Data Protection Network
CONTACT US
NEWSLETTER

How charities can use the soft opt-in

Philippa Donn
April 2026

How the ICO sees the exemptions to consent for electronic marketing working in practice

Giving charities the option to rely on their own ‘soft opt-in’ (i.e. exemption to consent) for marketing by email, SMS or direct message was hailed as a significant step; a levelling of the playing field with commercial organisations who had been enjoying a similar exemption for over 20 years.

At DPN we warmly welcomed this change. However, after reading the final guidance from the ICO, there are plenty of nuances charities need to keep in mind. This is especially true if you’re looking to rely on exemptions for sending messages about both ‘charitable purposes’ and ‘products and services’.

We’ve poured over the guidance, which can be found within updated PECR guidance, so here’s a summary and our thoughts. Any text in italics is lifted from the ICO guidance.

How has the law changed?

The Privacy and Electronic Communications Regulations (PECR), which lays down the rules for electronic marketing were amended as of 5th February 2026. The changes allow charities to send direct marketing by email, SMS and direct message to further their charitable purposes as long as they can meet certain criteria. This amendment to PECR was introduced by the Data (Use and Access) Act.

The two ‘soft opt-ins’

There are now two exemptions to consent known as ‘soft opt-ins’. Each exemption has its own set of criteria which needs to be met, and applied to different kinds of marketing content. The ICO is referring to them as:

  1. The charitable purposes soft opt-in – the new one which is ONLY available to charities.
  2. The products and services soft opt-in – the existing one which has been around since 2003 and is available to ALL organisations. It should be noted the ICO guidance on this has been refined and it now has this new name.

A choice between soft opt-ins and consent

Organisations have a choice; rely on one or both soft opt-ins provided you can meet the criteria, or request consent. The ICO guidance states: Even if the soft opt-ins could apply, you might decide to get people’s consent instead. For example, if you want to send marketing content not allowed by the soft opt-ins, or if you want more assurance that people are happy to receive your electronic mail marketing.

The regulator adds that charities must consider the circumstances in which they use consent or soft opt-in(s) and be mindful of whether it’s appropriate to send vulnerable individuals marketing in the first place.

The charitable purposes soft opt-in

This allows charities to send marketing emails, SMS and direct messages without consent, subject to specific requirements being met, where such messages are about furthering their charitable purposes.

Crucially, this can’t be used retrospectively. It can only be used if you obtained a person’s contact details from 5 February 2026 onwards, when the change in law took effect.

The six requirements

  1. You’re a charity – as defined under the law in England, Scotland or Northern Ireland.
  2. The sole purpose of your direct marketing is to further one or more of your charitable purposes.
  3. You obtained the contact details directly from the recipient.
  4. You obtained the details in the course of the recipient expressing an interest in one or more of your charitable purposes OR offering or providing support to further one or more of your charitable purposes.
  5. You gave a clear opportunity to refuse or opt out when you collected their details.
  6. You give a simple opportunity to refuse or opt out in every subsequent communication.

What are ‘charitable purposes’?

The Charities Act 2011 and equivalent legislation in Scotland and Northern Ireland provides a non-exhaustive list of examples which can be considered charitable purposes, if done for the public benefit. The ICO gives examples of activities such as:

Requesting donations, including financial contributions and donations of clothes, food or other items
Requesting volunteers help
Providing information about your charity’s mission-related activities, such as your programmes, projects and campaigns.

What does ‘directly from the recipient’ mean?

The ICO says: You must obtain the contact details directly from the person you want to send the direct marketing to. The soft opt-in doesn’t apply if someone else obtains the contact details for you, even if it’s another organisation closely connected to your charity, such as a trading subsidiary. There is no such thing as a third-party marketing list that is ‘soft opt-in compliant’.

What constitutes ‘expressing an interest’?

Expressing an interest would be where someone engages with a charity regarding a charitable purpose. This might be asking for information about the work you do. The ICO tells us this is unlikely to stretch to situations where your interactions with an individual don’t reveal anything about their interest in your charitable purposes.

What constitutes ‘offering or providing support’?

This includes situations where someone donates money or other items, or volunteers to help your charity.

The ICO says: When someone buys something from a charity, this usually falls within the products and services soft opt-in. However, the regulator recognises for a number of charities, purchases can be way for someone to support their charitable purposes.

If it’s clear someone is engaging as a supporter, and the payments they’re making are a way of supporting your charitable purposes, this will fall under the criteria of ‘providing support’ under the charitable purpose soft opt-in. For example, this might be:

purchasing an annual membership
sponsoring an animal
entering a charity raffle
paying to take part in a fundraising event

This is really helpful and clarifies some very grey areas in the previous draft guidance. However, this will still present challenges for some charities – I did warn of nuances. The ICO says: There will be situations where an interaction is clearly just transactional. Sometimes there will be no reasonable basis for you to conclude the person was providing support to further your charitable purposes. In these cases, you must not use the charitable purposes soft opt-in.

