Is it GDPR compliant to have all 4 checkboxes pre-ticked?

The European Data Protection Board (EDPB)^* has adopted guidelines for GDPR compliance, clarifying what constitutes valid consent on websites.

^*EDPB is the highest supervisory authority on the GDPR in the EU and their guidelines form the basis of enforcement by national data protection authorities in each EU member state.

The EDPB guidelines clarify that the use of pre-ticked opt-in boxes is not GDPR compliant, as this does not live up to the requirement that “an unambiguous indication of user consent” must be made with a clear and affirmative action by the user. Here, the EDPB guidelines complement the legal precedent made by the Court of Justice of the European Union (CJEU) in the case of Planet 49 in October 2019.

Ticking category checkboxes 

According to GDPR, the Planet49 ruling, EDPB and others it is invalid to have pre-ticked checkboxes. The default Cookiebot banner setup will therefore leave the boxes unticked. However, as it is up to each user to design their own cookie banner, it is possible to pre-tick some or all cookie categories:

1. Log in to your account Cookiebot manager
2. Go to the menu point ‘Settings’ and the tab ‘Dialog’
3. Choose a banner type from the ‘Type’ drop-down. If you choose ‘Multilevel’ or ‘Inline multilevel’, you can choose the default mode of the 3 categories/checkboxes (necessary cookies are by default pre-checked as they are necessary for your website to function)
4. Save your settings (tick mark in the blue bar on the left-hand side)

Source: EDPB guidelines: cookies, consent and compliance