[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f3l7wYKpbAGxx9vtCCWZGXJTAUE5W7pQ8oq_gAnzBGME":3},{"lesson":4},{"id":5,"slug":6,"article_id":7,"title":8,"body":9,"prevention":10,"framework_refs":11,"status":23,"created_at":24,"published_at":25,"article":26,"tags":30,"podcasts":49},"72c4fe71-f533-4f1f-855b-c8650a6e60a8","cjeu-rules-pre-ticked-boxes-and-passive-consent-invalid-under-gdpr","cdea0cd9-5dc3-4d1a-8d92-1eee0f5fbd63","CJEU Rules Pre-Ticked Boxes and Passive Consent Invalid Under GDPR","Orange România was penalized for collecting copies of customer ID documents without obtaining valid consent — relying on pre-ticked checkboxes and requiring customers to manually write a refusal rather than actively opt in. The CJEU confirmed that GDPR consent must be a freely given, specific, informed, and unambiguous indication of agreement, meaning passive or coerced consent mechanisms are unlawful. Critically, the court placed the burden of proving valid consent squarely on the data controller, not the data subject. This case matters because many organizations still use dark patterns or bundled consent clauses that superficially appear compliant but do not meet GDPR's active consent standard. Failing to design lawful consent flows exposes organizations to regulatory fines, reputational damage, and potential data processing invalidation.","**Immediate actions:**\n- Audit all existing consent collection mechanisms to remove pre-ticked checkboxes, bundled consent clauses, and passive opt-out designs.\n- Implement active opt-in controls (e.g., unchecked checkboxes, explicit confirmation buttons) for any processing that relies on consent as its legal basis.\n- Retain timestamped, auditable records of every consent interaction to satisfy the controller's burden of proof.\n\n**Long-term improvements:**\n- Establish a Consent Management Platform (CMP) that captures, stores, and allows withdrawal of consent in a granular and auditable manner.\n- Train customer-facing staff and UX\u002Fproduct teams on GDPR consent requirements, including the prohibition on making services conditional on non-essential consent.\n- Conduct periodic Data Protection Impact Assessments (DPIAs) for processes involving sensitive personal data such as identity documents.\n\n**Governance & compliance measures:**\n- Appoint or empower a Data Protection Officer (DPO) to review all new data collection workflows before deployment.\n- Map every processing activity to a valid legal basis under GDPR Article 6 and document this in a Records of Processing Activities (RoPA) register.\n- Establish a regular compliance review cycle aligned with regulatory guidance from national supervisory authorities.",[12,13,14,15,16,17,18,19,20,21,22],"GDPR Article 4(11) — Definition of Consent","GDPR Article 6(1)(a) — Lawfulness of Processing (Consent)","GDPR Article 7 — Conditions for Consent","GDPR Article 5(1)(a) — Principle of Transparency","GDPR Article 24 — Responsibility of the Controller","GDPR Article 35 — Data Protection Impact Assessment","EDPB Guidelines 05\u002F2020 on Consent under GDPR","NIST Privacy Framework PR.DS-P1 — Data at Rest Protection","NIST SP 800-53 PT-2 — Authority to Process Personally Identifiable Information","CIS Control 3 — Data Protection","ISO\u002FIEC 27701:2019 — Privacy Information Management (Clauses 7.2.3, 7.3.3)","published","2026-07-09T14:22:27.826312+00:00","2026-07-09T14:22:27.687+00:00",{"id":7,"url":27,"slug":28,"title":29},"https:\u002F\u002Fgdprhub.eu\u002Findex.php?title=CJEU_-_C-61\u002F19_-_Orange_Romania&diff=52146&oldid=43516","cjeu-c-61-19-orange-romania-e1419a","CJEU - C-61\u002F19 - Orange Romania",[31,37,43],{"id":32,"name":33,"slug":34,"description":35,"color":36},"7261eb8f-acd4-4d93-a489-7fdd652ec0ea","Security Awareness","security-awareness","Phishing, social engineering, human error","#22c55e",{"id":38,"name":39,"slug":40,"description":41,"color":42},"c0dcc566-3654-4d70-8ede-262a198e732f","Regulatory Compliance","regulatory-compliance","GDPR, NIS2, DORA, sector-specific violations","#ec4899",{"id":44,"name":45,"slug":46,"description":47,"color":48},"c8b843a5-d5a7-41d1-8d3b-cabded09d2ef","Data Protection","data-protection","Unencrypted data, missing DLP, poor classification","#3b82f6",[]]