The question of whether to pre-check email marketing opt-in boxes at Shopify checkouts, considering GDPR, CASL, and deliverability, elicits a largely negative consensus. While Shopify allows pre-selection, experts and marketers overwhelmingly advise against it. The core issue is consent. GDPR, CASL, and other data privacy regulations mandate explicit, active consent. Pre-checked boxes assume consent, which is non-compliant and can lead to legal ramifications. Furthermore, assuming consent can increase spam complaints, lower engagement, and damage sender reputation, negatively impacting deliverability. Though some sources suggest that recent interaction might yield good metrics regardless, the prevailing recommendation is to prioritize legal compliance, ethical data collection, and respecting user choice by implementing unchecked opt-in boxes and clear, unambiguous language.
11 marketer opinions
The question is whether Shopify checkout opt-in boxes for email marketing should be pre-checked, considering GDPR, CASL, and email deliverability implications. The answers present a mixed perspective. Some argue that pre-checked boxes can increase sign-ups, leading to potentially good metrics due to recent customer interaction. However, the consensus leans towards avoiding pre-checked boxes for legal (GDPR, CASL) and deliverability reasons. GDPR and CASL require explicit consent, which pre-checked boxes do not provide. This lack of explicit consent can lead to increased spam complaints, lower engagement rates, and ultimately damage to sender reputation and brand trust. While a Shopify representative suggested that it is OK as long as an easy unsubscribe link is included, the strong majority of marketers disagree.
Marketer view
Email marketer from Marketing Forum says the same issues related to GDPR also exist in CASL (Canadian Anti-Spam Legislation): you must obtain express consent, so pre-checked boxes should not be used when trying to comply with these laws.
17 Nov 2021 - Marketing Forum
Marketer view
Email marketer from Deliverability Blog notes that the same issues related to purchased email lists can impact deliverability for those using pre-checked boxes: assuming consent where it has not been given will increase bounces and spam reports and negatively impact sender reputation.
19 Jan 2023 - Deliverability Blog
5 expert opinions
Experts uniformly advise against pre-checking opt-in boxes for email marketing, particularly in the context of Shopify checkouts, GDPR, and deliverability. A central theme is that pre-checked boxes assume permission, which is not equivalent to obtaining explicit consent. This assumption can lead to legal issues, negative impacts on deliverability (spam complaints, bounces), and damaged brand reputation. The consensus emphasizes the need for active, unambiguous consent from subscribers. The decision to use pre-checked boxes ultimately depends on a company's risk tolerance, but experts advise against it.
Expert view
Expert from Email Geeks highlights that the decision regarding pre-checked boxes is an internal company decision based on their risk assessment. Some companies prioritize acquiring more addresses and are prepared to handle any resulting delivery or legal issues.
6 Aug 2022 - Email Geeks
Expert view
Expert from Spam Resource covers permission and consent, stating that permission is NOT consent. Permission can be assumed or inferred, but that is not enough to meet current requirements. Consent is when someone actively says YES, I want to receive messages. This is needed to remain compliant.
25 Feb 2023 - Spam Resource
4 technical articles
The provided documentation from Shopify, GDPR.EU, the ICO, and the Canadian Government uniformly indicates that pre-checked opt-in boxes for email marketing at Shopify checkouts are problematic from a legal compliance standpoint. Shopify allows merchants to set the marketing option as preselected. However, the GDPR, ICO and CASL documentation states that consent must be freely given, specific, informed, and unambiguous, requiring a positive opt-in, and that pre-checked boxes are explicitly non-compliant. These regulations require express consent that cannot be assumed.
Technical article
Documentation from the ICO (UK's data protection authority) specifies that consent requires a positive opt-in. A pre-ticked box is not indicative of a freely given, specific and informed indication of the data subject's wishes. The ICO enforces GDPR.
25 Feb 2025 - ICO
Technical article
Documentation from GDPR.EU clearly states that consent must be freely given, specific, informed, and unambiguous. Pre-ticked boxes are explicitly mentioned as not meeting the requirement for unambiguous consent, making them non-compliant with GDPR.
12 Jul 2021 - GDPR.EU