It looks like a clear distinction will need to drawn about where the charitable purpose soft opt-in can and can’t be deployed.

The products and services soft opt-in

This existing exemption to consent, now renamed by the ICO, can be relied upon to send electronic marketing (e.g. emails and texts) if ALL of the following conditions are met:

A person’s contact details are collected directly by your organisation while selling or negotiating to sell a product or service.
An opportunity to refuse or opt-out of the marketing is given at the point of collection, and in every subsequent communication.
You only send marketing messages about your own similar products and services (not those of a third party).

Ten ICO do’s and don’ts

  1.  Charities, political parties and other not-for-profit organisations must not use the products and services soft opt-in to send electronic mail marketing about their campaigning or fundraising, even to existing supporters.
  2.  This soft opt-in doesn’t apply if someone else obtains the contact details for you, even if it’s another organisation within your own group structure.
  3. There is no such thing as a third-party marketing list that is compliant with either of the soft opt-ins.
  4. A person doesn’t need to actually buy anything from you. It’s enough if ‘negotiations for the sale’ took place. This means that they must actively express an interest in buying your products or services. This includes signing up to a free trial of your product or service, requesting a quote or asking for more details about what you offer.
  5. You must have some form of express communication from the person and it must involve them buying your products or services. It’s not enough for someone to send any type of query.
  6. You must give people a simple way to opt out of your electronic mail marketing when you collect their contact details.
  7. An opt-out box hidden within your privacy policy is not a simple way for people to refuse your electronic mail marketing.
  8. You must offer the opt-out when you collect the contact details.
  9. Including an opt-out in an order confirmation email is not sufficient.
  10. You must make it simple for people to change their mind and opt out or unsubscribe from marketing. You should make it for people to reply directly to your messages or to click a clear ‘unsubscribe’ link. With text messages you could offer an opt-out by telling people to send a stop message to a code number. You must make this free of charge, apart from the other cost to people of sending the message.

What happens if both soft opt-ins apply?

This is where is gets even more nuanced and may become complex for charities to implement effectively. The ICO makes it very clear it considers these two exemptions to be separate and distinct:

  1.  The charitable purposes soft opt-in – allowing you to send marketing which furthers your charitable purposes.
  2. The products and services soft opt-in – allowing you to send marketing about your own products and services.

There’s a glimmer of good news with the ICO saying you can use both at the same time. In other words, you can send a communication which includes content about both your charitable purposes and your own products and services. But, and it’s quite a big BUT … in this the situations the ICO expects you to do the following:

Provide separate opt-out boxes for each soft opt-in when you collect someone’s details. Try writing that in a clear and simple way!
Give the ability in all subsequent communications to opt-out distinctly from each type of marketing (charitable purposes, or products and services).

Yikes! Essentially any charity looking to rely on both soft opt-ins will need a sophisticated CRM, clear methods for flagging the SOI statuses of records and very clear rules about different types of communications which can be sent to each group.

And that’s before we start factoring in all the historical supporters who gave or withdrew their consent.

At this point, am I the only one scratching my head wondering why this was hailed as such a great idea? Has it become much too complicated?

What about UK GDPR?

Once you’ve managed to navigate your way through the soft opt-in requirements, don’t forget you still need a lawful basis under UK GDPR. If you rely on either of the soft opt ins, the only appropriate lawful basis is legitimate interests.

When relying on legitimate interests you need to balance your interests and make sure these don’t negatively impact on the recipient’s rights and freedoms. To comply with the law the regulator says you should conduct a Legitimate Interests Assessment. This will help you to ask the right questions and objectively weigh up people’s reasonable expectations and any impact your activities could have on them. This really doesn’t need to be detailed if your confidence all is compliant with PECR.

I must say, this (pretty important) bit about lawful basis was not obvious when reading the ICO’s guidance, but I did eventually stumble across it here: How does legitimate interests work for the soft opt-ins.

In summary, I do wish this had all been a lot more straightforward. There’s an awful lot for charities to consider. For those currently getting healthy opt-in rates relying on consent, they might be well give the whole soft opt-in debate a big swerve.

For more detail you can read the ICO guidance on the soft opt-ins here: How do we comply with the PECR electronic mail marketing rules

As a data protection consultant since 2015, Philippa advises and supports a broad range of clients, and delivers data protection training. She also regularly writes GDPR guides to support data protection teams in their day-to-day work.

Copyright DPN

The information provided and opinions expressed in our content represent the views of the Data Protection Network and our contributors. They do not constitute legal advice.
Data Protection Network