GDPR Art. 7(2) requires that a request for consent be 'presented in a manner which is clearly distinguishable from the other matters', and Recital 32 states that 'silence, pre-ticked boxes or inactivity' do not constitute consent. The CJEU confirmed this in Planet49 (C-673/17, 1 October 2019): a pre-ticked checkbox that the user must untick to refuse is not valid consent under the ePrivacy Directive (Art. 5(3)) read together with the GDPR definition of consent, for any user in the EU. Beyond EU law, a server-side handler that defaults marketingOptIn to true when the checkbox is not submitted silently opts in users who never saw the checkbox at all (an older client, a mobile app, an API integration). That is a dark pattern that drives spam-complaint rates up and sender reputation down; CAN-SPAM does not prohibit pre-checked boxes, but the complaints and blocklisting they generate are the practical cost.
Severity is low because enforcement requires EU data subjects on the list and a complaint or regulator investigation. If challenged, however, every consent record collected through the pre-checked box is invalid, forcing a re-permission campaign and the loss of every subscriber who does not re-confirm.
Default all marketing checkboxes to unchecked, both in the frontend component and in the server-side handler that receives the form submission.
// CORRECT — explicit unchecked default
<label>
<input
type="checkbox"
name="marketing"
defaultChecked={false} /* always explicit, never omit */
/>
Send me product updates and offers (optional)
</label>
// Server-side — never default to true
const marketingOptIn = formData.get('marketing') === 'on' // false if unchecked
// WRONG: formData.get('marketing') ?? true — defaults opted-in when field absent
Audit form state initialization as well: React Hook Form defaultValues, Formik initialValues, a Zod field declared z.boolean().default(true), or a useState(true) holding the consent flag. Any default of true on a marketing consent field is the same violation expressed differently, and it survives a correct defaultChecked={false} on the input because the library overrides it.
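The server-side half of the remediation, as an added example that is not the page's own code. It shows the correct parser beside the wrong `?? true` fallback, handles both urlencoded and JSON bodies, and treats an absent field (box unchecked, or a client that never rendered the box) as no consent. The function names, the AFFIRMATIVE value set and the sample submissions are assumptions; URLSearchParams stands in for FormData because its get() has the same null-when-absent contract.

```javascript
// Added example, not the page's or any project's code. parseSignup, parseSignupJson
// and parseSignupBody are assumed helper names for illustration.

// Values a checked box can legitimately arrive as. A checkbox with no `value`
// attribute submits "on"; one with value="true" submits "true"; some clients send "1".
const AFFIRMATIVE = new Set(['on', 'true', '1']);

// CORRECT: opt in only on an explicit affirmative value. An absent field is false,
// never an opt-in. `form` is anything with FormData's get() contract (null when absent);
// URLSearchParams is used here because it parses an x-www-form-urlencoded body directly.
function parseSignup(form) {
  const email = form.get('email');
  if (!email) throw new Error('email is required');
  const raw = form.get('marketing');                                  // null when the box was not submitted
  const marketingOptIn = raw !== null && AFFIRMATIVE.has(raw.trim().toLowerCase());
  return { email, marketingOptIn };
}

// WRONG, kept only for comparison: `?? true` turns an absent field into an opt-in,
// and a checked box yields the string "on" rather than a boolean.
function parseSignupWrong(form) {
  return { email: form.get('email'), marketingOptIn: form.get('marketing') ?? true };
}

// JSON clients: only the boolean `true` counts. A string, a number or a missing key is false.
function parseSignupJson(body) {
  if (!body || typeof body.email !== 'string' || body.email === '') throw new Error('email is required');
  return { email: body.email, marketingOptIn: body.marketingOptIn === true };
}

// Dispatch on Content-Type for a raw request body. multipart/form-data would go through
// a real FormData parser; its get() has the same null-when-absent semantics as above.
function parseSignupBody(contentType, rawBody) {
  const type = String(contentType).toLowerCase();
  if (type.startsWith('application/x-www-form-urlencoded')) return parseSignup(new URLSearchParams(rawBody));
  if (type.startsWith('application/json')) return parseSignupJson(JSON.parse(rawBody));
  throw new Error(`unsupported content type: ${contentType}`);
}

// Constructed sample submissions (not captured traffic).
const SAMPLES = [
  ['application/x-www-form-urlencoded', 'email=alice%40example.test'],                // box unchecked or never rendered
  ['application/x-www-form-urlencoded', 'email=alice%40example.test&marketing=on'],   // box checked
  ['application/x-www-form-urlencoded', 'email=alice%40example.test&marketing=off'],  // odd client, still not consent
  ['application/json', '{"email":"alice@example.test"}'],                            // key omitted
  ['application/json', '{"email":"alice@example.test","marketingOptIn":"true"}'],    // string, not boolean
  ['application/json', '{"email":"alice@example.test","marketingOptIn":true}'],      // explicit boolean consent
];

for (const [type, body] of SAMPLES) {
  console.log(type, body, '=> marketingOptIn:', parseSignupBody(type, body).marketingOptIn);
}
console.log('WRONG handler, field absent =>', parseSignupWrong(new URLSearchParams('email=alice%40example.test')).marketingOptIn);
```

The strictness on the JSON side is deliberate: accepting the string "true" would let a client that serialises an unchecked box as "false" or "" be mis-read by a looser truthiness check, so the only value that registers consent is the literal boolean a checked box produces.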
ID: email-sms-compliance.consent.no-pre-checked-boxes
Severity: low
What to look for: Enumerate every relevant item. GDPR Article 7(3) requires that consent be as easy to withdraw as to give, and Recital 32 explicitly states that pre-ticked boxes do not constitute valid consent. Even under CAN-SPAM (which has no pre-checked-box prohibition), pre-checking is a dark pattern that leads to high spam complaints. Search the codebase for marketing consent checkboxes. Look for input type="checkbox" elements near text mentioning "newsletter," "marketing," "updates," "offers," or "promotions." Check whether defaultChecked or checked (in uncontrolled components) is set or truthy by default, and whether a value="true" attribute is paired with one of them. Check form state initialization: does the React state or form library (React Hook Form defaultValues, Formik initialValues, a Zod .default(true), useState(true)) default the marketing consent field to true? Check the server-side handler for a fallback such as ?? true when the field is absent.
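A scanner for the patterns listed under "What to look for", as an added example that is not part of this rule's own tooling. It flags checkbox inputs with a truthy checked/defaultChecked near consent wording, consent fields initialised to true in form state or a Zod schema, a useState(true) consent flag, and a server-side ?? true or || true fallback. The helper names, the keyword lists, the regexes and the sample source are assumptions for illustration; treat its output as candidates for manual review, since the keyword match is a heuristic.

```javascript
// Added example, not the page's or any project's code. Names, regexes and sample are assumptions.

// Words that mark a checkbox or field as marketing consent (heuristic).
const CONSENT_WORDS = /newsletter|marketing|updates|offers|promotions|opt[-_ ]?in/i;
// Identifier fragment for a consent field in object literals, schemas and state.
const FIELD = '(\\w*(?:marketing|newsletter|promo|offers|updates|optin|opt_in)\\w*)';

const CHECKBOX = /<input\b[^>]*\btype=["']checkbox["'][^>]*>/gi;
const CHECKED_ATTR = /\b(defaultChecked|checked)\b(?:\s*=\s*(\{[^}]*\}|"[^"]*"|'[^']*'))?/i;
// defaultValues: { marketing: true }  |  marketing: z.boolean().default(true)
const DEFAULT_TRUE = new RegExp(`\\b${FIELD}\\s*:\\s*(?:true\\b|z(?:\\.coerce)?\\.boolean\\(\\)\\.default\\(\\s*true\\s*\\))`, 'gi');
// const [marketing, setMarketing] = useState(true)
const STATE_TRUE = new RegExp(`\\[\\s*${FIELD}\\s*,[^\\]]*\\]\\s*=\\s*useState\\(\\s*true\\s*\\)`, 'gi');
// marketingOptIn: data.marketingOptIn ?? true   (or || true)
const FALLBACK_TRUE = new RegExp(`\\b${FIELD}\\b[^\\n;]*(?:\\?\\?|\\|\\|)\\s*true\\b`, 'gi');

// 1-based line number of a character offset.
function lineOf(source, index) {
  let line = 1;
  for (let i = 0; i < index; i++) if (source[i] === '\n') line++;
  return line;
}

// Static value of a checked/defaultChecked attribute: true, false, or null when it is
// an expression we cannot evaluate (e.g. checked={isSubscribed}).
function attrIsTrue(raw) {
  if (raw === undefined) return true;                          // bare attribute: <input checked />
  if (raw[0] === '"' || raw[0] === "'") return raw.length > 2; // JSX string attr: any non-empty string is truthy, even "false"
  const expr = raw.slice(1, -1).trim();                        // strip the { } of a JSX expression
  if (expr === 'true') return true;
  if (expr === 'false') return false;
  return null;
}

// Text to search for consent wording: the enclosing <label>...</label> when the input
// sits inside one, otherwise just the tag's own attributes (name, id, aria-label).
function consentContext(source, index, tagLength) {
  const open = source.lastIndexOf('<label', index);
  const prevClose = source.lastIndexOf('</label>', index);
  const close = source.indexOf('</label>', index);
  const insideLabel = open !== -1 && close !== -1 && open > prevClose;
  return insideLabel ? source.slice(open, close) : source.slice(index, index + tagLength);
}

function findPreCheckedMarketing(source, file = '<source>') {
  const findings = [];
  const report = (index, kind, snippet) =>
    findings.push({ file, line: lineOf(source, index), kind, snippet: snippet.trim() });

  let m;
  while ((m = CHECKBOX.exec(source)) !== null) {
    const attr = CHECKED_ATTR.exec(m[0]);
    if (!attr || attrIsTrue(attr[2]) !== true) continue;
    if (CONSENT_WORDS.test(consentContext(source, m.index, m[0].length))) report(m.index, 'pre-checked-input', m[0]);
  }
  for (const [re, kind] of [[DEFAULT_TRUE, 'default-true'], [STATE_TRUE, 'state-true'], [FALLBACK_TRUE, 'fallback-true']]) {
    while ((m = re.exec(source)) !== null) report(m.index, kind, m[0]);
  }
  return findings.sort((a, b) => a.line - b.line);
}

// Constructed sample mimicking a signup component; not real project code.
const SAMPLE_SOURCE = `
// constructed sample modelled on src/components/SignupForm.tsx
<label>
  <input type="checkbox" name="newsletter" defaultChecked />
  Send me the newsletter
</label>
<label>
  <input type="checkbox" name="marketing" defaultChecked={false} />
  Send me product updates and offers (optional)
</label>
<input type="checkbox" name="remember" defaultChecked={true} /> Remember me
const [marketingOptIn, setMarketingOptIn] = useState(true);
const form = useForm({ defaultValues: { marketingOptIn: true } });
const SignupSchema = z.object({ marketingOptIn: z.boolean().default(true) });
const user = { email: data.email, marketingOptIn: data.marketingOptIn ?? true };
`;

for (const f of findPreCheckedMarketing(SAMPLE_SOURCE, 'SignupForm.tsx')) {
  console.log(`${f.file}:${f.line} ${f.kind}: ${f.snippet}`);
}
```

The "remember me" checkbox in the sample is pre-checked but is not a consent field, so it is not reported; the correctly defaulted marketing box is skipped because its attribute evaluates to false. A checked={someVariable} is neither reported nor cleared, which is the case to follow by hand to the variable's initial value.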
Pass criteria: All of the following conditions are met. All marketing opt-in checkboxes default to unchecked. No form state, schema default, or server-side fallback initializes a marketing consent field to true. Users must take a positive action (checking a box) to opt into marketing.
Fail criteria: Marketing consent checkbox is pre-checked by default. Form state initializes marketing opt-in to true. Server-side signup handler defaults marketing consent to true when no explicit value is sent.
Skip (N/A) when: Application collects no email or phone number for marketing purposes.
Detail on fail: Example: "Newsletter opt-in checkbox at signup has defaultChecked={true} in src/components/SignupForm.tsx. GDPR prohibits pre-ticked boxes for marketing consent." or "Server-side signup handler: marketingOptIn: data.marketingOptIn ?? true — defaults to opted-in when checkbox not submitted.".
Remediation: Default all marketing checkboxes to unchecked:
// WRONG — pre-checked (GDPR violation)
// <input type="checkbox" name="marketing" defaultChecked={true} />
// CORRECT — unchecked by default, user must opt in
<label>
<input
type="checkbox"
name="marketing"
defaultChecked={false} // explicit — never omit this
/>
Send me product updates and offers (optional)
</label>
// Server-side: default to false, not true
const marketingOptIn = formData.get('marketing') === 'on' // false if unchecked
// NOT: formData.get('marketing') ?? true // this defaults to opted-in