Disclosure of Recipients in Copy Field of Email
Sending an email to a list of recipients using the "To" or "Cc" field instead of "Bcc"
Scenario
A company sends an email announcement to its entire client or subscriber list but mistakenly addresses it with the "To" or carbon copy ("Cc") field instead of the blind carbon copy ("Bcc") field. As a result, every recipient can see the email addresses of all other subscribers, and learns that each of them has a relationship with the company. This is a privacy breach: personal information has been disclosed to third parties without authorization.
Privacy Law Violations
1. Unauthorized Disclosure of Personal Information
General Data Protection Regulation (GDPR) (EU)
Article 5(1)(a): Personal data must be processed lawfully, fairly, and transparently. This includes having a legitimate basis for the processing.
Article 6(1): Data controllers must have a lawful basis for processing personal data, such as the data subject's consent, the performance of a contract, or compliance with a legal obligation. Disclosing subscribers' addresses to one another has no such basis.
Article 5(1)(f): Data must be processed in a manner that ensures its security, including protection against unauthorized disclosure.
UK GDPR
Similar provisions to the EU GDPR under Articles 5(1)(a), 5(1)(f), and 6(1), retained in UK law after Brexit.
Personal Information Protection and Electronic Documents Act (PIPEDA) (Canada)
Principle 3 (Consent): Organizations must obtain an individual’s knowledge and consent for the collection, use, or disclosure of personal information, except where inappropriate.
California Consumer Privacy Act (CCPA) (US)
Section 1798.100(b) (the notice-at-collection requirement): Businesses must inform consumers, at or before the point of collection, of the categories of personal information collected and the purposes for which they will be used, and may not use that information for additional, undisclosed purposes. Exposing a subscriber's address to other subscribers is not a purpose the consumer was told about when signing up.
2. Failure to Implement Adequate Technical Safeguards
GDPR (EU)
Article 32(1) requires controllers and processors to implement appropriate measures ensuring a level of security appropriate to the risk.
PIPEDA (Canada)
Principle 7 (Safeguards) mandates protection against unauthorized disclosure using suitable security measures.
CCPA (US)
California Civil Code Section 1798.81.5 requires businesses to implement and maintain reasonable security procedures and practices to protect consumers' personal information; the CCPA's private right of action (Section 1798.150) applies to breaches that result from a failure to meet this duty.
3. Unfair and Deceptive Practices
Federal Trade Commission Act (US)
Section 5(a) (15 U.S.C. § 45(a)) prohibits unfair or deceptive acts, including misleading privacy policies that do not align with actual data handling practices.
GDPR (EU)
Article 12 requires transparency in communications related to data processing.
Example:
Eli Lilly Case: In June 2001, Eli Lilly sent an email to the 669 subscribers of its Prozac reminder service with every subscriber's address visible in the recipient field. The disclosure revealed sensitive health-related information, namely that each recipient was a user of the service. Lilly's privacy policy claimed that the company protected the privacy and confidentiality of the personal information it collected. The FTC found this claim deceptive because Lilly had failed to maintain or implement internal measures appropriate under the circumstances to protect sensitive information; the representation in the privacy policy was therefore false or misleading. This constituted unfair or deceptive acts or practices in or affecting commerce in violation of Section 5(a) of the Federal Trade Commission Act, and the matter was resolved by a 2002 consent order.
Key Takeaways
Do not publish privacy policies that overstate the protections you actually have in place.
Create written internal policies and manuals on how to properly use email, including when "Bcc" or a dedicated bulk-mailing tool must be used instead of "To" or "Cc". Regularly train employees.
Implement technical and organizational measures to secure personal data, for example an outbound mail rule that blocks or quarantines messages with an unusually large number of visible ("To"/"Cc") recipients, or a mailing-list or bulk-mail system that addresses each recipient individually.
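The outbound-mail control described in the last takeaway can be implemented as a simple check on the message before it leaves. The following Python script is an added example, not part of the original article or any vendor's product: it counts the recipients that every reader will be able to see (the "To" and "Cc" headers), flags a message that exceeds a threshold, and optionally rewrites it so the addresses move into "Bcc". The threshold of 10 visible recipients and the sample message are constructed for illustration; where such a guard is hooked in (a milter, a mail-gateway rule, the sending script) depends on the mail setup.

```python
"""Outbound-mail guard against mass disclosure of recipient addresses.

Added example, not code from the original article. Assumes the guard sees
the raw RFC 5322 message before it is handed to the MTA. The threshold and
the sample message below are constructed for illustration.
"""
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed policy threshold: more visible recipients than this is flagged.
MAX_VISIBLE_RECIPIENTS = 10

# Constructed sample: a "To"/"Cc" announcement to 12 subscribers.
SAMPLE_MESSAGE = """\
From: news@example.com
To: client01@example.org, client02@example.org, client03@example.org
Cc: client04@example.org, client05@example.org, client06@example.org,
 client07@example.org, client08@example.org, client09@example.org,
 client10@example.org, client11@example.org, client12@example.org
Subject: Service announcement
Content-Type: text/plain; charset="utf-8"

Hello, this announcement goes to all subscribers.
"""


def _addresses(msg: EmailMessage, header: str) -> list[str]:
    """Return the bare addresses found in every instance of `header`."""
    raw_values = [str(h) for h in msg.get_all(header, [])]
    return [addr for _, addr in getaddresses(raw_values) if addr]


def visible_recipients(msg: EmailMessage) -> list[str]:
    """Addresses that every recipient will see: To and Cc, but not Bcc."""
    seen = _addresses(msg, "To") + _addresses(msg, "Cc")
    return list(dict.fromkeys(seen))  # de-duplicate, keep order


def check_message(raw: str, limit: int = MAX_VISIBLE_RECIPIENTS) -> dict:
    """Report how many recipients are exposed and whether that breaks policy."""
    msg = message_from_string(raw, policy=policy.default)
    visible = visible_recipients(msg)
    return {"visible_count": len(visible), "violates": len(visible) > limit}


def fix_message(raw: str, sender_as_to: str) -> str:
    """Rewrite the message so recipients cannot see each other.

    All To/Cc/Bcc addresses are moved into a single Bcc header and the
    visible To field is set to the sender's own address. smtplib's
    send_message() strips the Bcc header and uses it only for the envelope.
    """
    msg = message_from_string(raw, policy=policy.default)
    hidden = list(dict.fromkeys(visible_recipients(msg) + _addresses(msg, "Bcc")))
    for header in ("To", "Cc", "Bcc"):
        del msg[header]  # no error if the header is absent
    msg["To"] = sender_as_to
    msg["Bcc"] = ", ".join(hidden)
    return msg.as_string()


if __name__ == "__main__":
    report = check_message(SAMPLE_MESSAGE)
    print("before:", report)
    fixed = fix_message(SAMPLE_MESSAGE, "news@example.com")
    print("after: ", check_message(fixed))
```

In a gateway deployment the `violates` result would drive a block or quarantine action rather than an automatic rewrite, since silently changing a message can hide a process problem that training should address; the rewrite is shown to make the Bcc mechanics concrete.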