What Does My Charity Need To Do To Stay Compliant With New Privacy Rules?

Fifty2M

July 4, 2025

UK data privacy rules are changing, and are likely to impact your charity especially if you process sensitive classes of personal data. To maintain compliance, you should review and update your privacy and cookie policies and notices, conduct and document Legitimate Interest Assessments, audit your data collection and usage, and ensure GA4 Consent Mode is working. To minimise negative impacts, you'll need to adapt your advertising strategies on key platforms.

The digital world is constantly evolving, and with it, the rules governing how we use data. For UK charities, staying abreast of these changes isn't just about compliance; it's about protecting your beneficiaries and benefactors, maintaining trust, and ensuring your vital work continues to reach those who need it most.

Recent legislative developments, particularly the Data Use and Access (DUAA) Act and the Digital Markets Act (DMA), are set to significantly impact how charities engage with their audiences online, especially concerning analytics, advertising, and fundraising.

This blog post will break down what these changes mean for your charity, anticipated impacts on tools like GA4, Google Ad Grants, and Facebook Ads, and crucial steps you can take to maintain compliance while minimising disruption to your audience engagement strategies.

Understanding the Key Players: DUAA and DMA

The Data Use and Access (DUAA) Act: This is a significant piece of legislation that amends both the UK GDPR and the Privacy and Electronic Communications Regulations (PECR). It aims to refine and clarify data protection laws, with some notable changes that will directly affect charities:

  • Soft Opt-In for Charities: A major positive for charities is the expansion of the "soft opt-in" exemption under PECR to include charity fundraising. This means you may be able to send email and SMS marketing to individuals whose contact details you collected during a previous engagement (e.g. a donation or event sign-up), even without explicit consent for marketing, provided you offer a clear opt-out in every communication. However, a lawful basis for processing under UK GDPR is still required, with legitimate interest being the most likely route, and this will necessitate a robust Legitimate Interest Assessment (LIA);

  • Changes to Cookie Consent: The DUAA Act introduces exemptions for certain 'low-risk' cookies that are not considered strictly necessary. This includes cookies used for statistical/analytics purposes to improve services, system security, fraud detection, and enhancing website functionality. This aims to reduce 'cookie fatigue' and streamline the overall user experience. However, it's crucial to understand which cookies still require consent;

  • Increased PECR Fines: To align with UK GDPR, the maximum fines for PECR infringements have been substantially increased to up to £17.5 million or 4% of annual global turnover, underscoring the importance of compliance;

  • Data Breach Notification Alignment: The timeframe for notifying the ICO of a personal data breach under PECR is now aligned with UK GDPR, requiring notification within 72 hours of becoming aware of the breach.

The Digital Markets Act (DMA): While primarily aimed at large 'gatekeeper' tech companies (like Google and Meta), the DMA will have a ripple effect on how platforms operate and, consequently, how charities can use their advertising tools.

  • Impact on Personalised Advertising: The DMA imposes restrictions on how gatekeepers can combine and use personal data across their different services for advertising purposes. This could lead to limitations on highly personalised or behavioural advertising, which relies heavily on tracking user activity across multiple platforms;

  • "Pay or Consent" Models: The European Commission has already challenged Meta's 'pay or consent' model, which offered users a choice between paying for an ad-free service or consenting to data processing for personalised ads. You may have also seen this being introduced by many news media websites. The EU position indicates a stricter approach to ensuring genuine user consent and could lead to further adjustments in how platforms offer their services;

  • Subscription Contracts and Gift Aid: For charities with membership or subscription models, the DMA's consumer protection elements, particularly the new rules around 'subscription contracts', could have significant implications. These include new rights for consumers to terminate subscriptions and the potential impact on claiming Gift Aid on membership payments where the consumer receives something in return.

Anticipated Impacts on Your Digital Tools

Google Analytics 4 (GA4): GA4, with its privacy-centric design and machine learning capabilities, is better equipped to handle a cookie-less future. However, the DUAA Act's nuances regarding analytics cookies will still require your attention.

  • Reduced Granular Data: While GA4 doesn't log or store IP addresses for EU users, and allows for disabling collection of Google Signals and granular location/device data, the overall shift towards less reliance on third-party cookies and more stringent consent requirements may lead to a reduction in the granularity of data available for audience insights;

  • Emphasis on Consent Mode: GA4's Consent Mode 2 will become even more critical. Properly implementing Consent Mode allows GA4 to adjust its data collection based on user consent choices, using behavioural modelling to fill in gaps when consent is not given;

  • First-Party Data Importance: The move away from third-party cookies strengthens the need for charities to focus on collecting and utilising their own first-party data (data collected directly from your website or interactions with your organisation).

Google Ad Grants: Google Ad Grants provide a vital resource for many charities. While the core grant itself remains, the underlying mechanisms for targeting and tracking may be affected by the DMA.

  • Targeting Limitations: If the DMA further restricts cross-service data usage for advertising by gatekeepers, it could impact the precision of audience targeting options within Google Ads, including those used by Ad Grants accounts;

  • Remarketing Challenges: Remarketing (showing ads to people who have previously visited your website) relies on tracking user behaviour. While GA4 supports audience creation for remarketing, the ability to serve these ads might become more challenging if platforms face stricter limitations on data usage.

Facebook Ads: Facebook (Meta) is directly impacted by the DMA, and this will inevitably influence how charities use their advertising platform.

  • Reduced Audience Targeting Options: As seen with the EU Commission's action against Meta's 'pay or consent' model, there's a clear move towards limiting how user data is combined for personalised ads. This could lead to the removal or reduction of certain granular audience targeting options based on sensitive interests or cross-platform behaviour. If you're a health charity, for instance, it's likely you've already been told that your website has been categorised under 'health and wellness' and that you've lost some tracking functionality and even the ability to run ad campaigns with lower funnel objectives (such as leads, purchases, website registrations, and donations);

  • Increased Focus on First-Party Data & Engagement: Charities will need to rely more heavily on their own first-party data (e.g. email lists, website visitor data through the Meta Pixel with proper consent) to create custom audiences and lookalike audiences. Engaging content that encourages direct interaction will be crucial to build these valuable data pools.

Steps for Your Charity to Take in Response to Changing Privacy Laws

There are several steps you need to take to make sure your charity remains compliant with emerging privacy laws, while also allowing you to benefit from some of the relaxations being introduced and minimising the negative impacts that are also going to arise.

  1. Review and Update Your Privacy Policy and Notices:

    DUAA Act (Soft Opt-In): Clearly articulate your lawful basis for processing personal data for marketing, especially if you intend to rely on legitimate interest for the soft opt-in. Your privacy policy should explain how you conduct LIAs;

    Cookie Consent: Ensure your cookie banner and policy are updated to reflect the DUAA Act's new exemptions for certain cookies. Be transparent about what cookies are used for and provide clear options for users to manage their preferences;

    Data Rights: Reiterate individuals' rights under UK GDPR (and the DUAA Act's complaint handling obligations) and provide clear mechanisms for exercising them.

  2. Conduct Legitimate Interest Assessments (LIAs):

    If you plan to utilise the soft opt-in for charitable fundraising under PECR, a thorough and documented LIA is essential. This demonstrates that your processing is necessary for your charitable goals and that your interests outweigh the individual's rights and freedoms.

  3. Audit Your Data Collection and Usage:

    First-Party Data: Prioritise collecting and leveraging first-party data directly from your supporters through sign-ups, donations, and direct interactions;

    Data Minimisation: Only collect the data you truly need for your charitable purposes. Review existing data to ensure it's still relevant and necessary. The same applies to data shared via Google and Facebook tracking code - avoid using website URL slugs, form names and form fields, and custom event names that could convey implied personal information (for instance, if you're a health charity that provides trauma counselling and you use a website to sign up potential users of your free, confidential service, avoid using a page like yourcharity.com/sign-up-for-trauma-counselling with a form named Trauma Counselling Sign Up Form, and a form field like "Which of these types of trauma have you experienced") because the machine learning capabilities of platforms like Facebook are so sophisticated that they can infer personal information from the content and context of your website;

    Consent Management: Implement or refine a robust consent management platform (CMP) to effectively manage user consent for cookies and other tracking technologies in line with DUAA and broader data protection principles.

  4. Optimise GA4 Implementation:

    Implement Consent Mode: Ensure GA4 Consent Mode is correctly configured and working to respect user consent choices (deadline 21st July 2025).

    Focus on First-Party Data Collection: Leverage GA4's ability to track user behaviour across your own properties.

    Explore Predictive Audiences: GA4's machine learning can help create predictive audiences based on user behaviour, which may become more important as direct targeting options evolve.

  5. Adapt Your Advertising Strategies:

    Google Ad Grants: While some targeting may become less precise, focus on strong keyword strategies, compelling ad copy, and optimising for conversions. Explore broader targeting options and use your website content to qualify leads.

    Facebook Ads:

    • Build Strong First-Party Audiences: Upload your consented email lists to create custom audiences for targeting and lookalike audiences for expansion;

    • Engage with Content: Develop engaging content strategies that encourage interaction and build organic reach, which can then be leveraged for retargeting (with appropriate consent). This will require a greater focus on upper-funnel activity, like awareness raising and traffic generation, as well as greater use of on-Facebook lead forms;

    • Diversify Targeting: Explore other targeting options less reliant on deeply personal data, such as interest-based targeting (where still available and relevant), geographical targeting, and demographic targeting.

  6. Review Subscription Models (DMA):

    If your charity has membership or subscription offerings, carefully review them against the DMA's new rules on subscription contracts (including monthly lotteries if there's a minimum commitment of, say, 12 months). This may involve changes to how you present terms, cancellation options, and potentially the impact on Gift Aid claims. Seek legal advice if unsure.

  7. Stay Informed and Seek Expert Advice:

    The digital and regulatory landscapes are constantly shifting. Regularly check updates from the ICO, the Fundraising Regulator, and reputable legal and digital agencies specialising in charity law and data protection. Don't hesitate to seek professional advice when needed.
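As an added example that is not part of the original post, the JavaScript below brings together steps 3 and 4 above: the Consent Mode v2 default and update objects that a consent banner would pass to gtag(), and a small guard that audits dataLayer events for page paths, form names and field labels carrying an implied sensitive category (the trauma-counselling case described in step 3) and redacts them before they reach Google or Meta. The sensitive-term list, the CMP decision shape and the event field names are assumptions chosen for illustration.

```javascript
// Added example, not code from the original post: GA4 Consent Mode v2 defaults
// and updates, plus a data-minimisation guard that keeps page paths, form names
// and field labels carrying an implied sensitive category (the trauma-counselling
// case above) out of the dataLayer. Term list and field names are assumptions.

const SENSITIVE_TERMS = ['trauma', 'counselling', 'cancer', 'hiv',
  'mental-health', 'addiction', 'abuse', 'bereavement', 'refugee', 'debt'];

// Object for gtag('consent', 'default', ...): everything denied until the CMP
// reports a choice; wait_for_update holds tags for up to 500 ms for that update.
function consentDefaults() {
  return { ad_storage: 'denied', ad_user_data: 'denied', ad_personalization: 'denied',
    analytics_storage: 'denied', wait_for_update: 500 };
}

// Object for gtag('consent', 'update', ...) from a CMP decision of
// { analytics, marketing } booleans; marketing drives all three ad_* signals.
function consentUpdateFrom(choice) {
  const ad = choice.marketing ? 'granted' : 'denied';
  return { ad_storage: ad, ad_user_data: ad, ad_personalization: ad,
    analytics_storage: choice.analytics ? 'granted' : 'denied' };
}

// Lower-case and hyphenate so '/sign-up-for-trauma-counselling' and
// 'Trauma Counselling Sign Up Form' become comparable token strings.
const normalise = (s) => String(s).toLowerCase().replace(/[\s_/]+/g, '-');

// Return [{ field, term }] for each event field whose value contains a sensitive
// term as a whole token (so 'archive' does not trigger on 'hiv').
function auditEvent(event) {
  const findings = [];
  for (const [field, value] of Object.entries(event)) {
    const v = normalise(value);
    const hit = SENSITIVE_TERMS.find((t) => new RegExp(`(^|-)${t}(-|$)`).test(v));
    if (hit) findings.push({ field, term: hit });
  }
  return findings;
}

// Redact flagged fields before the event reaches GTM, GA4 or the Meta Pixel;
// returns the event as actually pushed so the caller can log what was withheld.
function guardedPush(dataLayer, event) {
  const flagged = new Set(auditEvent(event).map((f) => f.field));
  const safe = { ...event };
  for (const field of flagged) safe[field] = '[redacted]';
  dataLayer.push(safe);
  return safe;
}
```

In a live site the two consent objects are passed to gtag('consent', 'default', ...) before any tag fires and to gtag('consent', 'update', ...) once the banner records a choice, and guardedPush replaces direct window.dataLayer.push calls.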

The new data privacy landscape presents challenges, but also opportunities for UK charities to build even stronger, trust-based relationships with their supporters. By proactively adapting your data practices and digital strategies, your charity can continue to thrive and make a difference in the lives of those you serve. If you'd like help reviewing your current setup, talk to us about how we can examine your cookie consent policies and processes, your privacy notices, and your GA4 and Meta Pixel deployment, and provide advice on strategies you can consider employing to make the most of the relaxations in the regulatory changes described above whilst mitigating the tighter restrictions. Open a chat to get in touch.
