The charitable purpose soft opt-in: If you work in a charity, you’ve probably felt the tension.
You want to keep supporters informed. You also want to respect privacy and choice. Until recently, that balance often meant “consent or nothing” for many fundraising and supporter messages.
The ICO has now issued clear guidance on a new route: the charitable purposes soft opt-in. It gives charities more flexibility, but it comes with strict safeguards.
This post explains what changed, what you must include in your first message, and how to prepare for the new data protection complaints process that becomes a legal requirement on 19 June 2026.
What changed (in plain English)
From 5 February 2026, UK charities can send direct marketing by electronic mail (for example, emails, texts, and direct messages) to people who have shown genuine interest in, or offered support for, the charity’s purposes — without getting consent first.
This change came in via the Data (Use and Access) Act 2025, and the ICO has published final guidance to help charities apply it correctly.
Important: this is not a free pass. It is a controlled exemption with conditions.
“Soft opt-in” is not “do whatever you like”
A useful way to think about this is simple:
Soft opt-in is about trust, not shortcuts.
If you use it well, you reduce friction and keep supporters engaged.
If you use it badly, you create complaints, unsubscribes, and reputational harm.
That’s why the ICO’s emphasis is consistent: charities should understand the safeguards and use the option with confidence only when the conditions fit.
The charitable purposes soft opt-in: the core checklist
To rely on this route, you should design your process around these practical controls:
1) Only use it for charitable purposes
Your message must further your charity’s own charitable purposes.
Don’t stretch it into general commercial promotion or partner advertising.
2) You must get the contact details directly
The ICO’s guidance highlights risk around third-party collected details.
In particular, “third-party marketing lists” don’t magically become compliant. Treat third-party data as a separate compliance decision.
3) Give a clear opt-out at the point of data collection
When you collect the email address or mobile number, you must offer a simple way to say “no marketing”.
Do this in the moment, not buried in a policy.
4) Include an opt-out in every message
Every email, text, or DM must make opting out easy.
This is not optional. It is the safety valve that makes the approach workable.
5) Don’t apply it retrospectively
Only use this soft opt-in for contact details you collected on or after 5 February 2026.
If you collected the details before that date, use consent (or another appropriate route) instead.
What your first message should say (and why it matters)
Your first message sets the tone. It should feel like a respectful continuation of an existing relationship.
Aim to include four clear points:
- Who you are (your charity name and identity)
- Why you are contacting them (high-level is fine)
- How you got their details (again, high-level is fine)
- How to opt out (simple and immediate)
Here’s the thought-provoking bit:
If you feel awkward writing that first paragraph, your supporter might feel worse reading it.
That discomfort is a signal. Use it. Tighten your wording and improve transparency.
Practical steps you can take this week
You don’t need a huge project plan. You need clean, auditable controls.
Update your data capture points
Check the places where you collect details:
- donation forms
- newsletter sign-ups
- volunteering forms
- event registrations
Make sure the opt-out choice appears at collection.
Add a date rule in your CRM
Record the date you collected each contact detail.
Then segment: pre–5 Feb 2026 vs 5 Feb 2026 onwards.
Refresh your privacy notice
Make it easy for people to understand:
- what messages they might receive
- why you send them
- how to opt out
- how to complain
Consider a Legitimate Interests Assessment (LIA)
Many advisers recommend documenting an LIA to support this approach.
It helps you show that you balanced your needs with individuals’ rights.
The next change: data protection complaints (from 19 June 2026)
A second change matters just as much.
From 19 June 2026, organisations must provide a data protection complaints process. The ICO says there are no exemptions.
At a glance, you must:
- give people a way to complain to you
- acknowledge the complaint within 30 days
- investigate and respond without undue delay
- keep the person informed
- provide an outcome without undue delay
This also changes the journey for individuals.
People should raise the complaint with the organisation first. If they feel unhappy with the response, they can then escalate to the ICO.
Why these two changes belong in the same conversation
Here’s the reality:
Marketing complaints often become data protection complaints.
A supporter might say, “Stop emailing me.”
Then they might ask, “Where did you get my details?”
Then they might say, “I never agreed to this.”
If your controls are solid, you can respond calmly, quickly, and consistently.
If your controls are messy, you create risk.
So, treat soft opt-in readiness and complaints readiness as one joined-up improvement.
A simple “ready check” for charities
Use this as a quick internal sense-check:
- We can show which contacts qualify (post–5 Feb 2026).
- We collect details directly (or we can evidence our position).
- We offer opt-out at collection and in every message.
- Our first message explains who, why, source, and opt-out.
- We have a complaints route, ownership, and a 30-day acknowledgement step.
If any line feels uncertain, fix that line before you scale sending.
✅ Take Action Now
Contact Cyber & Data Protection today to discover how our tailored data protection solutions to help with polices/processes and extensive Managed Data Protection services can keep your business within compliance.
📧 Email: [email protected]
📞 Call: +44 1743 644404