Claim For A Failure To Use BCC Data Breach

In this article, we are going to look at when you could claim for a data breach caused by a failure to use BCC in emails.

As a result of the Data Protection Act 2018 and the UK General Data Protection Regulation (UK GDPR), any data that could identify you (the data subject) must not be shared or disclosed without a lawful reason.

Failure to use bcc data breach claims guide

Failure to use bcc data breach claims guide

The Blind Carbon Copy (BCC) feature of an email system prevents recipients from seeing who else was sent the same message. Therefore, this could help organisations meet their data protection obligations.

However, if they fail to use it, you could suffer from distress, anxiety or embarrassment. You could even be affected financially too. As a result, you could claim for this harm in a data breach compensation claim.

Our advisors can help if you do decide to make a claim. We provide a telephone consultation where your case will be assessed and you’ll be given free legal advice on how to proceed.

For cases that appear to have a reasonable chance of success, we could connect you with a solicitor from our panel. If they accept your failure to use BCC data breach claim, they’ll process your claim on a No Win No Fee basis. As a result, you won’t need to pay for your solicitor’s work unless you are paid compensation.

We’re here to help when you’re ready to start your claim. To contact us right away, you can call on 0800 408 7825. To find out more about your options before contacting us, please read on.

Select A Section

What Are Failure To Blind Carbon Copy Data Breaches?

In this guide, we’ll try to answer questions like:

  • Is not using the BCC field a breach of GDPR?
  • Can you get compensation for a data protection breach?
  • What is a No Win No Fee claim?

You might think that sending an email to multiple recipients without obfuscating their email addresses is not a serious error. However, the UK GDPR defines personal data as information about somebody that could be used to identify them directly or indirectly.

As a result, an email address could help to identify somebody if it contains both their forename and surname or links to a photo. It could even help identify them if it doesn’t contain their name.

That’s especially true when the email is sent to a group of people who could mix socially, professionally or live in the same area.

Let’s look at an example:

A London HIV clinic sent an email to its mailing list but failed to use the BCC field. While the email itself didn’t contain any personal information, it meant that some of the recipients could potentially have been identified by others.


Importantly, even if an email address doesn’t contain the recipient’s name, it could still lead to their identification in conjunction with other information.

If you believe that you’ve suffered because of a data breach caused by the failure to use BCC, please call for free legal advice.

How Should BCC And CC Be Used When Sending Bulk Emails?

The Carbon Copy (CC) field in emails is used to allow the same email to be sent to a group of people. It is often used in workplaces and can be a useful way of facilitating group conversations. Recipients can choose to ‘reply to all’ or ‘reply to sender’ when responding.

The BCC field, however, should be used when sending bulk emails to hide who else the message is being sent to. Examples of where this should be used include mailing lists, newsletters and other scenarios where there isn’t a lawful reason to share personal information.

Is Not Using BCC A Breach Of UK GDPR?

The two items to check for to see if a data breach has occurred are:

  1. Does your email contain your name i.e. Alternatively (or in addition), does the email contain personal information? If not, it’s unlikely that a data breach has occurred.
  2. Does the sender have your permission or another lawful basis to share your email address? If they don’t, a data breach may have occurred.

To be eligible to start a claim, you will need to show that:

  • An organisation was supposed to protect your personal data. However, their positive wrongful conduct led to a personal data breach and your personal data was affected.
  • You have suffered psychologically or financially (or both) as a result of the data breach.

If you have been harmed by the effects of your email address being exposed in a bulk email, please call to check your options.

What Damages Could Be Awarded For A BCC Data Breach?

Data breach claims, including those relating to failure to use BCC, can be made for two different forms of suffering:

  • Material damage. This part of your claim will relate to costs, expenses or financial losses caused by the breach.
  • Non-material damage. This is where you’d claim for any mental harm caused by the data breach. As mentioned earlier, you could be compensated if the breach resulted in any type of distress.

