Failure To Use BCC Data Breach Compensation Claims

By Stephen Moreau. Last Updated 29th February 2024. Is not using BCC a breach of UK GDPR? In some cases, yes it could be. A failure to use BCC could be caused by human error.

And when such an error results in your personal data, which is protected by law, being exposed, it could be possible to claim compensation for a failure to use BCC data breach.

We may not answer every question you have in this guide. Each claim is unique in some way. But we can still provide you with answers if you speak to one of our claim advisors. You can call us on 020 3870 4868 or request a call-back using our contact form. Our advisors can also help you to get a claim started as soon as possible. So don’t delay, call us today.


What Is A Failure To Use BCC Data Breach?

Is revealing my email address a breach of data security laws? It can be in certain circumstances. When UK data protection and privacy laws have been broken and this has led to personal information being breached then a data breach victim could be eligible to claim compensation. One way a data breach can happen via your email address is in a failure to use BCC.

Generally, when a mass email is sent to lots of people who are unaware of each other, the email address of recipients should be hidden from all other recipients by using the BCC box. However, mistakes can be made, such as using the CC box by mistake (more on this below).

Data breaches can happen for all different types of reasons. Not every data breach that occurs will mean those affected can make a data breach compensation claim. A successful data breach claim requires you to prove that your personal data was affected. You will also need to show a liable party. This means proving that those who should have been protecting your data failed to do so adequately. This failure will need to have caused you emotional harm and/or financial costs.

What Is The Difference Between CC and BCC?

If you are unsure of how an email system works, you might not understand the difference between CC and BCC. So we have explained them below.

  • Carbon Copy (CC) – Email addresses added to the CC box will show to all recipients of the email. The CC box is used when you want everyone to know that other people have copies of the email, and when everyone to whom the email was sent is allowed access to everyone else’s email address.
  • Blind Carbon Copy (BCC) – Email addresses added to the BCC box are not visible to any recipients. The BCC box is used when sending mass emails. It protects every recipient from their email address being shared with everyone else. When BCC is not used appropriately, it could result in a data breach.

When To Use Blind Carbon Copy

What happens if you forget to BCC? Every email address the email is sent to is visible to all other recipients. If you accidentally didn’t use BCC, you may have exposed personal data and caused a data breach. Generally, you should always use BCC when mass emailing people outside of your organisation.

Is Sharing An Email Address A Breach Of GDPR Under UK Law?

An email address is considered personal data because it could be used to identify a person. Therefore sharing an email address is a breach of the GDPR under UK legislation if the sharing does not meet one of the lawful bases of processing.


  • Consent: If it is shared in a way that the person did not consent to
  • Contract: If the sharing was not necessary to fulfil a contract you had with the person
  • Legal obligation: If the sharing was not necessary to comply with the law
  • Vital interest: If the sharing was not done to save someone’s life
  • Public task: If the sharing was not in the public’s interest
  • Legitimate interests: If you cannot present legitimate reasons for the sharing of a person’s personal data.

Sharing an email address without permission in the UK could lead to a data breach claim.

If your email address was shared unlawfully, please reach out to an adviser now to discuss if you are eligible to claim.

How Could Organisations Reduce The Risk Of Email Data Breaches?

A lack of awareness is one reason why a failure to use BCC data breach can happen. Staff should be trained in what data privacy laws require from them. Some examples are shown below.

  • Foster a corporate culture that places data privacy at the fore.
  • Ensure staff receive updated training when data privacy laws change.
  • Make individuals responsible for ensuring they approach data privacy correctly.

What To Do If Impacted By A CC Instead Of BCC Mistake Under UK GDPR?

In the UK, the Data Protection Act 2018 and the UK General Data Protection Regulation (UK GDPR) protect personal data. Under this legislation, unless there is a lawful basis for doing so, sharing emails without permission could be considered a personal data breach. This is because an email address is considered to be personal data.

You may wonder what you could do after a data breach caused by a CC instead of BCC mistake. The GDPR, under UK legislation, allows you to claim compensation should this occur. However, you must be able to prove that:

  • The breach occurred as a result of wrongful conduct.
  • It affected your personal data.
  • You suffered financial or emotional harm.

