The much anticipated Data (Use and Access) Act 2025 ('DUAA') received Royal Assent on 19 June 2025.
While not overhauling UK data protection law, DUAA provides potentially helpful updates including extending the 'soft opt-in' exemption under the Privacy and Electronic Communications Regulations 2003 to the charity sector, making it easier for fundraising charities to contact registered supporters about appeals and campaigns by electronic means.
The key information for charities regarding the soft opt-in is:
- The extended exemption only applies to organisation falling within the UK statutory definition of a charity. It does not take effect immediately and will formally come into force over the next 12 months via secondary legislation.
- Charities will be permitted to send marketing communications to supporters via 'electronic mail', such as email, SMS or WhatsApp messages, where these are for the sole purpose of furthering one or more of the charity's charitable purposes.
- The contact information for the supporter must be obtained in the course of the supporter expressing an interest in one or more of the charity's charitable purposes (or providing support to the charity in connection with the same).
- The supporter must still have a simple means of opting-out of receiving such communications at the time when their details were collected and in any subsequent messages.
- The soft opt-in is not intended to apply retrospectively. It should apply only to supporters recruited by the charity following the new rules taking effect, although it may apply to certain existing active supporters, depending on the nature of their relationship with the charity.
- Charities should therefore be careful not to see this as opening the doors to electronic fundraising communications now being freely sent to all existing supporters on their CRM database, since many of them would have been signed up under previous rules.
DUAA is wide-ranging legislation and will impact other aspects of charities' and other organisations' data protection compliance. For instance, it broadens the scope under which personal data may be used for scientific research purposes; introduces new categories of 'recognised' legitimate interests – for example, personal data being processed for responding to emergencies - without requiring a privacy balancing test; clarifies obligations around data subject access requests (e.g. that only reasonable and proportionate searches are required) and, subject to further secondary legislation, is likely to lead to the relaxation of consent requirements in respect of the use of less privacy intrusive website cookies.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
