Environmental Sustainability for Small Charities - abstract artwork
guideComplianceFundraisingGovernance

Fundraising Compliance in 2026: A Guide to Regulation, Data Protection and Lawful Campaigns

Written by

Published

5 min readPublished 01/07/2026Updated 01/07/2026

Fundraising compliance sits across three regimes: the Code of Fundraising Practice, data protection law, and the specific rules for events, lotteries and collections. A practical map of what applies and where charities get caught out.

Book a free strategy call with Pilar to improve charity marketing performance.

Fundraising compliance feels complicated because it is not one thing. It is three separate regimes that all apply at once: the Code of Fundraising Practice, data protection law, and the specific legal rules that govern particular activities like raffles and public collections. Most compliance failures happen not because a charity ignored the rules but because it forgot that one of these three applied. This guide maps all three, so you know which questions to ask before you run a campaign, not after a complaint.

The three regimes at a glance

Before the detail, hold the shape of it in your head. Every fundraising activity potentially touches all three of these.

  1. The Code of Fundraising Practice: the sector standards for how you ask, maintained by the Fundraising Regulator.
  2. Data protection law: UK GDPR and PECR, which govern how you use supporter data and how you contact people.
  3. Activity-specific law: the licensing and permission rules for lotteries, collections, events, and trading.

A charity that only thinks about one of these is exposed on the other two. A perfectly Code-compliant email campaign can still break the law if it ignores PECR. A properly licensed raffle can still generate a Code complaint if the fundraising around it is misleading. Compliance means checking all three, every time.

Regime one: the Code of Fundraising Practice

The Code is the standard against which fundraising complaints are judged. It was substantially rewritten and the current version took effect in late 2024, which matters because any policy or training written before then may be out of date. The Code is not a list of technicalities. It is a set of principles about treating the public honestly and respectfully, and the areas it most often catches charities on are consistent.

  • Honesty and accuracy: any claim about how a donation will be used must be truthful and defensible.
  • Protecting vulnerable people: fundraisers must recognise when someone may not be able to make a free, informed decision to give, and act accordingly.
  • Working with third parties: professional fundraisers and commercial participators need written agreements and must make the required statements to the public.
  • Complaints: the public must be able to complain easily, and you must handle it properly before it escalates.

The Code is not a technicality to be managed. It is a written version of how a thoughtful supporter would expect to be treated, and it is enforceable.

Regime two: data protection

Every campaign that uses personal data, which is almost all of them, sits under data protection law. Two frameworks interact here: UK GDPR, which governs how you handle personal data generally, and PECR, which specifically governs electronic marketing by email, text and phone.

The points that most often trip charities up:

  • Electronic marketing to individuals generally needs consent, and a lapsed or vague consent from years ago does not meet the standard.
  • You must have a clear lawful basis for each use of data, whether that is consent, legitimate interests, or a legal obligation.
  • Opt-outs and suppression requests must be actioned promptly, and a request you ignore is a complaint waiting to happen.
  • You must be transparent, through a clear privacy notice, about what data you hold and why.

Data protection and the Code overlap deliberately. The Code expects you to respect supporters wishes about contact, and the law requires it. Getting the data side right is therefore not a separate project, it is part of fundraising properly.

Regime three: activity-specific law

The third regime is the one charities forget most, because it only applies to certain activities, and it is easy to run an event without realising a licence was needed. The rule of thumb is to break any campaign or event into its parts and check each one.

  1. Raffles and lotteries: depending on how they are run and their scale, these may need to be registered with the local authority or licensed by the Gambling Commission. A truly incidental raffle at an event has lighter rules than a standalone lottery.
  2. Public collections: collecting money or goods in public places usually needs permission from the local authority, and collecting on private land needs the landowner consent.
  3. Events with alcohol, entertainment or food: these can trigger licensing and food safety requirements quite separate from fundraising rules.
  4. Trading: selling goods or services beyond certain limits can have tax and structural implications, sometimes requiring a trading subsidiary.

None of these are onerous once you know they apply. The danger is not knowing, running the activity, and discovering the gap when something goes wrong or someone complains.

Building a routine that keeps you compliant

The way to stay compliant is not to memorise every rule. It is to build a simple habit of checking the three regimes at the point you plan any fundraising activity. A short pre-launch review, owned by a named person, turns compliance from a source of anxiety into a five-minute routine.

A practical pre-launch checklist:

  1. Does what we are claiming about this campaign stand up under the Code honesty standards?
  2. Do we have a lawful basis and valid consent for how we will contact people?
  3. Are we handling opt-outs and suppression requests properly?
  4. Does any part of this activity, a raffle, a collection, an event element, need a licence or permission?
  5. Is there a clear way for the public to complain, and someone to handle it?

Why this protects more than it constrains

It is tempting to see all of this as red tape that gets in the way of raising money. It is closer to the opposite. The charities that treat compliance as part of good fundraising, rather than an obstacle to it, are the ones that keep supporter trust, avoid the reputational damage of a published complaint, and are not scrambling to fix a problem mid-campaign. In 2026, with regulators and the public both paying close attention, a compliance routine is not a cost. It is one of the cheapest forms of insurance a fundraising charity can hold.

Related reading: The Fundraising Regulator Explained: What It Does and What It Expects From You, Trustee Induction For Digital Risk And Data Protection and GDPR for Charities: A Practical Guide to Handling Donor and Beneficiary Data.

Frequently asked questions

What is the Code of Fundraising Practice?

The Code of Fundraising Practice is the set of standards, maintained by the Fundraising Regulator, that all charitable fundraising in England, Wales and Northern Ireland is expected to meet. It covers honesty, consent, protecting vulnerable people, working with third parties and handling complaints. It was substantially rewritten and the current version took effect in late 2024, so older internal guidance should be checked against it.

What are the legal requirements for a charity fundraising event?

It depends on the event. Raffles and lotteries may need a licence or registration depending on their scale, alcohol and entertainment can require licensing, food safety rules apply if you serve food, and public collections need permissions. On top of that, the Code of Fundraising Practice and data protection law always apply. The safest approach is to list the elements of the event and check the rules for each.

Do small charities have to follow fundraising regulation?

Yes. The Code of Fundraising Practice applies to all fundraising regardless of charity size, and data protection and licensing law apply to everyone. Small charities are not exempt; they simply have fewer resources to keep on top of it, which makes a simple, repeatable compliance routine even more valuable for them than for large charities.

Sources

External references used in this article. Links open on the original publisher’s site.

  1. Fundraising Regulator: Code of Fundraising Practice
    Fundraising Regulator · Accessed 30 Jun 2026
  2. ICO: Direct marketing and PECR
    Information Commissioner’s Office · Accessed 30 Jun 2026
  3. Gambling Commission: Fundraising and promotional lotteries
    Gambling Commission · Accessed 30 Jun 2026

You might also like:

TikTok for Charities: When and When Not - abstract artwork
guide
Leadership,  Operations,  Governance

A practical strategy method for small charity teams: set focus, choose trade-offs, and keep execution moving without long workshops or heavyweight frameworks.

TikTok for Charities: When and When Not - abstract artwork
guide
Fundraising,  Operations

Guide for UK charities comparing will-writing campaign providers by supporter journey quality, legal compliance, cost model transparency, and operational fit.