Pre-checked Checkbox Illegal Under GDPR (Netherlands)

That checkbox on your checkout page that says "Yes, send me marketing emails" and comes already ticked? It is not valid consent. The EU's highest court settled this in October 2019, and Dutch businesses are still getting caught with it.

A pre-checked checkbox is illegal under GDPR (the AVG in the Netherlands). If you are collecting newsletter signups, marketing opt-ins or any kind of communication consent through pre-checked boxes, you are collecting consent that does not count. That means every email you send based on that consent is potentially a violation of the AVG. Run a free scan to check every form on your site for this exact problem before the AP finds it for you.

Here is what happened, why it matters for Dutch businesses and what you need to fix.

The Planet49 ruling and what it means for the Netherlands

In October 2019, the Court of Justice of the European Union (CJEU) decided Case C-673/17, known as the Planet49 case. A German online lottery company called Planet49 ran a promotional game where users entered their details to participate. On the entry form, a pre-checked checkbox consented to receiving advertising from partners via email and SMS.

The German courts referred the case to the CJEU, asking whether pre-checked boxes constitute valid consent under EU law.

The court's answer was unambiguous: no.

The CJEU ruled that consent requires an active indication of the user's wishes. A pre-checked box that the user must uncheck to refuse is not an active indication. It assumes consent unless the person acts to withdraw it. That is not how consent works.

This ruling did not create new law. It confirmed what AVG Article 4(11) already said. Consent must be a "freely given, specific, informed and unambiguous indication of the data subject's wishes, by a statement or by a clear affirmative action." A pre-ticked box fails the "unambiguous" and "clear affirmative action" tests because silence or inaction is not consent.

Planet49 is binding on all EU member states. The Netherlands is bound by it through the AVG, which is the Dutch implementing regulation of the GDPR. The Autoriteit Persoonsgegevens (AP), the Dutch data protection authority, applies this standard to every Dutch website that collects consent.

The AP and Dutch enforcement

For Dutch businesses, the Autoriteit Persoonsgegevens is the primary enforcement body. The AP enforces AVG consent requirements and has flagged pre-ticked consent mechanisms in its supervisory communications to Dutch online retailers.

The AP's guidance on consent sets out what valid consent looks like under the AVG. The AP position is consistent with Planet49: consent must be an active, freely given, unambiguous act. Pre-checked boxes do not meet that standard.

The AP can investigate on its own initiative and in response to complaints from individuals or competitors. When the AP finds a pre-checked consent box, the typical enforcement path for a smaller business starts with a corrective order and a compliance deadline. Ignoring that order escalates to a fine under AVG Article 83, which allows fines up to 20 million euros or 4 percent of annual global turnover.

What counts as valid consent in the Netherlands

After Planet49, the line is clear for every Dutch website. The user must take a deliberate action to opt in. That means:

• An unchecked checkbox the user ticks themselves
• A clear "subscribe" button where someone types their email and clicks to confirm
• Double opt-in with a confirmation email (best practice for proof of consent)

What does not count: pre-ticked boxes, bundled consent hidden in terms and conditions, "by using this site you agree to..." statements and any setup where the user must act to refuse rather than to accept.

Under AVG Article 7(1), you must also be able to demonstrate that the person consented. This means you need a record of the exact wording shown at the time of consent, the timestamp and IP address of the opt-in, and the form version in use. If the AP asks for proof and you cannot produce it, that is treated the same as no consent at all. Your email service provider or CRM should be configured to capture this automatically.

Where pre-checked boxes still appear on Dutch websites

You would think this would be fixed everywhere by now. It has been over six years since the Planet49 ruling. Pre-checked boxes are still appearing on Dutch websites. Here is where to look:

Pre-checked boxes vs. default-on toggles in account settings

There is a related problem that catches Dutch businesses off guard. Account settings pages where marketing preferences are switched on by default.

A customer creates an account. Their settings page shows "Promotional emails", "Partner offers" and "Product updates" all switched on. The customer never visited the settings page. They never made an active choice.

This is functionally the same as a pre-checked box. The default is "on" and the user must act to turn it off. The AVG does not allow this. The user made no unambiguous indication of agreement, so there is no valid consent.

The fix is straightforward: set all marketing-related preferences to "off" by default. Let users opt in when they are ready.

How to audit your forms

Go through every form on your website that collects any kind of marketing consent. Work through this in a fresh browser session, not while logged in.

1. Open each form fresh. See it the way a new visitor sees it, not the way you see it as the owner.

2. Look at every checkbox. Is any marketing consent checkbox pre-ticked? If yes, that must be fixed. Every marketing consent checkbox must start unchecked.

3. Walk through the full checkout flow. Add something to the cart and complete the process. Look for newsletter or marketing opt-ins that are pre-selected during checkout.

4. Create a test account. Are any communication preferences selected by default on registration or in the settings that follow?

5. Check contact and booking forms. Fill them out as a customer would. Look for consent checkboxes that appear mid-form.

6. Check account settings immediately after registration. Before changing anything, look at notification settings. Are marketing preferences already on?

7. Check your email service provider. Some platforms have settings that automatically add contacts from forms. Make sure contacts only land on your marketing list when they have actively opted in.

You can also run a free scan to catch common consent issues on your website, including form analysis and cookie consent checks.

