This article is more than 1 year old

BCC is hard, OK? Quite a lot of orgs blurted your email addresses in GDPR mailouts

Ad blocker Ghostery, UK councils, vitamin sellers all in the blabtastic mix

Amid the chaos of new European data protection rules coming into force at the end of last week, organisations are apparently struggling to grasp even the most basic of technical challenges, sending out non-blinded emails to their users.

Topping the irony charts is ad-blocker Ghostery, which sent users an email with more than 500 addresses in the "To" field, the text of which assured them that the biz was on top of the General Data Protection Regulation and had put stringent measures in place to protect their data.

"We at Ghostery hold ourselves to a high standard when it comes to users' privacy," stated the mass email – sent to El Reg by a reader who described the company "a shower of pillocks".

Other users seized the opportunity to offer their services, with one Reg reader suggesting that, as a bus driver, they might be better suited to a role at the biz.

"If a bus driver knows to avoid CC and use BCC instead while you don't, I would respectfully suggest that you are in the wrong job," the user said in an email addressed to Ghostery. "May I suggest you resign immediately and that Ghostery should raise their standards by employing former bus drivers in future?"

The company has since apologised for the error, saying that it had recently stopped using a third-party email automation platform and was managing emails in its own system in a bid to be more secure.

“Unfortunately, due to a technical issue between us and the email sending tool we chose, the GDPR email, which was supposed to be a single email to each recipient was instead sent to a batch of users,” it said.

"We are horrified and embarrassed that this happened, and are doing our best to make sure it never happens again."

Seriously, though, those fields are close together

But Ghostery wasn't the only company foiled by the most basic of technical issues when trying to brag about their newfound interest in data protection.

Nutrition biz Vitl – which pushes "tailor-made" diet and liefstyle plans – also experienced a technical hitch, sending out an email to multiple users rather than BCCing them.

The firm apologised to the "small number" of affected users, although it tried to do so without trumpeting it – an idea that infuriated users, with one posting the apology note in full:

Elsewhere, users have reported GDPR email fails from MPs, university computing clubs, restaurants, shops, writers' groups and local councils, including Hastings Borough Council.

Although some decided not to name and shame the smaller firms that had made the error – the bigger organisations didn’t get off so lightly.

That includes the New York Times, which – according to multiple Twitter users – accidentally cc'd a number of freelancers and vendors into its GDPR notice, unleashing upon the unwitting recipients a flurry of reply-all emails to add to the existing pile of GDPR missives.

However, showing that there's nearly always a silver lining if you look hard enough, some saw this sort of mistake as a possible networking opportunity.

The foul-ups follow a series of US websites – including newspapers owned by Tronc – shutting down services for EU users on Friday, in an attempt to dodge the much-publicised – and overblown – megabucks fines touted by many ahead of the enforcement date. ®

More about

More about

More about


Send us news

Other stories you might like