No pre-checked checkboxes or default opt-in for marketing
Why it matters
GDPR Art. 7(2) is explicit: 'the request for consent shall be presented in a manner which is clearly distinguishable from the other matters' and pre-ticked boxes do not constitute valid consent. The CJEU (Planet49 case, 2019) confirmed that pre-checked boxes are unlawful under ePrivacy Art. 13(2) for EU residents. Beyond EU law, a server-side handler that defaults marketingOptIn to true when the checkbox isn't submitted silently opts in users who never saw the checkbox — this is a dark pattern that generates high spam complaint rates and undermines any claimed consent basis under CAN-SPAM.
Severity rationale
Low because the violation requires EU users to be on the receiving list and a regulator to investigate, but it invalidates all consent claimed for those subscribers if challenged, requiring re-permission campaigns.
Remediation
Default all marketing checkboxes to unchecked, both in the frontend component and in the server-side handler that receives the form submission.
// CORRECT — explicit unchecked default
<label>
  <input
    type="checkbox"
    name="marketing"
    defaultChecked={false} /* always explicit — never omit (a JSX comment between attributes uses plain /* */, not {/* */}) */
  />
  Send me product updates and offers (optional)
</label>
// Server-side — never default to true
const marketingOptIn = formData.get('marketing') === 'on' // false if unchecked
// WRONG: formData.get('marketing') ?? true — defaults opted-in when field absent
Audit form state initialization in React Hook Form, Formik, or Zod parsers — any default: true on a marketing consent field is the same violation expressed differently.
Detection
- ID: no-pre-checked-boxes
- Severity: low
- What to look for: Enumerate every relevant item. GDPR Article 7(2) requires that consent be "as easy to withdraw as to give" and explicitly states that pre-ticked boxes do not constitute valid consent. Even under CAN-SPAM (which has no pre-checked-box prohibition), pre-checking is a dark pattern that leads to high spam complaints. Search the codebase for marketing consent checkboxes. Look for input type="checkbox" elements near text mentioning "newsletter," "marketing," "updates," "offers," or "promotions." Check whether defaultChecked, checked (in uncontrolled components), or value="true" is set by default. Check form state initialization — does the React state or form library default the marketing consent field to true?
- Pass criteria: At least 1 of the following conditions is met. All marketing opt-in checkboxes default to unchecked. No form state initializes a marketing consent field to true. Users must take a positive action (checking a box) to opt into marketing.
- Fail criteria: Marketing consent checkbox is pre-checked by default. Form state initializes marketing opt-in to true. Server-side signup handler defaults marketing consent to true when no explicit value is sent.
- Skip (N/A) when: Application collects no email or phone number for marketing purposes.
- Detail on fail: Example: "Newsletter opt-in checkbox at signup has defaultChecked={true} in src/components/SignupForm.tsx. GDPR prohibits pre-ticked boxes for marketing consent." or "Server-side signup handler: marketingOptIn: data.marketingOptIn ?? true — defaults to opted-in when checkbox not submitted."
- Remediation: Default all marketing checkboxes to unchecked:
  // WRONG — pre-checked (GDPR violation)
  // <input type="checkbox" name="marketing" defaultChecked={true} />
  // CORRECT — unchecked by default, user must opt in
  <label>
    <input
      type="checkbox"
      name="marketing"
      defaultChecked={false} // explicit — never omit this
    />
    Send me product updates and offers (optional)
  </label>
  // Server-side: default to false, not true
  const marketingOptIn = formData.get('marketing') === 'on' // false if unchecked
  // NOT: formData.get('marketing') ?? true // this defaults to opted-in
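A heuristic scanner for the three fail conditions above (pre-checked input, form state initialized to true, server-side nullish default), added here as an example and not part of this rule card or its tooling; the sample source is constructed, and the regexes and the two-line context window are assumptions that a real audit would replace with a TSX parser.

```javascript
// Added example (not from the original rule card): a heuristic scanner for the
// three fail conditions of no-pre-checked-boxes. The regexes are assumptions; a real
// audit should use a TSX parser, but this is enough to triage a codebase.
const MARKETING_WORDS = /newsletter|marketing|updates|offers|promotions/i;
const CHECKBOX_TAG = /<input[^>]*type=["']checkbox["']/i;
// defaultChecked={true}, a bare `checked` attribute, or value="true" on the input
const PRE_CHECKED = /\b(defaultChecked|checked)(=\{\s*true\s*\}|(?=[\s/>]))|value=["']true["']/;
// React state / form-library defaults such as defaultValues: { marketingOptIn: true }
const STATE_TRUE = /marketing\w*\s*:\s*true\b/i;
// Server-side nullish default such as data.marketingOptIn ?? true
const NULLISH_TRUE = /marketing\w*['")\]]*\s*\?\?\s*true\b/i;

// Constructed sample; assume it is a fragment of a signup form plus its handler.
const SAMPLE_SOURCE = `
<label>
  <input type="checkbox" name="marketing" defaultChecked={true} />
  Send me product updates and offers
</label>
const form = useForm({ defaultValues: { marketingOptIn: true, terms: false } });
const marketingOptIn = data.marketingOptIn ?? true;
<input type="checkbox" name="terms" defaultChecked={true} />
`;

// Returns [{ line, kind }] for every source line that violates the rule.
function findPreCheckedMarketingConsent(source) {
  const lines = source.split('\n');
  const findings = [];
  lines.forEach((line, i) => {
    // Scope: the line itself plus the two that follow, since the label text
    // ("Send me product updates...") usually comes after the <input>.
    const context = lines.slice(i, i + 3).join('\n');
    if (!MARKETING_WORDS.test(context)) return; // e.g. a terms-of-service box is out of scope
    const push = (kind) => findings.push({ line: i + 1, kind });
    if (CHECKBOX_TAG.test(line) && PRE_CHECKED.test(line)) push('pre-checked-checkbox');
    if (STATE_TRUE.test(line)) push('state-default-true');
    if (NULLISH_TRUE.test(line)) push('server-default-true');
  });
  return findings;
}

console.log(findPreCheckedMarketingConsent(SAMPLE_SOURCE));
```

On the constructed sample this reports lines 3, 6 and 7 and leaves the pre-checked terms-of-service box alone, which is the distinction the rule makes: only marketing consent is in scope.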
External references
- gdpr · Art. 7(2) — GDPR Art. 7(2) — Pre-ticked boxes do not constitute valid consent
- gdpr · Art. 6(1)(a) — GDPR Art. 6(1)(a) — Freely given, specific, informed consent required
- eprivacy · Art. 13(2) — ePrivacy Directive Art. 13(2) — Prior consent required for electronic marketing
Taxons
History
- 2026-04-18·v1.0.0·Initial import from email-sms-compliance·automated