Pre-checked Signup Boxes Are Illegal: Here's Why
5 April 2026
That checkbox on your checkout page that says "Yes, send me marketing emails" and comes already ticked? It's not valid consent. It hasn't been since October 2019, when the EU's highest court ruled on the matter. And regulators are still finding pre-checked boxes on websites across Europe.
If you're collecting newsletter signups, marketing opt-ins or any kind of communication consent through pre-checked boxes, you're collecting consent that doesn't count. That means every email you send based on that "consent" is potentially a GDPR violation.
Here's what happened, why it matters and what you need to change.
The Planet49 ruling explained
In October 2019, the Court of Justice of the European Union (CJEU) decided Case C-673/17, known as the Planet49 case. A German online lottery company called Planet49 ran a promotional game where users had to enter their details to participate. On the entry form, there was a pre-checked checkbox that consented to receiving advertising from partners via email and SMS.
The German courts referred the case to the CJEU, asking whether pre-checked boxes constitute valid consent under EU law.
The court's answer was unambiguous: no.
The CJEU ruled that consent requires an active indication of the user's wishes. A pre-checked box that the user must uncheck to refuse is not an active indication. It's the opposite. It assumes consent unless the person takes action to withdraw it, and that's not how consent works under GDPR.
This ruling didn't create new law. It confirmed what GDPR Article 4(11) already said. Consent must be a "freely given, specific, informed and unambiguous indication of the data subject's wishes." A pre-ticked box fails the "unambiguous" test because silence or inaction is not consent.
What counts as active consent
After Planet49, the line is clear. The user must take a deliberate action to opt in. That means:
- An unchecked checkbox that the user ticks themselves
- A clear "subscribe" button where someone types their email and clicks to confirm
- Double opt-in with a confirmation email (the gold standard)
What doesn't count: pre-ticked boxes, bundled consent hidden in terms and conditions, "by using this site you agree to..." statements, or any setup where the user has to take action to refuse rather than to accept.
Where pre-checked boxes still appear
You'd think this would be fixed everywhere by now. It's been over six years since the Planet49 ruling. But pre-checked boxes are still surprisingly common. Here's where they hide:
Checkout pages. The most frequent offender. A checkbox like "Send me offers and updates" comes pre-ticked during checkout. The customer is focused on their purchase and doesn't notice.
Account creation forms. A pre-checked box opts users into marketing while they're focused on setting up their account.
Contact forms. A "Send me your newsletter" checkbox pre-ticked on a contact form. The person wanted to ask a question, not sign up for emails.
Booking and reservation forms. Restaurant booking systems, appointment schedulers and hotel reservation pages often include pre-checked marketing consent.
Cookie consent tied to marketing. Some cookie banners bundle marketing email consent with cookie preferences. If the marketing checkbox is pre-ticked inside the banner, that consent is invalid.
Pre-checked vs. opt-in by default in settings
There's a related problem that catches businesses off guard: account settings pages where marketing preferences are turned on by default.
Say a customer creates an account. Their account settings page shows email notification preferences with toggles for "Promotional emails," "Partner offers" and "Product updates" all switched on. The customer never visited this settings page. They never chose to receive any of these.
This is functionally the same as a pre-checked box. The default is set to "on" and the user has to take action to turn it off. The same consent principles apply. The user didn't actively choose to receive marketing, so you don't have valid consent.
The fix: set all marketing-related preferences to "off" by default. Let users opt in when they're ready.
Real enforcement examples
Data protection authorities across Europe have acted on pre-checked consent violations.
The French CNIL fined several companies for collecting email marketing consent through pre-ticked checkboxes. In some cases, the fine was combined with orders to delete all contacts acquired through invalid consent. That means losing your entire mailing list if it was built on pre-checked boxes.
The Italian Garante has repeatedly fined businesses for sending marketing emails based on consent that wasn't freely and actively given. Fines for small and medium businesses ranged from 10,000 to 40,000 euros.
The Spanish AEPD issued fines for companies that added people to marketing lists based on pre-checked consent during account registration. The amounts varied, but the corrective orders always required the same thing: stop using the list and rebuild it with proper consent.
The Dutch AP warned companies that pre-ticked boxes in checkout processes don't meet consent requirements. Businesses that didn't fix the issue after the warning faced follow-up enforcement.
The pattern is consistent. Regulators don't treat pre-checked boxes as a grey area. The Planet49 ruling settled this. If your boxes are pre-checked, you're in violation.
How to audit your forms
Go through every form on your website that collects any kind of marketing consent. Here's what to check:
- Open each form in a fresh browser session. Don't log in first. See the form the way a new visitor would see it.
- Look at every checkbox. Is any checkbox pre-ticked? If yes, fix it. Every marketing consent checkbox must start unchecked.
- Check your checkout flow. Add something to the cart and go through the entire checkout process. Look for newsletter or marketing opt-ins that are pre-selected.
- Check account registration. Create a new test account. Are any communication preferences selected by default?
- Check your booking or contact forms. Fill them out as a customer would. Look for hidden consent checkboxes.
- Check account settings defaults. Create an account and immediately go to notification settings. Are marketing preferences set to "on" before the user touches them?
- Check your email service provider. Some ESPs have settings that automatically add contacts from your website forms. Make sure contacts are only added when they've actively opted in.
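The checkbox checks in the audit steps above can be partly automated. This added example (not part of the original article) parses a form's served HTML and lists every input that arrives pre-selected; the keyword list, function names and sample form are assumptions constructed for illustration.

```python
from html.parser import HTMLParser

# Assumed keyword list for spotting marketing opt-ins; adjust to your own wording.
MARKETING_HINTS = ("newsletter", "marketing", "offers", "promo", "updates", "partner")

class PrecheckedAudit(HTMLParser):
    """Record every checkbox or radio input that is selected in the served HTML."""
    def __init__(self):
        super().__init__()
        self.checked = []       # (name, id, enclosing-label key) per pre-selected input
        self.labels = {}        # label key -> visible label text
        self._label_key = None  # key of the <label> currently open, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "label":
            # A label either points at an input via for= or wraps the input directly.
            self._label_key = a.get("for") or f"_wrap{len(self.labels)}"
            self.labels.setdefault(self._label_key, "")
        elif tag == "input" and (a.get("type") or "").lower() in ("checkbox", "radio"):
            if "checked" in a:  # boolean attribute: its presence alone ticks the box
                self.checked.append((a.get("name") or "", a.get("id"), self._label_key))

    def handle_endtag(self, tag):
        if tag == "label":
            self._label_key = None

    def handle_data(self, data):
        if self._label_key is not None:
            self.labels[self._label_key] += data

def audit_form(html):
    """Return each pre-selected input and whether it looks like marketing consent."""
    parser = PrecheckedAudit()
    parser.feed(html)
    findings = []
    for name, input_id, enclosing in parser.checked:
        raw = " ".join(parser.labels.get(k, "") for k in {input_id, enclosing})
        label = " ".join(raw.split())
        text = f"{name} {label}".lower()
        findings.append({"name": name, "label": label,
                         "marketing": any(h in text for h in MARKETING_HINTS)})
    return findings

# Constructed sample: a checkout form with two pre-ticked marketing boxes.
SAMPLE_CHECKOUT = """<form action="/checkout">
<input type="checkbox" id="nl" name="optin_news" checked>
<label for="nl">Send me offers and updates</label>
<label><input type="checkbox" name="terms"> I accept the terms</label>
<label><input type="checkbox" name="c2" checked="checked"> Partner offers by SMS</label>
<input type="checkbox" id="gift" name="gift_wrap" checked><label for="gift">Gift wrap my order</label>
</form>"""
```

It inspects static HTML only, so boxes ticked by script after the page loads and account-settings toggles still need the manual checks in the list.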
You can also run a free scan to catch common consent issues on your website, including form analysis and cookie consent checks.
Why businesses still do it
Some businesses know pre-checked boxes are problematic but keep using them anyway. The reasoning usually goes like this: "Our conversion rate for newsletter signups drops 80% when we uncheck the box."
That's probably true. Pre-checked boxes generate more signups because most people don't bother to uncheck them. That's exactly the problem, and exactly why they don't count as consent.
Here's why it's not worth the risk:
Those subscribers don't want your emails. They didn't choose to sign up. Open rates will be low, unsubscribe rates will be high and spam complaint rates will hurt your email deliverability. You'll spend money sending emails to people who ignore them.
Your entire list could be invalidated. If a data protection authority investigates and finds your consent mechanism is invalid, they can order you to stop using the list entirely. Years of collected contacts, gone.
Fines are real. They're not just for big companies. Small businesses across Europe have been fined for exactly this issue. A 10,000 euro fine hurts a lot more than a lower newsletter conversion rate.
Proper opt-in builds a better list. People who actively choose to subscribe are the ones who actually read your emails, click your links and buy your products. A list of 500 engaged subscribers beats a list of 5,000 people who didn't know they signed up.
The same consent principles that apply to cookie banners apply here. Active, informed, freely given consent. No shortcuts. If you run a webshop, pre-checked boxes during checkout are just one of many requirements. See our Dutch webshop compliance checklist for the full picture.
What to do right now
Uncheck your boxes. All of them. Every marketing consent checkbox on your website should start in the unchecked state. This isn't optional.
If you've been collecting consent through pre-checked boxes, consider running a re-consent campaign. Send your existing list an email asking them to actively confirm they want to keep receiving your emails. You'll lose subscribers, but you'll keep the ones who matter and you'll be on solid legal ground.
For a deeper look at how to handle newsletter consent properly, read our guide on newsletter signup and GDPR compliance. If you're also wondering whether your cookie banner follows the same consent rules, it should. The Planet49 case applies to cookies and marketing consent alike.
FAQ
Are pre-checked checkboxes illegal under GDPR?
Yes. The CJEU ruled in the Planet49 case (C-673/17, October 2019) that pre-checked boxes do not constitute valid consent under EU law. Consent must be an active, affirmative action by the user. A box that starts checked and requires the user to uncheck it to refuse is not valid consent. This applies to newsletter signups, marketing emails, cookies and any other processing that requires consent.
What happens if I've been using pre-checked boxes?
Any consent collected through pre-checked checkboxes is invalid. That means you don't have a legal basis for sending marketing emails to those contacts. You should fix your forms immediately so all consent checkboxes start unchecked. For your existing list, consider sending a re-consent email asking subscribers to actively confirm they want to keep hearing from you. Contacts who don't confirm should be removed.
Does this apply to B2B emails too?
The consent requirements apply to any personal data processing under GDPR. If you're collecting email addresses from individuals (even in a business context) through a form with a pre-checked marketing checkbox, that consent is invalid. B2B email has some different rules around legitimate interest in certain countries, but pre-checked boxes still don't count as valid consent anywhere in the EU.
Can I use a pre-checked box for transactional emails?
Transactional emails (order confirmations, shipping updates, password resets) don't require marketing consent because they're necessary to fulfill a contract. You don't need a checkbox at all for these. But you can't bundle marketing content into transactional emails and claim it's all transactional. If your order confirmation includes a promotional section at the bottom, that promotional part needs proper consent.
How is this different from soft opt-in?
Some countries (like the UK and Netherlands) allow a "soft opt-in" where you can email existing customers about similar products without explicit consent. But soft opt-in has strict requirements: the customer must have bought something from you, you can only email about similar products and you must offer an easy opt-out in every email. Pre-checked boxes are a separate issue entirely. They're about how you collect consent, not whether you need it. Even where soft opt-in applies, pre-checked boxes on your forms still don't generate valid consent.