You're signing up for a new product. It looks clean. It feels trustworthy. The UI is lovely. You won't notice a thing.
Go ahead. Create your account. We'll show you what you actually agreed to afterwards.
By creating an account, you consent to receive communications from NexaFlow and its affiliate network. You also agree to the sharing of your contact information with third-party marketing partners for the purposes of targeted advertising and promotional outreach across email, SMS, telephone, and postal mail channels. You can update your preferences at any time.
By clicking "Get Started" you acknowledge that you have read and agree to our updated Privacy Policy (rev. March 2026), Data Processing Agreement, Cookie Policy, Acceptable Use Policy, and AI Training Data Consent Addendum.
Every tactic on this page is used by real products, right now. None of them required you to do anything unusual.
You just clicked through a normal signup flow.
The marketing checkbox was pre-ticked and bundled with "selected partners." Under GDPR, consent must be freely given, specific, informed, and unambiguous. Pre-ticking a box is none of those things.
The fine print contained white text on a white background that consented to third-party data sharing across email, SMS, phone, and postal mail. Literally invisible unless you highlight it. Go back and try it.
What the law says: GDPR Article 7 and ICO guidance are explicit: pre-ticked boxes do not constitute valid consent. The European Court of Justice confirmed this in Planet49 (2019).
Pre-ticked checkboxes are not a grey area. They are illegal.
"Please do not uncheck this box if you would prefer not to be excluded from our non-optional mailing list."
This sentence contains three negatives and is designed to be impossible to parse under time pressure. Nobody reads it properly. That's the point.
Meanwhile, your phone number was collected under the guise of "account security" with no mention of its actual use: SMS marketing.
What the law says: GDPR requires consent language to be "clearly distinguishable, in an intelligible and easily accessible form, using clear and plain language." Deliberately confusing language is a direct violation.
Three marketing toggles defaulted to ON. The one toggle that would actually protect you ("Disable marketing emails") defaulted to OFF.
This exploits a well-documented cognitive bias: people leave defaults as they are. When every other toggle is ON and one is OFF, the visual pattern trains you to scroll past without questioning it.
The toggle for "Partner recommendations" is just advertising from third parties wearing a friendlier name.
What the law says: The ICO's direct marketing guidance states that default opt-ins are not valid consent. Defaulting toggles to "on" for marketing purposes is the same violation as pre-ticked checkboxes, just wearing a nicer coat.
The "legitimate interest" box told you marketing would happen regardless of your preferences. This is a misrepresentation.
Legitimate interest requires a balancing test and you always have the right to object. They buried that right across three cross-referenced policy documents. Most users will never find it. That's the design working as intended.
Meanwhile, clicking "Get Started" silently consented you to AI training data usage with no separate opt-in. Your usage data, content, and interaction patterns handed to unnamed "technology partners" via a button that said nothing about any of it.
What the law says: Legitimate interest is not a blanket permission to market. The ICO has been clear that it cannot be used to override explicit consent refusals.
And burying important consent in a "continue" button violates the principle that consent must be a clear affirmative action.
Every checkbox unchecked by default. Every toggle set to the user's interest, not yours. Every label written in plain language. Every consent collected separately, for a specific purpose, with a genuine choice.
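An added example, not code from the original page: a small Python audit that flags the two machine-detectable patterns described above, consent checkboxes or toggles that render already checked and text whose inline colour matches its background. The form markup, field names and the `audit` helper are constructed for illustration.

```python
from html.parser import HTMLParser

NAMED = {"white": "#ffffff", "black": "#000000"}  # tiny subset, enough for the sample

def norm_color(value):
    """Normalise a CSS colour so '#fff', '#FFFFFF' and 'white' compare equal."""
    v = NAMED.get(value.strip().lower(), value.strip().lower())
    if len(v) == 4 and v.startswith("#"):
        v = "#" + "".join(ch * 2 for ch in v[1:])  # expand #rgb to #rrggbb
    return v

def parse_style(style):
    """Turn an inline style attribute into a {property: value} dict."""
    pairs = (decl.split(":", 1) for decl in style.split(";") if ":" in decl)
    return {k.strip().lower(): v.strip() for k, v in pairs}

class ConsentAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        # A bare `checked` attribute arrives as ("checked", None), so test the key.
        if tag == "input" and (a.get("type") or "").lower() == "checkbox" and "checked" in a:
            self.findings.append(("pre-checked", a.get("name", "?")))
        css = parse_style(a.get("style") or "")
        fg = css.get("color")
        bg = css.get("background-color") or css.get("background")
        if fg and bg and norm_color(fg) == norm_color(bg):
            self.findings.append(("invisible-text", tag))

def audit(html):
    """Return a list of (finding, field name or tag) for one chunk of form markup."""
    parser = ConsentAudit()
    parser.feed(html)
    return parser.findings

# Constructed sample form, not taken from any real product.
SAMPLE = """
<form>
  <input type="checkbox" name="marketing_partners" checked> Offers from us and selected partners
  <input type="checkbox" name="product_updates"> Product updates
  <input type="checkbox" role="switch" name="partner_recommendations" checked="checked">
  <p style="color:#fff; background-color: white">You also agree to the sharing of your contact information</p>
  <p style="color:#333; background-color:#fff">You can update your preferences at any time.</p>
</form>
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```

The check only sees inline styles and the `checked` attribute; colours set in stylesheets, and inverted toggles such as "Disable marketing emails" that default to OFF, still need a manual read of the rendered form and its labels.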
You can still ask people to subscribe. You can still promote your product. You can still send useful emails. But you have to actually ask. And you have to be honest about what you're asking for.
The businesses that do this properly don't get fewer subscribers. They get better subscribers. People who actually want to hear from them. People who open their emails, click their links, and buy their products. People who stay.
Manufactured consent produces manufactured engagement. Real consent produces real relationships.
Nine marketing permissions from a 45-second signup. Not one of them was informed, specific, or freely given.
This is the consent factory. And it's running on millions of websites right now.
Want CRO that doesn't manufacture consent?
We help businesses redesign their consent flows, signup journeys, and data collection practices. Not to maximise opt-in rates artificially. To build genuine, informed relationships with users who actually chose to hear from you.
We audit your forms, preference centres, and marketing permissions to identify where you're manufacturing consent instead of earning it. Then we fix it. Your list gets smaller. Your engagement gets better. Your legal risk disappears.
The pre-checked boxes have a shelf life. The ICO is already issuing warnings. GDPR enforcement is accelerating. And users are getting wise to the tricks. The businesses winning right now are the ones whose subscribers actually wanted to subscribe.
Let's build that for you.