
Platform Gotchas

Klaviyo, Mailchimp, and the pre-ticked box problem at checkout

GDPR Article 4(11) requires unambiguous, affirmative consent. A pre-ticked email opt-in at checkout fails that test. Here is how the default flow looks in two common stacks, recent enforcement, and the two configurations that work.

A pre-ticked marketing checkbox at checkout is not valid consent under GDPR. Article 4(11) defines consent as a "freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement." Recital 32 adds that silence, pre-ticked boxes, or inactivity do not constitute consent.

The Court of Justice held the same in Planet49 GmbH (Case C-673/17, 1 October 2019), in the specific context of cookies. The reasoning generalises. A box that is already ticked when the page loads cannot evidence a clear affirmative action.

How does this happen in real merchant stacks?

Klaviyo on Shopify

Klaviyo's Shopify integration offers a checkout email opt-in. The default in the standard install is unchecked (correct). But if a merchant or theme developer flips the default to checked, the integration accepts it. Klaviyo will record the subscription and start emailing. The compliance defect is in the merchant's configuration, not in Klaviyo's product, but the liability sits with the controller (the merchant).

Mailchimp on WooCommerce

Mailchimp's WooCommerce plugin presents a checkout opt-in with a configurable default. Some merchants pre-tick it on the theory that it improves list growth. It does. It also creates a list of subscribers who never gave consent, which is unusable under GDPR Article 6 and high-risk under Article 7's demonstrability requirement (the controller must be able to demonstrate that the data subject consented).

Recent enforcement on pre-ticked boxes

Spain, AEPD, 2023, PS-00257-2022: 60,000 euros against a clothing retailer for a pre-ticked marketing checkbox at registration.

Germany, Hamburg DPA, 2022: cease-and-desist against a major online travel agency for a pre-ticked SMS marketing checkbox. No fine, but a binding order.

Italy, Garante, 2024, Ordinanza n. 153: action against an online supplements retailer for combining a single checkbox covering newsletter, profiling, and third-party sharing. The Garante held that bundled consent is not specific within the meaning of Article 6(1)(a).

What does a defensible flow look like?

Two configurations work. One is no checkbox at all (no opt-in flow at the checkout, marketing relationship started later via a separate, explicit sign-up). The other is an unticked checkbox with neutral copy ("I would like to receive marketing emails about new products and offers") that the user must affirmatively check.

Two patterns remain risky: bundled consent (one checkbox covering more than one purpose) and pre-ticked boxes. Both should be removed from any EU-facing checkout.

How we test this

ComplianceGuardHQ does not assume your checkout has a pre-ticked box. We render the checkout page and read the initial DOM state of every checkbox tied to a marketing or analytics action. If a box is checked by default before any user interaction, we report it with the element selector and the surrounding label text. Run a free scan to find out.

What to audit this week

Open your checkout in a private window. Inspect every checkbox on the order confirmation step. If the checked attribute is set in the initial HTML, the box is pre-ticked; inspect the rendered DOM as well as the page source, because a theme script can tick the box after the page loads. Remove the default-checked state, and consider whether the copy bundles multiple purposes into one consent. Both fixes are theme-level. Neither requires changing your ESP.
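The check described above and in the "How we test this" section, as an added example that is not ComplianceGuardHQ's scanner: it walks the checkout markup for marketing checkboxes, flags any that are already ticked or whose label bundles several purposes, and reports each with a selector and its label text. The sample HTML and the keyword lists are constructed for illustration.

```javascript
// Added example (not ComplianceGuardHQ's scanner): audit the initial HTML of a
// checkout page for marketing checkboxes that are pre-ticked, or that bundle
// several purposes into one consent, and report each with a selector and label.
// It reads static markup; a theme script that ticks a box after load only shows
// up when the same check is run against the live DOM (document.querySelectorAll).
const MARKETING = /newsletter|marketing|offers?|promotion|sms|profil|third[- ]part|partner/i;
// One pattern per consent purpose (communications, profiling, third-party sharing);
// two or more hits in a single label text indicates bundled consent.
const PURPOSES = [/newsletter|marketing|offers?|promotion/i, /profil/i, /third[- ]part|partner/i];

// Parse one tag's attribute text into an object; bare attributes such as `checked` map to ''.
function parseAttrs(attrText) {
  const attrs = {};
  const re = /([^\s=\/"'>]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  for (let m; (m = re.exec(attrText)) !== null;) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

const textOf = (html) => html.replace(/<[^>]+>/g, ' ').replace(/\s+/g, ' ').trim();

function auditCheckoutHtml(html) {
  // Collect <label> elements once; both for="id" labels and wrapping labels count.
  const labels = [...html.matchAll(/<label\b([^>]*)>([\s\S]*?)<\/label>/gi)]
    .map((m) => ({ for: parseAttrs(m[1]).for, raw: m[2], text: textOf(m[2]) }));
  const findings = [];
  for (const m of html.matchAll(/<input\b([^>]*)>/gi)) {
    const a = parseAttrs(m[1]);
    if ((a.type || 'text').toLowerCase() !== 'checkbox') continue;
    const label = labels.find((l) => (a.id && l.for === a.id) || l.raw.includes(m[0]));
    const text = label ? label.text : '';
    if (!MARKETING.test(`${text} ${a.name || ''} ${a.id || ''}`)) continue; // not a marketing box
    const issues = [];
    if ('checked' in a) issues.push('pre-ticked'); // Recital 32: not a clear affirmative action
    if (PURPOSES.filter((p) => p.test(text)).length > 1) issues.push('bundled'); // not specific
    if (issues.length) {
      findings.push({ selector: a.id ? `#${a.id}` : `input[name="${a.name}"]`, label: text, issues });
    }
  }
  return findings;
}

// Constructed checkout fragment: a pre-ticked marketing box, a bundled box, a
// compliant unticked box, and a pre-ticked terms box that is out of scope here.
const SAMPLE_HTML = `<form id="checkout">
  <input type="checkbox" id="terms" name="accept_terms" checked>
  <label for="terms">I accept the terms and conditions</label>
  <input type="checkbox" id="newsletter" name="klaviyo_opt_in" checked="checked">
  <label for="newsletter">Send me emails about new products and offers</label>
  <label><input type="checkbox" name="bundle"> Subscribe to the newsletter, allow profiling and share my data with partners</label>
  <input type="checkbox" id="sms" name="sms_opt_in">
  <label for="sms">Text me offers by SMS</label>
</form>`;
```

Running `auditCheckoutHtml(SAMPLE_HTML)` returns two findings: `#newsletter` as pre-ticked and `input[name="bundle"]` as bundled, while the unticked single-purpose SMS box is clean.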

Frequently asked questions

Is a pre-ticked checkbox valid consent under GDPR?

No. Article 4(11) and Recital 32 of GDPR require an unambiguous affirmative action. A box already ticked when the page loads does not show affirmative action. The Court of Justice confirmed this in Planet49 GmbH (Case C-673/17, 1 October 2019).

Does Klaviyo's Shopify integration pre-tick the opt-in box?

No, the default is unchecked. The integration becomes non-compliant only when a merchant or theme developer toggles the default to checked. The liability sits with the merchant as controller.

Does Mailchimp's WooCommerce plugin pre-tick the opt-in box?

The default depends on the merchant's configuration. Mailchimp's WooCommerce plugin presents the toggle as a configurable option, and some merchants pre-tick it to improve list growth. That configuration is not compliant with GDPR Article 4(11).

Can one checkbox cover multiple marketing purposes?

No. Article 7 of GDPR requires consent to be specific to a clearly defined purpose. The Italian Garante's 2024 ordinance n. 153 confirms that a single checkbox covering newsletter, profiling, and third-party sharing is not valid consent because it is not specific.

What is the fine for a pre-ticked checkbox under GDPR?

Recent decisions sit in the 30,000 to 200,000 euro range for SME merchants. Spain's AEPD has been most active on this, with PS-00257-2022 imposing 60,000 euros on a clothing retailer for a pre-ticked registration checkbox.

Run the check on your webshop

ComplianceGuardHQ runs automated checks across 8 EU frameworks against your live webshop in about 60 seconds. Free basic scan, no installation required.


ComplianceGuardHQ performs an automated technical scan. The findings refer to the text of the regulations and to enforcement precedent. They do not constitute legal advice. For a binding interpretation in your jurisdiction, consult a qualified lawyer or data protection officer.