The ICO published its final guidance on the charitable purposes soft opt-in on 27 April 2026. This guide reflects that. The Privacy and Electronic Communications Regulations (PECR) sit alongside UK GDPR and set the rules for direct marketing by email, text, and social media direct message. If your organisation sends marketing messages electronically, these rules apply to you. The good news? They’re not as complicated as they look and the latest changes are genuinely positive for the sector. Here’s what you need to know. Why this moment matters The charitable purposes soft opt-in came into force on 5 February 2026 as part of the Data (Use and Access) Act 2025. Most charities sensibly held off using it while the ICO finalised the detail. That detail is now published. The sector-wide potential is significant, with estimates that the new rules could unlock around £290 million in additional annual donations. The principle is straightforward: many well-intentioned supporters never tick a consent box when they give, and charities have historically lost contact with them as a result. The new rules close that gap. Emily Keaney, Deputy Commissioner for Regulatory Policy at the ICO, noted that charities are being given more opportunities to connect with their supporters, build meaningful relationships, and promote their work. The Fundraising Regulator has welcomed the guidance too, with Chief Executive Gerald Oppenheim highlighting that it provides valuable clarity for charities about how they may legally use the new provision. Who does this apply to? PECR applies to anyone who sends or instigates electronic marketing. If you’re asking another organisation to send emails on your behalf, you’re the instigator and you’re still responsible for compliance. The organisation sending the messages is too. Both parties are on the hook. Using a bulk email platform like Mailchimp or Dotdigital doesn’t make the platform responsible. You remain accountable. If you’re working with a third-party sender, make sure you have a written contract setting out their responsibilities and do your due diligence before you sign anything. The basic rule: consent or soft opt-in For unsolicited emails, texts, or social media DMs to individual subscribers (which includes sole traders), you need either: Valid consent, or To meet the requirements of a soft opt-in For corporate subscribers (companies and most other organisations), you can send unsolicited marketing without consent. But you must always identify yourself clearly and include an opt-out option, regardless of who you’re contacting. What counts as valid consent? Consent means someone has actively agreed to receive your marketing. Under PECR, it follows the UK GDPR standard. To be valid, consent must be: Freely given: no bundling it into terms and conditions, and no making it a condition of accessing your services Specific and informed: it should name your organisation and cover the exact type of message you’re planning to send (email, text, etc.) Unambiguous: no pre-ticked boxes, no silence, no inactivity treated as agreement Active: the person must do something to opt in Good example: ☐ I’d like to receive email updates about your work and events. Not good enough: By submitting this form, you agree to receive our emails. Consent must be specific to each channel. If you want to send both emails and texts, ask separately for each. Keep records: who consented, when, and how. The soft opt-ins: a lifeline for charities Soft opt-ins allow you to send unsolicited marketing to individual subscribers without explicit consent, in limited circumstances. There are two: The products and services soft opt-in: available to all organisations, including charities The charitable purposes soft opt-in: available to charities only (in force since February 2026) The shift from the old world to the new is subtle but significant. Instead of asking supporters to opt in to hear from you, you can now contact them by default — so long as you’re transparent and give them a clear, easy way to opt out. Products and services soft opt-in You can use this if all of the following apply: You collected the contact details directly from the person (no bought-in lists) You did so while selling or negotiating to sell a product or service You’re only marketing your own similar products and services You gave them a clear opportunity to opt out at the point of collection You include an opt-out option in every subsequent message What counts as “negotiating a sale”? The person doesn’t need to have bought anything. Submitting an enquiry, requesting a quote, or signing up for a free trial all count. Simply browsing your website does not. What’s a “similar” product or service? Think about what the person would reasonably expect. If someone bought a ticket to your charity’s garden tour, they’d probably expect emails about future events — but not about something completely unrelated. Important for charities: This soft opt-in does not cover fundraising appeals, donation requests, or volunteering asks — even to existing supporters. For those, use the charitable purposes soft opt-in. Your gift shop newsletter and your fundraising appeal are now formally separate, and they need to go out as separate communications. Example: Your charity runs an online shop selling ethically sourced gifts. A customer buys a product and gives you their email address. You give them a clear, prominent opt-out option. They don’t tick it. You can now email them about similar products — but not to ask them to donate or volunteer. Charitable purposes soft opt-in This is the big one for most charities. It lets you send marketing to further your charitable purposes (without consent) if all of the following apply: You’re a registered charity under UK law (England, Scotland, or Northern