Pre-checked Signup Boxes Are Illegal: Here's Why
Steven | TrustYourWebsite · 5 April 2026 · Last updated: May 2026
That checkbox on your checkout page that says "Yes, send me marketing emails" and comes already ticked? It is not valid consent. It has not been since October 2019, when the EU's highest court ruled on the matter. Regulators are still finding pre-checked boxes on websites across Europe. If you are wondering why a prechecked checkbox is illegal under GDPR, the short answer is the EU Court of Justice ruled it does not meet the legal definition of consent.
If you are collecting newsletter signups, marketing opt-ins or any kind of communication consent through pre-checked boxes, you are collecting consent that does not count. That means every email you send based on that "consent" is potentially a GDPR violation.
Here is what happened, why it matters and what you need to change.
The Planet49 ruling explained
In October 2019, the Court of Justice of the European Union (CJEU) decided Case C-673/17, known as the Planet49 case. A German online lottery company called Planet49 ran a promotional game where users had to enter their details to participate. On the entry form, there was a pre-checked checkbox that consented to receiving advertising from partners via email and SMS.
The German courts referred the case to the CJEU, asking whether pre-checked boxes constitute valid consent under EU law.
The court's answer was unambiguous: no.
The CJEU ruled that consent requires an active indication of the user's wishes. A pre-checked box that the user must uncheck to refuse is not an active indication. It is the opposite. It assumes consent unless the person takes action to withdraw it. That is not how consent works under GDPR.
This ruling did not create new law. It confirmed what GDPR Article 4(11) already said. Consent must be a "freely given, specific, informed and unambiguous indication of the data subject's wishes, by a statement or by a clear affirmative action". A pre-ticked box fails the "unambiguous" and "clear affirmative action" test because silence or inaction is not consent. The same standard runs through ePrivacy Directive Article 5(3) and is reaffirmed at EU level in EDPB Guidelines 05/2020 on consent.
Prechecked by default. The user took no action. Under Planet49 (C-673/17) and GDPR Art 4(11) this fails the unambiguous-consent test.
Empty by default. The user must tick the box themselves. This is a clear affirmative action under GDPR Art 4(11) and EDPB Guidelines 05/2020.
What counts as active consent
After Planet49, the line is clear. The user must take a deliberate action to opt in. That means:
- An unchecked checkbox that the user ticks themselves
- A clear "subscribe" button where someone types their email and clicks to confirm
- Double opt-in with a confirmation email (the gold standard)
What does not count: pre-ticked boxes, bundled consent hidden in terms and conditions, "by using this site you agree to..." statements. Any setup where the user has to take action to refuse rather than to accept also fails the test.
Where pre-checked boxes still appear
You would think this would be fixed everywhere by now. It has been over six years since the Planet49 ruling. Pre-checked boxes are still surprisingly common. Here is where they hide:
Checkout pages. The most frequent offender. A checkbox like "Send me offers and updates" comes pre-ticked during checkout. The customer is focused on their purchase and does not notice.
Account creation forms. A pre-checked box opts users into marketing while they are focused on setting up their account.
Contact forms. A "Send me your newsletter" checkbox pre-ticked on a contact form. The person wanted to ask a question rather than sign up for emails.
Booking and reservation forms. Restaurant booking systems, appointment schedulers and hotel reservation pages often include pre-checked marketing consent.
Cookie consent tied to marketing. Some cookie banners bundle marketing email consent with cookie preferences. If the marketing checkbox is pre-ticked inside the banner, that consent is invalid.
Pre-checked vs. opt-in by default in settings
There is a related problem that catches businesses off guard: account settings pages where marketing preferences are turned on by default.
Say a customer creates an account. Their account settings page shows email notification preferences with toggles for "Promotional emails", "Partner offers" and "Product updates" all switched on. The customer never visited this settings page. They never chose to receive any of these.
This is functionally the same as a pre-checked box. The default is set to "on" and the user has to take action to turn it off. The same consent principles apply. The user did not actively choose to receive marketing, so you do not have valid consent.
The fix: set all marketing-related preferences to "off" by default. Let users opt in when they are ready.
Real enforcement examples
Data protection authorities across Europe have acted on pre-checked consent violations.
| Regulator | Country | Stance on prechecked boxes | Recent enforcement reference | Link |
|---|---|---|---|---|
| CJEU | EU-wide | Pre-ticked boxes do not produce valid consent under Art 4(11) GDPR or Art 5(3) ePrivacy Directive | Planet49 Case C-673/17 (October 2019), binding on all member states | curia.europa.eu |
| EDPB | EU-wide | Pre-ticked boxes and default-on toggles do not meet the unambiguous-consent standard | Guidelines 05/2020 on consent under Regulation 2016/679 | edpb.europa.eu |
| CNIL | France | Pre-ticked checkboxes for marketing fail Art 4(11) GDPR and Art 82 Loi Informatique et Libertés | Sanctions for invalid marketing consent including orders to delete contacts | cnil.fr |
| Garante | Italy | Pre-ticked or bundled marketing consent does not satisfy Art 7 GDPR | Multiple decisions on direct marketing fines for SMBs | gpdp.it |
| AEPD | Spain | Pre-ticked boxes are not valid consent. Lists built that way must be rebuilt | Sanction archive ("resoluciones") published by the authority | aepd.es |
| AP | Netherlands | Default-on or pre-ticked consent does not meet GDPR | Normuitleg on consent and withdrawal applied to marketing forms | autoriteitpersoonsgegevens.nl |
The pattern is consistent. Regulators do not treat pre-checked boxes as a grey area. The Planet49 ruling settled this. If your boxes are pre-checked, you are in violation.
How to audit your forms
Go through every form on your website that collects any kind of marketing consent. Here is what to check:
- Open each form in a fresh browser session. Do not log in first. See the form the way a new visitor would see it.
- Look at every checkbox. Is any checkbox pre-ticked? If yes, fix it. Every marketing consent checkbox must start unchecked.
- Check your checkout flow. Add something to the cart and go through the entire checkout process. Look for newsletter or marketing opt-ins that are pre-selected.
- Check account registration. Create a new test account. Are any communication preferences selected by default?
- Check your booking or contact forms. Fill them out as a customer would. Look for hidden consent checkboxes.
- Check account settings defaults. Create an account and immediately go to notification settings. Are marketing preferences set to "on" before the user touches them?
- Check your email service provider. Some ESPs have settings that automatically add contacts from your website forms. Make sure contacts are only added when they have actively opted in.
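The checkbox steps of this audit can be partly automated over HTML saved from a logged-out session. The script below is an added example, not code from this article or from any scanner it mentions; the keyword hints and the sample form are constructed assumptions. It only sees the served markup, so boxes ticked by JavaScript after load and default-on settings toggles still need the manual check.

```python
from html.parser import HTMLParser
# Assumed keyword hints for marketing-related field names; adjust per site.
MARKETING_HINTS = ("newsletter", "marketing", "offers", "promo", "subscribe", "optin")

class ConsentDefaultsAudit(HTMLParser):
    """Collect form inputs that grant consent without any user action."""
    def __init__(self):
        super().__init__()
        self.form = None    # id or action of the form currently open
        self.findings = []  # (form, field name, reason)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.form = a.get("id") or a.get("action") or "(unnamed form)"
        elif tag == "input":
            self._check_input(a)

    def handle_endtag(self, tag):
        if tag == "form":
            self.form = None

    def _check_input(self, a):
        kind = (a.get("type") or "text").lower()
        name = a.get("name") or a.get("id") or "(unnamed)"
        value = (a.get("value") or "").lower()
        # A bare `checked` attribute parses as ("checked", None): test key presence.
        if kind == "checkbox" and "checked" in a:
            self.findings.append((self.form, name, "pre-ticked checkbox"))
        elif (kind == "hidden" and value in ("1", "true", "yes", "on")
              and any(h in name.lower() for h in MARKETING_HINTS)):
            self.findings.append((self.form, name, "hidden field pre-sets consent"))

def audit_html(html):
    parser = ConsentDefaultsAudit()
    parser.feed(html)
    return parser.findings

# Constructed sample: a checkout page as served to a logged-out visitor.
SAMPLE = """
<form id="checkout" action="/order">
  <input type="checkbox" name="newsletter_optin" checked> Send me offers and updates
  <input type="hidden" name="partner_marketing" value="1">
</form>
<form id="contact"><input type="checkbox" name="newsletter"> Send me your newsletter</form>
"""
if __name__ == "__main__":
    for form, field, reason in audit_html(SAMPLE):
        print(f"{form}: {field}: {reason}")
```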
You can also run a free scan to catch common consent issues on your website, including form analysis and cookie consent checks.
Why businesses still do it
Some businesses know pre-checked boxes are problematic but keep using them anyway. The reasoning usually goes like this: "Our conversion rate for newsletter signups drops 80% when we uncheck the box."
That is probably true. Pre-checked boxes generate more signups because most people do not bother to uncheck them. That is exactly the problem. It is exactly why they do not count as consent.
Here is why it is not worth the risk:
Those subscribers do not want your emails. They did not choose to sign up. Open rates will be low, unsubscribe rates will be high. Spam complaint rates will hurt your email deliverability. You will spend money sending emails to people who ignore them.
Your entire list could be invalidated. If a data protection authority investigates and finds your consent mechanism is invalid, they can order you to stop using the list entirely. Years of collected contacts, gone.
Fines are real. They are not just for big companies. Small businesses across Europe have been fined for exactly this issue. The fine plus the loss of the list hurts a lot more than a lower newsletter conversion rate.
Proper opt-in builds a better list. People who actively choose to subscribe are the ones who actually read your emails, click your links and buy your products. A list of 500 engaged subscribers beats a list of 5,000 people who did not know they signed up.
The same consent principles that apply to cookie banners apply here. Active, informed, freely given consent. No shortcuts. If you run a webshop, pre-checked boxes during checkout are just one of many requirements. See our Dutch webshop compliance checklist for the full picture.
What to do right now
Uncheck your boxes. All of them. Every marketing consent checkbox on your website should start in the unchecked state. This is not optional.
If you have been collecting consent through pre-checked boxes, consider running a re-consent campaign. Send your existing list an email asking them to actively confirm they want to keep receiving your emails. You will lose subscribers. You will keep the ones who matter and you will be on solid legal ground.
For a deeper look at how to handle newsletter consent properly, read our guide on newsletter signup and GDPR compliance. If you are also wondering whether your cookie banner follows the same consent rules, it should. The Planet49 case applies to cookies as much as to marketing consent.
FAQ
Are pre-checked checkboxes illegal under GDPR?
Yes. The CJEU ruled in the Planet49 case (C-673/17) that pre-checked boxes do not constitute valid consent under EU law. Consent must be an active, affirmative action by the user. A box that starts checked and requires the user to uncheck it to refuse is not valid consent. This applies to newsletter signups, marketing emails, cookies and any other processing that requires consent.
What happens if I have been using pre-checked boxes?
Any consent collected through pre-checked checkboxes is invalid. That means you do not have a legal basis for sending marketing emails to those contacts. You should fix your forms immediately so all consent checkboxes start unchecked. For your existing list, consider sending a re-consent email asking subscribers to actively confirm they want to keep hearing from you. Contacts who do not confirm should be removed.
Does this apply to B2B emails too?
The consent requirements apply to any personal data processing under GDPR. If you are collecting email addresses from individuals (even in a business context) through a form with a pre-checked marketing checkbox, that consent is invalid. B2B email has some different rules around legitimate interest in certain countries. Pre-checked boxes still do not count as valid consent anywhere in the EU.
Can I use a pre-checked box for transactional emails?
Transactional emails (order confirmations, shipping updates, password resets) do not require marketing consent because they are necessary to fulfill a contract. You do not need a checkbox at all for these. You cannot bundle marketing content into transactional emails and claim it is all transactional. If your order confirmation includes a promotional section at the bottom, that promotional part needs proper consent.
How is this different from soft opt-in?
Some countries (like the UK and Netherlands) allow a "soft opt-in" where you can email existing customers about similar products without explicit consent. Soft opt-in has strict requirements: the customer must have bought something from you, you can only email about similar products, and you must offer an opt-out in every email. Pre-checked boxes are a separate issue entirely. They are about how you collect consent rather than whether you need it. Even where soft opt-in applies, pre-checked boxes on your forms still do not generate valid consent.