BCC is hard, OK? Quite a lot of orgs blurted your email addresses in GDPR mailouts

Amid the chaos of new European data protection rules coming into force at the end of last week, organisations are apparently struggling to grasp even the most basic of technical challenges, sending out non-blinded emails to their users.

Topping the irony charts is ad-blocker Ghostery, which sent users an email with more than 500 addresses in the "To" field, the text of which assured them that the biz was on top of the General Data Protection Regulation and had put stringent measures in place to protect their data.

"We at Ghostery hold ourselves to a high standard when it comes to users' privacy," stated the mass email – sent to El Reg by a reader who described the company "a shower of pillocks".

HELL YES @Ghostery JUST SENT ME A GDPR EMAIL WITH FIVE HUNDRED EMAIL ADDRESSES CC'ED ON IT!! THANKS GHOSTERY!!!! pic.twitter.com/y0Xas28wd1

— Linguica (@andrewrstine) May 25, 2018

Other users seized the opportunity to offer their services, with one Reg reader suggesting that, as a bus driver, they might be better suited to a role at the biz.

"If a bus driver knows to avoid CC and use BCC instead while you don't, I would respectfully suggest that you are in the wrong job," the user said in an email addressed to Ghostery. "May I suggest you resign immediately and that Ghostery should raise their standards by employing former bus drivers in future?"

The company has since apologised for the error, saying that it had recently stopped using a third-party email automation platform and was managing emails in its own system in a bid to be more secure.

“Unfortunately, due to a technical issue between us and the email sending tool we chose, the GDPR email, which was supposed to be a single email to each recipient was instead sent to a batch of users,” it said.

"We are horrified and embarrassed that this happened, and are doing our best to make sure it never happens again."

Seriously, though, those fields are close together

But Ghostery wasn't the only company foiled by the most basic of technical issues when trying to brag about their newfound interest in data protection.

Nutrition biz Vitl – which pushes "tailor-made" diet and liefstyle plans – also experienced a technical hitch, sending out an email to multiple users rather than BCCing them.

Oh dear @VITLhealth cares about our privacy, yet doesn't seem to mind giving everyone's email address out to complete strangers- awkward #oops #gdpr #gdprfail pic.twitter.com/KLUY62nzrN

— Ash Stronge (@ashstronge) May 24, 2018

The firm apologised to the "small number" of affected users, although it tried to do so without trumpeting it – an idea that infuriated users, with one posting the apology note in full:

Well nothing that couldn’t have been said openly on Twitter. “Small number” is a cop out, I’ve seen a few people mentioning it on Twitter, and no matter how small, it is serious! And what point is there in me contacting them, the damage has been done. pic.twitter.com/9eY43Rh1m5

— Chris Kyle (@ChrisPKyle) May 24, 2018

Elsewhere, users have reported GDPR email fails from MPs, university computing clubs, restaurants, shops, writers' groups and local councils, including Hastings Borough Council.

Received a GDPR email from my old university computing society. They didn't BCC people when sending it out or send it as individual emails. Received 1000 ex/current member emails. #ffs #gdpr #amateurhour

— Mike P (@mike_palfrey) May 24, 2018

One of our suppliers just sent us an email, addressed to all of their customers, about GDPR. They forgot to BCC all 720 email addresses. pic.twitter.com/xnQYsmW2c8

— Pete (@Kibbled) May 23, 2018

Although some decided not to name and shame the smaller firms that had made the error – the bigger organisations didn’t get off so lightly.

That includes the New York Times, which – according to multiple Twitter users – accidentally cc'd a number of freelancers and vendors into its GDPR notice, unleashing upon the unwitting recipients a flurry of reply-all emails to add to the existing pile of GDPR missives.

However, showing that there's nearly always a silver lining if you look hard enough, some saw this sort of mistake as a possible networking opportunity.

Vendor, not customers. Essentially all the freelancers. The list is now organizing drinks in some cities. 😀 I still haven’t replied all. I should, right? Right? https://t.co/pxHOQhfc39

— zeynep tufekci (@zeynep) May 26, 2018

The foul-ups follow a series of US websites – including newspapers owned by Tronc – shutting down services for EU users on Friday, in an attempt to dodge the much-publicised – and overblown – megabucks fines touted by many ahead of the enforcement date. ®