Failure To Use BCC Data Breach Compensation Claims

By Danielle Fletcher. Last Updated 6th October 2023. Is not using BCC a breach of UK GDPR? In some cases, yes it could be. A failure to use BCC could be caused by human error.

And when such an error results in your personal data, which is protected by law, being exposed, it could be possible to claim compensation for a failure to use BCC data breach.

We may not answer every question you have in this guide. Each claim is unique in some way. But we can still provide you with answers if you speak to one of our claim advisors. You can call us on 020 3870 4868 or request a call-back using our contact form. Our advisors can also help you to get a claim started as soon as possible. So don’t delay, call us today.


What Is A Failure To Use BCC Data Breach?

Is revealing my email address a breach of data security laws? It can be in certain circumstances. When UK data protection and privacy laws have been broken and this has led to personal information being breached then a data breach victim could be eligible to claim compensation. One way a data breach can happen via your email address is in a failure to use BCC.

Generally, when a mass email is sent to lots of people who are unaware of each other, the email address of recipients should be hidden from all other recipients by using the BCC box. However, mistakes can be made, such as using the CC box by mistake (more on this below).

Data breaches can happen for many different reasons. Not every data breach that occurs will mean those affected can make a data breach compensation claim. A successful data breach claim requires you to prove that your personal data was affected. It must also show a liable party. This means proving that those who should have been protecting your data failed to do it adequately. This will need to have caused you emotional harm and/or financial costs.

How Common Are Email Data Breaches?

According to statistics provided by the ICO from the first financial quarter of 2019/20 to the third financial quarter of 2021/22, there were 4,138 incidents reported to the ICO where personal data had been emailed to the incorrect recipient.

The UK Government has provided data from a survey that sampled 1,244 businesses. It estimates how long ago, as of 2022, firms last created, updated, or reviewed their cyber security policies or documentation.

  • In the last 3 months – 25%
  • 3 to under 6 months ago – 19%
  • 6 to under 12 months ago – 29%
  • 12 to under 24 months ago – 14%
  • 24 months ago or earlier – 8%

Data Privacy Laws

We have several sets of laws in the UK that pertain to data privacy and security. This includes the Data Protection Act 2018 (DPA). Also, there is the UK version of the General Data Protection Regulation (UK GDPR). It is these laws that a data breach solicitor will leverage to proceed with a claim.

There is a governing body, the Information Commissioner’s Office (ICO), that polices these laws. It is also the ICO you would report a data breach to.

What Is The Difference Between CC and BCC?

If you are unsure of how an email system works, you might not understand the difference between CC and BCC. So we have explained them below.

  • Carbon Copy (CC) – Email addresses added to the CC box will show to all recipients of the email. The CC box is used when you want everyone to know that other people have copies of the email, and when everyone to whom the email was sent is allowed access to everyone else’s email address.
  • Blind Carbon Copy (BCC) – Email addresses added to the BCC box are not visible to any recipients. The BCC box is used when sending mass emails. It protects every recipient from their email address being shared with everyone else. When BCC is not used appropriately, it could result in a data breach.

When To Use Blind Carbon Copy

What happens if you forget to BCC? Every email address the email is sent to is visible to all other recipients. If you accidentally didn’t use BCC, you may have exposed personal data and caused a data breach. Generally, you should always use BCC when mass emailing people outside of your organisation.

Is Sharing An Email Address A Breach Of GDPR Under UK Law?

An email address is considered personal data because it could be used to identify a person. Therefore sharing an email address is a breach of the GDPR under UK legislation if the sharing does not meet one of the lawful bases of processing.


  • Consent: If it is shared in a way that the person did not consent to
  • Contract: If the sharing was not necessary to fulfil a contract you had with the person
  • Legal obligation: If the sharing was not necessary to comply with the law
  • Vital interest: If the sharing was not done to save someone’s life
  • Public task: If the sharing was not in the public’s interest
  • Legitimate interests: If you cannot present legitimate reasons for the sharing of a person’s personal data.

Sharing an email address without permission in the UK could lead to a data breach claim.

If your email address was shared unlawfully, please reach out to an adviser now to discuss if you are eligible to claim.

How Could Organisations Reduce The Risk Of Email Data Breaches?

A lack of awareness is one reason why a failure to use BCC data breach can happen. Staff should be trained in what data privacy laws require from them. Some examples are shown below.

  • Foster a corporate culture that places data privacy at the fore.
  • Ensure staff receive updated training when data privacy laws change.
  • Make individuals responsible for ensuring they approach data privacy correctly.

