Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If you run a small business, email is probably one of your main tools for staying in touch with customers, clients, suppliers and your wider network.
But there’s a common “simple” email feature that can quietly create legal risk: using BCC in business emails.
When you use BCC properly, it can help you protect people’s privacy and keep communications tidy. When you use it carelessly, it can lead to accidental disclosure of personal information, complaints, reputational damage, and (in serious cases) regulatory consequences under the Privacy Act 2020.
Note: This article provides general information only and doesn’t constitute legal advice. If you want advice for your specific situation, it’s best to get tailored guidance.
Below, we’ll break down how BCC works, what the Privacy Act 2020 expects from your business, and the practical steps you can put in place so you’re protected from day one.
What Does BCC Mean In Business Emails (And Why It Matters)?
BCC stands for blind carbon copy. Recipients in the BCC field receive the email, but their addresses are removed from the message before it is delivered, so neither the “To”/“CC” recipients nor the other BCC recipients can see them. Each BCC recipient sees only the addresses in the “To” and “CC” fields.
This sounds privacy-friendly (and often it is), but it’s important to understand what BCC does and doesn’t do:
- BCC hides recipients from each other in that email thread.
- BCC does not stop forwarding - a recipient can still forward your email to others.
- BCC does not stop replies - a recipient can still reply to you. Because a BCC recipient only sees the “To” and “CC” fields, a “reply all” from them goes to you and to anyone visible in those fields, not to the other BCC recipients, which is where confusion about who is “in the conversation” starts.
- BCC does not erase your responsibility to keep personal information safe and only disclose it where permitted.
In other words, BCC can be part of good privacy practice, but it isn’t a complete privacy strategy on its own.
How The Privacy Act 2020 Applies To BCC In Business Emails
The Privacy Act 2020 applies to most New Zealand businesses because you’ll usually be handling personal information in some form - even if it’s just names, phone numbers, email addresses, delivery addresses, or appointment details.
An email address is often personal information because it can identify an individual (directly or indirectly). That means when you’re emailing a group, you’re potentially handling and disclosing personal information.
Under the Privacy Act 2020, businesses are expected to follow the Information Privacy Principles (IPPs). You don’t need to memorise them, but you do need to understand the practical outcome:
- Collect and use personal information for a proper business purpose (and don’t collect more than you need).
- Tell people what you’re doing with their information in a clear and transparent way.
- Keep personal information secure (this includes how you handle emails and mailing lists).
- Only disclose personal information where the Privacy Act permits it (for example, for the purpose it was collected, where the individual has authorised it, or where an exception under IPP11 applies).
A helpful way to think about BCC is this:
If you accidentally put all recipients in the “To” or “CC” fields, you may be disclosing each recipient’s email address to every other recipient.
If that disclosure wasn’t expected or permitted, you may have created a privacy issue - even if it was a genuine mistake.
Because privacy compliance is largely about systems and “reasonable steps”, it’s worth making sure your business has a clear approach to group emails and mailing lists (not just individual staff habits).
Many businesses support this transparency with a clear Privacy Policy that explains what personal information they collect, how they use it, and how people can get in touch if they have concerns.
When Is BCC Appropriate In Business Emails (And When Should You Avoid It)?
BCC can be appropriate, and sometimes it’s the safest option - but it depends on why you’re emailing and what recipients would reasonably expect.
Common Situations Where BCC Is Usually Appropriate
- Sending a one-off update to multiple customers (e.g. a service interruption notice), where recipients don’t know each other and don’t need to be introduced.
- Sending an event reminder where attendees haven’t consented to have their details shared with other attendees.
- Supplier or contractor announcements where recipients are not part of the same organisation.
- Responding to multiple enquiries where you’re not trying to “group” the people together, just delivering the same information.
In these cases, using BCC can help you avoid unnecessary disclosure of email addresses.
Situations Where BCC Can Still Be Risky
Even if you use BCC, you can still create problems in these scenarios:
- Workplace emails about staff issues (performance, complaints, medical information, investigations). These often involve sensitive personal information and should be handled through more controlled channels.
- Customer disputes or complaints, where people’s identities, purchase history, or allegations could be exposed if the email gets forwarded.
- Emails that invite replies (“Reply to confirm your attendance”), because recipients may assume they’re in a group conversation and respond inappropriately.
- Marketing blasts sent through normal email, where unsubscribe and consent management becomes messy.
If you’re doing regular marketing emails, it’s smart to step back and make sure you’re also meeting your obligations under New Zealand’s anti-spam rules, including the Unsolicited Electronic Messages Act 2007. A practical starting point is understanding email marketing laws and aligning your internal process with those requirements.
When You Should Not Use BCC
Some emails simply shouldn’t be sent as a BCC group email at all. For example:
- Anything involving sensitive personal information (health information, financial hardship, disciplinary matters, or allegations).
- Anything that could reasonably cause harm or distress if it’s forwarded or mishandled.
- Anything that needs careful access control, such as a document that should only be seen by specific recipients.
If you’re communicating with staff about internal matters, you’ll often want a clear workplace privacy approach (including rules for email use and handling personal info). Many businesses document these rules in an Acceptable Use Policy and/or an Employee Privacy Handbook so everyone knows what “good practice” looks like.
What Counts As A Privacy Breach When Using BCC (And What Are The Consequences)?
A privacy breach is not limited to hacking or ransomware. A privacy breach can be as simple as sending an email to the wrong group or exposing email addresses by using CC instead of BCC.
Common BCC-Related Privacy Mistakes We See
- Using CC instead of BCC when emailing a customer list (everyone can see everyone else’s email address).
- Autofill errors (typing “jo” and selecting the wrong “John/Joanna” contact).
- Attaching the wrong document (e.g. an invoice or spreadsheet with personal details).
- Forwarding an email chain that contains hidden personal details in the thread.
- Copying a list from a spreadsheet that includes more data than intended.
Why Email Address Disclosure Can Be Serious
It’s tempting to think, “It’s just an email address.” But disclosure can still matter because:
- It can identify a person and link them to your business (e.g. as a customer, patient, member, or client).
- It may expose someone’s personal circumstances (for example, if the email relates to debt collection, counselling services, or medical appointments).
- It can lead to follow-on harm (spam, phishing, embarrassment, complaints, or loss of trust).
What Can Happen If You Get It Wrong?
Consequences will depend on the facts, but risks can include:
- Customer complaints (including to the Office of the Privacy Commissioner).
- Reputational damage (particularly if customers feel you’re careless with their information).
- Operational disruption while you investigate, notify affected people, and fix systems.
- Regulatory escalation in serious cases, including compliance steps you may be asked to take.
Where a breach creates (or is likely to create) serious harm, your business may have obligations around notification. Having a plan ready is one of the easiest ways to reduce the stress of an incident - many businesses formalise this in a Data Breach Response Plan and (where needed) a Data Breach Notification process.
A Practical Checklist For Using BCC In Business Emails Safely
If you want to keep using BCC in business emails (without constantly worrying you’ll slip up), the key is to make your approach consistent and repeatable.
Here’s a practical checklist you can apply in your business.
1) Decide Whether You Should Be Using Email At All
Ask yourself:
- Is this a one-off operational update (BCC might be fine)?
- Is this marketing (you may need a proper marketing system and opt-out process)?
- Does this contain sensitive information (use a more secure channel)?
Sometimes the best privacy move is choosing a different tool (for example, a secure client portal for documents rather than attachments).
2) Use BCC For Recipients, And Put Your Business Email In “To”
A simple habit that reduces mistakes is:
- Put your own business email address in the “To” field (or a generic address like accounts@ / info@).
- Put all external recipients in the BCC field.
This avoids the awkward situation where the “To” field is blank (which can make recipients suspicious, and can count against you with some spam filters) and reduces the chance you’ll accidentally reveal a list by using CC.
3) Keep Distribution Lists Tight And Up To Date
If you maintain a spreadsheet or contact list, make sure:
- You know where it came from (how the addresses were collected).
- You can explain why you’re emailing those people (what purpose).
- You remove outdated contacts where appropriate.
- You store the list securely and limit staff access.
If your business grows, it’s worth documenting who can access lists and what they can be used for (especially if you have staff turnover).
4) Add A Short Privacy Line In The Email (Where It Makes Sense)
You don’t need a long legal disclaimer on every email, but for group emails it can be helpful to include a simple line like:
- “You’re receiving this email because you’re a customer of [Business Name]. We’ve sent this as a BCC to protect recipients’ privacy.”
- “If you’d prefer not to receive these updates, reply to let us know.”
The right wording depends on what you’re sending and whether it’s operational vs marketing. The key is: be transparent and give people a clear way to contact you.
5) Double-Check Before You Hit Send
This is basic, but it’s where most of the mistakes listed above happen. Build a “pause point” into your process:
- Check you used BCC (not CC).
- Check attachments are correct and necessary.
- Check you’re emailing the right group.
- Check the subject line doesn’t reveal private details.
If your team sends bulk emails frequently, consider a two-step approval workflow for higher-risk communications.
6) Train Staff And Set Clear Policies
For small businesses, privacy issues often come down to “everyone does it their own way.” That’s risky.
Consider setting a simple internal rule like:
- “If an email goes to more than X external recipients, it must be sent using BCC or an approved mailing tool.”
- “Customer lists must not be exported to personal devices.”
- “Sensitive personal information must not be emailed unless encrypted or sent via an approved secure system.”
Documenting these expectations can also help if a privacy complaint is raised, because you can show you took reasonable steps to prevent issues.
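If you send group emails from a script or an internal tool rather than by hand, the rules in steps 2, 5 and 6 can be checked automatically before anything leaves your system. The Python example below is an added illustration written for this page, not Sprintlaw’s code or a product recommendation. It lints a draft message for external addresses sitting in “To”/“CC”, a blank “To” field, telling subject lines and spreadsheet attachments, and it also shows the earlier point about “reply all”: once the Bcc header is stripped for delivery, a reply-all from a recipient reaches only you and anyone visible in “To”/“CC”. The business domain example.co.nz, the recipient threshold, the list of subject words, the attachment types and the sample customer addresses are all assumptions made up for the example.

```python
import copy
from email.message import EmailMessage
from email.utils import getaddresses

# Assumptions for this example (not from the article): the business domain,
# the "more than X external recipients" threshold from step 6, the subject
# words step 5 asks you to keep out of subject lines, and the file types that
# deserve a second look when attached to a group email.
OWN_DOMAIN = "example.co.nz"
MAX_EXTERNAL_VISIBLE = 1
SENSITIVE_TERMS = ("invoice", "overdue", "debt", "medical", "complaint", "disciplinary")
RISKY_ATTACHMENT_SUFFIXES = (".csv", ".xlsx", ".xls")


def _addresses(msg: EmailMessage, header: str) -> list[str]:
    """Every address in a header, lower-cased, with display names dropped."""
    return [addr.lower() for _, addr in getaddresses(msg.get_all(header, [])) if addr]


def _is_external(addr: str) -> bool:
    return not addr.endswith("@" + OWN_DOMAIN)


def check_group_email(msg: EmailMessage) -> list[str]:
    """Pre-send check. Returns the problems to fix; an empty list means the
    draft follows steps 2, 5 and 6 of the checklist."""
    problems: list[str] = []
    to, cc, bcc = (_addresses(msg, h) for h in ("To", "Cc", "Bcc"))

    # Step 6: external recipients must not be visible to each other in To/Cc.
    visible_external = [a for a in to + cc if _is_external(a)]
    if len(visible_external) > MAX_EXTERNAL_VISIBLE:
        problems.append(f"{len(visible_external)} external addresses visible in To/Cc; move them to Bcc")

    # Step 2: when Bcc is used, To should hold your own business address and nothing external.
    if bcc:
        if not to:
            problems.append("To is empty; put your own business address in To")
        elif any(_is_external(a) for a in to):
            problems.append("To holds an external address alongside Bcc recipients")

    # Step 5: the subject line must not reveal private details about the recipients.
    subject = str(msg["Subject"] or "").lower()
    hits = [t for t in SENSITIVE_TERMS if t in subject]
    if hits:
        problems.append(f"subject mentions {hits}; reword it so it reveals nothing about recipients")

    # Step 5: attachments must be correct and necessary; a spreadsheet on a group
    # email is the classic "wrong file" or "more data than intended" slip.
    if len(to + cc + bcc) > 1:
        for part in msg.iter_attachments():
            name = (part.get_filename() or "").lower()
            if name.endswith(RISKY_ATTACHMENT_SUFFIXES):
                problems.append(f"attachment {name!r} is a spreadsheet/CSV on a group email; confirm it holds no personal data")

    return problems


def as_delivered(msg: EmailMessage) -> EmailMessage:
    """What a recipient actually receives: the sending server drops the Bcc header
    (smtplib.SMTP.send_message does the same), so Bcc addresses reach no inbox."""
    delivered = copy.deepcopy(msg)
    del delivered["Bcc"]
    del delivered["Resent-Bcc"]
    return delivered


def reply_all_targets(delivered: EmailMessage) -> set[str]:
    """Where a 'reply all' from a recipient goes: the sender plus everyone visible in To/Cc."""
    return set(_addresses(delivered, "From") + _addresses(delivered, "To") + _addresses(delivered, "Cc"))


def cc_mistake() -> EmailMessage:
    """Constructed sample: customer list pasted into Cc, a telling subject, a spreadsheet attached."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.co.nz"
    msg["Cc"] = "ana@customer-a.nz, ben@customer-b.nz, cara@customer-c.nz"
    msg["Subject"] = "Overdue invoice reminder"
    msg.set_content("Hi all, a reminder that your invoice is overdue.")
    msg.add_attachment(b"name,email,balance\n", maintype="text", subtype="csv", filename="customers.csv")
    return msg


def bcc_correct() -> EmailMessage:
    """Constructed sample: the same audience, sent the way the checklist recommends."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.co.nz"
    msg["To"] = "accounts@example.co.nz"
    msg["Bcc"] = "ana@customer-a.nz, ben@customer-b.nz, cara@customer-c.nz"
    msg["Subject"] = "Service update from Example Ltd"
    msg.set_content("Hi, a short update about our opening hours next week.")
    return msg


if __name__ == "__main__":
    for label, sample in (("cc_mistake", cc_mistake()), ("bcc_correct", bcc_correct())):
        print(label, "->", check_group_email(sample) or "OK to send")
        print("  reply-all would reach:", sorted(reply_all_targets(as_delivered(sample))))
```

One caveat for anyone wiring this into a sending script: `smtplib.SMTP.send_message()` removes the Bcc header from the copy it transmits, but the lower-level `sendmail()` sends exactly the bytes you hand it, so if you build and send the message yourself you must strip Bcc before it leaves your system or the whole hidden list travels in the header to every recipient.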
Do You Need Anything Else Besides BCC To Stay Compliant?
BCC is only one small part of privacy compliance. If you want to be confident you’re not missing something, it helps to look at the bigger picture of how your business collects, stores, uses and shares personal information.
Your Privacy Documents Matter
Depending on your business, you may benefit from having (at minimum):
- A clear Privacy Policy (especially if you collect personal information through a website, online forms, or subscriptions).
- Workplace privacy rules (particularly if staff handle customer data or sensitive information), often supported by an Employee Privacy Handbook.
- An internal Acceptable Use Policy covering devices, email accounts, access control, and safe handling of information.
- A Data Breach Response Plan, so you’re not scrambling if something goes wrong.
These documents don’t just “tick a box”. They help you run a more organised business, reduce confusion across your team, and build trust with customers.
Use The Right Tool For The Right Message
If you’re doing frequent newsletters, promotions, or customer updates, you’ll often be better off using a proper marketing platform that:
- manages consent and unsubscribe requests properly
- reduces the chance of “reply all” confusion
- logs delivery and opt-outs in one place
- prevents manual copy/paste errors
And remember: compliance is rarely just about privacy. If your email is marketing, you should also align with anti-spam requirements (including the Unsolicited Electronic Messages Act 2007), which is why understanding email marketing laws is so important.
Key Takeaways
- BCC can be a smart way to protect recipients’ privacy, but it’s not a complete privacy strategy on its own.
- Under the Privacy Act 2020, an email address is often personal information, so accidentally disclosing it (for example by using CC instead of BCC) may create a privacy issue.
- BCC is generally appropriate for one-off operational updates where recipients don’t need to know each other, but it may be inappropriate for sensitive matters or communications that invite replies.
- Reducing privacy risk is largely about repeatable systems: standard sending practices, double-check steps, access controls, and team training.
- Having the right privacy framework in place (like a Privacy Policy, internal staff guidance, and a breach response plan) can help your business show it took reasonable steps to protect personal information.
- If you’re sending marketing emails, make sure your approach also aligns with consent and unsubscribe requirements under New Zealand’s anti-spam rules, including the Unsolicited Electronic Messages Act 2007.
If you’d like help putting practical privacy protections in place (including policies, staff guidelines, and advice tailored to your business), you can reach us at 0800 002 184 or team@sprintlaw.co.nz for a free, no-obligations chat.