Non-essential cookie categories default to unchecked/off; no pre-ticked boxes
Why it matters
GDPR Art. 4(11) defines consent as a 'freely given, specific, informed and unambiguous indication' — pre-ticked boxes satisfy none of those criteria. The CJEU's Planet49 ruling (C-673/17, 2019) settled this definitively: checkboxes ticked by default do not constitute valid consent under either GDPR Art. 7(2) or ePrivacy Art. 5(3). Any analytics or marketing data collected under a pre-ticked opt-out model is collected without lawful basis, making every downstream use — ad targeting, conversion tracking, behavioral profiling — equally unlawful.
Severity rationale
Critical because pre-ticked non-essential categories constitute invalid consent under GDPR Art. 7(2) and the Planet49 CJEU ruling, rendering all data collected under them without lawful basis.
Remediation
Set every non-essential category to false in the initial state. The necessary flag is the only one that may be true and non-interactive — it is exempt under ePrivacy Art. 5(3)'s 'strictly necessary' carve-out.
```javascript
// WRONG — opt-out model, GDPR violation
import { useState } from 'react'

const [consent, setConsent] = useState({
  necessary: true,
  analytics: true, // pre-ticked: invalid consent
  marketing: true, // pre-ticked: invalid consent
})
```

```javascript
// CORRECT — opt-in model
import { useState } from 'react'

const [consent, setConsent] = useState({
  necessary: true,  // exempt; no toggle needed
  analytics: false, // user must actively choose
  marketing: false, // user must actively choose
})
```
For managed platforms like Cookiebot, verify that no defaultAccept or impliedConsent flag is set in the initialization config. For OneTrust, impliedConsent must be false.
Detection
- ID: `non-essential-defaults-off`
- Severity: critical
- What to look for: Read the consent banner component. Find the initial state of each non-essential category toggle (analytics, marketing, preferences, personalization). In React/Vue/Svelte, this means the `useState`/`ref`/`writable` initial value. For checkboxes, look for `defaultChecked`, `checked={true}`, or `value: true` in the initial state object. Also check HTML: `<input type="checkbox" checked>` or `<input type="checkbox" defaultChecked>` on non-essential category inputs are GDPR violations. The only category that may default to `true` or be non-interactive is "Strictly Necessary" or "Essential" — all others must default to `false`. Also check for consent platforms — some managed platforms have configuration options that can pre-tick categories. If Cookiebot, OneTrust, or similar is in use, check their configuration for `defaultAccept`, `impliedConsent`, or similar flags.
- Pass criteria: Enumerate all cookie consent toggle states on initial load. All non-essential cookie categories (analytics, marketing, personalization, etc.) default to `false` / unchecked in the consent banner. The "Strictly Necessary" or "Essential" category may be checked and non-interactive (it is required for the site to function). Users must actively opt in to each non-essential category — no pre-selection. 100% of non-essential cookie categories must default to off/disabled.
- Fail criteria: Do not pass when any non-essential cookie toggle is pre-checked or enabled by default. Any non-essential category is pre-checked (`checked={true}` or `defaultChecked` in the component initial state). The consent banner uses an opt-out model (showing pre-ticked boxes that users must uncheck to decline). Consent state defaults to "all accepted" before the user interacts with the banner.
- Skip (N/A) when: No consent banner exists (in which case `banner-first-visit` already fails). No non-essential cookies or tracking — only essential first-party cookies.
- Detail on fail: Specify which categories are pre-ticked. Example: "Analytics category initialized with checked: true in ConsentBanner.tsx initial state. Users must actively uncheck to decline." or "All categories pre-ticked. Consent banner presents as opt-out rather than opt-in."
- Remediation: Set all non-essential category initial values to `false`:

```javascript
// WRONG — pre-ticked non-essential categories (opt-out model)
import { useState } from 'react'

const [consent, setConsent] = useState({
  necessary: true, // OK — this one is fine
  analytics: true, // VIOLATION: must default to false
  marketing: true, // VIOLATION: must default to false
})
```

```javascript
// CORRECT — opt-in model as required by GDPR
import { useState } from 'react'

const [consent, setConsent] = useState({
  necessary: true,  // always on; not a user choice
  analytics: false, // user must actively opt in
  marketing: false, // user must actively opt in
})
```

For Cookiebot: ensure `data-culture` and related flags do not include `"acceptAll"` as a default. For OneTrust: check the `OneTrust.js` initialization — `impliedConsent` must be `false`.
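The static check described under "What to look for" and the initial-state rule from Remediation, as an added JavaScript example that is not part of this rule's own code: it inspects an initial consent state object (the value handed to `useState`/`ref`/`writable`) and raw banner markup (HTML or JSX) for non-essential categories that start ticked, and reports the result in the rule's pass/fail form. The essential-category name list, the helper names and the sample inputs are constructed assumptions, not taken from any real banner.

```javascript
// Added example for the "non-essential-defaults-off" rule (not the project's own code).
// Category names, helper names and sample inputs below are constructed.

// Category names treated as "strictly necessary", the only ones allowed to default to
// true. Names are normalised to lowercase snake_case before lookup (assumed list).
const ESSENTIAL_CATEGORIES = new Set(['necessary', 'essential', 'strictly_necessary']);

function isEssential(name) {
  return ESSENTIAL_CATEGORIES.has(
    String(name).trim().toLowerCase().replace(/[\s-]+/g, '_')
  );
}

// Check 1: the initial consent state object. Returns the non-essential keys
// whose default is exactly `true`.
function findPreTickedState(initialState) {
  return Object.entries(initialState)
    .filter(([name, value]) => !isEssential(name) && value === true)
    .map(([name]) => name);
}

// Does one <input ...> tag carry a ticking attribute?
// Bare `checked`, `checked=""`, `checked="checked"` and `checked={true}` tick;
// the JSX form `checked={false}` does not. `aria-checked` is deliberately ignored
// (the lookbehind rejects a preceding `-`), since it describes, not sets, state.
function isTickedInput(tag) {
  const re = /(?<![\w-])(checked|defaultChecked)(?:\s*=\s*("[^"]*"|'[^']*'|\{[^}]*\}))?/gi;
  for (const m of tag.matchAll(re)) {
    const value = m[2];
    if (value === undefined) return true;           // bare attribute: ticked
    if (/^\{\s*false\s*\}$/.test(value)) continue;  // JSX {false}: not ticked
    return true;                                    // any other value: ticked
  }
  return false;
}

// Read a quoted attribute value from a single tag, or null if absent.
function attribute(tag, name) {
  const m = new RegExp(`(?<![\\w-])${name}\\s*=\\s*["']([^"']*)["']`, 'i').exec(tag);
  return m ? m[1] : null;
}

// Check 2: raw banner markup. Returns the category of every non-essential
// checkbox that is pre-ticked; the category is taken from data-category, name
// or id, in that order (an assumed convention).
function findPreTickedInputs(markup) {
  const violations = [];
  for (const m of markup.matchAll(/<input\b[^>]*>/gi)) {
    const tag = m[0];
    if (!/type\s*=\s*["']?checkbox["']?/i.test(tag)) continue;
    const category = attribute(tag, 'data-category') || attribute(tag, 'name')
      || attribute(tag, 'id') || '(unnamed)';
    if (!isEssential(category) && isTickedInput(tag)) violations.push(category);
  }
  return violations;
}

// Combine both checks into the rule's pass/fail form with a "detail on fail" string.
function evaluateRule({ initialState = {}, markup = '' }) {
  const preTicked = [...new Set([
    ...findPreTickedState(initialState),
    ...findPreTickedInputs(markup),
  ])];
  return {
    id: 'non-essential-defaults-off',
    result: preTicked.length === 0 ? 'pass' : 'fail',
    detail: preTicked.length === 0
      ? 'All non-essential categories default to off.'
      : `Pre-ticked non-essential categories: ${preTicked.join(', ')}.`,
  };
}

// Constructed sample inputs: one pre-ticked analytics toggle in state and in markup.
const SAMPLE_STATE = { necessary: true, analytics: true, marketing: false };
const SAMPLE_MARKUP = `
  <input type="checkbox" name="necessary" checked disabled>
  <input type="checkbox" name="analytics" checked>
  <input type="checkbox" name="marketing">
  <input type="checkbox" name="preferences" defaultChecked={false} />
`;

console.log(evaluateRule({ initialState: SAMPLE_STATE, markup: SAMPLE_MARKUP }));
```

The markup check is a regex pass over tags, which is enough for a banner component's own markup but not a substitute for rendering: a toggle whose default is computed at runtime (for example from a stored consent cookie) only shows up in the rendered DOM, so the rendered-state enumeration from the pass criteria is still needed alongside this source-level check.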
External references
- gdpr · Art. 7(2) — GDPR — consent must be freely given; pre-ticked boxes are not valid
- eprivacy · Art. 5(3) — ePrivacy Directive — explicit consent before setting non-essential cookies
- gdpr · Art. 4(11) — GDPR — definition of consent (freely given, specific, informed, unambiguous)
Taxons
History
- 2026-04-18·v1.0.0·Initial import from cookie-consent-compliance·automated