CJEU Rules Pre-Ticked Boxes and Passive Consent Invalid Under GDPR
Orange România was penalized for collecting copies of customer ID documents without obtaining valid consent — relying on pre-ticked checkboxes and requiring customers to manually write a refusal rather than actively opt in. The CJEU confirmed that GDPR consent must be a freely given, specific, informed, and unambiguous indication of agreement, meaning passive or coerced consent mechanisms are unlawful. Critically, the court placed the burden of proving valid consent squarely on the data controller, not the data subject. This case matters because many organizations still use dark patterns or bundled consent clauses that superficially appear compliant but do not meet GDPR's active consent standard. Failing to design lawful consent flows exposes organizations to regulatory fines, reputational damage, and potential data processing invalidation.
Tactical Insight
Immediate actions
- Audit all existing consent collection mechanisms to remove pre-ticked checkboxes, bundled consent clauses, and passive opt-out designs.
- Implement active opt-in controls (e.g., unchecked checkboxes, explicit confirmation buttons) for any processing that relies on consent as its legal basis.
- Retain timestamped, auditable records of every consent interaction to satisfy the controller's burden of proof.
Long-term improvements
- Establish a Consent Management Platform (CMP) that captures, stores, and allows withdrawal of consent in a granular and auditable manner.
- Train customer-facing staff and UX/product teams on GDPR consent requirements, including the prohibition on making services conditional on non-essential consent.
- Conduct periodic Data Protection Impact Assessments (DPIAs) for processes involving sensitive personal data such as identity documents.
Governance & compliance measures
- Appoint or empower a Data Protection Officer (DPO) to review all new data collection workflows before deployment.
- Map every processing activity to a valid legal basis under GDPR Article 6 and document this in a Records of Processing Activities (RoPA) register.
- Establish a regular compliance review cycle aligned with regulatory guidance from national supervisory authorities.