The legislation governing how charities handle data has changed.
The Data (Use and Access) Act 2025 (DUAA) updated key legislation, including UK General Data Protection Regulation (GDPR), the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations 2003 (PECR).
The act became law in June 2025, but most of the changes it made came into force on 5 February 2026.
So what does this mean for your charity? The highlights below will help you get to grips with it (including some welcome news about how you can contact supporters with your marketing).
1. There’s now a soft marketing opt-in option for charities
What’s changed?
This is the biggest change for charities in the act. Previously, under PECR, charities needed a person’s consent to send them direct marketing (including charity updates and fundraising materials) by email or text.
Commercial companies enjoy a long-standing exception: the ‘soft opt-in’. Mainly designed for a commercial context, it could only be used to send marketing messages about the same or similar goods or services. For example, an email from your supermarket about food offers.
Charities could use it in limited situations. For example, messages to people who bought merchandise or paid for an event – but not for fundraising messages to donors and supporters.
Thanks to the DUAA, this has changed. There’s now a ‘charitable purpose’ soft opt-in which enables charities to send marketing emails and texts to donors and supporters where:
- the sole purpose of the direct marketing is to further one or more of the charity’s charitable purposes; and
- the charity obtained the contact details of the recipient of the electronic mail in the course of the recipient:
  - expressing an interest in one or more of the charity’s charitable purposes; or
  - offering or providing support to further one or more of those purposes;
- so long as the recipient is given a simple means of opting out of receiving marketing messages at the time their details were first collected, and in every subsequent marketing message.
What this means for charities
This will be welcome news for many charities – as it may allow you to send marketing emails and texts to supporters without having to get opt-in consent. However, there are important points to consider when deciding whether you can rely on the charitable purpose soft opt-in:
- The change isn’t retrospective. It can be used for new supporters in the future, but is unlikely to apply to people on existing mailing lists unless they re-engage with the charity;
- Privacy notices and sign‑up forms will need updating to explain to individuals the basis on which their personal data will be used to send marketing, the types of communications they will receive, and how they can opt out;
- The most appropriate legal basis (under Article 6 of the UK GDPR) for processing personal data using the soft opt-in exemption is legitimate interests. Charities should carry out a legitimate interests assessment to identify their interests and balance them against the impact on individuals’ rights and freedoms;
- Even where the law allows marketing messages, charities should act carefully and avoid sending messages that could cause distress, particularly in sensitive situations. For example, if you’ve got people’s contact details through a crisis intervention service.
- Charities should also review the Information Commissioner’s Office’s (ICO) recent guidance on how the soft opt-in should be used in practice.
2. Legitimate interest rules have been updated
What’s changed?
Before the DUAA, if a charity wanted to rely on ‘legitimate interests’ as its lawful basis under the UK GDPR, it had to do a three-part assessment. This is often called a Legitimate Interests Assessment or LIA.
A LIA covers:
- what [a charity’s] legitimate interest is;
- whether using the personal data is necessary for that purpose; and
- balancing its interests against the rights of the individuals whose personal data is being processed.
The DUAA introduces a new concept called recognised legitimate interests. For certain listed purposes charities can rely on legitimate interests without doing the usual ‘balancing’ step (step 3).
These listed purposes include preventing or detecting crime and safeguarding vulnerable people.
Charities still need to be clear about:
a) which recognised legitimate interest applies and
b) why the processing is necessary for that purpose.
What this means for charities
- This will benefit charities that wish to rely on legitimate interests in a limited set of circumstances.
- However, if your charity is processing special category data (for example, data relating to race, health, religion, ethnicity, or philosophical beliefs) or criminal convictions data, you’ll still need to rely on one or more of the appropriate special conditions to do so.
- Article 9 of UK GDPR and the Data Protection Act 2018 set out the special conditions organisations can rely on to process special category data. These include an individual’s explicit consent, compliance with employment obligations and protection of the vital interests of an individual.
- Article 10 of UK GDPR and the Data Protection Act 2018 set out special conditions for processing criminal convictions data. For example, processing it to comply with employment obligations, for health or social care purposes, or to prevent unlawful acts.
