Our Chief Revenue Officer, J Cromack, and Consultant Analyst, Rob Dyer, joined May 2025’s Chartered Institute of Fundraising 20:20 Insight session to share how Wood for Trees’ data analysis was used to support the Data & Marketing Association (DMA) UK in successfully lobbying for the inclusion of the charity soft opt-in in the Data (Use & Access) Bill, along with best practice guidance on email marketing and consent and preference management.
Several questions were put to our panellists about how charities can navigate the new soft opt-in rules in the DUA Act becoming law. While the Bill has since received Royal Assent on 19 June 2025 (becoming an Act), practical implementation guidance is still emerging. In the meantime, here’s J’s view of what’s currently known during this period and how charities and not-for-profits can turn compliance into an increased income and improved supporter engagement opportunity.
CIOF 20:20 Insight charity soft opt-in Q&A
1. Can we resume emailing people we couldn’t prove consent for?
Answer: No. Soft opt-in only applies to data captured under the new regime. Any contacts you can’t show were given an opt-out at point of capture must re-engage (e.g., tick a box or take a new action) before you email them.
2. Can we append email addresses to current supporters?
Answer: No. You cannot retrospectively add emails to existing records, it must be provided by the supporter if you intend to communicate with them via email (this is part of the Fundraising Regulator’s Code of Practice), plus an opt-out must be offered when the email address is captured to be able to email the supporter under soft opt-in.
3. If someone didn’t tick the opt-in box but gave an email at donation, can we email them when the law passes?
Answer: No – unticked boxes don’t count. Soft opt-in demands a clear opt-out option at point of data capture, so those supporters must re-engage under the new rules.
4. What are the key dates and timelines?
Answer:
- Bill passed: The DUA Act became law on 19 June 2025.
- Implementation period: The new rules (including charity soft opt-in) aren’t live yet, organisations and regulators need time to prepare.
- Go-live estimate: Soft opt-in for charities is likely about six months after Royal Assent.
- Current requirement: Until then, charities must still secure explicit consent for all electronic marketing.
- Preparation tips: Now is the time to audit your data capture processes and touchpoints, update opt-out mechanisms, train teams and refresh privacy notices, so you can switch smoothly from consent to soft opt-in when it launches.
- Bill text: https://bills.parliament.uk/bills/3825.
5. Is Scotland included?
Answer: Yes – the Act applies UK-wide (England and Wales, Scotland and Northern Ireland).
6. What are some practical steps for existing data and updating opt-in forms?
Answer:
- Existing data: For now, we believe only records collected under the new regime can benefit from soft opt-in. Others must re-engage. We are awaiting further guidance from both the DMA, ICO and Fundraising Regulator on this point.
- Opt-in forms: Replace “consent” tick-boxes with a clear statement of future communications plus separate email/SMS opt-out checkboxes.
- Privacy policy: Update to explain soft opt-in and notify supporters (e.g., via website banner or service email).
7. Must we contact all records to say our privacy policy changed?
Answer: You should update your policy and make a general announcement (website banner, footer or newsletter), but you don’t need an individual email sent to every contact – unless your existing terms required direct notification.
8. Does soft opt-in cover SMS, WhatsApp or phone?
Answer: It covers first-party email, SMS, MMS and messaging apps (e.g., WhatsApp) but not telemarketing or postal mail.
9. Can we use Legitimate Interest (LI) for pre-Act sign-ups?
Answer: Only for data collected under the new rules. Historic hand-raisers without an opt-out box cannot be reclassified under LI until they take a fresh action.
10. Soft opt-in: scope of content and “prior relationship”?
Answer:
- Scope: Any communications that further your charitable mission (not just “similar” asks).
- Prior relationship: Hand-raisers, donors or anyone who’s shown genuine interest qualify.
- Engagement window: No fixed cutoff – document your case-by-case reasoning in a Legitimate Interest Assessment (LIA)*.
*Whilst soft opt-in doesn’t require a LIA under PECR, it must still meet certain conditions. Both the Fundraising Regulator and ICO recommend charities document decisions made, hence why we’d recommend a LIA to document why you believe you can email a person using soft opt-in.
The conditions in the DUA Act that must be met by charities are:
- The charity obtains personal data directly from individuals.
- The personal data was obtained in the course of the individual expressing an interest in, offering or providing support to one or more of its charitable purposes.
- The sole purpose of the direct marketing is to further one or more of the charity’s charitable purposes.
- The individual is given the opportunity to opt-out at the time the charity obtained their personal data.
- The individual is given the opportunity to opt-out in each subsequent communication.
11. Can someone who opted out but then re-engages be contacted again under soft opt-in?
Answer: We await further guidance on this point. My view is yes, but I would suggest not, unless a decent amount of time has passed since the initial opt-out and the form presented when the individual reengaged made it very clear they would receive emails unless they opted out.
12. What about emails from third-party platforms (e.g., JustGiving)?
Answer: Data from third parties must come with consent for the named charity collected at point of capture. You cannot import those contacts unless the platform offered a compliant consent capture mechanism and you have evidence to support this.
13. Can you give an example of a compliant opt-out design?
Answer: A visible opt-out box at capture with clear information on the types of communications you plan to send, plus an unsubscribe link in every message, is best practice. Alternatively, a clear link to a preference centre also suffices – so long as opting out is frictionless.
Example: We [Charity A] would like to send you communications to update you on our impact, ask for your continued support or take part in other events and activities, so we can continue our mission. If you’d prefer not to hear from us, please tick the relevant boxes below:
[ ] SMS
You can change your mind at any time by unsubscribing from us in future communications. For more information, please visit our privacy policy.
Prepare for charity soft opt-in success
This charity soft opt-in is as much about opportunity as it is compliance. Charities that build transparent opt-out journeys, document their reliance on soft opt-in and weave mission-focused storytelling into every communication can not only stay on the right side of the law, but also drive stronger supporter engagement – and unlock fresh income streams in the process.
Disclaimer: This is our interpretation of the guidance issued so far (July 2025) and cannot be relied upon as legal advice. Always consult your legal team, the ICO or DMA for additional guidance.
Our team is here to help you every step of the way – to discuss the charity soft opt-in opportunity further or how to improve your email marketing compliantly, get in touch.
