Emotional Perception — how UK AI patents are now being assessed
We explain how AI patent applications are now being assessed and what this means for innovation and patent strategies.
Data (Use and Access) Act 2025 — how opt-in rules are changing for charities
AuthorsEleanore BeardEsme Steiger
5 min read
Data Protection, Technology, Media & Telecoms, Charities, Not-For-Profits & Social Enterprises
The Data (Use and Access) Act (DUA Act) is set to reshape how charities manage their marketing communications and uphold data protection standards. Designed to strengthen transparency and compliance, the DUA Act introduces opportunities for more meaningful engagement with supporters but also brings new challenges for organisations that rely on data-driven strategies.
Here, Eleanore Beard and Esme Steiger explore how charities will need to manage their marketing activities and supporter consent once the secondary legislation takes effect.
What are the proposed changes?
The DUA Act will amend the current rules for charities under the Privacy and Electronic Communications Regulations (PECR). The current rules allow an organisation to send marketing emails, texts and social media messages without explicit consent if the information was collected during a sale of goods or services or when someone has shown interest in a product. This is known as a ‘soft opt-in’.
Since charities don’t sell goods or services commercially, they have to rely on explicit consent from individuals. The proposed changes mean that this will no longer be the case, provided that certain conditions are met.
The three conditions are as follows:
- The sole purpose of the direct marketing must be to further one or more of the charity’s charitable purposes.
- The charity must have obtained the potential recipient’s contact details when the recipient either:
- Expressed an interest in one or more of the charity’s charitable purposes.
- Offered or provided support to further one or more of those purposes.
- The potential recipient must've been given the chance to opt out when their details were collected and must continue to be offered an easy opt-out option with every subsequent message.
The ability for charities to use the ‘charitable purpose soft-opt in’ will likely be in place by June 2026. These changes require further secondary legislation to bring them into effect, so charities mustn’t use this approach until then.
Why is this change important to charities?
The proposed changes will allow charities to expand their mailing lists, helping to boost the public’s engagement with their work. By broadening their reach, charities can promote fundraising events more effectively and encourage greater participation.
It’s also expected to reduce supporter drop-offs. Since individuals receiving marketing communications will already have expressed an interest in the charity, organisations will be able to maintain a connection with supporters to ensure that they can stay in touch with those who care about their cause.
Are there any other restrictions?
Charities only
The soft opt-in only applies to charities as defined by Section 1 of the Charities Act 2011. According to this Act, a UK charity is an organisation that operates solely for charitable purposes — such as helping people in need, advancing education, promoting health or protecting the environment — and provides a clear public benefit under charity law.
In addition, it can’t be set up to make private profit. Every charity must show that its efforts benefit the public rather than just a small group or individuals.
Charities are regulated by the Charity Commission which makes sure that they follow the rules, use funds appropriately and report on their activities.
Forward-looking
The proposed change won’t apply retrospectively, meaning that charities can’t use the charitable purpose soft opt-in to send electronic marketing to people whose contact details were collected before the provision comes into force.
Managing this change may be challenging as some contacts will be ‘processed’ lawfully on the basis of consent. For others, the legal basis for processing will be that the charity has a ‘legitimate interest’ — for example, sending direct marketing to seek funds from supporters.
To remain compliant and avoid confusion, charities should:
- Maintain accurate records that identify which legal basis applies to each contact.
- Demonstrate compliance by keeping those records up to date.
- Retain an audit history of consents and opt-outs to ensure accountability.
What should charities do to prepare?
There are a number of steps you can take to get ready and stay compliant:
- Identify all contact points where individuals may express interest in or offer support to your charity.
- Update your privacy policy to reflect the upcoming legal changes, clearly stating the legal basis for using personal data for direct marketing and specifying the types of communications that supporters will receive.
- Create new opt-out statements to add to your website and all emails sent out to supporters.
- Conduct a legitimate interest assessment (LIA) to ensure that the interest in processing data is balanced against individuals’ rights and freedoms.
- Plan and deliver training for relevant staff and volunteers on how to apply the charitable purposes soft opt-in effectively.
ICO consultation
The Information Commissioner’s Office (ICO) has commenced a consultation seeking feedback on its proposed approach to the charitable purpose soft opt-in that will inform updates to the relevant sections of its existing guidance. The consultation is open until 27 November 2025 for charities and other interested parties to provide responses, with full details available on the ICO’s consultation page.
Talk to us
Our data protection specialists and charities, not-for-profits & social enterprises team bring practical and sector‑specific expertise to help organisations to stay compliant.
Together, they can:
- Clarify whether your organisation is a charity.
