The guidance picture is now complete. Here’s what charities should do next.
When the ICO published its final guidance on the charitable purposes soft opt-in in April (2026), I wrote about what it meant in practice: fix your data capture, treat first engagement as the start of a relationship and get your compliance documentation in order before you do anything else.
This week (23 June 2026), the Fundraising Regulator published its own guidance on soft opt-in and fundraising marketing. While the ICO tells charities what the law requires, the Fundraising Regulator tells them how using it sits alongside the Code of Fundraising Practice. Together, they represent the complete picture and charities now have everything they need to make a considered, compliant decision about whether to proceed.
So, what does the Fundraising Regulator’s guidance add?
It’s a compliance layer, not a replacement
The Regulator is clear: its guidance doesn’t override the ICO. What it adds is a Code lens, questions about whether your use of soft opt-in is not just lawful but also responsible and transparent. Both regulators can take action independently. The maximum fine for a PECR breach under the Data (Use and Access) Act 2025 now stands at £17.5m or 4% of global annual turnover. A Code breach means a complaint upheld against you and published.
The Regulator’s examples are where the guidance earns its keep. The example of a debt management charity concluding its service users’ rights outweigh its own interest in sending fundraising emails is important. Soft opt-in is likely to apply to people who are expressing interest in or offering support to a charitable purpose, not to people seeking support themselves. Charities with mixed audiences need to be precise about which data sits in which category.
Third-party restriction is where charities may trip up
Both regulators are emphatic here and it’s the area I think is most likely to catch charities out. Soft opt-in is only likely to apply where the charity collected the data directly from the individual. If a third party collected it, soft opt-in will generally not apply.
Charities with trading subsidiaries should also consider which entity collected the data. The charitable soft opt-in is unlikely to apply simply because a subsidiary is charity-owned and the specific facts of how data was collected will determine which provision, if any, is available.
This has a direct bearing on how charities should think about their data. The opportunity is significant: Wood for Trees analysis estimates soft opt-in could unlock up to £290m in additional annual income for the sector. But that opportunity is only accessible through a charity’s own first-party data. Not through aggregated lists, not through platforms, not through bought data.
That means the charities that will benefit most are the ones that have already invested in building direct, permissioned relationships with their supporters. At PDV, we help charities do exactly that – building and enriching their own supporter data through everyone – a consumer data platform, which provides a 360-degree view of UK households underpinned by first-party, permissioned data.
Personas aren’t just an acquisition tool
Soft opt-in makes the quality of your understanding of your donor base more commercially important than it’s ever been. Under a consent model, you either had permission or you didn’t. Under soft opt-in, you have permission to continue a conversation, but only if that conversation is relevant and clearly connected to your charitable purpose. An undifferentiated email to everyone on your legitimate interest (LI) list is the surest way to drive up opt-outs and erode the audience you’ve worked to build.
This is where donor personas move from nice-to-have to operational necessity. Understanding whether your supporter base includes traditional givers who respond to impact-led stewardship, engaged firsts motivated by participation and purpose or win-win givers drawn to lotteries and raffles directly shapes what you send and how you frame it.
Is soft opt-in right for your charity?
The DMA lobbied hard for this change and rightly so. Charities have been at a structural disadvantage for years, unable to continue conversations with people who’d already shown genuine interest in their cause.
But the Fundraising Regulator echoes what the ICO was also clear about: this isn’t a reason to abandon consent. If your consent-based programme is working well, the case for change isn’t obvious. If your data capture is patchy, your LIA documentation doesn’t exist and your teams haven’t been briefed on the conditions, you aren’t ready.
What the guidance tells me is the charities that will make the most of this opportunity are the ones that approach it as a data quality question first and a volume question second. Soft opt-in expands the pool of people you can legitimately contact. The value of that pool depends entirely on how well you understand it and how relevant your communications are.
The regulatory framework is now in place. The question is whether your data foundation is.
