Report them, you say? Many DPC's such as the Irish DPC are very friendly in terms of their lax approach to the regulation, just ask Max Schrems, he's been at this for years. I think the EU and the regulators do not have resources to enforce the law, so whilst there are requirements to protect customer data, nothing bad happens if you don't. Just check the top of HN as I write this [1] "Checkout.com hacked, refuses ransom payment, donates to security labs". Will anyone be arrested, charged, fined, or otherwise penalized? Nope, not a chance. I 100% guarantee absolutely nothing will happen as a result of this article. GPT makes it so easy to capture user data these days and people will just willingly hand it over.
The truth is, you should be very careful what data you hand out, always. Use an alias, use privacy tools, always be weary and check if they have a privacy policy, check to see if it works (make a dummy account, do GDPR request, if no reply, be weary).
If they are not serious about privacy, stop, think and act accordingly. While it is a disgrace what these individuals have done, individuals need to take personal responsibility just as in a real world, would you trust a random stranger giving you pills? Hopefully not!
[1]: >>45912698