The Data Use and Access Act 2025 (DUA) is a new Act of the Parliament implemented to promote innovation and economic growth and make compliance easier for organisations, whilst it still protects people and their rights.
It’s important to understand that the DUA doesn’t replace the UK GDPR or the Data Protection Act; rather, it amends certain areas to make them clearer and more practical, particularly for charities. One of the key changes that is helpful to charities is a new ‘soft opt-in’ for email marketing. This is a welcomed change, as this allows charities to now engage in fundraising and marketing without consent, when certain conditions are met (also referred to as soft opt-in).
Whilst we wait for further guidance from the ICO, here is our analysis of the soft opt-in and how it applies to charities.
What is Soft Opt-In?
Traditionally, the Privacy and Electronic Communications Regulation 2003 (PECR) has required organisations to obtain consent before sending direct marketing via electronic means like email or text.
The DUA introduces a ‘soft opt-in’ exception for charities in certain circumstances. This allows direct marketing communications to be sent without consent, provided specific conditions are met. This presents a major opportunity for charities to more efficiently engage their supporter base and expand their fundraising efforts.
When can charities use the soft opt-in?
There are clear conditions for when the soft opt-in can be appropriately relied upon.
- Firstly, the email must directly relate to furthering the charity’s charitable purposes. This means the message must clearly connect to your charity’s registered objectives, such as promoting health, providing education, or supporting those in need. For fundraising charities, this could involve promoting a fundraising walk for research or seeking donations to support an individual with a cause.
- Secondly, the person you wish to contact has either expressed interest in your charitable purposes (e.g., attended an event, signed up for updates) or provided support (e.g., donated, volunteered, signed a petition). For instance, a past online donor or someone who registered for a fundraising run could fit this criterion. It’s important to note that, as we understand it, this likely doesn’t apply if you’ve purchased data or acquired it from a third party.
- Finally, you must have offered a simple, free way to opt-out of marketing emails when the contact details were first collected and continue to offer this option with each subsequent communication. This could be an opt-out checkbox on a donation form or an unsubscribe link at the bottom of every email. The key is that the opt-out must be easy, accessible, and cost-free.
How can charities stay on the right side of the rules?
Before your organisation uses this soft opt-in feature, certain requirements need to be met. Having the right documentation is important, and with staying compliant in the evolving data landscape involves having good systems in place.
Rules for communications defined under the PECR would continue to apply when it concerns opting out of such communications.
Having updated documents reflecting your practice (including privacy notices, record of processing activities, legitimate interest assessments) is vital, and training your staff to understand the new legislation is extremely important to ensure compliance with the requirements of the legislation.
While understanding these changes can feel like a lot, you don’t have to go it alone. For more tailored guidance and to explore how these updates specifically impact your charity, we’re here to help. Please feel free to get in touch with Hope and May, at info@hope-may.com.
