What is pre-checked box compliance status under GDPR?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

Imagine you're building a signup form and you think: "I'll just pre-check the newsletter box. Anyone who doesn't want it can uncheck it." Under GDPR, that reasoning fails the legal test entirely.

GDPR Article 7 and Recital 32 require that consent be given through a "clear affirmative act." Silence, pre-ticked boxes, and inactivity don't count. The Court of Justice of the EU confirmed this in the Planet49 ruling (2019), making it clear that a pre-checked box can't establish valid consent for marketing communications.

The problem isn't just legal: pre-checked boxes make it impossible to know who actually wanted to subscribe vs. who simply missed the checkbox. GDPR's consent framework is built on deliberate choice. Pre-checked boxes flip that on its head by making opt-in the default rather than the decision.

If you've already collected subscribers through pre-checked boxes, that consent is almost certainly invalid under GDPR. You'd need to run a consent refresh campaign before continuing to email those contacts. Many ESPs now flag or block pre-checked mechanisms outright.

These aren't a gray area. They're a clear violation. If you're unsure whether your signup forms are compliant, we're happy to take a look at reviewmyemails.com/sos.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Check my signup form for GDPR compliance

I want to check if my signup forms are GDPR-compliant. My business is type of business, we collect emails from EU/UK/global audiences, and our current form uses describe your checkbox setup. Can you flag any compliance risks?

Edit the yellow boxes, then send to the AI of your choice.