This guide will explain what to do if a company or an organisation sends a bulk email and the BCC field was not filled out.
Organisations may collect email addresses for a number of reasons, from marketing to important communications. Under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA), data controllers and processors must take the necessary steps to protect your personal data, including your email address. The legislation above is upheld by the Information Commissioner’s Office (ICO). The ICO is an independent, UK-based data protection watchdog.
A data controller decides how and why they intend to use your personal data. A data processor goes on to process this data by following the controller’s instructions.
If a personal data breach has harmed you, you may be able to claim compensation for the distress or financial losses caused. Please contact our team of advisors today to see if you are eligible to claim compensation.
- Call 0161 696 9685
- Contact us online
- Or, ask an advisor a question directly using the Live Support feature
Select A Section
- What Are BCC And CC?
- Is It A Breach Of The UK GDPR if The BCC Field Was Not Filled Out?
- What Happens If The BCC Field Was Not Filled Out?
- Types Of Data Which Could Be Sent Via Email
- The BCC Field Was Not Filled Out – What Payout Could You Claim?
- Start A Claim Today
The blind carbon copy (BCC) feature and the carbon copy (CC) feature allow organisations to send batch emails out to multiple recipients. The BCC feature anonymises the recipients of a batch email. The CC feature allows organisations to send batch emails without anonymising the email addresses of the recipients.
If an organisation uses the CC field instead of the BCC field, this could allow unauthorised parties to view your email address, which could be a personal data breach. For example, if an HIV clinic were to send a batch email out to their patients but fail to use the BCC feature, this could allow recipients to infer information about each other’s HIV statuses.
A personal data breach is a security incident that affects your personal data’s integrity, confidentiality, or availability. Your email address is personal data, as are your phone number and full name, as this information could identify you.
When Should The BCC Field Be Used?
When sending a batch email, using the BCC field can anonymise the email addresses of the recipients. Because of this, organisations should use it when they need to anonymise the recipients of an email under data protection law.
To learn more about how to make a claim if the BCC field was not filled out, and this caused a breach of your personal data, get in touch with our team.
If a personal data breach occurs because the BCC field was not filled out, this could be a breach of the UK GDPR. The UK GDPR also sets out the criteria for who can claim compensation following a personal data breach.
Under the UK GDPR, if you want to make a claim, you must be able to prove that the breach:
- Includes your personal data
- Occurred due to the data controller or processor’s wrongful conduct
- Has caused you to experience harm, either mentally or financially
BCC Data Breach Statistics
When a data controller or processor breaches personal data, they should report the incident to the ICO within 72 hours if the data security incident jeopardises the data protection rights and freedoms of the victim.
The ICO also publishes quarterly data security incident trends based on reports they receive. According to these numbers, there have been 128 incidents of failure to use the BCC feature reported so far in 2022. This is in comparison to the 279 incidents of the same nature in 2021.
Our advisors can give you free legal advice and more information on how to make a personal data breach claim. If the BCC field was not filled out in an email and this caused you harm, get in touch today.
You may wonder what happens if an organisation fails to use the BCC field in a batch email.
If you believe you have discovered an email data breach, please contact the organisation responsible. They may be able to advise you on what to do to protect your data in the aftermath and may be able to provide more information on the breach.
If they do not respond, or if the response you receive is unsatisfactory, you can make a complaint to the ICO. They could investigate the breach, and have the power to fine organisations that do not comply with data protection laws. However, you should make the complaint no more than three months after the incident.
If you have suffered harm due to a personal data breach because the BCC field was not filled out in an email, you may be able to claim. Contact our advisors today to learn more.
In order to make a claim for compensation, the breach must affect your personal data. Personal data is information that could identify you. Emails can contain a variety of personal data. For example, an email could contain your:
- First names and surname
- Home address
- Date of birth
- Email address
- Bank account details
- Debit card number
- Credit card number
- Phone numbers
An email can also contain special category data. This is a kind of personal data that needs extra protection according to the UK GDPR and DPA. Special category data can include information that relates to your:
- Health, such as information found in your medical records
- Sexual orientation
- Trade union membership
- Race or ethnic origin
- Religious views
If your personal data breach claim succeeds, you could receive compensation for material and non-material damage. Non-material damage aims to address the psychological injuries caused by the breach. For example, if you suffer from stress due to a data breach, or if a data breach affects your mental health, you could claim for this under non-material damage.
Below, you can find a table that showcases guideline compensation amounts from the Judicial College Guidelines (JCG). These help solicitors value compensation claims. Please note that these figures are guidelines only, and the amount of compensation you could receive can differ.
| Severity | Form Of Injury | Damages | Notes |
| --- | --- | --- | --- |
| A - Severe | Psychological Damage | £54,830 to £115,730 | The person has a generally poor prognosis and faces significant issues in coping with areas of daily life. |
| B - Moderately Severe | Psychological Damage | £19,070 to £54,830 | Whilst still facing significant issues, there is a better prognosis. |
| C - Moderate | Psychological Damage | £5,860 to £19,070 | An improvement in symptoms garners a more optimistic prognosis. |
| D - Less Severe | Psychological Damage | £1,540 to £5,860 | The impact of the symptoms and the length of time affected are considered in this bracket. |
| A - Severe | Anxiety Disorder | £59,860 to £100,670 | Trauma has impacted all parts of this person’s life. They are not able to return to functioning or working at pre-trauma levels. |
| B - Moderately Severe | Anxiety Disorder | £23,150 to £59,860 | A better prognosis and some recovery can be attained through professional help. |
| C - Moderate | Anxiety Disorder | £8,180 to £23,150 | A large recovery occurs, though some non-disabling symptoms remain. |
| D - Less Severe | Anxiety Disorder | £3,950 to £8,180 | A virtually full recovery takes place within 2 years, with only minor symptoms extending past this point. |
Material damage aims to address the financial impacts of the breach. For example, if you need to take time away from work to recover from the psychological injuries caused by the breach, you may experience a loss of earnings. In this case, you could claim these losses back under material damage.
Contact our advisors today to get a free consultation about your claim. Or, read on to find out how a solicitor from our panel could help you.
You may be wondering how legal representation could benefit your claim. A solicitor from our panel could represent you under a Conditional Fee Agreement (CFA). Under this kind of No Win No Fee arrangement, you typically will not have to pay any upfront or ongoing fees to your solicitor. If your claim succeeds, the only fee taken by your solicitor would be a success fee. This is a small percentage of your compensation award. However, if your claim does not succeed, you do not pay this fee.
Contact Advice.co.uk today to see if you can claim compensation:
- Call 0161 696 9685 to talk to a claims expert.
- Contact us via our website.
- Or, use the Web Chat service to speak to an advisor.
Email And Organisational Data Breach Cases
We have included some internal and external guides about data breaches and protecting your personal data.
- How To Make A Lost Records Data Breach Compensation Claim
- How To Claim For A Witness GDPR Data Breach
- Recruitment Agency UK GDPR Data Breach – When Could You Claim Compensation?
Thank you for reading our guide on what to do if your email address was shared because the BCC field was not filled out.
Page by AE
Published by EN