Reddit sent me invitations to their IPO to my "deleted" accounts! That's a GDPR violation!
Any pointers on how to report them?
As requested, I'm posting the full text of the email into this post body. I hope it's screen reader friendly:
u/USERNAME,
tl;dr – you’re invited to a special program that lets redditors purchase stock at the same price as institutional investors when we IPO. Details about eligibility and next steps follow. This (long, dense) email has all the info we can provide due to legal restrictions.
As you may have heard, Reddit has taken steps toward becoming a publicly traded company with the initial public filing of our registration statement with the U.S. Securities and Exchange Commission on February 22, 2024. Yes, it’s happening.
And because you have helped make Reddit what it is today, you now have the opportunity to become Reddit owners at the same price as institutional investors.
We’re offering a Directed Share Program (“DSP”) that invites eligible users and moderators who have contributed to Reddit to participate in our initial public offering (“IPO”). (Including you!)
Program Requirements
While being selected to pre-register is the first step, there are certain legal and regulatory requirements to participate in the DSP that are outside of Reddit’s control. Bear with us here…
To be eligible for the DSP, you must:
• Be a current U.S. resident;
o You will be asked to provide the DSP Administrator a valid social security or permanent resident number, along with other personal information. Reddit will not have access to this data.
o Please note that U.S. residents using a VPN may face application limitations if the VPN locates them in certain non-U.S. jurisdictions.
• Be at least 18 years old;
• Provide your full legal name and an email address;
• Not be a current or former Reddit employee (FTE).
When the DSP launches (a few weeks after pre-registration ends), individuals who have been confirmed for the program will be contacted by our external DSP Administrator. You will then be asked to provide additional information securely to the DSP Administrator to confirm your eligibility.
How to pre-register
The number of people who can participate in the DSP is limited; we will offer this opportunity to as many redditors as we are able to accommodate. If capacity is reached before the deadline, you will be added to the waitlist. Based on demand, we may also limit the number of shares available.
If you are interested in being part of Reddit’s DSP, please go to https://reddit.com/dsp on desktop to complete the pre-registration form. If you are one of the confirmed participants, we will follow up with an email with more details in the coming weeks. You can also refer to the Frequently Asked Questions for more information. Due to regulatory restrictions (yeah… we know…) we are not able to respond to further inquiries or questions.
Pre-registering does not guarantee that you will be invited or able to participate in the DSP; it also does not obligate you to purchase shares.
As with any investment opportunity, you should make an individual decision based on your own personal circumstances and risk tolerance. Therefore, we urge you to review the preliminary prospectus, when available, before deciding whether to invest in Reddit.
The deadline for pre-registering for the DSP is March 5, 2024. If capacity is reached before the deadline, you will be added to the waitlist.
What happens next?
While there won’t be a confirmation email immediately after you pre-register, everyone who pre-registers will receive an email in the coming weeks from “[email protected]”, telling them whether they can proceed with the next steps for the DSP.
This is an automated message (beep, boop, beep) and does not receive replies. Please refer to the FAQ for more information. Per our lawyercats, we are not able to respond to further inquiries or questions.
Prospectus and Important Disclosures
The offering will be made only by means of a prospectus. When available, a copy of the preliminary prospectus related to the offering may be obtained from:
Morgan Stanley & Co. LLC, Prospectus Department, 180 Varick Street, New York, New York 10014, or email: [email protected]; Goldman Sachs & Co. LLC, Attention: Prospectus Department, 200 West Street, New York, New York 10282, telephone: 1-866-471-2526, facsimile: 212-902-9316, or email: [email protected]; J.P. Morgan Securities LLC, Attention:c/o Broadridge Financial Solutions, 1155 Long Island Avenue, Edgewood, New York 11717, telephone: 1-866-803-9204, or email: [email protected]; and BofA Securities, Inc., NC1-022-02-25, 201 North Tryon Street, Charlotte, North Carolina 28255-0001, Attention: Prospectus Department, telephone: 1-800-294-1322, or email: [email protected].
