DPM Weekly Insights December 17 2025 - Special Edition: Mandatory User Accounts on E-commerce Websites
- Gilad Yaron
- Dec 17, 2025
- 4 min read
This week’s newsletter edition is dedicated to one special topic: when e-commerce websites can lawfully require users to create an account.
The European Data Protection Board (EDPB) has opened a public consultation on draft Recommendations 2/2025, clarifying when e-commerce sites can lawfully require customers to create an account under the GDPR.
Why this document matters
The European Data Protection Board focuses on a very practical design choice that has become routine: forcing people to create an account before they can buy.
The message is that “common practice” is not a legal basis. If an account is not genuinely necessary for the stated purpose, making it mandatory can fail the GDPR lawfulness test.
What the EDPB is really testing
Across the recommendations, one idea repeats: necessity is strict.
If the core objective can be achieved with less intrusive processing, then requiring an account is difficult to justify.
The document highlights that many merchants already prove this point themselves by offering guest checkout.
Contract necessity (Article 6(1)(b)) - usually not for one-time purchases
The recommendations draw a clear line between what is convenient for the business and what is necessary to perform the contract.
For a standard, one-time sale of goods or services, the EDPB view is that the “necessity” test is unlikely to be met, because the data needed to complete the purchase can typically be collected without creating and maintaining an account.
Guest purchasing is presented as a workable alternative.
Where contract necessity may work - subscriptions and real restricted membership
The EDPB is not saying that mandatory accounts are always unlawful. It identifies limited cases where an account can be tied to the essence of the service.
Subscriptions are the easiest example: if the service requires ongoing identification, access, management and communication over time, an account can be part of what the contract is actually about.
“Exclusive offers” are treated more carefully. If anyone can get the “exclusive” offer just by signing up, then the account is not really necessary.
By contrast, if access is genuinely restricted to a defined community based on proven characteristics, such as invitation, referral, co-op membership, or verified professional status, then an account may be necessary because membership itself becomes the core of the relationship.
No surprises at checkout
A recurring theme is user expectations and fairness. If a person has already been shopping and only at the end is told “create an account to continue,” that is presented as a weak position for relying on contract necessity.
The closer the account requirement appears to a last-minute obstacle, the harder it is to argue that the user knowingly entered anything beyond a simple purchase contract.
Personalised recommendations are not a free add-on contract
The recommendations address a pattern where a merchant suggests that account creation is needed because the user is “also” entering a contract for personalised shopping recommendations.
The EDPB signals scepticism, especially when the requirement appears late in the purchase flow. The controller would need to prove that such a separate contract is genuinely agreed to, valid under contract and consumer law, and forms part of the main subject matter rather than being a bolt-on justification for more data collection.
After-sales services and data subject rights - not a reason to force accounts
Returns, exchanges, complaints, warranties, and the exercise of GDPR rights are all discussed as things that can generally be provided without mandatory accounts.
The recommendations also connect this to GDPR Article 11: controllers should not maintain identification, or collect extra identifiers, solely to handle rights requests if identification is not otherwise needed.
Legal obligation (Article 6(1)(c)) - usefulness is not necessity
The EDPB emphasises that legal obligations must be clear, precise, and foreseeable, and that the processing must still be proportionate.
Tax and accounting requirements may justify keeping certain documents such as invoices, but the recommendations note that this does not usually require keeping the broader set of personal data that would come with an ongoing online account. In short: recordkeeping duties rarely translate into “therefore we must require accounts.”
Legitimate interests (Article 6(1)(f)) - a high bar in practice
The recommendations restate the three-part test: a legitimate interest, strict necessity, and a balancing test against individuals’ rights and expectations.
They underline that “strictly necessary” is demanding, and that in many scenarios the same concerns that defeat contract necessity will also weaken legitimate interests, especially where less intrusive alternatives exist and where the impact on individuals is higher because identification becomes the default.
The central practical conclusion - guest mode as the privacy-protective default
After walking through multiple use cases, the EDPB conclusion is that mandatory account creation can be justified only for a very limited set of purposes.
Where it cannot, the recommended approach is to let users choose: create an account or continue browsing and purchasing as a guest.
Guest mode is presented as, in principle, the most privacy-protective option, aligned with data protection by design and by default under Article 25 GDPR.
Because #DataProtectionMatters