Sophie Peach
- Solicitor
- Charities & Not-for-Profit
ICO publishes “soft opt in” guidance – so what should charities do now?
Following the introduction of the “charitable purposes soft opt‑in” earlier this year, the Information Commissioner’s Office (ICO) has now published final, practical guidance aimed specifically at charities that want to contact supporters by email, text and other direct messaging channels without having obtained prior consent. This is a significant development for the sector (and one the fundraising community has been watching closely) with predictions of a meaningful uplift in fundraising where charities can use the provision confidently and compliantly.
What has changed and why it matters?
The “charitable purposes soft opt‑in” came into force on 5 February 2026 as part of the Data (Use and Access) Act 2025, which amended the rules under the Privacy and Electronic Communications Regulations 2003 (PECR) for direct marketing by electronic mail. In broad terms, the change allows charities (where specific conditions are met) to send direct marketing by electronic mail without prior consent to individuals who have expressed an interest in, or offered to support, the charity’s purposes. The ICO’s guidance is designed to explain how to apply those conditions in practice, and where charities should not rely on the new route. The final guidance was published after a consultation that received more than 140 responses, and includes anonymised examples and additional clarification on areas that charities raised as difficult in practice, particularly direct collections and the role of third parties.
Key messages:
1.Not every interaction with a charity equals “support”
If someone buys something from a charity, that might indicate they’re backing the charitable cause – but sometimes it’s purely a straightforward transaction, with no reasonable basis for assuming that person wants to hear from the charity about fundraising or its wider work. In those cases, the ICO’s steer is that charities should not rely on the charitable soft opt‑in. For charities with trading activity (think shops or ticketed events) the practical takeaway is to draw sensible lines about which types of interactions count as genuine engagement with the charitable purpose, and to be ready to explain, at least internally, why a particular group is eligible to receive messages under the new provision. Strong signals for “support” may include donations, volunteering, signing up for updates about the cause, and requesting information about the charity’s work.
2. Charities remain on the hook for third‑party lists and instigators
The ICO has warned that there is “no such thing” as a soft opt‑in compliant third‑party marketing list for this purpose. So charities cannot assume they can rely on the charitable soft opt‑in if someone else collected the details for them – even where the third-party is another organisation within its wider group.
It is worth remembering that, under the ICO’s broader PECR guidance, responsibility does not just sit with whoever presses send. PECR can catch the organisation that instigates the marketing (for example, where an agency or partner is asked to send messages on the charity’s behalf). In those cases, both parties may bear responsibility and the ICO expects the charity to do some basic due diligence and have a written contract that clearly sets out who is doing what, especially where personal data is involved.
3. Make opt-out easy, and repeat it
Even where a charity can rely on the soft opt‑in, the ICO’s message is familiar: recipients must be given a clear opportunity to opt-out, and that opportunity should be provided in every subsequent communication. In reality, the challenge will typically be operational rather than legal – CRM and campaign tools should record which legal basis is being relied on for each contact, opt-outs should be actioned quickly across channels, and messaging templates should consistently include unsubscribe/STOP options to enable easy opt-out.
So what should charities do now?
- Identify which engagements show genuine “support” (vs purely transactional) before relying on charitable soft opt‑in.
- Separate contacts being messaged under charitable soft opt‑in vs other routes (such as consent), and make sure the CRM can evidence that split.
- Bake in opt‑outs everywhere, including a clear refusal at collection and an easy opt‑out in every subsequent message.
- Avoid third‑party lists and don’t assume group-sourced lists are soft opt-in compliant for this purpose.
- If anyone else sends on the charity’s behalf, remember PECR can treat the charity as an instigator too – so use written contracts and compliance checks.
In the ICO’s announcement of the guidance, it also reminded charities (separately from marketing rules) that by 19 June 2026 organisations must have a process in place for handling data protection complaints. This is not limited to marketing, but it is relevant to supporter communications and trust. See further details in our article here.
This article is for general information purposes only and does not constitute legal advice or a comprehensive statement of the law. Specific legal advice should always be sought in relation to individual circumstances.
Meet the team: