UK Charity Soft Opt-In Compliance Toolkit
DUAA-Compliant Consent for £29/mo
Executive Summary
In a nutshell
A guided web tool that helps UK registered charities adopt the new “charitable purpose soft opt-in” without getting fined. Re-collect lawful consent from existing supporters, maintain split marketing lists (consent vs. soft opt-in vs. legacy), generate a compliant privacy notice, embed sign-up forms with the right wording, and audit-trail every send. Built specifically for the regime that came into force on 5 February 2026 under the Data (Use and Access) Act 2025. Target: the long tail of ~171,000 UK registered charities whose CRMs (Donorfy, Beacon, Salesforce NPSP, Blackbaud) have left the new regime as a “configure it yourself” exercise. Pricing: free audit + £29/mo core. Hard regulatory deadline + zero charity-specific SaaS in this exact lane + DMA estimates the regime is worth £290m/yr in extra donations = real money on the table.
The Story
Meet the user

Aisha is the part-time fundraising manager at a Bristol-based youth charity. £180k income, twelve thousand contacts on her Mailchimp list, no DPO and no budget for OneTrust (which a colleague at a bigger charity told her quoted them £17,000 a year, up from under a grand). Her CEO forwards her a Bates Wells briefing on a Monday morning: the new soft opt-in is live as of 5 February, but you can’t use it for anyone you collected before then. Aisha stares at her Mailchimp list. Twelve thousand contacts. She has no idea which ones gave consent, when, or for what. She spends Tuesday and Wednesday night Googling “charity soft opt-in” and reads ten different solicitors’ explainers, all saying roughly the same thing in slightly different words. None of them actually tell her what to do.
Then a fellow fundraising manager in a CIOF Slack channel drops a link: paste your CSV, get a pre-flight audit, click “send re-consent campaign”, get a colour-coded list and a downloadable evidence pack. Aisha tries it on Thursday at 8pm. By 9.15pm she has a 3-tier breakdown of her list (consent OK / soft opt-in eligible / re-collect needed), a templated re-consent email with the right legal wording, a fresh privacy notice for her website, and a PDF audit log she could hand to the ICO tomorrow. She pays £29. She emails her trustees a one-line update that ends with “we’re sorted”. They reply with three thumbs-up emoji, which is unprecedented.
Scores
How does this idea stack up?
8.0/10
~171,000 UK registered charities, every one of them in scope; DMA estimates the regime unlocks £290m/yr in extra donations — real revenue at stake for buyers
Acute, time-sensitive, regulator-enforced; 10+ legal firms have published explainers because charities are scrambling; Penny Appeal precedent (ICO enforcement notice 2024) is fresh in DPOs’ minds
Vanilla SaaS — Next.js + Supabase + Stripe + email API. No regulated data processing; the tool helps charities, doesn’t hold sensitive data centrally
New rules went live 5 Feb 2026; Fundraising Regulator guidance landing now; ICO consultation closed Q4 2025; the window is open right now
Initial scramble is 12-18 months; ongoing audit/preference-management need is permanent but lower-acute. Risk: incumbent CRMs ship the feature in 2027 and absorb the category
Low barrier — small build, no special infra, no licences. Solo dev can ship MVP in 3-4 weeks
Strongest
Timing + Pain
A hard regulatory line in the sand combined with active fear of ICO fines is as close to forced demand as you ever get.
Watch out
Durability
This is a “land hard, expand to adjacent compliance” play. If you don’t ship a privacy ops platform on top of the soft opt-in toolkit by month 12, the window closes.
Pain Point
The problem
“Charities must ensure their systems can track the provenance of supporter data to distinguish between contacts collected before and after 5 February 2026… the ICO expects charities to keep separate lists for supporters who receive electronic marketing based on consent and supporters who receive electronic marketing under the charitable-purpose soft opt-in.”
— Womble Bond Dickinson briefing, Feb 2026
Provenance is unknown. Most small charities have years of contacts in Mailchimp, an Excel sheet, an old Donorfy/Beacon/Salesforce instance, and a Google Form. Almost none of them have a clean field marked “consent date / consent text / lawful basis” against every record.
Re-collection is mandatory if you want to use the new regime for legacy contacts — the ICO has been explicit, and failure is a PECR breach.
Two parallel lists must be maintained forever. Consent-based supporters and soft opt-in supporters cannot be merged for marketing — every send needs the right legal basis applied.
Privacy notices have to change too: the point-of-collection notice now has to set up the soft opt-in correctly, including a clear opt-out at collection and in every send.
The ICO is actively enforcing PECR against charities; Penny Appeal received an enforcement notice in March 2024 for sending 460,000 unsolicited texts. DPOs at every charity remember this.
Cost of incumbent enterprise tools has spiked. OneTrust reportedly raised some non-profit annual fees from <£1k to £17k+. The mid-market is structurally underserved.
CRMs have punted the spec — Beacon, Donorfy (now part of Access Group), Salesforce NPSP and Blackbaud all track preferences but none ship a packaged “soft opt-in compliance” workflow out of the box. They leave it to the customer to figure out.
The DMA estimates the new regime unlocks £290m/yr in additional charity donations — but only for charities that adopt it correctly. That’s the value at risk and the buyer’s reason to act.