- Review your privacy policy to ensure that it’s GDPR-compliant and aligned with the DUA Act.
- Review your opt-in and out-out messages across your website and emails.
- Carry out an LIA.
- Provide support with policy review and training for staff and volunteers
- Advise on implementing compliant consent mechanisms and updating privacy frameworks.
Talk to us by giving us a call on 0333 004 4488, sending us an email at hello@brabners.com or completing our contact form below.
Eleanore Beard
Eleanore is a Legal Director and Data Protection Practitioner in our commercial team.
Read more
Talk to us
Loading form...
Related insights
Deepfakes & AI fraud — the new digital battlefield for retailers
We explore why retailers are particularly affected by deepfakes and the implications around data protection, IP, advertising compliance and more.
Implementing AI at work — your legal obligations
We explore how AI is transforming data protection, the risks that organisations now face and what effective compliance looks like today.
Key takeaways from the Future of Tech conference 2026 — AI, sustainability & responsible innovation
We break down the key insights from each panel, exploring AI's real-world impact and why it’s crucial to balance innovation with long‑term sustainability.
AI in elite sport — key legal considerations around ‘performance enhancing technology’
AI is enhancing performance and even scouting future talent in elite sport. Sports technology and data are key to success, but come with legal risks.
The rise of sustainable tech — opportunities, challenges & the role of AI
We discuss the key opportunities and considerations shaping the future of sustainable AI and quantum‑powered technology.
Reddit’s £14.47m ICO fine — what UK businesses need to do as child protection enforcement ramps up
We break down what the ICO found and outline three key steps that UK businesses should take now.
The UK’s path to 2030 — clean energy in an era of tech acceleration & infrastructure reform
We explore how the UK’s shift to clean power is reshaping industry, infrastructure and the future of energy security.
Am I a data controller? GDPR for social media users explained
We look at the UK GDPR and the Data Protection Act 2018 and outline how the GDPR can apply to both organisations and individuals as data controllers.
The Digital Omnibus — proposed key changes to EU data protection obligations
We break down the key proposed reforms in the Digital Omnibus Package and outline what businesses should do to prepare.
3 potential ways generative AI could lead to defamation claims
We explain where generative AI has the potential to damage individuals’ reputations and examine relevant case law from other jurisdictions.
Deepfakes & AI-powered cybercrime in sport — how can athletes & clubs protect themselves?
We discuss the mounting dangers of AI-powered cybercrime across the world of sport with David Andrew — the Founder and Managing Partner of Tiaki.
Data Protection FAQs
Find answers to our most frequently asked questions about data protection and privacy from our lawyers.
Supreme Court unlocks the door to UK patents for AI & computer-related inventions
We explain the importance of the Supreme Court decision and what it means for innovators looking to gain patent protection for computer-related inventions.
2026 horizon scan — key legal & regulatory changes ahead
We explore the key developments that in-house lawyers should have on their radar and what they mean for your organisation in the year ahead.
AI, intellectual property & game development — key insights from Games Tech Connect
We outline the key takeaways from our Games Tech Connect session on how generative AI is being used in video game development.
New UK IPO fees list for patents, trade marks & registered designs
The UK IPO's new fee structure marks its most substantial increase in decades. See the list of what's changing and why.
Jaguar Land Rover cyber‑attack — protecting your workforce during digital disruption
We explain the impact of the cyber-attack on JLR's workforce and outline what to do to protect your business and minimise the impact if an incident occurs.
Cyber-attacks — 8 essential steps to strengthen your response before it’s too late
We outline eight key steps to put your organisation in the strongest position for a prompt and effective response to any cyber-attack.
Tech & IT contracts — how to future-proof for sustainability, AI & cybersecurity
Some tech businesses are exploring how their commercial frameworks could evolve through smarter, values-driven contracting.
Is your AI patentable? Lessons from the Court of Appeal’s landmark ruling
We explore the key issues from the case and consider the practical implications for those operating in the tech, creative and data-driven sectors.
AI Growth Zones — what the £31bn tech investment means for the North
We explore the potential of AI Growth Zones to transform the region through investment and job creation while also highlighting ongoing environmental concerns.
Getty Images v Stability AI — key intellectual property lessons for AI developers
We break down the key takeaways from the final ruling and consider what they mean for the evolving relationship between IP law and AI development.
AI in football — innovation, risks & the role of human judgement
We explore how AI is influencing football on and off the pitch, highlighting the real-world examples of its impact and the risks that come with it.
Can ChatGPT and other AI chatbots give legal advice?
We explore the confusion surrounding OpenAI’s recent policy update on legal, medical and financial advice.