What is pre-checked box compliance status under GDPR?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
Imagine you're building a signup form and you think: "I'll just pre-check the newsletter box. Anyone who doesn't want it can uncheck it." Under GDPR, that reasoning fails the legal test entirely.
GDPR Article 7 and Recital 32 require that consent be given through a "clear affirmative act." Silence, pre-ticked boxes, and inactivity don't count. The Court of Justice of the EU confirmed this in the Planet49 ruling (2019), making it clear that a pre-checked box can't establish valid consent for marketing communications.
The problem isn't just legal: pre-checked boxes make it impossible to know who actually wanted to subscribe vs. who simply missed the checkbox. GDPR's consent framework is built on deliberate choice. Pre-checked boxes flip that on its head by making opt-in the default rather than the decision.
If you've already collected subscribers through pre-checked boxes, that consent is almost certainly invalid under GDPR. You'd need to run a consent refresh campaign before continuing to email those contacts. Many ESPs now flag or block pre-checked mechanisms outright.
These aren't a gray area. They're a clear violation. If you're unsure whether your signup forms are compliant, we're happy to take a look at reviewmyemails.com/sos.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.