This article is part of ‘Guidelines on the protection of the online consumer’. View full guideline

Rules regarding online default settings

Perhaps you use default settings on your website or app. If you do, you determine those settings for consumers in advance. Make sure that consumers are not misled into buying something or giving their consent as a result of your default settings. It is important that consumers are able to have confidence in online environments. That is why there are rules in place regarding the use of default settings, such as rules regarding the design of your online environment.

With the way you have set up the default settings, you might try and nudge consumers towards a particular choice. Consumers might benefit from that choice, but it could also be a less favorable choice. Consumers are highly likely to go along with your choice, since most consumers do not change the settings or choices that have already been made for them.

Is the default setting of the options on your app or website a setting that is less favorable to consumers? If so, note that this is very likely an unfair commercial practice. Unfair commercial practices are prohibited. Consumers must be able to have confidence in online environments, and cannot be misled. So be sure to comply with the rules when designing your online environment. ACM enforces compliance with these rules.

One example of unfavorable default settings is the use of pre-ticked boxes. This means that, in ordering processes, one or several of the extra options have been pre-selected for consumers. As such, consumers must consciously unselect the box to exclude the extra option. As a result, consumers may unwittingly agree to additional options or products (for example, unsolicited follow-up shipments, also known as subscription traps). Another example is smartphones on which the default privacy settings are unfavorable to users, or subscriptions that are automatically renewed after the subscription period has ended. These are examples of default settings that can be harmful to consumers.

If you also process personal data as a result of the default settings, you also need to comply with the General Data Protection Regulation (GDPR), such as with the rules on privacy-by-design and privacy-by-default (in Dutch). The Dutch Data Protection Authority (AP) enforces compliance with the GDPR.

What is required and what is not allowed?

Do you offer additional options or products when consumers place orders? If so, let consumers decide for themselves what to buy. For example, make sure that consumers themselves must consciously choose what products they want to add.
Make sure that consumers can easily change the default settings. For example, make sure that consumers do not need to click multiple times or make sure that selecting one option is just as easy as selecting another option.
Do you automatically renew subscriptions after the subscription periods have ended? You can only do so under certain conditions. Before consumers take out a subscription, you must clearly inform them about the duration of the subscription, and about the fact that you automatically renew them when the initial period has ended. Such automatic renewals mean that fixed-term subscriptions can only be converted into monthly rolling subscriptions. Consumers can thus cancel their subscriptions at any moment with a notice period of one month. Different rules apply to magazines and newspapers. Read more about the rules regarding subscriptions (in Dutch).
Do you use a pre-ticked box for the question of whether consumers would like to receive a newsletter about your products? You can only send newsletters if consumers have previously bought something from you (‘an existing customer’). In addition, you must offer the option of opting out. This means that consumers are able to untick the box if they do not wish to receive a newsletter. In addition, include a clear ‘unsubscribe’ link in every newsletter. Read more about the rules regarding sending commercial messages (in Dutch).
Have you configured your default settings in such a way that personal data is collected? If so, you will also need to comply with the GDPR. In that context, check if your online environment also complies with the principles of privacy-by-design and privacy-by-default (in Dutch).

When consumers place orders, do not, by default, pre-tick boxes for extra options or products that consumers have not consciously chosen themselves.
Do not pre-tick the box for accepting cookies.
Do not pre-tick the box for accepting a newsletter, unless the consumers are paying customers. Read more about the rules regarding sending commercial messages (in Dutch).
Do not use default settings that are at odds with specific rules and regulations such as the GDPR. For example, you cannot, by default, share consumers’ location details. Ask for the consumers’ explicit consent in advance.
Do not, by default, pre-tick the box for accepting the general terms and conditions. Make sure that consumers are able to read your general terms and conditions before signing the agreement. For example, in the ordering process, include a link to a downloadable version of your general terms and conditions. Include important information in the ordering process itself, such as the characteristics and price of the product. Read more about informing about important characteristics and about the rules when using general terms and conditions (in Dutch).
Do not, by default, pre-tick the box for consenting to receiving third-party messages. You can, however, use boxes that consumers can tick themselves (‘opt-in’).
Make sure that consumers do not unnecessarily need to take a multitude of steps just to be able to change the default settings. Keep to a minimum the steps that consumers have to take in order to change the settings.

Tips

Check whether your online environment complies with the principle of fairness-by-design. This means that, when designing an online environment, you make sure that people are able to make choices in a fair manner.
Assess whether your default settings help consumers make decisions that have been made in a fair manner, with the right information, and without any pressure.
You can also protect consumers with your default settings, for example, by always asking for consent each time consumers wish to make an in-app purchase. In that case, you ask consumers, by default, to enter their passwords or to perform another action for identity verification purposes. This prevents unwanted purchases.
You can remind consumers in a timely manner that their subscriptions are about to expire, and that these will be renewed soon. In that context, explain how consumers are able to cancel their subscriptions. In that way, you prevent consumers from being stuck with subscriptions they actually do not want.