When making a claim, you should aim to begin as soon as possible. That’s due to the fact that, like car accident claims, workplace accident claims or council accident claims, you’ll need to abide by time limits.

While personal injury claims have a 3-year time limit, data breach claims can involve a 1-year or 6-year limitation period. Please use live chat to check how long you have to make your claim.

Failure To Use BCC Data Breach Compensation Calculator

In an important data breach case at the Court of Appeal (Vidal-Hall and others v Google Inc [2015]), a ruling was made that altered the right to claim compensation for mental harm. Previously, you needed to prove you’d lost money because of a data breach before you could claim for psychological injuries. Following the hearing, this is no longer the case. You could claim for both financial loss and psychological harm, or either.

Additionally, in the hearing of Gulati & Others v MGN Limited [2015], the Court held that compensation payment amounts for any injuries caused by a data breach should be awarded using the same amounts that are paid in personal injury claims.

Therefore, to show you how much you might receive for any psychiatric harm following a failure to use BCC data breach, our compensation table below uses data from the Judicial College Guidelines. (Legal professionals use these guidelines to help them value injuries.)

Harm Severity Compensation Range Further Details
PTSD Severe (a) £56,180 to £94,470 A return to pre-trauma levels of functioning (or work) will not be possible due to permanent PTSD symptoms that will cause problems in all aspects of life.
PTSD Moderately Severe (b) £21,730 to £56,180 With professional help, the claimant should be able to improve despite significant initial symptoms.
PTSD Moderate (c) £7,680 to £21,730 In this category some minor symptoms might persist but, in the main, the claimant will mostly have recovered.
General Psychiatric Damage Factors considered: The ability to cope with life and work; Relationship problems; Whether treatment will help; Future vulnerability; Medical prognosis.
General Psychiatric Damage Severe (a) £51,460 to £108,620 A very poor prognosis with problems with all factors listed.
General Psychiatric Damage Moderately Severe (b) £17,900 to £51,460 Initially, there will be significant symptoms but there will be a more optimistic prognosis.
General Psychiatric Damage Moderate (c) £5,500 to £17,900 All factors will have affected the claimant but a good prognosis will be given with the chance of a good recovery.

You will need a medical assessment to help establish how much you’ve suffered. It can also help prove that your injuries were caused or worsened by an accident that wasn’t your fault. Our panel of data breach lawyers can usually book these locally for you.

Should I Go With A No Win No Fee Damages Solicitor?

Are you thinking of claiming for a failure to use BCC causing a data breach? Are you concerned about losing money on solicitor fees if the claim isn’t successful? If so, we can help. Our panel of data breach solicitors provide a No Win No Fee service.

No Win No Fee Claims

If you’re connected with a solicitor, they’ll check that they’re happy to work on your case. If they are, they’ll provide you with a Conditional Fee Agreement (CFA). (This is the formal term for No Win No Fee agreement.) This contract will explain what your solicitor needs to achieve before you need to pay them.

The CFA will discuss the success fee you’ll pay if the claim works out in your favour. This fee is an agreed percentage of your compensation which, by law, is capped. As per the No Win No Fee phrase, you won’t pay the success fee if your case is lost.

Our panel offer their services on a No Win No Fee basis. To see if you can get connected, why not reach out?

Get In Touch Now

We are ready to help if you’ve decided to proceed with a ‘failure to use BCC’ data breach claim. The best methods of contacting us include:

Archives And Related Articles

Here are some additional resources that could help you if you’re thinking about claiming for a failure to use BCC resulting in a data breach:

Privacy and Electronic Communications Regulations Guide – Information on another law relating to data protection.

The Information Commissioner’s Office (ICO) – The body responsible for data protection enforcement in the UK.

PTSD Symptoms – Advice from the NHS about the symptoms of Post-Traumatic Stress Disorder.

Claiming For Lost Wages – A look at when you could claim for lost income as part of your claim.

Read More Data Breach Claims Guides

We also have some other guides you may find useful:

You’ve reached the end of our guide on failure to use BCC claims.

Article by RA

Publisher UI