Guidance

Charitable purposes soft opt-in and fundraising marketing

A guide to help you meet the Code of Fundraising Practice when you are carrying out fundraising marketing.

This guide is not legal advice and is non-exhaustive. It will help you comply with the Code of Fundraising Practice (the code). If you are carrying out marketing relating to charitable fundraising, whether or not it involves processing personal data, you must follow the guidance provided by the Information Commissioner’s Office (ICO) and the applicable law.

You should also follow all parts of the code that apply, whether or not they are referred to in this guide.

Where we say ‘you’ or ‘your’ in this guide, it means a ‘charitable fundraising institution’. This includes its staff, on-behalf-of volunteers and/or its trustees. Where we say ‘soft opt-in’ we mean ‘charitable purposes soft opt-in’ unless we say otherwise. When we say ‘processing’ personal data in this guide we mean the same as the UK GDPR definition.

We recommend you read this guide together with our guide to Data privacy and fundraising. You may also find it helpful to read some of our other guides, including Documenting your fundraising decisions, Monitoring your fundraising partners, Due diligence and fundraising, and Donors in vulnerable circumstances.

Contact the Code Advice Service with any enquiries about this guide and the Code of Fundraising Practice. 

Introduction

See more in the code, including at: 1.1.1, 1.1.2, 2.1.1, 2.1.5, and section 8

This is a guide to fundraising marketing to help you comply with the Code of Fundraising Practice (the code). All charitable fundraising organisations must comply with code rule 1.1.1 as follows:

          “Your fundraising must be legal, open, honest and respectful”. 

Whenever you carry out direct electronic mail marketing for fundraising purposes with or without using someone’s personal data, electronic marketing legislation is likely to apply. This means you must comply with The Privacy and Electronic Communications Regulations 2003 (PECR) as it applies to you. PECR is the legislation that governs electronic marketing. If you are using personal data when sending marketing you must also comply with the General Data Protection Regulation 2016 (UK GDPR) and the Data Protection Act 2018 (DPA), as applicable.

The UK GDPR and the DPA are the legislation that governs the processing of personal data. Whenever you are carrying out electronic marketing using personal data, known as direct electronic mail marketing, you must comply with PECR, UK GDPR and the DPA as well as any other laws and regulations that apply to your activity. All three pieces of legislation were amended by the Data (Use and Access) Act 2025. As a consequence, for example, PECR includes the ‘charitable purposes soft opt-in’ option for electronic direct marketing (see more below).

The Information Commissioner’s Office (ICO) is the UK regulator of data privacy and information rights and you must follow their guidance as it applies to you because it will help you to comply with the law. 

It is your responsibility to understand how the legislation applies to your fundraising marketing and to obtain professional specialist advice where needed.

Direct marketing 

See more in the code, including at: section 8, and 14.2.1 

Marketing often relates to selling products and services, but even if it does not it can still be marketing. Marketing can also relate to promoting aims and ideals, such as when promoting your charity and asking for donations. When you are promoting opportunities to donate or raise money for your charity, you will normally be carrying out marketing.

Direct marketing is sending or directing any marketing material or advertising to a particular individual. It might involve using a person’s name or any other personal data from which they can be directly or indirectly identified.

You might carry out direct marketing to invite general donations, promote a specific fundraising appeal, or raise awareness of opportunities for the public to fundraise in aid of your charity. Direct marketing might be by post, phone, email, text message, or direct social media message, for example.

If you carry out research into individuals or collect data about them, for example, for the purpose of seeking donations from them later, you are also likely to be processing their personal data for the purposes of direct marketing. 

Whenever you carry out fundraising direct marketing using personal data it will be considered direct marketing in law and you must follow the legislation that applies, including PECR and UK GDPR. Even if your marketing does not involve processing personal data, PECR still applies wherever you are communicating the marketing using electronic means.

Sending direct marketing electronically, such as by email, text and direct social media message, is called direct electronic mail marketing.

If you only need to contact an individual for administrative purposes it will not normally be considered a marketing message. 

If you email or phone a supporter to let them know their Direct Debit payment has not been successfully processed or a fundraising event they were registered to attend has been cancelled due to bad weather, these will be administrative messages only, or ‘service messages’ as they are called by the ICO. In these cases, PECR will not normally apply.

Find out whether your fundraising marketing is considered to be direct marketing by using the ICO’s identifying direct marketing guidance. The ICO has also created a handy checklist for sending direct marketing messages by different communication methods. You can also find out more from the UK Government about marketing, advertising and the law.