Ireland) You collected the contact details directly from the person They expressed an interest in (or offered or provided support for) your charitable purposes at the time The sole purpose of your marketing is to further your charitable purposes You gave them a clear opportunity to opt out at the point of collection You include an opt-out option in every subsequent message This soft opt-in only applies to contact details collected on or after 5 February 2026. What counts as “expressing an interest or providing support”? The ICO has taken a usefully broad view here. It includes people who: Donated money or goods Volunteered their time Signed up to receive your newsletter or campaign updates Registered on your website Requested information about your charitable work Attended or registered for a fundraising event Someone doesn’t need to be a traditional supporter. People who access your services (e.g. clients of an advice line, families using a hospice, beneficiaries of a food bank) may also fall within “expressing an interest,” depending on the context. If your charity works at the intersection of service delivery and support, it’s worth thinking this through carefully (and that’s exactly where the vulnerable persons considerations below become relevant). It does not include someone who simply used your Wi-Fi, visited your café, or made an incidental purchase without any meaningful engagement with your mission. Yes: Someone donates through your website. They provide their email address and are given a clear chance to opt out of future emails about your work. They don’t opt out. No: Someone buys a coffee from your charity café and gives their email for a digital receipt. That’s a transactional interaction with no signal of interest in your charitable purposes. What can you send under this soft opt-in? You can use it to send messages that further your charitable purposes, including: Fundraising appeals and donation requests Requests for donated goods (clothes, food, etc.) Volunteer recruitment Event invitations Campaign updates and petitions Impact reports and programme updates What you can’t send Products or merchandise: even if every penny goes back to the charity, these sit under the commercial soft opt-in or need explicit consent Mixed content: a fundraising appeal under the charitable purposes soft opt-in cannot also include a promotion for your Christmas card range; they must go out as separate communications Promotions for other organisations: including partner charities or your own trading subsidiary; each entity needs its own lawful basis Messages to contacts collected by someone else: details must be collected directly by your charity. There is genuine uncertainty in the sector about details collected via professional fundraisers or third-party donation platforms. The ICO is clear that there is no such thing as a “soft opt-in compliant” third-party list. If you use external donation platforms, this is worth examining carefully. A note on vulnerable people If someone gave you their details while accessing a crisis service, sending them a fundraising ask later could cause real harm. The ICO is explicit on this. Review your Vulnerable Persons policy alongside this work to make sure people in sensitive situations aren’t being over-marketed or pressured. Using both soft opt-ins together If you’re a charity, you may be able to use both soft opt-ins at the same time. For example, where someone both bought something from your shop and donated to your cause. If so, offer separate opt-out boxes for each when collecting contact details, and give people the chance to opt out of each type of marketing individually in every subsequent message. Keep clear records of which soft opt-in applies to which person. A simple preference flag in your CRM will do the job. What about your existing database? Your existing database is still your existing database. If you’ve been relying on consent for years, those records remain valid and you can keep emailing those supporters under that lawful basis. The soft opt-in is an additional tool for new contacts going forward, not a replacement for what you’ve already built. You cannot apply the soft opt-in retrospectively. It doesn’t cover: Anyone whose details were collected before 5 February 2026 Anyone whose details you collected after 5 February 2026 but before you updated your forms with a compliant opt-out Existing consent-based supporters: keep them on consent; don’t try to migrate them across Mixing lawful bases on the same record is a recipe for database pain and potential compliance gaps. Consent supporters stay on consent; new contacts from properly updated forms can go on soft opt-in. Bought-in lists If you’re considering buying, renting, or licensing a marketing list, the people on it must have explicitly consented to receive marketing from your organisation specifically, via the specific channel you plan to use. “Consent to hear from trusted partners” is not good enough. If the consent doesn’t name you, it’s not valid. Soft opt-ins do not apply to bought-in lists. Publicly available contact details Finding someone’s email address on their website or LinkedIn profile doesn’t mean they’ve consented to your marketing. Publicly available doesn’t mean freely usable. The same consent rules apply. Refer-a-friend schemes If you encourage supporters to forward your marketing to friends and family, you’re likely instigating those messages, which means PECR applies to you. Soft opt-ins won’t work here. You’d need valid consent from the recipients, which is rarely practical to obtain. You can run referral schemes without instigating, as long as you don’t actively encourage people to send emails or texts. Explain the scheme and let supporters decide if and how they share it. Opt-outs and withdrawing consent