Charity email marketing: What you need to know about new 'soft opt-in' changes

What is changing?

In January 2025, the Data & Marketing Association UK (DMA UK) announced that the government had accepted the inclusion of email marketing 'soft opt-in' for charities in the Data (Use and Access) Bill. This change, which could come into force as early as mid-2025, represents a significant shift in how charities can approach email marketing.

The amendment to the Privacy and Electronic Communications Regulations 2003 (PECR) will allow charities to email supporters based on legitimate interest rather than requiring explicit consent, bringing the third sector in line with high street retailers and e-commerce online businesses for the first time.

What is considered a 'soft opt-in'?

A soft opt-in allows charities to email existing supporters without explicit consent, provided they meet certain conditions. Essentially, if someone has already interacted with a charity - by donating, taking part in a challenge event, or engaging in other activities for example - the charity can email them about related topics, as long as it’s clear the supporter can opt-out at any time.

This approach is based on the charity having a "legitimate interest" to stay connected, rather than needing explicit permission. Commercial businesses have benefited from this more flexible rule for years, and now, thanks to the upcoming changes under PECR, charities will finally have the same opportunity.

Why is this significant for charities?

The change represents a potential opportunity for charities to:

• Reach more supporters through email marketing
• Create more consistent communication journeys
• Potentially increase fundraising revenue

The ICO's warning

While this change has been welcomed by many in the sector, the Information Commissioner's Office (ICO) has issued clear guidance that charities should “tread carefully” when implementing these new rules.

Information Commissioner John Edwards has stated that while he supports the soft opt-in extension "as it will help charities better communicate with people who support their purposes," he emphasised that "organisations will need to carefully assess their interests and balance them against the impact on individual rights and freedoms”, ensuring that charities follow UK GDPR obligations.

The ICO specifically warned that in some cases, it may not be appropriate to rely on the soft opt-in. For example, where someone accesses an organisation's crisis service, subsequently sending them direct marketing emails could result in harm and would therefore not be appropriate to rely on "legitimate interests" as a legal basis of communication.

Key considerations for your charity

Before implementing any changes to your email marketing strategy:

1. Conduct a Legitimate Interest Assessment (LIA)
   Clearly document your reasoning for using legitimate interest as the basis for emailing supporters, balancing your charity’s needs against supporter privacy.
   
   
2. Review your supporter data and collection methods
   Evaluate the quality and accuracy of your existing data to ensure it's suitable for legitimate interest-based email communication. As noted above, potentially not all of your contacts would be eligible for the soft opt-in. For example if you offer support or crisis services, it wouldn’t be appropriate to add them as marketable contacts to your email marketing lists.
   
   
3. Update your privacy policies
   Inform supporters clearly about how their data will be used under the new soft opt-in approach, ensuring transparency and maintaining trust. You may wish to supplement this with a quick announcement about why you’re considering the changes and some brief instructions to your audience on how to opt-out if they don’t wish to be included in the change.
   
   
4. Ensure content relevance
   Emails sent using soft opt-ins should always align with your supporters’ previous interactions or interests, maintaining the relevance they expect.
   
   
5. Plan carefully for implementation
   Develop a clear, step-by-step timeline for transitioning to soft opt-ins, allowing your team sufficient time for adjustments. Remember that even with the soft opt-in provision, all UK GDPR obligations still apply - you must respect individuals' rights to access, rectification, erasure and other data rights. It's particularly important to ensure your processes don't accidentally re-opt-in individuals who have previously opted out, as this would violate both PECR and GDPR requirements.
   
   Consider how you will introduce these new contacts to your email communications strategy. If you were to bulk send to all new contacts on a single day, you may see a significant spike in bounces, unsubscribes and spam complaints. This is definitely something you’ll want to avoid, as it can have a significant negative effect on your sender reputation and consequently, your deliverability.

Practical steps to prepare

Ahead of the potential changes, you can start preparing for the impact.

1. Audit your current supporter data
   Identify segments within your supporter database suitable for legitimate interest communications, clarifying who meets the new criteria.
   
2. Review and improve your opt-out processes
   Make opting out straightforward for supporters, reinforcing their control over communications.
   
3. Communicate changes internally
   Educate your teams about the upcoming changes, including their responsibilities under legitimate interest guidelines.
   
4. Seek expert guidance if required
   Consider external advice to ensure your approach complies with PECR and ICO guidance, minimising risk and maximising opportunities.

Latest update: February 2026 - Soft opt-in for charities is now in force

Since this article was first published, the Data (Use and Access) Act (DUAA) has formally entered into force. On 5 February 2026, most of the Act’s data protection provisions commenced, confirming that charities can now rely on a soft opt-in for email marketing under PECR, where the relevant conditions are met.

Based on our understanding of the legislation and the ICO’s published statements, this means charities may now email existing supporters about their own charitable purposes on the basis of legitimate interest, provided that supporters have previously expressed interest or support, communications are relevant and expected, a clear opt-out is included in every email, and all UK GDPR obligations continue to be met. The soft opt-in does not apply to third-party or co-branded marketing, where consent is still required.

The ICO has been clear that organisations should apply the soft opt-in cautiously, particularly where individuals may be vulnerable or where marketing communications could reasonably cause distress. In some contexts, explicit consent may still be the more appropriate lawful basis.

Alongside these changes, the ICO now has significantly enhanced enforcement powers under PECR, including the ability to issue fines of up to £17.5 million or 4% of global turnover. This increases the importance of careful decision-making, clear documentation (including Legitimate Interest Assessments), and robust opt-out processes.

This update is provided for general information only and does not constitute legal advice. Charities should seek independent legal advice to understand how the soft opt-in applies to their specific circumstances before making changes to their email marketing practices.

What might charities consider before relying on the soft opt-in?

Although the new provisions provide greater flexibility, charities should avoid treating the soft opt-in as a blanket permission to contact all historic supporters.

Before implementing a soft opt-in strategy, charities should consider:

1. Reviewing and segmenting supporter data to identify individuals who are most likely to reasonably expect communications, taking into account factors such as the nature of their relationship with the charity and how recently they engaged. For example, a donor is likely to be a more engaged prospect than someone who has not yet donated.
2. Conducting and documenting a Legitimate Interests Assessment (LIA) to demonstrate why the communications are necessary, proportionate and unlikely to override the rights and freedoms of recipients.
3. Developing a risk-based communications plan, with input from legal, compliance and governance teams where appropriate, rather than adopting a one-size-fits-all approach.
4. Starting with a limited pilot or phased rollout, focusing on lower-risk supporter groups and monitoring unsubscribe rates, complaints and engagement levels before expanding the programme.
5. Reviewing privacy notices, suppression lists and opt-out processes to ensure supporters receive clear information and can easily stop communications at any time.
6. Keeping records of decision-making and ongoing monitoring, particularly given the ICO's enhanced enforcement powers under PECR.