See more in our guide to Data privacy and fundraising.

Using personal data for direct marketing

See more in the code, including at: 1.1.1, 1.1.2, 2.1.6, 4.1.1, 5.2.2, 14.2.1 and section 8

Direct marketing can be communicated to an individual using their personal data either in their personal, business/employment or volunteering capacity. Whenever you are making contact by telephone, email, text or post, if the data used relates to a person who can be directly or indirectly identified, it will involve processing personal data.

Lawful basis for processing personal data for direct marketing

Under UK GDPR, you must have a lawful basis for sending direct marketing to individuals before doing so. 

The two most likely lawful bases for sending direct fundraising marketing will be ‘consent’ or ‘legitimate interest’, although it may depend on the type of direct marketing you will be using. Always make sure you can justify the lawful basis you are using.

See more about processing personal data in our guide to data privacy and fundraising.

Direct electronic mail marketing

See more in the code, including at: 1.1.1, 1.1.2, 2.1.6, 4.1.1, 5.2.2, 14.2.1 and section 8

PECR and UK GDPR apply whenever you use someone’s personal data to send fundraising direct electronic mail marketing, whether in their individual or work capacity. This includes if you are sending it to someone using their work email address that includes their name, for example.

Consent as a lawful basis for direct marketing 

Whenever you send direct electronic mail fundraising marketing to individuals you must usually obtain their consent. This is because you are likely to be processing their personal data, such as their individual email address, or a mobile phone number when marketing by text, and so must comply with PECR and UK GDPR.

Consent is normally the only lawful basis on which you can send direct electronic mail marketing, apart from the ‘products and services’ or ‘charitable purposes soft opt-in’ exceptions (see more below). More information about the lawful bases for processing personal data can be found in our guide to Fundraising and data privacy.

PECR distinguishes between sending electronic mail marketing to individuals and to organisations. The rules that apply depend on which recipient the marketing is being sent to:

  • Individual subscriber - an individual person or sole trader, 
  • Corporate subscriber - an incorporated organisation of any kind (such as a limited company, some charities, or community interest companies) and some types of partnership. 

Be aware that the term ‘subscriber’ does not mean that a person or organisation has necessarily consented to receive marketing from you. ‘Subscriber’ is simply the term used in PECR to indicate whether the law treats someone as an individual or an organisation. 

If you send emails to one or more limited companies to tell them about your charity, including to explore sponsorship opportunities with them, this is likely to be fundraising direct mail marketing. In this case, PECR and UK GDPR will apply if you are using personal data of the recipient, including their individual work email address. 

You do not need consent for sending fundraising marketing to a ‘corporate subscriber’. However, all individuals, including individual representatives of ‘corporate subscribers’, that you are sending marketing to have the right to ask you to stop using their individual work or personal email address. This is known as the right to object and must be respected, otherwise you will be breaking the law. See more in the ICO’s guidance on Business-to-Business Marketing.

Exceptions to consent as a lawful basis 

There are two potential exceptions to using consent as a lawful basis for processing personal data for direct electronic mail fundraising marketing, when the legitimate interests lawful basis under UK GDPR may be used instead. These exceptions are:

  • Products and services soft opt-in
  • Charitable purposes soft opt-in

This guide does not cover products and services soft opt-in. This is because the occasions where it may apply are less likely to involve asking for fundraising donations. More information about products and services soft opt-in is available from the ICO.

Charitable purposes soft opt-in

Charitable purposes soft opt-in is a new legal provision within PECR that entered into legal force on 5 February 2026. It is a lawful exception to the normal requirement of obtaining consent before sending any direct electronic mail fundraising marketing to individuals. It may only be used by organisations recognised as charities in law, when they wish to send out direct electronic mail fundraising marketing, such as by email, text or direct social media message. 

Using soft opt-in legally and responsibly

To be compliant with the law when using ‘charitable purposes soft opt-in’, you must always meet the following legal criteria: 

  1. Be recognised in law as a charity. 
     
  2. Have obtained the contact details of the person to whom marketing will be sent only when they were:
    • Expressing an interest in one or more of your charitable purposes, and/or  
    • Offering to or providing support for your charitable purposes 
       
  3. The only purpose of your direct electronic mail fundraising marketing is to further your charitable purposes. 
     
  4. You provide a simple means of the person opting out of future direct electronic mail marketing at the point when their contact details are first collected. 
     
