicitation, or sale would be unlawful prior to registration or qualification under the securities laws of any such state or jurisdiction.

No offer to buy the securities can be accepted and no part of the purchase price can be received until the registration statement has become effective, and any such offer may be withdrawn or revoked, without obligation or commitment of any kind, at any time prior to the notice of its acceptance given after the effective date. An indication of interest in response to this notification will involve no obligation or commitment of any kind.

You are receiving this email because a Reddit account, USERNAME, is registered to this email address.

548 Market St., #16093, San Francisco, CA 94104–5401

  • coffeeClean@infosec.pub
    9 months ago

    I think the whole discussion is moot when the data is “anonymous”.

    But suppose they had the OP’s name on file linked to the acct thus making the GDPR applicable. There would still be a violation under GDPR Art.5 (minimization) and Art.25 (protection by design). But it is probably quite difficult to make a minimization case; lawyers have to work hard. Much stronger and effective to make an Art.17 claim, which indeed requires making the request.

    • Aceticon@lemmy.world
      9 months ago

      An e-mail is “user identifying information” per GDPR.

      So it’s not considered anonymous.

      • coffeeClean@infosec.pub
        9 months ago

        That phrase (“user identifying information”) does not appear in the GDPR text that I have. Do you have a page or section reference?

        According to the Commission, “an email address such as [email protected];” is an example of “personal data” [presumably from Art.4(1)]. But it’s interesting to note that that example obviously ties the address to an identifiable person. Is that the OP’s case? (I can’t see their Cloudflare-jailed screen shot)

        The EC also says “an email address such as [email protected]” is not an example of personal data.

        This should really be covered by an EDPB Guideline, but I’m not finding one.

        • Aceticon@lemmy.world
          9 months ago

          Yeah, you are correct and the wording is indeed “personal data”.

          I vaguely remember it was treated the same as a phone number.

          It’s been years since I had to look into the GDPR.

          • coffeeClean@infosec.pub
            9 months ago

            I’m trying to get to the bottom of this because a chunk of my data & activity is tied to nothing but my email address which always deliberately excludes personal identifiers and I do everything over Tor.

            GDPR recital 26 seems the most relevant. It’s complicated but note that the GDPR clearly does not apply to legal persons (aka moral persons aka companies). So a data controller must at a minimum have a way of knowing the account belongs to a natural person. Which IMO requires being linked to other data like IP address. Though even that is fuzzy because IP databases on whether an IP address is residential boil down to guesswork.

            Tempting to read wp136 which predates the GDPR but seems quite relevant. It’s possibly the most exact answer unless there is a closely related CJEU ruling.

            • Aceticon@lemmy.world
              9 months ago

              Well, from your second source an e-mail is personal data (as explicitly said so in that document), related by “content” and in this specific case if Reddit is indeed sending IPO e-mails to some rather than others depending on Karma also by “result” (though it would be the combination of e-mail and Karma that is the related by “result” part as it’s not the e-mail itself that causes the differentiated treatment between individuals) to an “identifiable” individual (possibly also “identified” depending if the e-mail address contains the person’s full name) (the example in that document for dynamic IP addresses seems the one relevant for e-mails).

              As for the 4th condition, that of being a natural person, as long as the OP received the e-mail on a personal address rather than a company address, that’s pretty obviously fulfilled.

              As per that document, if the piece of data they hold fulfills all 4 conditions, it’s covered by the GDPR.