There are other steps you may wish to take as well. Some of these could help support a data breach claim. You could:

  • Contact the organisation that you suspect breached your personal data. They may confirm that your personal data was breached with a letter of notification. An organisation must inform you of a breach of your personal data without undue delay if it presents a risk to your rights and freedoms. 
  • Report the breach to the ICO. As part of its role in protecting data rights, the ICO can investigate certain data breaches and issue fines. However, they cannot pay compensation. If you decide to report to the ICO, you must do so within three months of your last meaningful communication with the organisation. 
  • Gather any evidence relating to the harm you have suffered. For example, credit card and bank statements could help with proving your financial losses. A copy of your medical records could help with proving the psychological harm you have endured.

You can discuss your potential options following a breach of your personal data with one of our advisors using the contact details at the top of the screen.

Calculating Damages For A Failure To Use BCC Data Breach

We cannot provide you with an overall average for failure to use BCC data breach compensation, because all claims are different. There was a case in the Court of Appeal in 2015, Vidal-Hall and others v Google Inc. This case set the precedent for claiming only non-material damages for a data breach.

We used the guidelines that are followed by the legal system to create the example data breach compensation table below. These guidelines are produced by the Judicial College. It should be noted that the top row is not from the JCG. We’ve included it to show you how you could be compensated for severe psychological harm, such as anxiety after a data breach and your financial losses.

| Psychological Injury | Information | How Bad? | Damages |
|---|---|---|---|
| Severe psychological harm and economic losses | The claimant could receive a payout for both a very severe psychological injury and any resulting financial losses, such as harm caused by a damaged credit score. | Very Severe | Up to £250,000+ |
| Psychological Injuries | People with severe mental illnesses have difficulties with their work, home lives, and education, for example. Their chances of recovering are slim. | Severe | £54,830 to £115,730 |
| Psychological Injuries | Work, relationships, and other activities may be challenging for the sufferer. | Moderately Severe | £19,070 to £54,830 |
| Psychological Injuries | The chances of such a person making a full recovery are high, despite their mental health concerns initially. | Moderate | £5,860 to £19,070 |
| Psychological Injuries | A patient in this category will receive compensation depending on how much and how long he or she suffered from the mental injury. | Less Severe | £1,540 to £5,860 |
| PTSD (Post Traumatic Stress Disorder) | Individuals suffering from PTSD will be severely affected by the disorder and will not be able to function normally. | Severe | £59,860 to £100,670 |
| PTSD (Post Traumatic Stress Disorder) | The impact of PTSD on an individual’s life may be significant, but they have a good likelihood of some recovery. | Moderately Severe | £23,150 to £59,860 |
| PTSD (Post Traumatic Stress Disorder) | Since the patient has almost entirely recovered, residual symptoms will not cause significant disability. | Moderate | £8,180 to £23,150 |
| PTSD (Post Traumatic Stress Disorder) | In this category the claimant should be recovered from any PTSD symptoms in 2 years. | Less Severe | £3,950 to £8,180 |

The table only covers non-material damages for the harm you suffered mentally, such as stress caused by a data breach. You may have also lost out monetarily due to the data breach. You would try to claim material damages to recoup such losses.

You will need to submit documented evidence of losses in order to be able to try and claim for them. Additionally, you can claim for past losses or future predicted losses. Please talk to one of our claim advisors for more help with this.

Begin Your Failure To Use BCC Data Breach Claim Today

If you have valid grounds to make a failure to use BCC data breach claim, then our advisors could connect you with a No Win No Fee solicitor on our panel.

The solicitors on our panel can support your personal data breach claim under a Conditional Fee Agreement (CFA). If you claim under such a No Win No Fee agreement, you won’t need to pay your solicitor for their work before your claim begins or while it’s being processed. You also won’t need to pay your solicitor for their services if the claim fails.

If you win your claim, then your solicitor will take a success fee. This means that they will take a small and legally capped percentage of the compensation awarded for your case.

To learn more about working with a No Win No Fee solicitor, contact our advisors today. They can provide free advice about your case and the steps to making a data breach claim. You can get in touch by:

Learn More About Breaches Of The UK GDPR

More links for you to check out.

Here are other guides you might like to read.

  • Information about lost devices and how to claim compensation if your personal data is breached in this way.
  • Guidance on how to claim compensation for personal data breached via stolen paperwork and what sensitive data paperwork may contain.
  • An article for members of the armed forces who suffered harm due to an army personal data breach.