A registration statement relating to these securities has been filed with the U.S. Securities and Exchange Commission but has not yet become effective. These securities may not be sold nor may offers to buy be accepted prior to the time the registration statement becomes effective. This notification shall not constitute an offer to sell or the solicitation of an offer to buy these securities, nor shall there be any sale of these securities in any state or jurisdiction in which such offer, solicitation, or sale would be unlawful prior to registration or qualification under the securities laws of any such state or jurisdiction.
No offer to buy the securities can be accepted and no part of the purchase price can be received until the registration statement has become effective, and any such offer may be withdrawn or revoked, without obligation or commitment of any kind, at any time prior to the notice of its acceptance given after the effective date. An indication of interest in response to this notification will involve no obligation or commitment of any kind.
You are receiving this email because a Reddit account, USERNAME, is registered to this email address.
548 Market St., #16093, San Francisco, CA 94104–5401
I haven't used my reddit account the API change, beyond maybe 3 or 4 comments. I got an invite. How the fuck was I one of their top 35k most active users? Seems like their site isnt nearly as active as they're claiming
Yeah I just got an invite as well and I haven't logged in since the protest that brought the first wave of us here. So karma has to be a deciding factor, I had over 100k I think so that would be the only reason I got an invite.
I got the email, also... And like you, I've not used reddit since the api BS. I've not logged in, commented or anything since just before sync stopped working.
Did you post a lot? Do you have email notifications turned on?
My old account has... a lot (six digits worth), of comment karma. But I think I posted a grand total of three times in the last ten years or so. I also have notifications turned off. So, no IPO notification for me.
it's getting more obvious they are going to pull the rug, admittedly I haven't followed too much on the situation or on reddit at all since I stopped using reddit almost a decade ago. the site really went to shit didn't it. I just grab my popcorn when new updates pop up these days, all reddit is for me now is an end result from a google search about a problem.
Youre telling me, they sent me TWO invitations for two of my accounts. One of which I retired years ago because the username was kinda insensitive. Its been inactive for years, yet apparently it has enough karma for them to message me about it.
You should be very VERY vocal about how your account, insensitive name, was asked to own part of Reddit and how willing you are to do that, in order to make sure that the world knows that reddit is owned in part by insensitive name..
The price for these shares is probably not cheap for the individual, but won't raise a ton of money internally in the grand scheme of things. At least, that's how it works for employee options and phantom stock. The disparity here is due it's utility as a retention mechanism. The idea is that, if invested, you're less likely to jump ship until after IPO. With options and phantom stock, they typically have a "vestment period", so you have to wait before you can get your money back out.
In this case, Reddit knows it needs its moderators and power users, but can't afford to employ those people. So we get this weird middle-ground where they entice people to stick around, but they're still not employees. As a bonus to Reddit Inc., these "investors" will provide ballast for the IPO, because I'm betting this stuff has a vestment period that extends well past the IPO date. Seeing this all on a balance sheet will make other investors feel a lot better about buying or even holding shares when the IPO kicks off.
What I really don't like about this is that they mention the "DSP" and define it, but are coy about what the actual investment instrument is. What kind of shares are these? What is the price per share?
They once sent me an email, about their new privacy conditions on my deleted account too. If you live in EU I'd recommend forwarding this message and the confirmation of your account being deletes to your local data authorities. It's pretty easy to file a compliant
That's true, but if OP is European and received this Mail, it is a GDPR violation regardless of if the content is relevant or not. As far as I know, not a lawyer.
Just checked my old empty (now) account i didnt get such an email and im european. Maybe they do a send all in steps or something and see who bites. Anyway if ppl want to file a compllaint here is a link with countries and departments to file a gdpr complaint:
On purpose GDPR violation is 4% of global yearly revenue fine for the company, which in reddit's case would be 32M USD.
