Data protection law changes for charities: complaints and marketing under the DUAA
The Data (Use and Access) Act 2025 (DUAA) makes a number of changes to the UK's data protection framework, which has been largely unchanged since the GDPR and Data Protection Act 2018 came into force. While many of those changes apply to all organisations that handle personal data, the DUAA introduces two key changes of practical significance for charities:
- a new statutory regime for data protection complaints; and
- a new charitable purpose soft opt-in for certain electronic marketing communications.
For many charities, these changes will not require a complete overhaul of existing systems. However, they do mean that charities should review how they handle data protection complaints, how they collect supporter contact details, and how they explain electronic marketing to donors, volunteers and others who engage with their work.
New data protection complaints rules for charities
Reflecting a broader trend of increased scrutiny and rising volumes of data protection complaints, the DUAA gives individuals a statutory right to complain directly to an organisation about how it has handled their personal data.
From 19 June 2026, all data controllers, including charities of all sizes, must have a process for receiving and responding to these complaints. The aim is to make sure individuals have a clear and accessible way to raise concerns before escalating matters to the Information Commissioner's Office (ICO).
In practice, many charities will already be used to dealing with data protection concerns and complaints. For example, a supporter, beneficiary or former employee may complain about how a subject access request has been handled or how their personal data has been used. The ICO has long expected organisations to engage with and respond to data complaints as a matter of good practice and encouraged data subjects to engage in this way before escalating matters to the regulator.
The DUAA does not fundamentally change those expectations. What it does is put the requirement on a formal statutory footing and standardise how complaints must be received and handled.
What are the new data protection complaints requirements?
The ICO has published updated guidance on how organisations should deal with data protection complaints. While the precise approach will vary depending on the size, structure and available resources of the charity, in broad terms, charities must do the following:
- Provide a clear route for complaints
Charities must give individuals a way to make a data protection complaint. This could be through an electronic form on their website, but equally acceptable alternatives include a dedicated email address, an online complaints portal or telephone contact details.
A charity may encourage individuals to use a particular channel, but it should not reject a complaint simply because it was made in a different way.
- Acknowledge complaints within 30 days
Every data protection complaint must be acknowledged within 30 days of receipt. The law does not prescribe the exact wording or format of the acknowledgement, but it should make clear that the complaint has been received and will be considered.
- Investigate and respond without undue delay
Charities must take appropriate and proportionate steps to investigate and respond to each complaint. What is appropriate, and the time taken to respond, will depend on the circumstances of the complaint, including the complexity of the complaint and any potential risk of harm to the individual.
A charity should be able to explain and justify the approach taken in each case. This makes good record-keeping important, particularly if the complaint is later referred to the ICO.
- Keep complainants updated
Charities should keep complainants informed about progress – in practice, this means communicating expected timescales and explaining the reasons for any delay.
- Provide a clear outcome
Once the complaint has been considered, the charity must clearly explain the outcome. This should include what the charity has done to address the concern and any action it has taken as a result. In straightforward cases, it may be possible to acknowledge and resolve the complaint within the same 30-day period.
What should charities do now about data protection complaints?
If not already in place, charities should consider the following practical steps:
- Put a written complaints procedure in place. If organisations do not already have one, a clear written complaints procedure helps individuals understand how to complain and reduces the likelihood of escalation to the ICO.
- Integrate data protection complaints into existing complaints processes. The ICO has confirmed that organisations do not need a standalone process for data protection complaints, provided their existing process enables them to meet their data protection obligations. Therefore, a charity may integrate data protection complaints into its existing processes.
- Update privacy notices. Privacy notices should explain how individuals can raise a data protection complaint and provide relevant contact details. A brief summary of the procedure may be helpful, though not mandatory.
- Train staff and trustees. Those who may receive complaints should understand what a data protection complaint looks like and how to route it internally.
- Keep clear records. Given that individuals are increasingly expected to exhaust their options with an organisation before approaching the ICO, good record-keeping will be essential in demonstrating that complaints have been handled appropriately and in line with the statutory requirements. This will help ensure organisations are well placed to explain the matter to the ICO as needed.
New charity marketing soft opt-in: when can charities use it?
The second key change is the new charitable purpose soft opt-in, which has been available since 5 February 2026.
The Privacy and Electronic Communications Regulations 2003 (PECR) have been amended to bring charities closer to the position that commercial organisations have long operated under. In certain circumstances, charities can now send electronic marketing communications without first obtaining consent.
