Soft opt-in guidance for fundraising ~ Sailfin

There’s new guidance for fundraising around the use of ‘soft opt-in’ marketing. The ICO has updated its detailed guidance on electronic mail marketing, including a new “charitable purposes soft opt-in” introduced through the Data (Use and Access) Act 2025 (see the ICO’s updated guidance).

For charities, it’s tempting to see this as a green light to email or text more people, more often. It isn’t.

Used well, soft opt-in can help you build a more consistent, better supporter experience. Used carelessly, it can drive complaints, opt-outs, and reputational damage.

The guidance from the ICO and the Fundraising Regulator sets out the changes with soft opt-ins, and a practical way to decide whether soft opt-in is appropriate in any given situation.

The changes, and why it matters

In April 2026, the ICO updated its guidance on direct marketing using electronic mail. One headline change is a new soft opt-in for charitable purposes in PECR regulation 22(3A), which allows charities to send direct marketing by electronic mail without consent if certain requirements are met (as explained in the ICO’s guidance).

The Fundraising Regulator has also refreshed its data privacy guide for fundraisers and has signalled that it will publish a fundraising marketing guide covering responsible use of charitable soft opt-in in practice (as reported by the Fundraising Regulator).

The opportunity is real. Charities relying on “hard” opt-ins can have fragmented, confusing, and overly-transactional supporter journeys. But the risk is just as real: if people feel “I never agreed to this”, your fundraising might be lawful on paper and still feel wrong in practice.

Soft opt-in fundraising guidance in brief

The guidance is clear that soft opt-in is not a workaround for consent (whether fundraising or other areas). It’s a limited exception that can apply in specific circumstances, where:

You have an existing relationship with someone.
Your message is relevant to that relationship.
You were clear at the point you collected the contact details that you would use them for marketing, and you offered an easy opt-out.
You include an easy opt-out in every message.

The new charitable purposes soft opt-in is an additional route for charities, but it still relies on the same underlying idea: marketing should be expected, proportionate, and easy to stop.

What stays the same (the non-negotiables)

Whatever the new rules allow, the basics don’t change.

1) Respect and trust still matter

Fundraising success depends on public trust. A “can we?” mindset is not enough. You also need a “should we?” lens.

The Fundraising Regulator is explicit that while soft opt-in may strengthen relationships and support fundraising, organisations should avoid using it in ways that damage public trust and confidence (see the Fundraising Regulator’s update).

2) PECR and data protection still work together

The ICO’s guidance is about PECR rules for electronic mail marketing, and it also flags the relationship between PECR and data protection rules (see the ICO’s guidance).

In practical terms, it means you need to think about:

PECR: whether you can send marketing by email or SMS, and on what basis.
Data protection: what lawful basis you rely on for processing, what you tell people, and how you manage their rights and expectations.

3) People must be able to opt out easily

This is the simplest “trust test” there is. Every message needs a clear, working opt-out, and you need to action opt-outs quickly and reliably.

A practical decision tree: can we rely on soft opt-in here?

When you’re deciding whether soft opt-in is appropriate, start with these questions.

1) What is the relationship?

Be specific. “They’re in our database” is not a relationship.

Examples of clearer relationship descriptions:

They donated to an appeal last month.
They signed up to a newsletter at an event.
They registered for a fundraising challenge.
They volunteered and gave their email for shift updates.

The closer and more recent the relationship, the more likely marketing will be expected. The more distant or unclear it is, the more you should lean towards explicit consent.

2) How did you collect the contact details, and what did you tell them?

Your data collection wording matters more than ever.

If someone gave their email to get a receipt, and nothing else was said, then marketing will feel like a surprise. If someone signed up on a form that clearly explained what they would receive and how to opt out, the message is much more likely to be expected.

3) What exactly are you sending?

It helps to define message types, for example:

Service messages: receipts, event logistics, supporter care, admin.
Fundraising marketing: appeals, regular giving asks, upgrade journeys.
Other marketing: events, volunteering, campaigns, merchandise.

Soft opt-in should not become a blanket permission for everything. The more “sales-like” or unexpected the message, the higher the bar.

4) Who is the sender, and are partners involved?

Be careful with suppliers and partners. Even if you outsource email sends, you still need clarity on:

Who is the sender (what name and domain the email comes from).
Who decides content and audience.
Who holds suppression lists and how they are applied.
Who receives complaints and how they are handled.

