Data (Use and Access) Act 2025 — how opt-in rules are changing for charities
We explore how charities will need to manage their marketing activities and supporter consent once the secondary legislation takes effect.
Read more
Data (Use and Access) Act 2025 — how opt-in rules are changing for charities
AuthorsEleanore BeardEsme Steiger
5 min read
Data Protection, Technology, Media & Telecoms, Charities, Not-For-Profits & Social Enterprises
The Data (Use and Access) Act (DUA Act) is set to reshape how charities manage their marketing communications and uphold data protection standards. Designed to strengthen transparency and compliance, the DUA Act introduces opportunities for more meaningful engagement with supporters but also brings new challenges for organisations that rely on data-driven strategies.
Here, Eleanore Beard and Esme Steiger explore how charities will need to manage their marketing activities and supporter consent once the secondary legislation takes effect.
What are the proposed changes?
The DUA Act will amend the current rules for charities under the Privacy and Electronic Communications Regulations (PECR). The current rules allow an organisation to send marketing emails, texts and social media messages without explicit consent if the information was collected during a sale of goods or services or when someone has shown interest in a product. This is known as a ‘soft opt-in’.
Since charities don’t sell goods or services commercially, they have to rely on explicit consent from individuals. The proposed changes mean that this will no longer be the case, provided that certain conditions are met.
The three conditions are as follows:
- The sole purpose of the direct marketing must be to further one or more of the charity’s charitable purposes.
- The charity must have obtained the potential recipient’s contact details when the recipient either:
- Expressed an interest in one or more of the charity’s charitable purposes.
- Offered or provided support to further one or more of those purposes.
- The potential recipient must've been given the chance to opt out when their details were collected and must continue to be offered an easy opt-out option with every subsequent message.
The ability for charities to use the ‘charitable purpose soft-opt in’ will likely be in place by June 2026. These changes require further secondary legislation to bring them into effect, so charities mustn’t use this approach until then.
Why is this change important to charities?
The proposed changes will allow charities to expand their mailing lists, helping to boost the public’s engagement with their work. By broadening their reach, charities can promote fundraising events more effectively and encourage greater participation.
It’s also expected to reduce supporter drop-offs. Since individuals receiving marketing communications will already have expressed an interest in the charity, organisations will be able to maintain a connection with supporters to ensure that they can stay in touch with those who care about their cause.
Are there any other restrictions?
Charities only
The soft opt-in only applies to charities as defined by Section 1 of the Charities Act 2011. According to this Act, a UK charity is an organisation that operates solely for charitable purposes — such as helping people in need, advancing education, promoting health or protecting the environment — and provides a clear public benefit under charity law.
In addition, it can’t be set up to make private profit. Every charity must show that its efforts benefit the public rather than just a small group or individuals.
Charities are regulated by the Charity Commission which makes sure that they follow the rules, use funds appropriately and report on their activities.
Forward-looking
The proposed change won’t apply retrospectively, meaning that charities can’t use the charitable purpose soft opt-in to send electronic marketing to people whose contact details were collected before the provision comes into force.
Managing this change may be challenging as some contacts will be ‘processed’ lawfully on the basis of consent. For others, the legal basis for processing will be that the charity has a ‘legitimate interest’ — for example, sending direct marketing to seek funds from supporters.
To remain compliant and avoid confusion, charities should:
- Maintain accurate records that identify which legal basis applies to each contact.
- Demonstrate compliance by keeping those records up to date.
- Retain an audit history of consents and opt-outs to ensure accountability.
What should charities do to prepare?
There are a number of steps you can take to get ready and stay compliant:
- Identify all contact points where individuals may express interest in or offer support to your charity.
- Update your privacy policy to reflect the upcoming legal changes, clearly stating the legal basis for using personal data for direct marketing and specifying the types of communications that supporters will receive.
- Create new opt-out statements to add to your website and all emails sent out to supporters.
- Conduct a legitimate interest assessment (LIA) to ensure that the interest in processing data is balanced against individuals’ rights and freedoms.
- Plan and deliver training for relevant staff and volunteers on how to apply the charitable purposes soft opt-in effectively.
ICO consultation
The Information Commissioner’s Office (ICO) has commenced a consultation seeking feedback on its proposed approach to the charitable purpose soft opt-in that will inform updates to the relevant sections of its existing guidance. The consultation is open until 27 November 2025 for charities and other interested parties to provide responses, with full details available on the ICO’s consultation page.
Talk to us
Our data protection specialists and charities, not-for-profits & social enterprises team bring practical and sector‑specific expertise to help organisations to stay compliant.
Together, they can:
- Clarify whether your organisation is a charity.
- Review your privacy policy to ensure that it’s GDPR-compliant and aligned with the DUA Act.
- Review your opt-in and out-out messages across your website and emails.
- Carry out an LIA.
- Provide support with policy review and training for staff and volunteers
- Advise on implementing compliant consent mechanisms and updating privacy frameworks.
Talk to us by giving us a call on 0333 004 4488, sending us an email at hello@brabners.com or completing our contact form below.
Eleanore Beard
Eleanore is a Legal Director and Data Protection Practitioner in our commercial team.
Read more
Talk to us
Loading form...
Related insights
AI in football — innovation, risks & the role of human judgement
We explore how AI is influencing football on and off the pitch, highlighting the real-world examples of its impact and the risks that come with it.
Read more
Can ChatGPT and other AI chatbots give legal advice?
We explore the confusion surrounding OpenAI’s recent policy update on legal, medical and financial advice.
Read more