  5. Every time you send direct electronic mail fundraising marketing to a person, where they did not opt out at the time the data was first collected, you provide a simple means of them opting out of future marketing. 

Only send direct electronic mail fundraising marketing where these criteria have been met, in accordance with the ICO’s guidance. Failure to do so could mean you are acting unlawfully.

Unlawful uses of soft opt-in 

There are different ways in which you could be acting unlawfully, if you do not follow the ICO’s guidance when sending direct electronic mail fundraising marketing. For example: 

  1. Charitable purposes soft opt-in cannot be used to send direct electronic mail marketing to any person whose personal data you collected before 5 February 2026. 
     
  2. Charitable purposes soft opt-in can only be used by charities directly. This means their staff and on-behalf-of volunteers. 
     
  3. Charitable purposes soft opt-in cannot be used if the personal data was originally collected by a third party.
     
  4. Charitable purposes soft opt-in must not use personal data originally collected by professional fundraisers, commercial participators, online fundraising platforms, or any other third-party organisation that your charity engages with. You must not use this soft opt-in provision with any personal data collected by a third party, whether or not they were acting on your behalf in collecting the data.
     
  5. Charitable purposes soft opt-in is not allowed if the data you would be using to send the direct electronic mail marketing is from a marketing list that you have bought or acquired by any means.

This list is not necessarily exhaustive. If you are unsure about whether your use of soft opt-in would be lawful, seek professional specialist advice first. 

Failure to meet the legal requirements of charitable purposes soft opt-in could result in the Fundraising Regulator finding you in breach of the code, if we receive a complaint about your relevant marketing practices. It could also lead to the ICO taking enforcement action against you.

Implementing soft opt-in 

Before using charitable purposes soft opt-in, it is important to make sure that it would be the right fundraising marketing approach for your charity, donors and beneficiaries.

At a minimum, we recommend following six steps (which we have called ATRIUM) to help you think this through and implement soft opt-in lawfully and responsibly:

First carry out a legitimate interests assessment to help you decide whether charitable purposes soft opt-in would be appropriate for your charity.

Plan training for relevant staff and on-behalf-of fundraising volunteers so they know the rules and your processes relating to ‘soft opt-in’ before using it. Deliver the training to relevant audiences before first implementing soft opt-in processes and whenever relevant new staff and volunteers join your charity.

Review your existing direct electronic mail marketing processes, including your supporter data management tools. Make sure you can accurately record a person’s marketing preferences, the lawful basis being used to send them marketing, and those people who have opted out, or have refused or withdrawn their consent. Review and update your data privacy policy to take account of your use of ‘soft opt-in’, and any other policies and procedures that may be affected by it.

Make sure you only ever use ‘soft opt-in’ where all the legal requirements are met in accordance with the ICO’s guidance. Your policies, procedures and data management tools should reflect the legal and regulatory requirements to help you to use the provision lawfully. 

Keep your knowledge up to date about the relevant legislation and the guidance on direct marketing from the ICO. Take specialist professional advice to help you carry out fundraising marketing lawfully and responsibly whenever needed.

Keep processes in place and use them to monitor your use of ‘soft opt-in’, including keeping your supporter data records up to date. Always stop sending direct electronic mail marketing where soft opt-in is being used, whenever the recipient asks you to.

For more help using charitable purposes soft opt-in responsibly, see the examples accompanying this guide.

Live telephone call marketing 

See more in the code, including at: 1.1.1, 1.1.2, 2.1.6, 5.2.2, 14.2.1 and section 8 

Live telephone fundraising marketing is when a real person makes a call to a particular person in real time, for fundraising marketing purposes. Even if a call is made for another purpose but intentionally or unintentionally includes fundraising marketing content at any point (or any other kind of content that comes within the definition of marketing, such as advertising, selling, promoting, or campaigning) it becomes a marketing call. In such cases, you must treat these as marketing calls and follow PECR and UK GDPR.

If you do not know the name of the person you are contacting and whether or not you are calling an individual or an organisation, such as when using a general contact telephone number, PECR still applies. 

If you intend to carry out live telephone fundraising marketing calls (sometimes called telemarketing) you must comply with PECR, UK GDPR and the Data Protection Act 2018. See more in the ICO’s short video guide to data protection and telephone marketing and their fuller guidance on direct marketing using live calls. When making such calls you must use ‘caller telephone number display’ and tell the recipient who is calling. You must tell them your contact address and a freephone telephone number if they ask.

