I hate my isp. Just lost wall of text. So will try to be short:

6 and 15 are fine. 16 needs improvements - there are people who have one account for forum and one for games (for sake of privacy), who wont fit into this (not scammers, just worry about privacy. Its easy to track tho - if one account receive games from one winner, its ok. If multiple accounts receive games from one winner, or one account receive keys from multiple winners - thats no-no). And part about family members shouldnt be there at all - these will rather use same account for everyone (so no reason to gift stuff to anybody), or have their owns (in that case, re-gifting remains re-gifting). You are basically doubling what you've already said, but specifically mentioning some group, which serves no point

I don't understand why anyone would need multiple accounts for privacy. If you make all of your information private, everyone will get the GOG bear when they try to access your profile, list of games, list of friends or wishlist. You can still have chat set so you can chat with anyone or only people on your friends list.

I don't understand how it would be easy to track what keys were redeemed by what account. Only the donor can see what account redeemed the key, and only if the donor actually purchased the game, as opposed to it having been gifted by a staff member. This means that the only way that I could track what keys were redeemed by what account would be if I were to require every donor to tell me what account redeemed what key, and that's probably not something every donor would be willing to do, and it could lead to fewer donations. As it's written now, I'm just asking that if a donor notices that a key was redeemed by a different account than the one that requested it, they can PM me, and the issue can be investigated.

In my experience, most people have their own account instead of sharing accounts with family members and friends. This is why the Steam family sharing service exists. People sometimes mention that they want to request a key for a friend or family member, so I figured this specific situation should be explained.

What does everyone else think, though? I want this giveaway to work as well as it can, and for it to be as fair as it can be, and I'd like to discuss how the rules should be written and enforced. My thoughts above are just that: My thoughts, not what I've decided should be the rules. I'd like for all of us to discuss what should be the rules and come to a general consensus, and if we can't, I'll just have to go with what I think will probably work best.

The rules and the new changes are perfectly fine. You're doing a great job, don't worry, finkleroy. If some folks have trouble with privacy, downvotes or other sorts of things, then it might be best for them not to participate in public giveaways, simple as that. "Don’t look a gift horse in the mouth".

from security side: gog nickname == gog login.
from social side: forum account is forum account. You chit-chat there, sometimes tell things not everyone like to hear. Games account is games account. It contains lot of valuable data - games, money on gog wallet, probably your credit card info.

Remember when bunch of active forum members lost access to their accounts after getting PMs from imposters of others? Or when some dude has reported accidently gained access to other's account just via their login? (or was it on steam? I dont remember, to be honest. But it was a big thing back when it was discovered) Its nothing serious, if your account is just for chat. But if it contain valuable data - you may get real problems

No, I don't remember anything like that. Maybe I haven't been around here for long enough. What does everyone think? Should I change the rule to state that everyone is required to always use the same account to redeem donated keys, and if that account is different from their forum account, they have to tell me what it is so if a donor is concerned about it, I can let them know what's up? If I were to implement this rule, the user would only be allowed to redeem keys with that specific alternate account. They wouldn't be allowed to redeem keys with their forum account, and they wouldn't be allowed to change which alternate account they use to redeem them. It would be like linking your Steam account to your GOG account for GOG Connect: "This action cannot be undone."

Rule 15 is nice for people who might otherwise awkwardly break it because of their low social skills. It might sound obvious to the majority but I can't see what harm it can do to write it down. Rule 16 seems fair, but I understand how it is problematic for someone with multiple accounts, which must also be rare tbh. I wanted to suggest to implement an alternate account on request for those cases, but was refraining fearing that it could be too much of an hassle for finkleroy, but as the proposal comes from Their Feline Majesty themselves while I was writing here, I can say that I totally endorse it.

That would work I guess, but it requires a fair bit of work for you, to remember that an account is paired with another and check that it works that way each time.
Now between the two sayings quoted above, not looking a gift horse in the mouth and throwing something good you do in the sea, I really go with the latter, you do something nice because you want to, not for any returns, even as mere thanks. But that goes as far as rule/recommendation 15 goes, with the thanks. The account situation can get tricky, and while I can see Gekko_Dekko's arguments for it... As I said above, would require a fair bit of work, and more so a lot of attention and care, from finkleroy to ensure that anyone making use of this concept does it just like that.

Oh, and I believe the issues Gekko_Dekko referred to would be these:
https://www.gog.com/forum/general/warning_massive_security_risk_on_gog/page1
https://www.gog.com/forum/general/warning_dont_click_links_from_your_chat_unless_youre_sure_about_the_sender/page1
And their concern about privacy: https://www.gog.com/forum/general/what_s_with_new_privacy_policy/page1

EDITED
[damn, duplicate comment, my previous one was not showing up.]
I would add that I don't think many people have an alternate account and the GOG edition is smaller in size than the non-GOG, so the amount of extra work should be contained. In any case, they should remind finkleroy about it in private when they receive the key.

Ah, ok, so only in case of a complaint. Was thinking you'd keep that file and have to check yourself, to make sure it's the same account and also that such a "paired" account never redeems games on itself instead of the alternate one. That works then, yeah.
Taking that as a given...

Out of curiosity, was this before or after two factor authentication became available? I'm not sure when that happened. It's not the best 2FA I've ever seen, but it seems to get the job done. I haven't had any issues with it, anyway.

I updated rule #16. How does it look?

Looks good to me, if you're willing to go through the trouble.

And well after. While searching, found https://www.gog.com/forum/general/friendly_reminder_make_sure_you_have_2_factor_authentication_on_your_gog_account/page1 too, so it already existed then.

It looks like that hacking attempt was made after 2FA was introduced, but 2FA thwarted it, so as far as I can tell, 2FA should be enough to keep an account secure. It would be nice if there were proper 2FA where it sends you a text message or makes you enter a code from an authenticator app, but so far it does seem to suffice.

^This, totally.

For me, it's about fair play; we — who uses single profile for everything including giveaways, accounts for whatever kind of participation we do in the forum.
If we join giveaways — we risk being downvoted, being envied for winning or being 'first' on first-come-first-serve basis, or being branded by names like 'leech' etc.

If we act like an ass intentionally or unintentionally / commit mistakes, misinformations — we 'own' it.

And people will treat/judge you based on all of those. It's too easy to create a "separate account" and have that account take all the heat/hit, while your main account is sitting from behind relaxing.

In all honesty, I failed to see any privacy implications because of the new rule.