- There may also still be work to do to make sure the relevant data is being processed lawfully, even if a recognised legitimate interest applies.
3. There’s a more risk-based approach to international data transfers
What’s changed?
Does your charity send personal data outside the UK – to a supplier or a partner charity abroad, for example? If so, you may need to carry out a transfer risk assessment to assess the data protection risks of the transfer.
The DUAA builds on the UK’s existing approach by saying organisations should act “reasonably and proportionately” when assessing whether the protection people receive overseas is not “materially lower” than the protection under UK GDPR. This involves taking into account safeguards like standard contractual clauses and any relevant local laws and practices.
What this means for charities
This part of the law reiterates the UK’s risk-based approach to transfer risk assessments, already set out in the ICO guidance on international data transfers.
Remember, if your charity is subject to both EU and UK GDPR, you’ll still need to carry out the more detailed EU-standard transfer risk assessment for personal data subject to the EU GDPR.
4. The scope of Data Subject Access Requests (DSARs) is changing
What’s changed?
A Data Subject Access Request (DSAR) is a formal request allowing people to access their personal data held by an organisation.
The DUAA makes it clear that when an organisation receives a DSAR, it’s only required to conduct a “reasonable and proportionate search” for the personal data. ICO guidance specifies that, when considering what a “reasonable and proportionate search” is, organisations should consider:
- the circumstances of the request;
- the volume of information it may need to search in order to respond;
- any difficulties involved in finding the information; and
- the fundamental nature of the right of access.
What this means for charities
This may be useful if your charity receives a request involving a lot of data, especially if the requester refuses to clarify the specific information they need.
5. There’s a new right to complain
What’s changed?
The DUAA introduces a formal right for individuals to complain directly to an organisation about how it uses their personal data. Organisations must make it easier for people to complain – for example, by providing a complaint form that can be completed electronically. You must also acknowledge complaints within 30 days, and respond without undue delay. The ICO may refuse to act on a complaint if the individual has not complained to the organisation first.
What this means for charities
If your charity doesn’t already have a clear complaints route for data protection, now’s the time to set one up. Always make sure your team knows what to do when a complaint comes in.
6. Rules around cookies have changed
What’s changed?
Before the DUAA, organisations generally needed consent before placing cookies on a user’s device (except for strictly essential cookies required to enable the website to function correctly).
The DUAA widens the types of cookies that do not need consent, including cookies used to:
- improve a website using basic statistics;
- enable the appearance or function of a website to reflect user preferences (such as layout or language);
- protect security and prevent fraud; and
- identify someone’s location in an emergency.
However, for some of these cookies, individuals must still be told what they’re used for and be given a clear way to opt out from them being placed on their device.
What this means for charities
This may be helpful if your charity uses cookies purely for functionality rather than (for example) advertising. However, for advertising cookies, analytics cookies and the like, not much will change, as consent is still required.
Remember, fines for breaching PECR are being brought into line with fines under the UK GDPR. They’ll increase significantly from the current maximum of £500,000 up to £17.5 million or 4% of global annual turnover, whichever is greater.
7. Automated decision-making is now less strict
What’s changed?
The DUAA has made rules on automated decision-making less strict.
Previously, solely automated decision-making that had significant effects on individuals was prohibited, except in specific circumstances.
The DUAA limits this general prohibition to cases where special category data is involved. It allows automated decision-making in certain limited circumstances (for example, where an individual has given consent or where it’s needed to perform a contract).
However, even where special category data is not involved, certain safeguards should still be in place. For example, telling individuals about automated decision-making that affects them and allowing them to challenge it.
What this means for charities
- Charities are increasingly using AI – in recruitment processes, for example. The DUAA provides a more permissive framework for automated decision-making used in AI. However, charities should still be mindful when making significant decisions about individuals using automated means and should carry out appropriate safeguarding.
- Charities should be particularly cautious when using any special category data (like health data or ethnicity data) to make an important decision about people.