What To Do If Impacted By A CC Instead Of BCC Mistake Under UK GDPR?

In the UK, the Data Protection Act 2018 and the UK General Data Protection Regulation (UK GDPR) protect personal data. Under this legislation, unless there is a lawful basis for doing so, sharing emails without permission could be considered a personal data breach. This is because an email address is considered to be personal data.

You may wonder what you could do after a data breach caused by a CC instead of BCC mistake. The GDPR, under UK legislation, allows you to claim compensation should this occur. However, you must be able to prove that:

  • The breach occurred as a result of wrongful conduct.
  • It affected your personal data.
  • You suffered financial or emotional harm.

There are other steps you may wish to take as well. Some of these could help support a data breach claim. You could:

  • Contact the organisation that you suspect breached your personal data. They may confirm that your personal data was breached with a letter of notification. An organisation must inform you of a breach of your personal data without undue delay if it presents a risk to your rights and freedoms. 
  • Report the breach to the ICO. As part of its role in protecting data rights, the ICO can investigate certain data breaches and issue fines. However, they cannot pay compensation. If you decide to report to the ICO, you must do so within three months of your last meaningful communication with the organisation. 
  • Gather any evidence relating to the harm you have suffered. For example, credit card and bank statements could help with proving your financial losses. A copy of your medical records could help with proving the psychological harm you have endured.

You can discuss your potential options following a breach of your personal data with one of our advisors using the contact details at the top of the screen.

Calculating Damages For A Failure To Use BCC Data Breach

We cannot provide you with an overall average for failure to use BCC data breach compensation, because all claims are different. There was a case in the Court of Appeal in 2015, Vidal-Hall and others v Google Inc. This case set the precedent for claiming only non-material damages for a data breach.

We used the guidelines that are followed by the legal system to create the example data breach compensation table below. These guidelines are produced by the Judicial College.

| Psychological Injury | Information | How Bad? | Damages |
|---|---|---|---|
| Psychological Injuries | People with severe mental illnesses have difficulties with their work, home lives, and education, for example. Their chances of recovering are slim. | Severe | £54,830 to £115,730 |
| Psychological Injuries | Work, relationships, and other activities may be challenging for the sufferer. | Moderately Severe | £19,070 to £54,830 |
| Psychological Injuries | The chances of such a person making a full recovery are high, despite their mental health concerns initially. | Moderate | £5,860 to £19,070 |
| Psychological Injuries | A patient in this category will receive compensation depending on how much and how long he or she suffered from the mental injury. | Less Severe | £1,540 to £5,860 |
| PTSD (Post Traumatic Stress Disorder) | Individuals suffering from PTSD will be severely affected by the disorder and will not be able to function normally. | Severe | £59,860 to £100,670 |
| PTSD (Post Traumatic Stress Disorder) | The impact of PTSD on an individual's life may be significant, but they have a good likelihood of some recovery. | Moderately Severe | £23,150 to £59,860 |
| PTSD (Post Traumatic Stress Disorder) | Since the patient has almost entirely recovered, residual symptoms will not cause significant disability. | Moderate | £8,180 to £23,150 |
| PTSD (Post Traumatic Stress Disorder) | In this category the claimant should be recovered from any PTSD symptoms in 2 years. | Less Severe | £3,950 to £8,180 |

The table only covers non-material damages for the harm you suffered mentally, such as stress caused by a data breach. You may also have lost out monetarily due to the data breach. You would try to claim material damages to recoup such losses.

You will need to submit documented evidence of losses in order to be able to try and claim for them. Additionally, you can claim for past losses or future predicted losses. Please talk to one of our claim advisors for more help with this.

Begin Your Failure To Use BCC Data Breach Claim Today

Did you know it is possible to make data breach claims using a No Win No Fee lawyer? The advantage here is that you are not expected to pay your lawyer a fee until the claim is complete. If the claim is won, your lawyer will expect to be paid a small, legally limited success fee. If the claim is a failure, you don’t pay your lawyer a fee at all.

You might have additional questions related to starting a claim or the claim process in general. Or you might find yourself in a position where you believe you are ready to start a claim for a failure to use BCC data breach. In either case, our team of expert claim advisors is here to help you. You can use the contact details below to get in touch.

You can call us on 020 3870 4868 or request a call-back using our contact form. Our advisors can also help you to get a claim started as soon as possible. So don’t delay, call us today.


Writer CE

Checked by IE.