The Dutch soft opt-in and why it does not change this

The Netherlands (along with the UK and some other countries) allows a soft opt-in under the Telecommunicatiewet for existing customers. Under Article 11.7 of the Telecommunicatiewet, you can email existing customers about similar products or services without collecting fresh consent, provided you offer an easy opt-out in every email.

This is sometimes misread as permission to use pre-checked boxes. It is not. The soft opt-in is a different lawful basis for sending emails without consent. It is not consent at all. The pre-checked checkbox rule under AVG Article 4(11) applies whenever you are collecting consent through a form. Even where soft opt-in technically applies to your existing customers, pre-checked boxes on your forms still do not generate valid consent for anyone who signs up through those forms.

Why businesses keep doing it

Some businesses know pre-checked boxes are problematic and do it anyway. The reasoning is usually the same: "Our newsletter signup rate drops when we uncheck the box."

That is probably true. Pre-checked boxes generate more signups because most people do not notice them. That is exactly the problem and exactly why they do not count as consent.

Here is why it is not worth the risk:

Those subscribers do not want your emails. They did not choose to sign up. Open rates will be low, unsubscribe rates will be high and spam complaint rates will damage your email deliverability with every major provider.

Your entire list could be invalidated. If the AP investigates and finds your consent mechanism is invalid, they can order you to stop using that list. Years of collected contacts, lost.

Fines are real. Dutch SMEs have received enforcement action for invalid consent. The combination of a fine and forced list deletion costs far more than a lower newsletter conversion rate.

Proper opt-in builds a better list. People who actively choose to subscribe are the ones who read your emails and buy your products. A list of 500 engaged subscribers is worth more than a list of 5,000 people who did not know they signed up.

The same consent principles that apply to your cookie banner apply to your marketing forms. Active, informed, freely given consent. No shortcuts. If you run a webshop, pre-checked boxes are just one item on a longer checklist. See our Dutch webshop compliance guide for the full picture.

What to do right now

Uncheck your boxes. All of them. Every marketing consent checkbox on your website should start in the unchecked state. This is not optional under the AVG.

If you have been collecting consent through pre-checked boxes, run a re-consent campaign. Send your existing list an email asking them to actively confirm they want to keep receiving your emails. You will lose some subscribers. You will keep the ones who matter and you will be on solid legal ground with the AP.

For a deeper look at how to handle newsletter consent properly, read our guide on double opt-in and Dutch email law. If you are also wondering whether your cookie banner follows the same consent rules, it should. The Planet49 case applies to cookies and marketing consent alike.

Scan your website for free to check your forms, cookie consent and other compliance issues in under a minute.

FAQ

Are pre-checked checkboxes illegal under GDPR in the Netherlands?

Yes. The CJEU ruled in Planet49 (C-673/17) that pre-checked boxes do not constitute valid consent under EU law. The AVG, the Dutch implementation of the GDPR, applies the same standard. The Autoriteit Persoonsgegevens enforces this in the Netherlands. A pre-ticked box that the user must uncheck to refuse is not valid consent for newsletter signups, marketing emails, cookies or any other processing that requires consent.

What happens if I have been using pre-checked boxes in the Netherlands?

Consent collected through pre-checked checkboxes is invalid. You do not have a lawful basis for sending marketing emails to those contacts. Fix your forms so all consent checkboxes start unchecked. For your existing list, send a re-consent email asking subscribers to actively confirm they want to keep hearing from you. Contacts who do not confirm should be removed. Under AVG Article 7(1) you must be able to demonstrate valid consent, and pre-checked box consent cannot meet that standard.

Does this apply to B2B marketing emails in the Netherlands?

The consent requirements apply to any personal data processing under the AVG. If you are collecting email addresses from individuals through a form with a pre-checked marketing checkbox, that consent is invalid. The Netherlands allows B2B cold email under legitimate interest in certain narrow circumstances, but that is a separate legal basis and does not change the rule about pre-checked boxes. If you are relying on consent, it must be active and affirmative.

Can I use a pre-checked box for transactional emails?

Transactional emails such as order confirmations, shipping updates and password resets do not require marketing consent because they are necessary to fulfill a contract. You do not need a checkbox for these at all. You cannot bundle marketing content into a transactional email and claim the whole email is transactional. If your order confirmation includes a promotional section, that section needs proper consent.

How does the Dutch soft opt-in interact with pre-checked boxes?

The soft opt-in under Telecommunicatiewet Article 11.7 lets you email existing customers about similar products without collecting fresh consent. This is a lawful basis that applies to the act of sending emails. It does not change the rule about pre-checked consent checkboxes. If you have a form on your site that purports to collect consent and it has a pre-ticked box, that consent is still invalid regardless of whether soft opt-in would have applied to those contacts through a different legal route.

Sources

• Regulation (EU) 2016/679 — GDPR (eur-lex.europa.eu)
• CJEU C-673/17 — Planet49 judgment (curia.europa.eu)
• Directive 2002/58/EC — ePrivacy Directive (eur-lex.europa.eu)
• Telecommunicatiewet (wetten.overheid.nl)
• Uitvoeringswet AVG (wetten.overheid.nl)
• Autoriteit Persoonsgegevens (autoriteitpersoonsgegevens.nl)
• EDPB — Guidelines and recommendations (edpb.europa.eu)