For more detail on the background to this change, see our earlier article, The marketing “soft opt-in” for charities: an exciting opportunity?
This is a significant opportunity for charities, particularly those that want to keep supporters informed about their work, fundraising campaigns or volunteering opportunities. However, the soft opt-in is not a general exemption from consent. It only applies where specific conditions are met.
When can charities rely on the charitable purpose soft opt-in?
A charity may send direct marketing emails, texts or other electronic messages without prior consent only where all the following conditions are met.
- The communication must further the charity's purposes
The sole purpose of the communication must be to further one or more of the charity’s charitable purposes.
- The contact details must have been collected through interest or support
The individual's contact details must have been collected when they expressed an interest in the charity's charitable purposes, or when they offered or provided support to further those purposes – such as by donating, volunteering or requesting information.
This second requirement is a key threshold condition, and not every interaction with a charity will meet this test. There must be a clear and reasonable basis for concluding that the individual is engaging with the charity’s mission, rather than simply interacting on a transactional or incidental basis. For example, requesting information about the charity’s work or participating in fundraising activities is likely to indicate sufficient interest or support, whereas providing contact details for a purely administrative purpose is unlikely to do so.
While donors and volunteers will typically be regarded as providing support, charities should take care in more marginal situations. Not all purchases or payments indicate support for charitable purposes; in some cases, the individual may simply be acting as an ordinary consumer. The key question is whether, in context, the interaction can reasonably be understood as contributing to or supporting the charity’s mission, rather than a purely transactional exchange.
Charities should also exercise caution where individuals are receiving support or services. It should not be assumed that such individuals have expressed any interest in the charity’s broader purposes solely by receiving support, particularly where they may be in a vulnerable situation.
- The individual must have a clear opportunity to opt out
The individual must have been given a clear and simple opportunity to opt out at the point their details were collected. The charity must also include an easy opt-out in every subsequent message.
What should charities do before relying on the soft opt-in?
Charities intending to rely on the charitable purpose soft opt‑in should take the following steps.
- Update privacy notices. Charities must update their privacy notices to explain how personal data will be used for electronic marketing. This is a mandatory requirement for relying on the soft opt‑in.
- Review data collection points. Charities should review all points at which they collect contact details, including donation forms, event sign-ups, volunteering forms and online enquiry forms. At each point, they should check whether individuals are given a clear opportunity to opt out of electronic marketing.
- Check which contacts are in scope. The soft opt-in does not apply retrospectively. Charities may only rely on it for contact details collected after the change came into force, and only where the relevant conditions were met at the point of collection. Where a charity already has valid consent to send electronic marketing, it may continue to rely on that consent.
- Train staff and update internal guidance. Fundraising, communications, supporter engagement and service delivery teams should understand when the soft opt-in may be used and when consent is still needed. Internal guidance should include examples of lower-risk and higher-risk scenarios, particularly where contact details are collected through services, events, purchases or other mixed-purpose interactions.
Using the soft opt-in: further guidance
While this change presents an exciting opportunity, uptake across the sector is likely to be gradual, particularly as charities take time to assess the risks and update their processes.
The ICO has updated its PECR guidance to help charities make use of the new soft opt-in. The Fundraising Regulator is also due to issue new guidance on fundraising marketing, which will include information about how the charitable purposes soft opt-in can work in practice.
Other DUAA developments charities should note
The DUAA introduces a number of further changes relevant to charities beyond those covered above. For example, it broadens the scope of restrictions on live direct marketing calls. A 'call' now includes any attempt to establish a connection, whether or not the call is answered or successfully connected. This means PECR may apply even where a marketing call fails to reach the intended recipient.
As a result, organisations may face enforcement action where live direct marketing calls are attempted in circumstances that would have breached PECR if the call had connected. This may be relevant, for example, where a number is registered with the Telephone Preference Service or otherwise subject to a restriction.
The DUAA has also increased potential penalties under PECR, aligning them with UK GDPR. Fines can now be up to the greater of £17.5m or 4% of an organisation’s total worldwide annual turnover.
These changes may have practical implications for how charities operate, and charities should review the DUAA and their existing practices to ensure ongoing compliance.
How we can help
We advise charities on all aspects of data protection, privacy and direct marketing compliance, including complaints handling, privacy notices, fundraising communications and supporter engagement.
If your charity is considering how the DUAA affects its current practices, we can help you assess the changes, update your processes and put proportionate, practical guidance in place.
This publication is a general summary of the law. It should not replace legal advice tailored to your specific circumstances.
© Farrer & Co LLP, June 2026