Consent in forms — pre-ticked boxes, bundled yeses and what the GDPR requires

A pre-ticked box for the newsletter. A single checkbox approving both the terms and the marketing. A line above the submit button saying the submission "also constitutes consent to mailings". Three common form patterns — and none of them collects valid consent. The GDPR sets concrete requirements for what a yes in a form may look like, and most of the issues are easy to fix once you see them.

GDPR art. 4.11 · 7 · GDPR art. 13

What does the law say?

The GDPR defines consent as a freely given, specific, informed and unambiguous indication of wishes, by a statement or a clear affirmative action (article 4.11). Every word does work: freely given means a real choice, specific means yes to one defined thing, and unambiguous affirmative action means the visitor must actively do something themselves.

It is the last part that sinks the pre-ticked box. The EU Court of Justice ruled in Planet49 (C-673/17, 2019) that a box already ticked is not an affirmative action — leaving a tick in place is not doing anything. The consent is invalid, no matter how clear the text next to the box is.

Freely given has its own rule: under article 7.4, utmost account must be taken of whether a contract or service has been made conditional on consent that is not necessary for the service. Bundle "I accept the terms" with "I want the newsletter" into the same checkbox and two different yeses are forced together — anyone who wants to submit the form must say yes to the mailings, and the consent to the newsletter is no longer freely given.

"By submitting you agree…" — implied consent

A related variant is the text by the submit button: "by submitting this form you also agree to marketing mailings". Pressing submit means "deliver my message" — the text next to it cannot reinterpret the same click to also mean yes to something else. That is not an active, specific choice, and therefore not valid consent.

Note the difference from a pure newsletter signup form: there, the signup itself is the consent to the newsletter — it is exactly what the visitor is asking for. The problem only arises when the submission is turned into consent for something beyond the form's own purpose.

Information at the moment of collection

The GDPR also requires that the information about the processing is provided when the data is collected (articles 12 and 13) — not afterwards, and not only on a policy page three clicks away. For a web form this means, in practice, a link to the privacy policy near the form, so the visitor can read it before submitting.

The purpose of the collection should also be apparent at the form itself. For many forms the context says it all — a contact form exists so that you get a reply. But when the purpose is not obvious, for example a field for a national identity number with no explanation, a short sentence at the form is needed. And each form's collection must have a corresponding purpose described in the policy — not just the data that happened to exist when the policy was written.

Common issues we see

  • The newsletter box is pre-ticked — the visitor must actively untick it to opt out, which is exactly the pattern the Planet49 ruling rejected.
  • A single checkbox covers both accepting the terms and the newsletter — anyone who wants to proceed is forced to say yes to the mailings.
  • Text by the submit button along the lines of "by submitting you also agree to us contacting you with offers" — the submission is reinterpreted as a consent the visitor never gave.
  • The form collects name and email but has no link to the privacy policy nearby.
  • Data is collected for a purpose that is neither apparent at the form nor described in the policy.

How CompliantHQ tests this

The scanner deterministically checks two things: that no consent boxes in the forms are pre-ticked at page load, and that forms collecting personal data have a link to the privacy policy nearby. Both are flagged immediately if they fall short.

On top of that, our compliance AI reads the forms and the policy together and assesses what a pure code review cannot see: whether one checkbox bundles several different yeses, whether text at the form turns the submission into consent for something else, whether each form's collection has a corresponding explained purpose in the policy, and whether the purpose is apparent at the form itself when the context does not make it obvious. The AI assessments are always presented as exactly that — assessments, never established violations — so you can verify against your own form before acting.

All of these checks are already included in the trial.
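
An added example (not CompliantHQ's scanner code) of the two deterministic checks, run over static HTML with Python's standard-library parser. The keyword heuristics, the finding names and the reading of "nearby" as "inside the form element" are assumptions of this example.

```python
import re
from html.parser import HTMLParser
# Heuristics assumed for this example; tune them to your own field names.
CONSENT = re.compile(r"newsletter|marketing|consent|opt.?in|subscribe", re.I)
PERSONAL = re.compile(r"name|mail|phone|address", re.I)

class FormAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.forms, self.cur = [], None  # finished records, form being parsed

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.cur = {"id": a.get("id"), "preticked": [], "personal": False, "policy": False}
        elif tag == "input" and self.cur:
            kind = (a.get("type") or "text").lower()
            label = a.get("name") or a.get("id") or ""
            if kind == "checkbox":
                if "checked" in a and CONSENT.search(label):  # ticked at page load
                    self.cur["preticked"].append(label)
            elif kind in ("email", "tel") or (kind == "text" and PERSONAL.search(label)):
                self.cur["personal"] = True
        elif tag == "a" and self.cur and "privacy" in (a.get("href") or "").lower():
            self.cur["policy"] = True  # assumption: "nearby" means inside the form

    def handle_endtag(self, tag):
        if tag == "form" and self.cur:
            self.forms.append(self.cur)
            self.cur = None

def audit(html):
    parser = FormAudit()
    parser.feed(html)
    findings = []
    for f in parser.forms:
        findings += [(f["id"], "preticked-consent", box) for box in f["preticked"]]
        if f["personal"] and not f["policy"]:
            findings.append((f["id"], "no-policy-link", None))
    return findings

# Constructed sample: "bad" shows both problems, "fixed" is the corrected form.
SAMPLE = """
<form id="bad"><input type="email" name="email">
<input type="checkbox" name="newsletter" checked> Newsletter</form>
<form id="fixed"><input type="email" name="email">
<input type="checkbox" name="terms" required> Terms
<input type="checkbox" name="newsletter"> Newsletter <a href="/privacy-policy">Privacy policy</a></form>
"""
```

`audit(SAMPLE)` reports both findings for the `bad` form and nothing for `fixed`. Parsing static markup only sees the `checked` attribute; a box that a script ticks after load has to be checked against the rendered DOM.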

How to fix it

  • Leave all consent boxes empty by default — the visitor ticks them themselves.
  • One box per yes: accepting the terms on its own, the newsletter on its own, any third-party sharing on its own.
  • Remove wording about the submission "also constituting" consent to something else — replace it with a dedicated, unticked checkbox for that purpose.
  • Put a link to the privacy policy next to every form that collects personal data.
  • Explain the purpose at the form when it is not obvious from the context, and make sure the policy describes the purpose of each form's collection.

What the check covers

  • That consent checkboxes in forms (newsletter, marketing) aren't pre-ticked — pre-ticked consent is invalid.
  • That forms collecting personal data have a link to the privacy policy nearby.
  • The AI reviews that one checkbox doesn't force several different yeses together — for example a single tick for both the terms and the newsletter.
  • The AI reviews form text claiming that submitting also constitutes consent to something else — "by submitting you also agree to mailings" is not valid consent.
  • The AI verifies that every form collecting personal data has a corresponding explained purpose in the policy.
  • The AI judges whether the form itself makes clear why the data is collected, not just a passage deep inside the policy.

Common questions

Is a pre-ticked consent box valid under the GDPR?

No. The EU Court of Justice ruled in Planet49 (C-673/17) that a pre-ticked box is not an affirmative action — consent requires the visitor to actively tick the box themselves.

Can I bundle accepting the terms and the newsletter into one checkbox?

No. The terms are needed for the service, the newsletter is not — bundle them and the visitor is forced to say yes to the mailings just to proceed, which means the consent to the newsletter is not freely given (article 7.4).

Is the text "by submitting this form you agree to marketing" enough?

No. Pressing submit means delivering the message — it is not an active, specific yes to something else. If you want consent to marketing, you need a dedicated, unticked box for exactly that.

Does every form need to link to the privacy policy?

The information about the processing must be easily accessible when the data is collected (articles 12 and 13). The simplest way to meet that for a web form is a policy link near the form — which is also what our scanner looks for.
