Soft Opt-In for Charities: Preparing for Low-Risk Direct Marketing Changes

The UK’s Data (Use and Access) Act, which received Royal Assent on 19 June 2025, introduces a significant change for charities engaging in direct marketing. Once the relevant provisions commence, charities will be able to send direct marketing via electronic mail (including emails, texts, and social media messages) to individuals who have previously expressed interest in or supported their organisation – without needing prior consent.

This new ‘soft opt-in’ option will only apply to electronic communications, not telephone marketing, and it will rely on the ‘legitimate interests’ lawful basis under the UK GDPR. The UK GDPR Article 21 Right to Object still exists, and this change does not affect this right for Data Subjects.

What are the Key Changes for Charities?

  • Direct marketing without prior consent: Charities can contact future supporters unless they opt out.
  • Phased implementation: The soft opt-in cannot be used until the relevant part of the Act comes into effect, expected in the coming months.
  • Future-focused only: It will not apply retrospectively; charities must give individuals the chance to opt out when their data is first collected.
  • Increased fundraising potential: Supporter engagement could increase with simplified outreach, leading to more opportunities for donations.

What Practical Steps should Charities take?

Charities should begin preparing now, even before the provisions take effect. Recommended actions include:

1. Review donor communications policies to ensure future compliance.
2. Update email systems to include precise opt-out mechanisms in all communications.
3. Conduct a GDPR legitimate interest assessment to confirm the soft opt-in is appropriate.
4. Train staff, volunteers, and contractors on new procedures before the law comes into effect.
5. Stay informed via the Fundraising Regulator and ICO websites, as detailed guidance will be published in the coming months.

Example Scenario

A charity could use the soft opt-in to send email appeals to donors or supporters who have previously engaged with the organisation, provided they donated after the new law was enacted.

If the donor was informed about the option to opt out at the time of data collection and hasn’t opted out, the charity can continue to send them marketing messages.

What are the Consequences and Risks of Non-Compliance?

Section 64 of the Data (Use and Access) Act 2022, effective from 19 June 2025, raises the maximum fine for breaches of the Privacy and Electronic Communications Regulations (PECR) to match UK GDPR levels, up to £17.5 million, removing the previous assumption that PECR posed only limited financial risk. Between 2019 and 2025, 16 fines were issued for GDPR breaches compared with 119 for PECR infringements, highlighting both the high volume and the low cost of prosecuting PECR violations such as unsolicited marketing calls or texts. With the maximum fines now aligned, even routine PECR breaches carry financial exposure on par with GDPR. Data controllers in charities must therefore recognise that the legal threshold for severe sanctions has lowered significantly. The historic focus on GDPR compliance alone is no longer sufficient post-2025; PECR compliance must be treated with equal priority to avoid substantial financial and reputational harm.

Written by: Nigel Gooding, LLM Information Rights Law & Practice, FBCS, FEPRI, FCMI
