GDPR Art. 7 requires that consent be freely given, specific, and unambiguous. A pre-checked analytics box or a default-on email marketing enrollment fails all three tests, because the user has taken no affirmative action. Under CCPA §1798.120, users must be able to opt out of the sale of their personal information at any time. Enabling non-essential processing before consent is collected exposes the platform to enforcement under GDPR Art. 83 (administrative fines of up to 4% of global annual turnover) and to civil penalties under the CCPA. The ePrivacy Directive Art. 5(3) independently requires opt-in for tracking cookies and similar storage or access on the user's device, so the same default-on setting is a violation in several jurisdictions at once.
Critical because default-enabled non-essential processing violates GDPR Art. 7 and ePrivacy Art. 5(3) simultaneously, with enforcement exposure in every EU member state.
Gate every non-essential processing type behind an unchecked checkbox at signup and expose the same toggles in account settings. Persist consent decisions with timestamp and policy version — see ab-000724 for the audit log schema. Signup form example:
<label>
<input type="checkbox" name="analyticsOptIn" />
Help us improve by sending anonymous usage analytics
</label>
<label>
<input type="checkbox" name="recommendationsOptIn" />
Personalized content recommendations
</label>
Reject server-side processing for any type the user has not consented to before the request reaches business logic. Enforce the check in middleware that wraps every route handling a non-essential processing type, rather than inside each handler: a single enforcement point cannot be bypassed by a handler that forgets its own check, and a missing consent record must be treated as no consent.
ID: community-privacy-controls.visibility.consent-explicit
Severity: critical
What to look for: Enumerate every relevant item. Examine the user signup flow and settings UI for consent mechanisms. Check whether each non-essential processing type (analytics, ad targeting, recommendation algorithms, email marketing) requires explicit opt-in before any data is collected. Look for unchecked checkboxes, consent records in the database, and whether the defaults are on (the user must opt out: fail) or off (the user must opt in: pass).
Pass criteria: All of the following conditions are met. All non-essential processing requires an affirmative opt-in action by the user before any data collection. Defaults are off (unchecked), so the user must opt in. Consent choices are persisted in the database with a timestamp and can be changed in settings. Before evaluating, extract and quote the relevant configuration or code patterns found. Report the count of items checked even on pass.
Fail criteria: Non-essential processing enabled by default without explicit user consent. Consent is pre-checked or implied. No mechanism to change consent preferences in settings.
Do NOT pass when: The item exists only as a placeholder, stub, or TODO comment — partial implementation does not count as passing.
Skip (N/A) when: Never — explicit consent is a baseline privacy requirement.
Cross-reference: For deployment and infrastructure concerns, the Deployment Readiness audit covers production configuration.
Detail on fail: Name the processing types without explicit consent. Example: "Analytics tracking enabled by default with no opt-in checkbox. Users never see consent request unless they visit settings." or "Email marketing enrollment pre-checked during signup."
Remediation: Add explicit opt-in for each non-essential processing type in signup and settings:
<!-- Signup form -->
<label>
<input type="checkbox" name="analyticsOptIn" />
Help us improve by sending anonymous usage analytics
</label>
<label>
<input type="checkbox" name="recommendationsOptIn" />
Personalized content recommendations
</label>
Store one row per processing type, each with the decision, a timestamp, and the policy version the user was shown (a refusal is recorded too, not only a grant):
type ConsentPreferences = {
  analyticsOptIn: boolean;
  recommendationsOptIn: boolean;
};

async function saveConsentPreferences(
  userId: string,
  preferences: ConsentPreferences,
  policyVersion: string, // version of the privacy policy shown when the decision was made
) {
  const consentedAt = new Date();
  // One row per processing type; a false value records an explicit refusal,
  // which must be retained just like a grant.
  const decisions = [
    { processingType: 'analytics', consentGiven: preferences.analyticsOptIn },
    { processingType: 'recommendations', consentGiven: preferences.recommendationsOptIn },
  ];
  await db.userConsent.createMany({
    data: decisions.map((d) => ({ userId, ...d, consentedAt, policyVersion })),
  });
}
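The following is an added example, not code from the original page or from the project being audited. It ties together the two pieces above: the persistence of consent decisions with a timestamp and policy version (an in-memory Map stands in for the userConsent table), and the middleware-style gate recommended earlier, which refuses a request before the handler runs. A missing record, a withdrawn consent, and consent given under an older policy version all fail closed. The rule that a policy version change requires re-consent is a design choice assumed here, not something the page states; the names requireConsent, recordConsent, hasConsent and the processing types 'analytics', 'recommendations' and 'email_marketing' are illustrative.

```typescript
// Added example (not the page's own code): a consent store plus a middleware-style
// gate that runs before business logic. An in-memory Map stands in for the
// userConsent table; function names and processing types are illustrative.

type ProcessingType = 'analytics' | 'recommendations' | 'email_marketing';

interface ConsentRecord {
  processingType: ProcessingType;
  consentGiven: boolean;   // false records an explicit refusal or a withdrawal
  consentedAt: Date;
  policyVersion: string;   // version of the policy text the user was shown
}

// Constructed stand-in for the database table, keyed by user id.
const consentStore = new Map<string, ConsentRecord[]>();

// Append-only: every decision is kept so the history can be audited.
function recordConsent(
  userId: string,
  processingType: ProcessingType,
  consentGiven: boolean,
  policyVersion: string,
): void {
  const rows = consentStore.get(userId) ?? [];
  rows.push({ processingType, consentGiven, consentedAt: new Date(), policyVersion });
  consentStore.set(userId, rows);
}

// The most recent decision for the type wins. No record at all means no consent
// (the default is off). Assumed design choice: consent given under an older
// policy version does not carry over, so the user must opt in again.
function hasConsent(userId: string, processingType: ProcessingType, currentPolicyVersion: string): boolean {
  const rows = (consentStore.get(userId) ?? []).filter((r) => r.processingType === processingType);
  if (rows.length === 0) return false;
  const latest = rows.reduce((a, b) => (b.consentedAt.getTime() >= a.consentedAt.getTime() ? b : a));
  return latest.consentGiven && latest.policyVersion === currentPolicyVersion;
}

// Minimal framework-agnostic request/response shapes so the example runs offline.
interface ApiRequest { userId: string; body: Record<string, unknown>; }
interface ApiResponse { status: number; body: unknown; }
type Handler = (req: ApiRequest) => ApiResponse;

// Middleware factory: the wrapped handler is never invoked without consent, so a
// route that forgets its own check cannot process data for an unconsented user.
function requireConsent(processingType: ProcessingType, policyVersion: string, handler: Handler): Handler {
  return (req) => {
    if (!hasConsent(req.userId, processingType, policyVersion)) {
      return { status: 403, body: { error: `no consent recorded for ${processingType}` } };
    }
    return handler(req);
  };
}

// Business logic for one non-essential processing type: analytics event capture.
const analyticsEvents: Array<{ userId: string; event: unknown }> = [];
const trackEvent: Handler = (req) => {
  analyticsEvents.push({ userId: req.userId, event: req.body.event });
  return { status: 202, body: { recorded: true } };
};

const CURRENT_POLICY_VERSION = '2.0'; // illustrative
const trackEventRoute = requireConsent('analytics', CURRENT_POLICY_VERSION, trackEvent);
```

With this wiring, a user who opted in under the current policy version gets a 202 and the event is stored; a user with no record at all, a user whose only consent was given under an older policy version, and a user who later recorded a withdrawal all get a 403 from the gate and nothing reaches trackEvent. The store is append-only on purpose: the audit trail of grants and withdrawals is what lets you show when consent existed and under which policy text.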