The EDPB Recommendations 2/2025 and Guest Checkout as a Data Protection Reference Standard
On 3 December 2025, the European Data Protection Board (EDPB) published its “Recommendations 2/2025 on the legal basis for requiring the creation of user accounts on e-commerce websites”. The recommendations are currently still in the phase of public consultation, which runs until 12 February 2026.
Even though this is (still) not a formally adopted final document, the Recommendations already carry considerable significance. They specify, in a systematic manner, the requirements of Articles 5, 6 and 25 GDPR for a processing operation that is widespread in practice but has so far often been justified only in a blanket manner: the mandatory creation of user accounts in e-commerce.
In current practice, numerous online retailers and platform operators require the creation of a user account as a prerequisite even for the initial conclusion of a contract. Mandatory registration is regularly justified by considerations of process simplification, customer retention, fraud prevention or more efficient handling of future transactions. Not infrequently, it is also presented as an industry standard or as technically unavoidable.
From a data protection perspective, this practice is often based on Article 6(1)(b) or (f) GDPR without a specific assessment in the individual case as to whether the permanent establishment of a personalised user account is actually necessary for the concrete performance of the contract, or whether equally suitable, less intrusive alternatives – such as a guest checkout – would be available. It is precisely this widespread assumption that mandatory account creation is self-evident that forms the starting point for the legal reassessment now undertaken by the EDPB.
I. Subject matter and doctrinal starting point
The subject of the Recommendations is not voluntary user registration, but exclusively the mandatory creation of an account as a prerequisite for access to offers or the conclusion of contracts in e-commerce.
The EDPB makes clear that the obligation to create an account constitutes an independent processing operation which requires an independent legal basis under Article 6(1) GDPR. Mere expediency, economic efficiency or technical convenience are not sufficient for this purpose.
Doctrinally, the Board relies on two guiding principles:
- the principle of necessity as a central corrective for all legal bases under Article 6(1) GDPR,
- the obligation of data protection by default under Article 25(2) GDPR.
II. Suitability of the legal bases typically relied upon
1. Performance of a contract pursuant to Article 6(1)(b) GDPR
The EDPB interprets Article 6(1)(b) GDPR restrictively, in line with the existing case law of the CJEU. What is decisive is not whether the processing is “useful” or “convenient”, but whether it is objectively necessary to perform the contract.
For a one-off purchase contract, the EDPB expressly denies such necessity. The data required to perform the contract (identity, delivery and payment data) can also be collected and processed without a permanent user account, for example in the context of a guest checkout.
Accordingly, an obligation to create an account can be based on Article 6(1)(b) GDPR only in narrowly defined situations, in particular in the case of:
- continuing obligations (e.g. subscriptions) that require repeated, authenticated interactions,
- closed user groups where membership itself constitutes the main subject matter of the contract.
2. Legal obligation pursuant to Article 6(1)(c) GDPR
The EDPB also rejects reliance on statutory retention, evidentiary or documentation obligations as sufficient. Such obligations regularly justify only the selective storage of certain documents, but not the permanent maintenance of a personalised user profile.
The Board emphasises that Article 6(1)(c) GDPR is likewise subject to the principle of necessity and that more extensive data processing cannot be justified solely by administrative interests.
3. Legitimate interest pursuant to Article 6(1)(f) GDPR
Of particular practical relevance is the discussion of Article 6(1)(f) GDPR. The EDPB acknowledges that interests such as fraud prevention, order management or customer retention may in principle be legitimate.
Nevertheless, mandatory account creation, in the view of the Board, regularly fails due to:
- the lack of necessity (existence of equally suitable, less intrusive means),
- and the balancing of interests, in particular in the case of one-off contractual relationships.
The EDPB clarifies that security and fraud arguments do not, as a matter of principle, justify intensive and permanent identification. Rather, a specific, purpose-related assessment is required, which frequently weighs in favour of the data subject.
III. Guest checkout as a data protection reference standard
Of particular importance is the EDPB’s positive assessment of the guest mode. This is expressly highlighted as compatible with Article 25 GDPR and as an expression of Data Protection by Design and by Default.
The EDPB uses the term “guest mode” or guest checkout not in a purely technical sense, but in a functional-legal one. What is meant is not merely a “light account” model, but the handling of contract conclusion without the establishment of a permanent personalised user account.
Characteristic features of a data-protection-relevant guest checkout include in particular:
- no permanent authentication credential (in particular no password),
- no persistent user ID that continues beyond the specific ordering process,
- no personalised user interface (“customer account”),
- no automatic continuation of data processing beyond contract performance.
The EDPB expressly distinguishes guest checkout from mere temporary access solutions (e.g. one-time links or tokens), which enable authentication but do not constitute an account in the sense of a “personal online space”. From a legal perspective, this therefore constitutes a processing mode that is technically minimal and limited to the data immediately required for the respective contract.