If anything here is fuzzy, pause and tighten it up before sending.

The trust-first checklist (copy/paste)

Use this before any campaign you plan to send under soft opt-in.

A) Evidence and wording

[ ] We can evidence how and when the person gave us their contact details.
[ ] Our sign-up or donation forms clearly explain what messages people will receive.
[ ] The wording includes a clear opt-out at the point of collection (where applicable).
[ ] We’ve documented which journeys we believe qualify for soft opt-in, and why.

B) Suppression and preference management

[ ] Opt-outs are recorded centrally (not in individual tools).
[ ] Suppression lists are applied to every send (including “test” sends).
[ ] Complaint handling is clear and monitored.
[ ] We have a process to honour “do not contact” requests across all channels.

C) Content and frequency safeguards

[ ] The content is relevant to the person’s relationship with us.
[ ] The frequency is proportionate (we’ve set sensible caps).
[ ] The first message in any journey sets expectations (“why you’re receiving this”).
[ ] Every message includes a clear, working opt-out.

D) Governance and risk

[ ] We’ve completed an internal risk check for trust and supporter impact.
[ ] Data protection lead/DPO has reviewed the approach where needed.
[ ] Senior sign-off is in place for higher-risk journeys (eg new audiences, new channels, significant frequency change).
[ ] We can monitor outcomes (opt-outs, complaints, spam reports, engagement) and stop quickly if needed.

Common pitfalls (and how to avoid them)

Pitfall 1: Treating soft opt-in as “permission to market”

Soft opt-in is conditional. If you can’t clearly explain why the person would expect the message, reconsider.

Avoid by:

Writing down the “expectation statement” for each journey, for example: “Because you donated to X, we’ll send you Y updates and offers to support again. You can opt out at any time.”

Pitfall 2: Over-relying on legacy data

Older lists often have weak evidence: missing sign-up wording, unclear sources, incomplete preference history.

Avoid by:

Segmenting by source quality and recency.
Re-permissioning where appropriate.
Using soft opt-in, if at all, only for the strongest segments.

Pitfall 3: Making opt-out hard to find

If someone has to hunt for it, you’re increasing complaints and harming trust.

Avoid by:

Putting unsubscribe in a consistent place.
Using plain labels (“Unsubscribe”, “Stop these emails”).
Ensuring opt-out works on mobile.

Pitfall 4: Letting frequency creep up

Even people who like your charity can feel overwhelmed.

Avoid by:

Setting frequency caps by audience and journey.
Treating “pause” as a success metric (eg reducing fatigue).

What to do now (a sensible 30-day plan)

Audit your contact capture pointsCheck donation forms, event sign-ups, volunteer forms, and offline data capture. Make sure the wording is clear and consistent.
Map supporter journeysDefine what someone should receive after each key action (donate, event registration, enquiry, etc.). Be explicit about what is service messaging vs marketing.
Define your “soft opt-in eligible” segmentsBe cautious. Start with a narrow, high-confidence group where expectation is strongest.
Run a small, transparent testStart with one journey, keep messaging modest, and monitor opt-outs and complaints closely. If metrics move the wrong way, stop and adjust.
Document your approachKeep a short internal note that explains what you’re doing, why, and how you’ll protect trust. This makes it easier for trustees and leadership to provide oversight.

If you need a practical starting point for the wider income picture as you plan journeys and stewardship, this overview of income generation strategy for charities can help.

If in doubt

The ICO’s updated guidance is the authoritative source on the electronic mail marketing rules and how the new charitable soft opt-in works in practice (see the ICO’s guidance).

The Fundraising Regulator’s refreshed resources are designed to help fundraisers comply with the Code and the law, and they’re clear that their guidance should sit alongside the ICO’s, not replace it (see the Fundraising Regulator post).

If you’re in doubt, treat “expected, respectful, and easy to stop” as the minimum standard, even if your legal interpretation suggests you can do more.

If you want a quick, practical sanity-check of your sign-up wording and comms journeys against the updated ICO guidance, Sailfin can help you review what you currently do and build a trust-first approach you can implement without slowing down fundraising. Start with our fundraising and income generation support and, if trustees or senior leaders need clearer oversight, our governance and assurance support. You can also get in touch here.