Still I assume OP has not actually done "forget me" request for reddit, just deleted the account. Delete is not same thing, as requesting to destroying all identifiable data of you.
GDPR doesn't care were company is located, if you handle European citizens data, you must comply.
Upon leaving the EU any laws that were in use were 'enshrined' into UK law. In order for the UK to remove EU laws we'd need to actively remove them through an act of parliament. (At least that's my vague understanding..) https://www.legislation.gov.uk/eu-legislation-and-uk-law
I'm happy to keep the EU laws, it'll save time when we rejoin.🇪🇺🇬🇧
Yeah, EU directives need to be adopted into local country legislature (with some deadlines), whereas EU delegated acts (usually hierarchically under a directive) automatically apply to all EU members. Hehe, members.
The UK has its own version of GDPR. That's actually how the EU works, it sets guidelines and the countries create their own laws within those guidelines.
Ding ding ding we have a winner. Unless you’ve done an official “right of erasure” request they’re perfectly entitled to keep your data, account deletion and all.
I think the whole discussion is moot when the data is “anonymous”.
But suppose they had the OP’s name on file linked to the acct thus making the GDPR applicatable. There would still be a violation under GDPR Art.5 (minimization) and Art.25 (protection by design). But it is probably quite difficult to make a minimization case; lawyers have to work hard. Much stronger and effective to make an Art.17 claim, which indeed requires making the request.
I did the whole "GDPR, delete my stuff dance". They replied with "you have to delete your posts yourself". I didn't budge, gave them the required 30 day ultimatum, but they gave zero fucks.
Does your law specify that deleting an account must perform the full data deletion? GDPR doesn't, one needs to manually request the procedure via email or postcard. Iirc, they are in fact forced to maintain personal data for X years in case the user requests it.
Kind of. Yes you really should make an Art.17 request to ensure having a strong GDPR case in the event of non-compliance, but technically there is still an Art.5 data minimization rule that applies to data that is no longer needed for performance of the contract.
It cheeses my beans so goram much that they took a perfectly good web site and made it terrible so they could sell it to "the public", notionally the same people who were using the site!!!
I can only conclude that this is some kind of scam and actually most of the thing is going to end up owned by deliberately nebulous "institutional investors" and not the community members who constitute and deserve ownership of the community. Or even the people at Reddit Inc. who did the work of making the thing.
I can only conclude that this is some kind of scam
That depends on your framing.
Is it a legitimate attempt to sell shares? Absolutely. Completely legal, disregarding OP's claim of a GDPR violation. There might be wiggle-room to suggest this is some flavor of price manipulation, but I'm not a lawyer or SEC investigator. In order to IPO, there's a compliance framework that makes this functionally identical to any other IPO on the market.
Are some people who buy this IPO going to be left holding the bag? In a round-about "we're all playing the same game, but also not" way, yes. For an instant, people will be holding shares in Reddit at the IPO price, and speculation on value will drive that up on the back of the IPO itself. It might plummet later the same day, it may not. But what is going to really burn people is when the primary shareholders "cash out" and sell a huge chunk of that stock. That usually has the effect of signaling that the company isn't worth what it was anymore. It's a gamble where the house can destroy your bid before you can manage to pawn your chips off onto the next guy.
From a spectator standpoint, where this may get interesting is where Reddit IPO intersects with r/wallstreetbets.
Edit: dividends are also a thing, but I never hear about that outside of what mutual funds and 401ks are up to. As someone who has no idea how Reddit does or can actually make money, I'm going to guess that's not going to be a benefit of being a long-term shareholder.
Let’s assume that the dude requested for a deletion of his account (specifically - not all his data) of the basis of gdpr and the execution of his data subject rights; that doesn’t exclude the possibility for reddit to keep his contact details for specific purposes based on the legitimate interest of reddit. Or at least they could play with the argument.