Examples

Example: Including an opt-out in a newsletter

A consumer just placed an online order with a particular business. The box for receiving the seller’s newsletter had been pre-ticked. That is only allowed if the newsletter is about products similar to what the consumer ordered. The business is allowed to send commercial emails about such products to its customers. This is one of the few cases in which a pre-ticked box is allowed.

However, it would have been better here too, if this box had not been pre-ticked. The business must give the consumer an opportunity to unsubscribe during the ordering process and in every commercial email. Unsubscribing must be as easy as subscribing.

Example: a pre-ticked box for an extra product

A consumer orders an airline ticket. In the booking process, a box saying ‘Yes, I would like to add travel insurance’ has been pre-ticked by default. That is not allowed.

The consumer must consciously agree to an extra product such as travel insurance. You can use a box that is not pre-ticked.

Relevant regulations

Title 5, section 2B of the Dutch Civil Code, Book 6 (Provisions regarding distance-selling agreements between traders and consumers) (in Dutch), for example, see Section 6:230m of the Dutch Civil Code, paragraph 3, under a: precontractual information requirements for online marketplaces.
Title 3, section 3A of the Dutch Civil Code, Book 6 (Unfair commercial practices) (in Dutch), for example, see Section 6:139e of the Dutch Civil Code, paragraph 2 (in Dutch); essential information when ranking search results, and Section 6:139g of the Dutch Civil Code, paragraph x (in Dutch), informing unclearly or failing to inform at all about the fact that the ad has been paid for, or that a business has paid for a higher position in the ranking, is a misleading practice under all circumstances.
Directive 2005/29/EC (Unfair Commercial Practices Directive)
Directive 2011/83/EU (Consumer Rights Directive)
Directive 93/13/EEC on unfair terms in consumer contracts
Dutch Telecommunications Act, see Section 11.7 (in Dutch) for rules on unsolicited communications. For consent, the Dutch Telecommunications Act refers to Article 4, part 11 of the General Data Protection Regulation (GDPR), see also Article 7(3) of the GDPR about withdrawing consent.
General Data Protection Regulation (GDPR), see Article 25 (Data protection by design and by default)
Regulation (EU) 2022/2065 (Digital Services Act). As of 17 February 2024, the Digital Services Act will set boundaries and rules to the use of ads (personalized or otherwise) and recommender systems by online platforms. For example, see Article 26 on transparency obligations regarding online advertising, and Article 27 on transparency obligations regarding recommender systems.

Explanation of regulations

Enforcement

ACM: Consumer-friendly default settings for purchases in app stores

In 2015, ACM, together with other European regulators, assessed well-known app stores regarding the risk of unwanted purchases made by children. In part because of pressure exerted by ACM, the default settings in the app stores for making purchases were adjusted. Before, consumers were asked to re-enter their passwords 15 or 30 minutes after the last purchase when making a new purchase. Now, consumers are explicitly asked which payment setting they prefer: entering a password for each purchase, once every 15 minutes, or blocking purchases altogether.

Consumer-friendly default settings for purchases in app stores

ACM: Fine imposed on airline for using misleading default settings

In 2015, ACM imposed a fine on an airline. One of the reasons was that the airline offered additional travel insurance in a misleading manner. The default setting was that consumers had to take out travel insurance. In order not to take out travel insurance, consumers had to tick the option ‘do not insure me’.

Moreover, this option was presented in an unusual location. Consumers had to click on a drop-down menu labeled ‘select your country of residence’. Among the countries was the option ‘do not insure me’. Ryanair filed an objection and appeal against the fine. The court ruled in ACM’s favor.

Fine imposed on airline for using misleading default settings (in Dutch)

UK Competition and Markets Authority (CMA): Rules for automatic renewals of subscriptions

Well-known software companies automatically renewed subscriptions for their software. However, the companies did not inform consumers about this. As a result, it was possible that consumers were paying for subscriptions they did not really want or need. The UK consumer authority CMA confronted these companies with its findings. These companies now warn consumers that their subscriptions are about to be automatically renewed, what the costs for renewal are, and when those costs are collected.

In addition, it is now clearer to consumers how they are able to cancel their subscriptions. Additionally, the companies offer consumers the opportunity to get their money back if their subscriptions had been renewed unwantedly.

Rules for automatic renewals of subscriptions

More info: links and footnotes

Europese Commission, Directorate-General for Justice and Consumers, Lupiáñez-Villanueva, F., Boluda, A., Bogliacino, F., et al., Behavioural study on unfair commercial practices in the digital environment : dark patterns and manipulative personalisation : final report, Publications Office of the European Union, 2022.
Lees hier hoe u spam (ongevraagde communicatie) kunt voorkomen
Read about how you can prevent spam (unsolicited communication) (in Dutch)