The European Data Protection Board (“EDPB”) has published for public consultation Recommendations 2/2025 on the legal basis for requiring the creation of user accounts on e-commerce websites (“Recommendations”), which clarify when e-commerce websites may lawfully require users to create online accounts in accordance with the GDPR.

The Recommendations apply to e-commerce websites and online marketplaces, but do not cover social media, search engines, online software application services, audiovisual media services, online news websites, and non-professional peer-to-peer platforms.

An online user account is defined as a personal online space accessible through an authentication mechanism using an identifier and password (excluding temporary access based on one-time tokens). The Recommendations focus on data protection aspects under the GDPR, without affecting situations where EU or national law mandates the creation of accounts for specific regulated goods or services.

Mandatory account creation heightens risks to users’ rights by enabling systematic identification, excessive data collection, long-term data retention, and tracking or profiling, often without a valid legal basis. It also offers limited protection against bot abuse and may increase fraud risks, leading the EDPB to stress the need for genuine alternatives such as CAPTCHA tests, passkeys, guest checkout, and less intrusive security measures.

  1. Legal bases for imposing the creation of online user accounts under Article 6 GDPR

The EDPB analyses the three legal bases most often invoked by controllers when requiring the creation of an account: performance of a contract (Article 6(1)(b) GDPR), legal obligation (Article 6(1)(c) GDPR), and legitimate interest (Article 6(1)(f) GDPR).

  • Performance of a contract under Article 6(1)(b) GDPR

Article 6(1)(b) GDPR can be relied on only where the processing is strictly necessary to perform a contract and cannot be replaced by a less intrusive alternative. For example, in the case of a one-time sale or conditional purchasing for users with a specific status or characteristic, less intrusive alternatives exist, such as allowing a one-time purchase through guest checkout or verifying the user’s status for conditional purchasing via a secure online form.

The EDPB also does not accept controllers’ arguments that account creation is necessary for receiving personalized shopping recommendations or for after-sales services and the exercise of rights. In the case of shopping recommendations, it is difficult for the controller to demonstrate that the user is aware of and has agreed to any contract beyond the purchase itself, especially when the account is created only after the goods have been added to a shopping cart. As for after-sales services and the exercise of rights, these can be provided without an online account, for example, via secure forms, email, or customer support, so mandatory account creation is not necessary for these purposes.

However, the EDPB accepts that an online account may be permissible for subscriptions for the regular supply of goods or services or access to exclusive offers, subject to certain conditions. For subscriptions, a compulsory account may be justified under Article 6(1)(b) GDPR only if it is strictly necessary for the user to access the subscribed service and the controller can demonstrate that the user agreed to a long-term contractual relationship. For exclusive offers, an account may be necessary when access is limited to a selected community of members with specific characteristics and involves a long-term commercial relationship, making registration the main subject of the contract.

  • Compliance with a legal obligation under Article 6(1)(c) GDPR

Controllers may rely on Article 6(1)(c) GDPR only where a clear, foreseeable and specific legal obligation strictly requires certain processing, and only if no less intrusive means are available. Since tax, accounting, and GDPR compliance obligations can generally be fulfilled without creating online user accounts, mandatory account creation cannot usually be justified on this legal basis.

  • Legitimate interest under Article 6(1)(f) GDPR

Article 6(1)(f) GDPR allows processing based on legitimate interests only if three cumulative conditions are met: 1) the existence of a legitimate interest, 2) the strict necessity of the processing, and 3) a balancing test showing that data subjects’ rights and freedoms do not override that interest.

Some purposes that controllers might invoke, such as order tracking and the management of post-purchase changes, can be achieved through less intrusive means, such as email updates, tracking links, one-time access links, or customer support, without requiring account creation or long-term data processing. Similarly, building customer loyalty, facilitating future orders, or preventing fraud may constitute legitimate interests, but mandatory account creation is not strictly necessary for them, often exceeds users’ reasonable expectations, and in most cases requires explicit consent under the GDPR and the ePrivacy Directive.

  2. Setting up an alternative to mandatory online user accounts

Mandatory account creation is lawful only in limited cases, such as subscriptions or access to exclusive offers, while in most situations it violates Article 6(1) GDPR due to lack of necessity. Controllers should therefore offer users a genuine choice between guest checkout and voluntary account creation, ensuring that each processing purpose relies on an appropriate legal basis. With regard to the purpose of the processing, the EDPB notes that creating an account, whether on a mandatory or voluntary basis, does not in itself constitute a specific purpose under Article 5(1)(b) GDPR. Providing a guest mode alongside optional accounts supports compliance with data protection by design and by default, by enhancing transparency, data minimisation, and user control, while limiting data collection and retention to what is strictly necessary.

The Recommendations are still subject to public consultation; however, the text as it stands already outlines the clear position of the EDPB on the matter. Operators of e-commerce websites and marketplaces should take this into account and be prepared to take adequate measures.

***

This article was prepared by Iva Georgieva, Associate at PETERKA PARTNERS, Bulgaria.

No information contained in this article should be considered or interpreted in any manner as legal advice and/or the provision of legal services. This article has been prepared for the purposes of general information only. PETERKA & PARTNERS does not accept any responsibility for any omission and/or action undertaken by you and/or by any third party on the basis of the information contained herein.

For further information on the new Recommendations, please contact georgieva@peterkapartners.bg