Business just emailed me their entire mailing list

[PickyEaters]

Isn't this a breach of data protection or something?

I received a marketing email from a local cafe/workspace. All the recipients (including me) are listed in the "To" field. I would say around 400 email addresses.

I'm annoyed as I'm now expecting a deluge of spam, phishing attempts etc. Should I complain to them, or just forget about it?

That's odd. I would email or call them directly.

I'd just e-mail them and tell them as they may be able to recall the e-mail. They should have used bcc. To be honest tge ICO wouldn't be interested in this sort of thing so I'd just let them know and then move on.

The police once did this to me - along with all the other witnesses to a widespread (but not particularly serious) crime

I'd certainly make them aware.

I would absolutely raise this. They need to report this to the ICO.

It's a mistake, a fairly rookie one but mistakes do happen.

I'd email them and make them aware. Sounds like someone either needs training or to be more careful in future.

Someone has fucked up here but I very much doubt it was intentional. Personally I'd forget it, if you raise the issue it may cost someone their job.

I’m a Data Protection Officer. Yes, my advice would be to raise it with the company, because there’s a possibility they can at least partially remediate the issue, by recalling the email for those who’ve yet to read it. It will also enable them to take steps to prevent a similar thing happening again if there is indeed a knowledge gap with the colleague who made the error. This wouldn’t necessarily be a reportable breach, because seeing someone else’s email address in isolation isn’t particularly sensitive/high risk information, particularly as the content of the email was presumably generic marketing. But the company still need to be aware in order to properly log and investigate it.

Yes, they need to be made aware of it and take steps to minimise the damage it may cause. At a minimum to advise people to be aware of the increased risk of phishing scams, to investigate what enabled the problem to occur and how they intend to ensure it doesn't happen again.

(Assuming you haven't agreed to some terms and conditions about sharing your email address of course.)

Our council did this with the emails of all those hosting Ukrainian guests under their council. I notified them. They basically didn't care and decided no harm was done so they wouldn't report themselves!

That was for about 800 people

Thanks all. I will let them kknow.

If you raise the issue then someone will hopefully get training and not make the same mistake again.

It's hardly a sackable offence, the risk of any actual impact is pretty low (how many people on an a cafe's mailing list are going to be scammers?*) but best to let them know so it doesn't happen again - the risks will get higher if it keeps on happening.

(*the biggest risk here is that someone local may now know your email address and you don't want them to)

It's a big GDPR no-no. I would complain.

I would certainly make them aware.

This should be covered in basic data protection training, so I'd be concerned about any other errors staff might be making in that respect.

I’ve had this happen as well - twice, with two different companies. Once, I was contacted by someone else in the list of addressees who was very upset about the lapse and wanted to get support to complain formally.

The second time, it was a company I’d done work for asking about financial arrangements and at least one addressee hit 'reply all' so I got a copy of their response. A serious no-no and I was very unimpressed. I emailed the company to remind them they had GDPR responsibilities…..they couldn’t have been less bothered. Quite alarming.

@TheSmallAssassin

’it’s hardly a sackable offence’

I think you’ll find it very much is. Ever heard of GDPR?

I had something similar from the marketing department of a hotel. I did let them know and they thanked me and told me that they would do more training regarding GDPR in the department. i seemed to have got a upgrade the next time I stayed there.

It's a mistake. They happen. I'm sure someone's mortified.

I don't think email addresses are particularly sensitive info on their own unless they're attached to other details about you.

We can froth or accept that a small business made a mistake and let them know without acting like an arse.

No one would be sacked for this. Its a minor breach with no sensitive data involved. It was just e-mail addresses.

I would emial and tell them there's probably an admin worker hiding in the toilets pooping themselves about it as we speak so be nice

Yes, but it isn't automatically gross misconduct! For any data breach you'd be looking at impact, this is low impact so the most appropriate action would be training. No need to be so trigger happy.

As a small business owner I'm relieved, I live in fear of accidentally doing this!

I did this a few years ago, shortly after the GR PR rules came into affect - it was an accident but I was mortified & hauled over the coals by my boss. She contacted ICO but no further action was needed.
We then moved all our email marketing comma to MailChimp (other email providers available!) go avoid this happening in future.

Grrr GDPR & comms!
Oh for an edit button!!!

It's a data breach and yes it is a big deal!