In most cases, you cannot make live marketing calls to anyone who has told you they do not want to receive such calls from you. 

Do not call anyone whose number is registered on the Telephone Preference Service (TPS) or the Corporate Telephone Preference Service (CTPS). These services allow individuals and businesses to opt-out of unsolicited live marketing calls. The Fundraising Preference Service (FPS) also allows individuals to opt-out of email, text, live phone calls and addressed mail fundraising marketing. You must not call anyone for marketing purposes who has asked you to stop via the FPS. 

Even if someone’s number is not listed by one of these services, if they have previously told you not to call them you must not do so. Failure to do so would be unlawful because it would be a failure to uphold a person’s right to object under UK GDPR.

You must keep a ‘do not call’ list or equivalent. This is to make sure you know who has exercised their right to object to live direct marketing by telephone so you can avoid calling them.

Marketing by automated telephone call

See more in the code, including at: 1.1.1, 1.1.2, 2.1.6, 5.2.2 and section 8 

An automated call, sometimes called a ‘robocall’, is when an automated dialling system is used to call someone and then plays a recorded message. The law on automated calls also applies if Artificial Intelligence is used to make calls.

Under PECR, you can only carry out marketing in this way if the intended recipient has consented to specifically receive automated calls. Even if someone has consented to receive telephone marketing, unless they have additionally specifically consented to receive automated calls, they must not be called in this way.

All automated calls must include your name, and a contact address or freephone number must be provided. You must also allow your contact number to be displayed to the recipient.

If someone withdraws their consent to receive automated calls by asking you to stop, you must not call them. Find out more from the ICO about withdrawing consent.

Find out more from the ICO about automated calls. 

Marketing by post 

See more in the code, including at: 1.1.1, 1.1.2, 2.1.6, 5.2.2 and section 8

Direct postal marketing 

You can only send direct marketing by post if the named individual recipient (the person it is addressed to) has given you consent or if you have assessed that you have a legitimate interest in doing so and the recipient has not previously objected.

You must be able to show that your use of a person’s data is proportionate, has a minimal privacy impact and that the individual would not be surprised or likely to object to receiving the marketing. If you are using personal data in this way, your privacy notice should reflect this. 

If someone asks you to stop sending them direct fundraising marketing by post you must do so as soon as possible. Failure to do so would be unlawful because it would be a failure to uphold a person’s right to object under UK GDPR. Marketing recipients may tell you directly to stop sending direct marketing by post. They may alternatively or additionally use the Fundraising Preference Service or the Mail Preference Service to opt-out of personally addressed marketing.

Indirect postal marketing 

Where marketing is not directed to a particular person, it is not direct marketing. Recipients may use the Royal Mail opt-out service to stop receiving such items.

Donor prospect research 

See more in the code, including at: 1.1.1, 1.1.2, 2.1.6, 5.2.2, section 8 and 14.2.1

Obtaining new information about people from other sources, such as on publicly available websites or public social media pages, may help some charities to direct their fundraising marketing to new supporters and donors. This is sometimes called ‘donor prospect research’ or ‘profiling’. If you have obtained personal data about a person for purposes such as these but not from that person themselves, even if you believe the data to be in the public domain, you must let the person know how you will process it within one month of obtaining the data. This could be by sending them your relevant privacy notice, for example. You must do this unless one of the legal exceptions applies. Failure to do so means the person is unable to exercise their data rights such as the Right to Object or the Right to Be Informed, because they are unlikely to know otherwise how you are processing their data. See more about this in ICO’s guidance on collecting personal data for profiling.

Charitable purposes soft opt-in examples

Below are hypothetical examples of using charitable purposes soft opt-in to help you think through whether charitable purposes soft opt-in would be right for your charity. They are for illustration purposes only and do not constitute legal advice. You should obtain professional specialist advice if you are unsure how charitable purposes soft opt-in applies to you or if your situation is complex.

An individual makes a one-off donation using their credit card to an animal welfare charity using its website. The charity has already carried out a legitimate interests assessment and decided it would be low risk to use charitable purposes soft opt-in to send fundraising marketing to its website donors. The donor provides their personal email address as part of donation processing. At the same time as collecting the donor’s email address, the charity offers the donor a simple means of opting out of future direct marketing by ticking a box. The individual does not opt out. A few months later, the charity emails the donor again using the email address it previously collected, asking if they would like to make another donation. The fundraising marketing email also includes a simple way to opt out of future direct marketing. The donor makes another donation and again does not use the simple means of opting out of future marketing. The charity later sends a further fundraising marketing email, again including a simple opt-out option. The charity used the email address collected at the time of the first donation, gave a clear opt-out at the time and subsequently. The charity has taken the right approach. 

