Pre-Ticked Checkboxes: Why They Fail UK Consent Rules

Steven | TrustYourWebsite · 15 May 2026 · Last updated: May 2026

A pre-ticked checkbox looks like a small implementation detail. Under UK GDPR Article 7 and PECR Regulation 6 it is a complete failure of the consent standard. The ICO treats pre-ticked boxes as no consent at all, and their presence on cookie banners, signup forms and checkout flows is one of the most consistent findings in published ICO enforcement decisions. This guide covers why they fail, where they hide and the simple fixes.

For a scan that actually inspects the default state of every checkbox on your site, run a free check at /uk/en/scan.


UK GDPR Article 7(1) requires the controller to be able to demonstrate that the data subject has consented to processing of his or her personal data. UK GDPR Recital 32 (retained as part of UK GDPR through the EU Exit Regulations) clarifies that consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement. Silence, pre-ticked boxes or inactivity do not constitute consent.

The phrasing rules out three common patterns: pre-ticked checkboxes (no affirmative act), inferred consent from continued site use ("by browsing this site you agree" banners) and silence-as-consent flows.

PECR Regulation 6 applies the same standard to cookies and similar technologies. The ICO's cookies guidance explicitly cites pre-ticked boxes as non-compliant for cookie consent.

Planet49: the binding precedent

The CJEU's ruling in Planet49 GmbH v Bundesverband der Verbraucherzentralen und Verbraucherverbände, Case C-673/17 (1 October 2019) settled the pre-ticked checkbox question for the EU and, through retained EU law, for the UK. The court held that consent given via a pre-ticked checkbox does not satisfy the consent requirements under either the GDPR or the ePrivacy Directive.

Three points from the ruling matter for UK practice.

The default state is decisive. A box that loads in the ticked state is not an active expression of consent regardless of what the user does next. Even if the user reads the wording and proceeds to submit the form without unticking, the consent is not affirmative.

Both GDPR and ePrivacy are engaged. Where a checkbox covers cookies, both PECR Regulation 6 (cookie placement) and UK GDPR Article 7 (lawful basis for the processing the cookie enables) apply. A failure on either is enough to invalidate the consent.

The ruling applies to all consent contexts, not only cookies. Although Planet49 arose from a cookie-consent flow, the consent standard it articulates is the same standard used for any consent under UK GDPR. The ICO has applied it to marketing email consent, profiling consent and consent for non-essential analytics.

The UK Supreme Court has not had cause to revisit this question and the ICO's published guidance and enforcement decisions continue to apply Planet49 reasoning. Until and unless a UK court rules otherwise on the consent standard, Planet49 is the operating standard for UK practice.

Where pre-ticked patterns hide

The pre-ticked pattern is rarely the result of a deliberate decision. More often it appears in implementations that drift from compliant defaults over time. The table below covers the patterns the ICO most frequently flags.

| Where it appears | What it looks like | Why it fails |
| --- | --- | --- |
| Cookie banner preferences panel | Analytics or advertising toggles default to On when the user opens preferences. | PECR Reg 6 + Planet49. Default-on consent is not affirmative. |
| Newsletter signup form | Marketing checkbox already ticked when the form loads. | UK GDPR Art 7(1) + PECR Reg 22. |
| Account creation flow | "Send me marketing" box ticked by default during signup. | UK GDPR Art 7(1). |
| Checkout flow | Pre-ticked "Add me to your VIP customer list" alongside the order. | UK GDPR Art 7(1) + Art 7(2) bundled-consent rules. |
| Lead-magnet download form | "Yes, send me related content" pre-ticked alongside the email field. | UK GDPR Art 7(1) + PECR Reg 22. |
| Webinar or event registration | "Subscribe to our newsletter" pre-ticked on the registration form. | UK GDPR Art 7(1) + bundled with the event registration. |
| Cookie banner "Accept all" without a Reject button | Continuing to use the site treated as acceptance. | PECR Reg 6. The ICO has explicitly named this in November 2023 enforcement. |

What "active affirmation" actually looks like

The fixes are mechanical. The default state is unticked. The user reads the wording and actively ticks the box. The submission only proceeds if the box has been actively engaged where the consent is required.

For cookie banners, the equivalent is that all non-essential category toggles default to Off. The user actively enables the categories they want and clicks Save preferences. Reject all on the first banner layer is as prominent as Accept all and takes one click.

The CJEU and the ICO both treat the user's silence as a refusal, not as an unstated agreement. A page that loads with everything default-on and waits for the user to opt out fails. A page that loads with everything default-off and asks the user to opt in passes.

What the ICO actually does about pre-ticked boxes

The ICO's enforcement record on pre-ticked patterns spans both cookies and marketing.

The November 2023 letter campaign to 53 of the UK's top 100 websites cited pre-ticked or asymmetric cookie banners as a primary failing. By January 2024, 38 of those sites had become compliant under ICO supervision, with several others publicly named for non-engagement.

The January 2025 expansion to the top 1,000 UK websites used the same methodology and brought SME-tier organisations into scope.

PECR Reg 22 monetary penalty notices against companies running unsolicited marketing campaigns have routinely cited the consent capture mechanism. Where the underlying signup form used a pre-ticked checkbox, the ICO has treated the consent as no consent at all. This pattern accounts for most of the £10,000-£200,000 SME PECR fines published over the past three years.

For how the ICO investigation actually unfolds after a complaint, see the ICO investigation process guide.

How to audit your own forms

The check is mechanical and takes minutes per form.

Open each signup form, cookie banner and checkout in an incognito browser. Note which checkboxes are checked when the page loads. Any non-essential consent box that is checked by default fails the test.

Open the cookie banner's preferences panel. Note which category toggles are On by default. Any non-strictly-necessary category toggle that is On fails PECR Reg 6.

Inspect the form HTML. A box that has checked or checked="checked" in the markup, and that does not represent a strictly necessary cookie or a pre-existing affirmative choice, fails.

Look at the CMP or form-builder configuration. Many platforms (Mailchimp, HubSpot, Cookiebot, OneTrust) have a "default state" setting that is sometimes left at On unintentionally during initial setup.
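The markup inspection step above can be scripted. The following is an added example, not the code of the scanner this page mentions; it also flags ARIA toggles (role="switch" with aria-checked="true"), which goes beyond the checked attribute the step names, and the EXEMPT names and sample markup are assumptions.

```python
from html.parser import HTMLParser

# Assumption: the names/ids your own site gives to strictly necessary controls.
EXEMPT = frozenset({"necessary", "strictly-necessary"})

class PreTickedAudit(HTMLParser):
    """Record controls whose served markup loads in the ticked/on state."""

    def __init__(self, exempt=EXEMPT):
        super().__init__()
        self.exempt = exempt
        self.findings = []  # (line number, name or id)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # a bare `checked` arrives as {"checked": None}
        is_box = tag == "input" and (a.get("type") or "").lower() == "checkbox"
        is_switch = (a.get("role") or "").lower() in ("checkbox", "switch")
        # `checked` is a boolean attribute: presence ticks the box, so
        # checked="checked", checked="" and even checked="false" all count.
        ticked = (is_box and "checked" in a) or (
            is_switch and (a.get("aria-checked") or "").lower() == "true")
        label = a.get("name") or a.get("id") or "(unnamed)"
        if ticked and label.lower() not in self.exempt:
            self.findings.append((self.getpos()[0], label))

def audit(html, exempt=EXEMPT):
    """Return [(line, name)] for every non-exempt control ticked by default."""
    parser = PreTickedAudit(exempt)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample markup, not taken from any real site.
SAMPLE = """\
<form id="signup">
  <input type="email" name="email">
  <input type="checkbox" name="marketing" checked>
  <input type="checkbox" name="terms">
  <input type="checkbox" name="vip_list" checked="false">
</form>
<div id="cookie-prefs">
  <input type="checkbox" name="necessary" checked disabled>
  <button role="switch" id="analytics" aria-checked="true"></button>
  <button role="switch" id="advertising" aria-checked="false"></button>
</div>
"""

if __name__ == "__main__":
    for line, name in audit(SAMPLE):
        print(f"line {line}: '{name}' is ticked by default")
```

This reads the served markup only; a box that a script ticks after the page loads will only show up in the incognito browser check.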

For a broader signup-compliance picture see newsletter signup forms: UK GDPR and PECR requirements.

A box that is unticked but covers too many things is a separate failing under UK GDPR Article 7(2). Examples: "I agree to the terms and to receive marketing emails" as a single checkbox or "Submit" treated as agreement to both the order and to marketing.

Article 7(2) requires consent to be presented in a manner clearly distinguishable from other matters. The fix is to capture marketing consent as a separate decision from the underlying contract or service.

What to fix this week

Inspect the cookie banner preferences default state and switch all non-essential toggles to Off. Inspect every signup form and remove pre-ticked defaults. Replace any "by submitting you agree to marketing" wording with a separate unticked checkbox. Inspect the checkout and account-creation flows. Update the consent-capture log to record the consent wording shown at the time of submission so the evidence holds up if a complaint arrives later.

For the broader UK GDPR position, see GDPR compliance for UK businesses and PECR cookie rules in the UK.


This is technical analysis, not legal advice. If a regulator has contacted your business about consent capture, take advice from a UK data-protection specialist before responding.