Articles

Can the ‘soft’ opt-in for charities deliver hard results? What charities need to know

23 Jun 2025 | 3 minute read

What is soft opt-in?

Soft opt-in is a limited exception to the general rule that you need explicit consent to send e-marketing (i.e., marketing emails and texts). It allows businesses (but currently not charities) to send e-marketing to individuals that it has a pre-existing relationship with without explicit consent, provided certain conditions are met.

What is changing?

The Data (Use and Access) Act 2025 ("DUAA") (formerly the Data (Use and Access) Bill) amends the rules governing direct e-marketing under the Privacy and Electronic Communications Regulations 2003 ("PECR"). This extends the ability to rely on soft opt-in to the charity sector.

The ICO has confirmed that the changes under the DUAA will be phased in between June 2025 and June 2026.

What are the benefits for charities?

It is anticipated that the ability to rely on soft opt-in will help charities increase donations by making it easier for them to connect with, and engage, supporters who have previously interacted with them, e.g., when signing up for volunteering opportunities or events.

The Data and Marketing Association, which has been advocating for the expansion of the soft opt-in to charities, estimates that this change could lead to an additional £290 million in donations per year.

What conditions must be met to rely on the soft opt-in?

This change does not give charities the ability to send e-marketing to any and all individuals.

There are very specific requirements that a charity must comply with in order to rely on the soft opt-in.

Under the DUAA (which, as above, amends PECR), a charity may send direct e-marketing to an individual where:

the sole purpose of the direct marketing is to further one or more of the charity's charitable purposes

the charity obtained the contact details of the recipient in the course of the recipient expressing an interest in, or offering or providing support to further one or more of the charity's charitable purposes

the recipient was given a simple means of opting out of direct marketing by the charity, at the time that the details were initially collected, and, where the recipient did not initially refuse the use of their details, at the time of each subsequent communication (e.g., by way of an unsubscribe option)

In addition to the requirements under PECR, charities will also need to consider their obligations under the UK GDPR, e.g. in relation to transparency and the lawful basis for processing contact details for marketing purposes.

Please see our "Practical tips" section below for information on how charities can meet the above requirements in practice.

Scope of the soft opt-in requirements

It is not currently clear how some of the soft opt-in requirements (set out in the DUAA) will be interpreted by the ICO (e.g., we do not know how widely or narrowly "charitable purposes" is going to be interpreted. Will a charity have to demonstrate what its charitable purposes are?) and what approach it will take to enforcement (presumably unless there is flagrant disregard for the rules we will see it trying to educate charities as it has done with businesses).

The ICO is currently in the process of updating its guidance on direct marketing and PECR to include the amendments from the DUAA and this is due for publication in winter 2025/2026. This updated guidance will hopefully confirm the scope of the relevant requirements set out in the DUAA. In the meantime, we recommend that charities "play it safe" when interpreting these requirements since, as below, the consequences of getting it wrong may be significant.

What are the consequences of getting it wrong?

Charities should note that the DUAA increases the maximum fine for non-compliance with PECR from the current £500,000 to £17.5 million or 4% of global annual turnover, whichever is higher. As such, the consequences of getting it wrong may be significant and it is important charities put in place robust processes to ensure their marketing strategies are in line with the legislation.

Practical tips

If you are considering making changes to your marketing strategies to rely on the soft opt-in exemption, we recommend you take into account the following practical tips:

Charities will need to keep a record of the individuals who have opted in to receiving e-marketing on the basis of the consent model and those individuals whose data is being processed on the basis of the soft opt-in exemption.

Charities should carefully consider whether it is appropriate to rely on the soft opt-in to send e-marketing communications to individuals who are deemed to be “vulnerable”. The ICO has specifically stated that, “it may not be appropriate to rely on the soft opt-in, for example where someone accesses an organisation’s crisis service and subsequently sending them direct marketing mail could result in harm.”

Charities should carefully consider the purpose of the proposed e-marketing. As above, in order to rely on the soft opt-in, the sole purpose of the marketing must be to further one or more of the charity’s charitable purposes. This means that charities could not, for example, rely on the soft opt-in to advertise a third-party’s unrelated products.

Charities will be relying on legitimate interests (rather than consent) as their lawful bases for processing under the UK GDPR when sending e-marketing on the basis of soft opt-in. When relying on legitimate interests, it is best practice to conduct a legitimate interest assessment which considers the purpose of such processing, its necessity and how the charity balances the aims of the marketing campaign against individuals’ personal rights to privacy. This will be particularly important where, for example, the recipients may be vulnerable or negatively affected by receiving direct marketing.

In order to comply with the transparency obligations under the UK GDPR, a charity must review and amend their privacy policies to reflect any reliance on soft opt as part of its marketing practices.