People can change their mind at any time. If someone withdraws consent or opts out, you must stop sending them marketing immediately. Make it easy: Include a clear unsubscribe link in every email Include a STOP code in every marketing text Don’t ask people to log in or create an account to opt out Don’t charge for opting out Add anyone who unsubscribes to a suppression list and check it before every send. The Fundraising Preference Service and anyone’s right to object also still apply. If a supporter unsubscribes, they’re unsubscribed, regardless of which lawful basis you were using. Your practical to-do list Here’s what to do in the next few weeks. Some of this is straightforward; some will need a proper conversation with your data and development team. Update your privacy notice: Your privacy notice needs to clearly explain that you may use contact details for direct marketing under the charitable purposes soft opt-in, and that people can opt out at any time. If your policy hasn’t been touched in a couple of years, this is the moment. Carry out a Legitimate Interests Assessment (LIA): The soft opt-in is a PECR exemption from consent, but it doesn’t replace the need for a UK GDPR lawful basis for processing personal data. In practice, that’s almost always legitimate interests — which means documenting an LIA. This is a written record of: the legitimate interest you’re pursuing, why the processing is necessary, and how you’ve balanced that against the rights and expectations of your supporters. It doesn’t need to be a 20-page policy, but it does need to exist. Audit every form on your website: Every donation form, newsletter sign-up, event registration, volunteer enquiry, and petition needs: A clear opt-out option at the point of collection Plain-English wording explaining what you’ll send and why A genuine, easy way to unsubscribe Restructure your contact lists: Your CRM or email platform now needs to handle at least three separate audiences: People who’ve given explicit consent for marketing People you’ll contact under the charitable purposes soft opt-in (collected after 5 February 2026) People you contact under the commercial soft opt-in, for trading or merchandise Review your supporter journey copy: The opt-out must appear at the point of collection — not in a confirmation email, not in the welcome series. Rewrite confirmation pages and thank-you messages to set expectations clearly. “We’ll keep you updated about our work and how you can support us. You can unsubscribe at any time” is the kind of plain, confident wording that works. Train your team Anyone who handles supporter queries needs to know what’s changed. The ICO specifically recommends training staff on how to respond to questions and complaints about marketing communications. Note the June 2026 deadline By 19 June 2026, all organisations — charities included — must have a documented process for handling data protection complaints. If you don’t have one yet, now is a good time to write it. Don’t forget the Code of Fundraising Practice The soft opt-in doesn’t override the Fundraising Regulator’s Code. Rule 8.4.4 requires charities to balance the need to communicate with not bombarding people. Just because you can email someone doesn’t mean you should do it every week. A quick checklist before every send [ ] Do I have valid consent, or does a soft opt-in apply? [ ] Did I collect the contact details directly from this person? [ ] Did I offer a clear opt-out at the point of collection? [ ] Am I only sending marketing permitted under the basis I’m using? [ ] Is this email purely fundraising/mission-related, or does it mix in commercial content? (If the latter, split it.) [ ] Does every message include a clear, simple way to opt out? [ ] Have I checked against my suppression list? Frequently asked questions Does the soft opt-in apply to email only? No. It covers email, SMS (text messages), and social media direct messages. Postal marketing isn’t covered here, but charities can already send marketing by post under legitimate interests. Can we pre-tick marketing consent boxes now? No. Pre-ticked boxes are still not allowed under UK GDPR. The shift is away from consent entirely, you’re now offering an opt-out, not relying on an opt-in. Can we use this for our existing database? No. The soft opt-in only applies to contact details collected on or after 5 February 2026. Existing contacts must still be managed under their original lawful basis. What if someone’s details were collected via a third-party donation platform? This is a genuinely uncertain area. The ICO’s position is that contact details must be collected directly by your charity. If details passed through a third-party platform, you may not be able to rely on the soft opt-in for those contacts. Take advice if this affects a significant portion of your database. Is SMS treated the same as email? Legally, yes. In practice, be more cautious: SMS is more immediate and can feel more intrusive, so frequency and relevance matter even more than with email. Does this replace consent entirely? No. Consent is still valid and useful. The soft opt-in is an additional option for new contacts going forward, it doesn’t replace your existing consent-based marketing. Can someone opt out at any time? Yes. And if they do, you must stop marketing to them, regardless of whether you were relying on consent or soft opt-in. This guide is intended as a plain-language overview of the PECR electronic mail marketing rules, incorporating ICO guidance published on 27 April 2026. It is not legal advice. For the full regulatory text, refer to the ICO’s official guidance at ico.org.uk.
Subscribe Keep updated with our latest news, trends and case studies. Email(Required) CommentsThis field is for validation purposes and should be left unchanged.