The positive assessment of guest checkout by the EDPB is not based on mere considerations of expediency, but on a systematic application of core GDPR principles.
a) Data minimisation (Article 5(1)(c) GDPR)
The EDPB clarifies that mandatory account creation regularly leads to the collection and retention of more data for longer than is required for contract performance. This concerns in particular:
- login data (email address, password, possibly MFA),
- profile data,
- permanently stored order histories,
- technically generated usage profiles.
Guest checkout avoids this “structural overprocessing” because processing remains limited to the specific purpose of contract execution. Repeated guest purchases do not, in the EDPB’s view, automatically lead to excessive data processing, provided that purpose limitation and deletion concepts are observed.
b) Storage limitation (Article 5(1)(e) GDPR)
A central argument of the EDPB is the risk of so-called “orphaned accounts”. User accounts frequently remain in existence even when:
- they have been used only once,
- no further customer relationship exists,
- no active use takes place anymore.
From the EDPB’s perspective, this permanent retention of personal data is regularly no longer necessary and at the same time increases the risk of unauthorised access and data breaches.
Guest checkout, by contrast, allows for a strict separation between operationally necessary data processing (order, delivery, payment) and legally required archiving (e.g. invoice data).
In particular, tax and commercial law retention obligations do not, in the EDPB’s view, justify ongoing storage in the customer management system, but only purpose-bound archiving.
c) Integrity and confidentiality (Article 5(1)(f), Article 32 GDPR)
The EDPB emphasises that user accounts do not inherently provide higher security. On the contrary:
- password reuse,
- account takeover,
- phishing risks,
- single sign-on dependencies
mean that user accounts themselves constitute an increased attack surface.
Guest checkout structurally reduces these risks because:
- no permanent access credentials exist,
- no account takeovers are possible,
- sensitive data are not retained long-term in active systems.
The EDPB expressly points out that alternative identification mechanisms (e.g. one-time links) also do not create additional security risks, provided that appropriate technical and organisational measures are implemented.
d) Transparency and expectations of the data subjects (Article 5(1)(a) GDPR)
Another central argument of the EDPB concerns the legitimate expectations of users. In the context of a classic online purchase, consumers regularly expect the conclusion of a single contract, but not entry into a permanent, personalised customer relationship.
Guest checkout corresponds much more closely to this expectation than mandatory account creation – in particular where such creation is required only at a late stage of the checkout process.
The EDPB sees this as an aspect of fairness of processing, since guest checkout keeps the consequences of data processing foreseeable and limited for the data subject.
IV. Practical significance
Formally, the EDPB Recommendations 2/2025 constitute a non-binding interpretative document without direct legal effect. They neither establish new obligations nor extend the normative content of the GDPR. Their legal significance lies rather in the concretising interpretation of existing Union law, in particular Articles 5, 6 and 25 GDPR.
Nevertheless, it would be misguided to attribute merely declaratory character to the Recommendations. Under Article 70(1)(e) GDPR, it is precisely the task of the EDPB to ensure the consistent application of the GDPR. Within this framework, interpretative documents of the EDPB have considerable de facto steering effect for the supervisory practice of national data protection authorities.
Past experience has already shown that EDPB guidelines and recommendations – even in consultation draft form – are regularly used by supervisory authorities as a decisive reference framework.
The fact that the Recommendations are currently still subject to consultation only partially relativises their practical relevance. While substantive adjustments are possible within the consultation process, fundamental doctrinal corrections are, as experience shows, not to be expected. Rather, it can be assumed that the consultation draft already reflects the anticipated supervisory assessment standard. This applies in particular because the line of argument of the Recommendations:
- closely builds on existing EDPB guidelines,
- takes up Union court case law (in particular on the strict interpretation of the concept of necessity),
- and is systematically derived from the GDPR itself.
From a substantive law perspective, the Recommendations do not lead to a tightening of the GDPR. However, they significantly shift the burden of justification for certain processing operations.
Whereas mandatory user registration has so far often been treated as “industry standard” or “implicitly necessary”, the EDPB now makes it unmistakably clear that:
- account creation constitutes an independent interference,
- this interference requires an independent justification,
- and blanket references to business interests, efficiency or security are insufficient.
As a consequence, mandatory user registration itself becomes an interference requiring justification, while account-free access constitutes the data protection starting point.
For providers of digital business models – in particular in the PayTech and platform environment – it is therefore advisable to review critically, already now:
- whether and where a registration obligation exists in practice,
- which purposes are actually pursued by it,
- and whether these purposes could not be achieved just as effectively by less intrusive means.
V. Conclusion
The EDPB Recommendations 2/2025 – already in the consultation draft – mark a clear shift in emphasis in the data protection law assessment of mandatory user accounts.
In summary, it can be stated:
The obligation to register as a user requires a robust and narrowly construed justification; convenience, business interests or abstract security arguments are not sufficient.
For practice, this means that a requirement to create an account in the future will not only constitute a UX or product issue, but above all a (data protection law) legal risk.