I received one for a dormant account, but am Canadian so I couldn't use their IPO insider advantage even if I wanted to
Makes me think this thing is gonna Drill immediately after launch, take everyone's lunch, and eventually rebound (or get bought by Meta/Alphabet/Microsoft/Apple on the cheap)
Well… now I’m glad I didn’t bother trying to scrub my data off the site ;-)
Never really bought the notion that they weren’t backing it all up.
But I gotta say thank you for helping to make Reddit great! The only thing I still regret is not trying harder to contribute when I was enjoying the site.
You might want to crosspost your story to [email protected]. But if you do that be clever with your phrasing so as to not seem to be asking for advice, but rather for information. E.g. is there any case law for this situation..
(I’m assuming you’re in the UK because other commenters focused on UK law)
It isn't illegal but I'm not to sure that they will be selling voting shares to the average redditors. They tightly control who can actually make decisions.
I'd be curious what the "cutoff" date is for eligibility for this. It could be that they generated the list of accounts they'd be sending this offer to some time ago, and OP deleted his account after that point.
I've never used a VPN, and from numerous posts, many of them in my native, non-english language, it would be easy to derive that I'm not an American citizen. I've even stated that fact in a number of posts.
You are on a privacy-offending Cloudflare site (#LemmyWorld), so Tor users are blocked from seeing your Cloudflare-jailed image. If you care about privacy you will bounce from that instance.
Without seeing the image, I have to ask how an anonymous user gets #GDPR rights. Or has #Reddit started supporting an identification mechanism of some kind? When I start the reg process, it asks for an email address, username, and pw, not a first + lastname (but my test stopped when a Google reCAPTCHA push was attempted). I have zero sympathy for Reddit -- they are rotten to the core scumbags, but I do not see how the GDPR can be applied to anonymous accounts.
(edit) I gather from other comments you must have posted an email. Would be great if you could copy the text of the email into the body of your post so everyone can see it and so people using screen readers can hear it. Thanks!
The To: address in the header would be interesting. Of course, you wouldn’t want to disclose it verbatim here but it might be useful to have a rough idea. Was it [email protected] or some variation of that, or was it more like [email protected]? Some people here think it doesn’t matter, that it’s inherently personal info, but the European Commission says it matters. It’s not hard and fast; there are varying shades of gray here. Maybe they kept logs of your IP address and maybe that makes a difference. You might want to read WP136 (I have yet to read that).
I would love to see action taken against Reddit, if anything just to burden their lawyers and create some costs for them. But I doubt it will go anywhere. GDPR enforcement is such a shit-show in Europe. Even dealing with clearly blatant violations that are wholly internal to Europe which should irrefutably incur penalties, simple obvious cases are being ignored by DPAs. So I have little confidence that this cross-border case against a non-EU data controller would actually get results when the law is not really concrete. The one factor in your favor is that Reddit is somewhat high-profile which might take a DPA’s interest.
I don’t think a “delete my account” button constitutes an Article 17 request. It removes the purpose of processing to some extent, which then relies on the data minimization principle (Art.5). Reddit can do a bit of hand-waving to make excuses like needing to retain your email address in case one of your posts sparks a legal inquiry. Your case would be stronger if you had submitted an explicit Art.17 request to Reddit.
From the email:
Per our lawyercats, we are not able to respond to further inquiries or questions.
I wonder if that statement might be actionable. Art.12 and 13 require Reddit to identify a data controller with a point of contact and to tell you your GDPR rights (IIUC). And here they are outright stating in effect “we don’t want to hear from you”. I would stress that in your GDPR complaint, not just the misuse of your email which you expected to be deleted. But note they do provide an address at the bottom of that msg. Although that angle of attack might require Reddit having a way to know you have ties to a GDPR region after the supposedly “deleted” your acct.
Also, I would look into any anti-spam laws your country has. There may be a higher degree of legal actionability there.