Requiring users to create an account in order to complete an online purchase is a widespread practice in e-commerce. Businesses commonly justify this requirement by reference to operational efficiency, customer convenience, or the development of long-term commercial strategies.

With its Recommendations 2/2025, the European Data Protection Board (EDPB) addresses this practice directly and clarifies the conditions under which mandatory account creation may be lawful under the GDPR.

User Accounts as “Legal Necessity”?

The EDPB’s starting point is clear. Mandatory account creation is not prohibited as such. However, it is lawful only where it is strictly necessary for a specific, clearly identified purpose and supported by a valid legal basis under Article 6 GDPR. In most standard e-commerce scenarios, that necessity threshold is not met.

A central clarification in the Recommendations is that “having an account” is not a purpose in itself. Controllers must identify the concrete purposes behind the processing associated with an account and demonstrate why mandatory registration is objectively required to achieve them. Commercial interest or internal efficiency, on their own, do not amount to legal necessity.

It is true that user accounts can serve legitimate business goals. They can facilitate repeat purchases, enable personalisation, and support customer relationship management. The GDPR does not prohibit these objectives. What the EDPB makes clear is that such advantages do not justify imposing account creation where the same service can be provided through less intrusive means.

Where Mandatory Account Creation May Be Necessary

According to the Recommendations, mandatory accounts may be justified only in limited and well-defined situations. A clear example is subscription-based services. Where users need ongoing, authenticated access to content or functionality over time, account creation may be necessary for the performance of the contract under Article 6 para. 1 lit. b GDPR.

A similar logic may apply to closed or restricted communities, where access to exclusive offers or services is limited to a defined group with specific characteristics and where membership itself forms the core of the contractual relationship.

Outside the limited cases assessed in the Recommendations, the EDPB is explicit: for ordinary e-commerce transactions, including one-off or occasional purchases, mandatory account creation will generally fail the necessity test. A sale can be completed by collecting the information required for payment, delivery, and invoicing, without creating a persistent user profile.

The Recommendations explicitly reject several justifications commonly advanced by e-commerce operators. Order tracking, returns, warranty management, and after-sales services can be handled through order numbers, email-based links, or secure, time-limited access without requiring a permanent account.
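To make the "secure, time-limited access" alternative concrete, the following is an added example written for this page; it is not code from the EDPB Recommendations or from any particular shop. It shows how a guest-checkout confirmation email can carry a link whose token is bound to one order and one purpose (tracking, return handling) and expires after a set time, so the order page can be served without a persistent account. The key, order identifiers, purposes and TTL are illustrative assumptions; a real deployment would load the key from a secret store and rotate it.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time
from typing import Optional

# Hypothetical server-side signing key. In production this comes from a
# secret store, is never hard-coded, and is rotated.
SERVER_KEY = b"example-signing-key-rotate-me"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_order_link_token(order_id: str, purpose: str, ttl_seconds: int,
                           key: bytes = SERVER_KEY,
                           now: Optional[float] = None) -> str:
    """Create a token for a guest order link: <payload>.<hmac-sha256>.

    The payload names the order, the purpose the link may be used for
    (e.g. "track" or "return") and an absolute expiry. Nothing more is
    stored server-side, so there is no account to retain or clean up.
    """
    now = time.time() if now is None else now
    payload = {"oid": order_id, "p": purpose, "exp": int(now + ttl_seconds)}
    body = json.dumps(payload, separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return f"{_b64url(body)}.{_b64url(tag)}"


def verify_order_link_token(token: str, expected_purpose: str,
                            key: bytes = SERVER_KEY,
                            now: Optional[float] = None) -> Optional[str]:
    """Return the order id if the token is authentic, unexpired and issued
    for the expected purpose; otherwise return None.

    The MAC is checked before the payload is parsed, so a forged or
    tampered token never reaches the JSON parser or the order lookup.
    """
    now = time.time() if now is None else now
    try:
        body_b64, tag_b64 = token.split(".", 1)
        body = _b64url_decode(body_b64)
        tag = _b64url_decode(tag_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        return None
    try:
        payload = json.loads(body)
    except ValueError:
        return None
    if payload.get("p") != expected_purpose:
        return None  # a tracking link must not open the returns flow
    exp = payload.get("exp")
    if not isinstance(exp, int) or exp <= now:
        return None  # expired: the customer requests a fresh link
    oid = payload.get("oid")
    return oid if isinstance(oid, str) else None


if __name__ == "__main__":
    # Constructed demo: a 7-day tracking link for a hypothetical order.
    issued_at = 1_700_000_000
    token = issue_order_link_token("ORD-1001", "track", 7 * 24 * 3600, now=issued_at)
    print("link: https://shop.example/orders/track?t=" + token)
    print("valid now  :", verify_order_link_token(token, "track", now=issued_at + 60))
    print("after 8 days:", verify_order_link_token(token, "track", now=issued_at + 8 * 24 * 3600))
```

The verification order matters: authenticate first, then parse, then check purpose and expiry. Binding the purpose to the token keeps a leaked tracking link from being reused to initiate a return, and the short expiry limits how long a forwarded or intercepted email can grant access, which is exactly the property that distinguishes this design from a permanent account.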

Fraud prevention is also addressed in clear terms. While fraud prevention may constitute a legitimate interest, the EDPB concludes that requiring account creation is unlikely to be necessary for this purpose.

Risks Associated with Mandatory Accounts

Beyond legal qualification, the EDPB highlights the additional risks associated with mandatory accounts. Persistent accounts encourage logged-in environments where users are continuously identifiable and where more personal data is collected and retained than is necessary for a single transaction. This facilitates tracking and profiling, increases exposure to authentication and security risks and complicates compliance with storage limitation obligations, particularly in relation to inactive or abandoned accounts.

The EDPB’s Conclusions

From these findings, the EDPB draws a clear conclusion: mandatory account creation requires careful justification and documentation. Where an account is not strictly necessary for the performance of the contract, users should be offered a genuine alternative, including the ability to complete a purchase as a guest. Where less intrusive means are available, they should be preferred.

In practice, for standard e-commerce transactions, adopting guest checkout as the default and offering accounts as an optional feature will often represent the most robust and sustainable approach under the GDPR.

Accounts may still be offered on a voluntary basis to support additional services such as order history, faster checkout, or loyalty programmes, provided that the relevant processing is based on an appropriate legal basis and that users who choose not to register are not disadvantaged.

The Recommendations are currently subject to public consultation. Stakeholders may submit comments during the consultation period, after which the EDPB may amend the text before adopting the final version. While the draft already indicates the EDPB’s direction, the final Recommendations may be refined or clarified following this process.