A museum charity has 25 long-standing volunteers. It has not previously asked them for consent to receive fundraising marketing relating to the charity. After charitable purposes soft opt-in came into force, the charity carried out a legitimate interests assessment. It decided the risk of sending fundraising marketing to their volunteers would be low. At the next annual update of volunteer contact details, the charity gives all volunteers a simple means of opting out of direct marketing. Ten volunteers choose to opt out. The charity updates its records and makes sure these volunteers do not receive any fundraising marketing. It still contacts them for volunteer administration purposes only. The remaining volunteers receive fundraising marketing because they did not opt-out. The charity is clear, gives a simple opt-out each time it sends out the marketing, and respects their volunteers’ choices. The charity has taken the right approach. 

A charity provides debt management advice. It considers sending fundraising marketing to people who use its services. The charity carries out a legitimate interests assessment. It weighs its interest in sending direct fundraising marketing with the rights of its service users. The assessment shows that many beneficiaries may be in vulnerable circumstances because of financial hardship and mental health problems. Sending fundraising marketing to them could cause anxiety and add to this vulnerability. The charity decides that the individuals’ rights outweigh its own interests. It does not use charitable purposes soft opt-in to send fundraising marketing to its service users. It also decides not to seek consent as an alternative lawful basis for sending fundraising marketing. The charity puts people’s wellbeing first and takes a cautious approach to direct marketing. The charity has made the right decision. 

A hospice works with a lottery operator to run a weekly charity lottery. People sign up through the operator’s website and provide their personal data including name and email address to the operator, which manages the lottery. This information is necessary to take part. The charity wants to send fundraising marketing emails to lottery players using charitable purposes soft opt-in. Trustees believe players may be interested in supporting the charity by giving direct regular donations as well as playing the lottery. They review the law and ICO guidance. They find that because the personal data was collected by the lottery operator, not the charity, they cannot use the charitable purposes soft opt-in provision. The trustees decide not to use soft opt-in for lottery players because it would be unlawful. The charity has taken the right approach.

A sports charity sends out a regular email newsletter aimed at children and young people to encourage them to take part in physical activity. A parent or carer must sign up to the newsletter for anyone aged under 16. The charity does not collect age data but knows some newsletter subscribers may be under 18. Anyone aged under 18 is considered a child in law. Trustees consider using charitable purposes soft opt-in to send fundraising marketing, including requests for regular giving, and carry out a legitimate interests assessment. They identify a medium to high risk because some recipients may be considered in law to be children. They also consider rule 5.2.4 of the Code of Fundraising Practice, which states charities should avoid asking people under 18 for regular donations. The charity decides not to use soft opt-in for the newsletter subscribers because it cannot be certain, given their age range, that the charity’s rights outweigh the subscribers’ own information rights. The charity has taken the right approach.

A regular donor receives fundraising marketing emails from an armed forces charity. The charity uses charitable purposes soft opt-in because it meets all the legal requirements. Each email includes a simple way to opt out of direct marketing. The donor has not opted out. Later, the donor decides to support a different cause instead and no longer wants to receive fundraising marketing from the armed forces charity. They make a request through the Fundraising Preference Service (FPS) for the charity to stop sending them fundraising marketing by email. The charity receives the FPS request and updates its records accordingly. It stops sending fundraising marketing emails to the now former donor. The charity understands that an FPS request must be followed to meet data protection law and respect the recipient’s right to object to receiving marketing emails. The charity has taken the right approach.

A large social welfare charity has multiple charitable purposes, including training, money advice and social connection. It offers a free online course on digital skills for older people experiencing digital exclusion. Trustees consider using charitable purposes soft opt-in to send fundraising marketing to people who attend the course. They are unsure if this applies, as some people may only be interested in the course, not the wider charitable purposes. They review the ICO’s direct marketing guidance. They see that showing interest in one charitable purpose can be enough. The course is clearly linked to the charity’s work. While some people may join because it is helpful and free, others are likely to support the charity’s aims as well. The trustees decide that soft opt-in may apply. They carry out a legitimate interests assessment to consider risks and fairness before taking action and find this is likely to be low risk. Before they start using charitable purposes soft opt-in they also get professional specialist legal advice just to make sure. The charity has taken the right approach.