GDPR Art. 4(11) defines consent as a 'freely given, specific, informed and unambiguous indication' — pre-ticked boxes satisfy none of those criteria. The CJEU's Planet49 ruling (C-673/17, 2019) settled this definitively: checkboxes ticked by default do not constitute valid consent under either GDPR Art. 7(2) or ePrivacy Art. 5(3). Any analytics or marketing data collected under a pre-ticked opt-out model is collected without lawful basis, making every downstream use — ad targeting, conversion tracking, behavioral profiling — equally unlawful.
Critical because pre-ticked non-essential categories constitute invalid consent under GDPR Art. 7(2) and the Planet49 CJEU ruling, rendering all data collected under them without lawful basis.
Set every non-essential category to false in the initial state. The necessary flag is the only one that may be true and non-interactive — it is exempt under ePrivacy Art. 5(3)'s 'strictly necessary' carve-out.
// WRONG — opt-out model, GDPR violation
const [consent, setConsent] = useState({
  necessary: true,
  analytics: true, // pre-ticked: invalid consent
  marketing: true, // pre-ticked: invalid consent
})
// CORRECT — opt-in model
const [consent, setConsent] = useState({
  necessary: true, // exempt; no toggle needed
  analytics: false, // user must actively choose
  marketing: false, // user must actively choose
})
For managed platforms like Cookiebot, verify that no defaultAccept or impliedConsent flag is set in the initialization config. For OneTrust, impliedConsent must be false.
ID: cookie-consent-compliance.banner-ux.non-essential-defaults-off
Severity: critical
What to look for: Read the consent banner component. Find the initial state of each non-essential category toggle (analytics, marketing, preferences, personalization). In React/Vue/Svelte, this means the useState / ref / writable initial value. For checkboxes, look for defaultChecked, checked={true}, or value: true in the initial state object. Also check HTML: <input type="checkbox" checked> or <input type="checkbox" defaultChecked> on non-essential category inputs are GDPR violations. The only category that may default to true or be non-interactive is "Strictly Necessary" or "Essential" — all others must default to false. Also check for consent platforms — some managed platforms have configuration options that can pre-tick categories. If Cookiebot, OneTrust, or similar is in use, check their configuration for defaultAccept, impliedConsent, or similar flags.
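As an added example (not part of this rule's text), a small static check that applies the look-for list above to React/HTML source: it flags `category: true` entries in an initial-state object and checkbox inputs with a literal `checked`, `checked={true}`, `checked="checked"` or `defaultChecked`, while leaving the essential category and state-bound attributes alone. The essential-name set and the sample snippets are constructed; the regexes are a heuristic, not a full JSX parser.

```javascript
// Category names treated as the "Strictly Necessary" exemption (assumed list).
const ESSENTIAL = new Set(['necessary', 'essential', 'strictlynecessary', 'required']);
const norm = (s) => s.toLowerCase().replace(/[^a-z0-9]/g, '');

// Returns one finding per pre-ticked non-essential category found in `source`.
// A bound attribute such as `checked={consent.analytics}` is not flagged: it
// reflects state rather than pre-selecting the category.
function findPreTickedCategories(source) {
  const findings = [];
  // (a) `key: true` inside an initial-state object literal
  const stateEntry = /\b([A-Za-z_]\w*)\s*:\s*(true|false)\b/g;
  for (let m; (m = stateEntry.exec(source)) !== null; ) {
    if (m[2] === 'true' && !ESSENTIAL.has(norm(m[1]))) {
      findings.push({ category: m[1], reason: `initial state sets ${m[1]}: true` });
    }
  }
  // (b) checkbox inputs carrying a literal checked attribute or defaultChecked
  const inputTag = /<input\b[^>]*\btype\s*=\s*["']checkbox["'][^>]*>/gi;
  const literalChecked =
    /\bchecked(?:\s*=\s*(?:\{\s*true\s*\}|["'](?:true|checked)?["']))?(?=[\s\/>])/;
  for (let m; (m = inputTag.exec(source)) !== null; ) {
    const tag = m[0];
    const nameMatch = /\b(?:name|id)\s*=\s*["']([^"']+)["']/.exec(tag);
    const name = nameMatch ? nameMatch[1] : '(unnamed)';
    if (ESSENTIAL.has(norm(name))) continue; // exempt under the carve-out
    if (/\bdefaultChecked\b/.test(tag)) {
      findings.push({ category: name, reason: 'checkbox has defaultChecked' });
    } else if (literalChecked.test(tag)) {
      findings.push({ category: name, reason: 'checkbox has literal checked attribute' });
    }
  }
  return findings;
}

// Constructed samples: the opt-out state from the rule plus a pre-ticked JSX input,
// and a compliant opt-in variant.
const OPT_OUT_SAMPLE = `
const [consent, setConsent] = useState({ necessary: true, analytics: true, marketing: true })
<input type="checkbox" name="strictly-necessary" checked disabled />
<input type="checkbox" name="personalization" defaultChecked />
<input type="checkbox" name="preferences" checked={consent.preferences} />
`;
const OPT_IN_SAMPLE = `
const [consent, setConsent] = useState({ necessary: true, analytics: false, marketing: false })
<input type="checkbox" name="analytics" checked={consent.analytics} onChange={toggle} />
`;

// Pass criterion of the rule: zero findings means every non-essential category is off.
const passes = (source) => findPreTickedCategories(source).length === 0;
```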
Pass criteria: Enumerate all cookie consent toggle states on initial load. All non-essential cookie categories (analytics, marketing, personalization, etc.) default to false / unchecked in the consent banner. The "Strictly Necessary" or "Essential" category may be checked and non-interactive (it is required for the site to function). Users must actively opt-in to each non-essential category — no pre-selection. 100% of non-essential cookie categories must default to off/disabled.
Fail criteria: Do not pass when any non-essential cookie toggle is pre-checked or enabled by default. Any non-essential category is pre-checked (checked={true} or defaultChecked in the component initial state). The consent banner uses an opt-out model (showing pre-ticked boxes that users must uncheck to decline). Consent state defaults to "all accepted" before the user interacts with the banner.
Skip (N/A) when: No consent banner exists (in which case banner-first-visit already fails). No non-essential cookies or tracking — only essential first-party cookies.
Detail on fail: Specify which categories are pre-ticked. Example: "Analytics category initialized with checked: true in ConsentBanner.tsx initial state. Users must actively uncheck to decline." or "All categories pre-ticked. Consent banner presents as opt-out rather than opt-in."
Remediation: Set all non-essential category initial values to false:
// WRONG — pre-ticked non-essential categories (opt-out model)
const [consent, setConsent] = useState({
  necessary: true, // OK — this one is fine
  analytics: true, // VIOLATION: must default to false
  marketing: true, // VIOLATION: must default to false
})
// CORRECT — opt-in model as required by GDPR
const [consent, setConsent] = useState({
  necessary: true, // always on; not a user choice
  analytics: false, // user must actively opt in
  marketing: false, // user must actively opt in
})
For Cookiebot: ensure data-culture and related flags do not include "acceptAll" as a default. For OneTrust: check the OneTrust.js initialization — impliedConsent must be false.