When can an online shop require account creation under the GDPR

Many e-commerce websites still treat “create an account to buy” as a standard pattern. The EDPB’s Recommendations 2/2025 (version for public consultation, adopted 3 December 2025) take a restrictive view: imposing account creation can be justified only for a very limited set of purposes, and in most common online retail scenarios the safer conclusion is that you should offer a guest alternative.

This article is a practical guide to the lawful bases the EDPB analyses for mandatory accounts and, importantly, the situations where the EDPB says those bases are unlikely to work.


What exactly is an “online user account” in the EDPB’s analysis?

The EDPB defines an “online user account” as a personal online space assigned to a user (or several profiles) and accessible via an authentication mechanism using an identifier and a password (including multifactor authentication). It explicitly excludes personal spaces that are temporarily accessible with temporary access tokens and do not require a password.

This distinction matters because many “why we need an account” arguments are actually about access, tracking, or post-purchase management. The EDPB points to alternatives such as time-limited, one-use links (e.g., for order edits) and email-based tracking links.


Why is the EDPB skeptical about mandatory accounts?

The Recommendations do not treat account creation as a neutral UX decision. They outline why mandatory accounts increase risks and compliance pressure:

A) Logged-in environments encourage systematic identification and may lead to more data being collected, including data produced or inferred by the controller.
B) Accounts tend to keep personal data in active databases longer than needed for the purchase and delivery, creating storage limitation issues and “orphaned accounts” exposed to attackers.
C) Security dynamics can get worse, not better: password reuse, weak reset flows, and single sign-on can amplify harm if an email account or a single identity provider is compromised.
D) Mandatory registration during checkout increases the risk of over-collection and “last-minute consent” patterns for unrelated purposes, potentially via deceptive designs.
E) Accounts do not reliably stop bots or scalpers; CAPTCHA-like measures can often be implemented without accounts, and bots can also create accounts.

This risk framing is why the EDPB ultimately presents guest mode as “in principle” the most privacy-protective option to enable purchases, aligning with data protection by design and by default.


A key premise: “Account creation” is not a purpose

A frequent compliance mistake is to frame “creating an account” as a purpose. The EDPB is clear: creating an account, whether mandatory or voluntary, does not constitute a specific purpose under purpose limitation. You must articulate the underlying purposes (e.g., subscription access, restricted community access, order tracking) and then identify a legal basis for the processing needed for each purpose.


The EDPB focuses on three legal bases controllers typically invoke to justify mandatory account creation for accessing offers or making purchases: performance of a contract (Article 6(1)(b)), legal obligation (Article 6(1)(c)), and legitimate interests (Article 6(1)(f)).

Consent is not treated as a lawful basis for imposing accounts in this context because, when account creation is mandatory to buy/access offers, the user cannot freely consent to that processing for that purpose. (The EDPB discusses consent in the context of voluntary accounts and add-on services.)


Article 6(1)(b) GDPR (Performance of a contract) – narrow “necessity” and strict interpretation

The EDPB reiterates a strict approach: Article 6(1)(b) does not cover processing that is merely useful or convenient, or unilaterally imposed by the controller. The controller must demonstrate that the main subject-matter of the contract cannot, as a matter of fact, be performed without the specific processing, and that there is no workable, less intrusive alternative.


One-time sale: generally not justified ⛔️

Subscriptions: sometimes justified if recurrent authenticated access is genuinely required ⛔️ / ✅

Subscriptions are a main scenario where Article 6(1)(b) may work. The EDPB highlights that in subscription contexts the performance of the contract may require recurrent authenticated interactions throughout the duration of the contract, and the controller may rely on Article 6(1)(b) only for the duration of the contractual relationship. The EDPB also stresses there should be an actual and valid contract and the controller should be able to demonstrate the data subject intended to enter a long-term relationship.

Example: a monthly cosmetics subscription where the account is used to follow packages, communicate with the e-merchant, and change delivery conditions. In that scenario the account may be considered necessary for the subscription contract.

Practical reading: the stronger the “subscription” resembles an ongoing service that repeatedly requires authenticated access, the stronger the Article 6(1)(b) argument. The closer it is to a one-off purchase with optional conveniences, the weaker it gets.


Exclusive offers: only if it is a genuinely closed community ⛔️ / ✅

The EDPB draws a sharp line between (i) membership discounts open to everyone who hands over personal data, and (ii) a restricted community with proven eligibility criteria.

Example: “membership discounts” available only upon account creation, but with no eligibility criteria other than providing personal data. The EDPB says this is not a closed community; account creation cannot be regarded as necessary for performance of a contract under Article 6(1)(b).

By contrast, the EDPB says criteria like referral, invitation, selection, or verification of a professional status could establish a restricted community. Example: an online event reserved to loyal customers with a long-term commercial relationship; invitations provide access to a restricted platform with early access to selected products. In that case, account creation may be necessary for the performance of the contract with the eligible customer.

The compliance point is not “exclusive offers are fine”; it is “exclusive offers can only support mandatory accounts if exclusivity is real.” If anyone can join by submitting personal data, the EDPB treats that as insufficient.


Conditional purchasing (status-based eligibility): verify without a permanent account ⛔️

Some shops restrict purchases to people with a particular status (e.g., student discounts; licensed professionals). The EDPB’s analysis here is strongly minimisation-driven: to satisfy necessity, the controller must demonstrate there are no less intrusive means of carrying out the verification.

The EDPB explicitly offers a less intrusive alternative: a secure online form allowing collection of data to verify status, complete the purchase, and upload supporting documents; data can then be deleted as soon as it is no longer necessary.

Example: a seller of professional-grade medical/lab equipment that can be purchased only by licensed doctors or certified laboratories. The controller verifies eligibility during purchase via a secure form, without a permanent account, and deletes verification data when no longer necessary. The EDPB concludes controllers should not rely on Article 6(1)(b) to justify mandatory accounts for one-time status verification because equally effective, less intrusive alternatives exist.


Account required for personalised recommendations: especially weak if introduced late in checkout ⛔️

The EDPB addresses a scenario where controllers argue that by creating an account at purchase time, the user also agrees to a contract for personalised shopping advice based on profiling. The EDPB places the burden on the controller to prove the existence and content of such a contract and that the terms are validly included and relate to the contract’s main subject-matter. It also notes that where account creation is required after the user has already placed goods in the cart and is about to confirm, it is unlikely the controller can demonstrate the user is aware of and agrees to a contract beyond the purchase.


Article 6(1)(c) GDPR (Legal obligation) – usually not a route to mandatory accounts ⛔️

The EDPB accepts that some laws require processing and retention of customer data (e.g., to demonstrate fulfilment of contractual or tax/accounting obligations), but emphasises two constraints:

First, the legal obligation must be clear and foreseeable, and processing must be proportionate, meaning there must be no equally effective, less intrusive means.

Second, tax and accounting obligations are usually restricted to specific documents such as invoices and typically do not require storing the personal data that were used to create those documents in a persistent account context. The EDPB states this kind of storage can be achieved without requiring a user account and without prejudice to the user’s ability to exercise GDPR rights.

The EDPB also notes that identification/authentication for rights requests (e.g., access requests) is possible without requiring accounts; Article 6(1)(c) requires necessity, not mere usefulness, and controllers must take into account Article 11(1) GDPR (no obligation to maintain identification solely to comply with GDPR rights if identification is no longer required for the processing purpose).

Conclusion: controllers should not rely on Article 6(1)(c) to justify mandatory accounts for general “compliance reasons” because the necessity test is unlikely to be met.


Article 6(1)(f) GDPR (Legitimate interests) – the three-step test often fails for mandatory accounts

The EDPB repeats the standard three cumulative conditions for legitimate interests: (i) a legitimate interest, (ii) necessity, and (iii) balancing against the interests/fundamental rights and freedoms of the data subject.

A crucial part of balancing is “reasonable expectations”. The EDPB gives two illustrative examples:

Example: a person wants to buy a single item and has no intention to develop a long-term relationship; required account creation may not be expected.
Example: the user reaches checkout and only then is required to create an account; expectations are even less likely because the process started without registration.


Operational management of an order: tracking and edits can be achieved without accounts ⛔️

Order tracking: The EDPB says the purpose can be achieved by less intrusive means, such as emailing the tracking number and a hyperlink where the customer can get information. It also notes customers cannot reasonably expect their data to be processed for tracking for a period far longer than the actual delivery time. Therefore controllers should not rely on Article 6(1)(f) to justify mandatory accounts for tracking because necessity and balancing are unlikely to be met.

Order changes before dispatch: The EDPB accepts that easy modification may benefit users, but says an account is not strictly necessary because changes can be handled via customer service or via a time-limited one-use link requested by the user or included in order confirmation (provided contact details can be associated with a recent order). Again, expectations and timing are important: customers do not reasonably expect data to be processed for order changes beyond dispatch. Therefore controllers should not rely on Article 6(1)(f) here either.
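The account-less order-edit flow described above (a time-limited, one-use link tied to a recent order, no longer valid once the order is dispatched) can be built around a signed token that carries no customer data. This is an added illustration, not code from the EDPB or from any shop; the secret key, the in-memory order store and the order ids are constructed placeholders.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional, Tuple

# Constructed demo secret; a real deployment loads this from a secret store.
SERVER_KEY = secrets.token_bytes(32)

@dataclass
class Order:
    order_id: str
    dispatched: bool = False
    used_nonces: set = field(default_factory=set)  # nonces already redeemed

# Constructed in-memory order store standing in for the shop's database.
ORDERS = {"A1001": Order("A1001")}

def _sign(payload: str) -> str:
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()

def issue_edit_token(order_id: str, ttl_seconds: int = 3600,
                     now: Optional[float] = None) -> str:
    """Mint a time-limited, one-use edit token for an existing order.

    It holds only the order id, an expiry and a random nonce, covered by an
    HMAC; no customer data, no password. It goes into the confirmation link.
    """
    expiry = int(now if now is not None else time.time()) + ttl_seconds
    nonce = secrets.token_urlsafe(16)  # urlsafe alphabet never contains '.'
    payload = f"{order_id}.{expiry}.{nonce}"
    return f"{payload}.{_sign(payload)}"

def redeem_edit_token(token: str, now: Optional[float] = None) -> Tuple[bool, str]:
    """Validate and consume a token. Returns (allowed, reason)."""
    now = now if now is not None else time.time()
    parts = token.split(".")
    if len(parts) != 4:
        return False, "malformed"
    order_id, expiry, nonce, tag = parts
    # Check the signature first, in constant time, before trusting any field.
    if not hmac.compare_digest(_sign(f"{order_id}.{expiry}.{nonce}"), tag):
        return False, "bad-signature"
    if now > int(expiry):
        return False, "expired"
    order = ORDERS.get(order_id)
    if order is None or order.dispatched:
        return False, "order-not-editable"  # edits end at dispatch
    if nonce in order.used_nonces:
        return False, "already-used"  # replay of a one-use link
    order.used_nonces.add(nonce)
    return True, "ok"
```

In production the redeemed-nonce set lives in the order record so that a link cannot be replayed across application instances, and the short TTL plus the dispatch check bound how long the token, and the contact data behind it, stay in use.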


After-sales services and exercise of rights: mandatory accounts are not necessary ⛔️

After-sales services include returns, exchanges, complaints, and contractual guarantees. The EDPB says these services can be provided without accounts, for example via secure forms, customer service channels, or email hyperlinks linked to the specific order in the controller’s CRM.

Similarly, the EDPB says accounts are unlikely to be necessary to identify users and respond to consumer rights or GDPR rights, because the controller can identify the person through other known channels (email/phone). Controllers must comply with consumer protection and GDPR obligations regardless of account existence. If there are reasonable doubts about identity, the controller can request additional information necessary to confirm identity (Article 12(6)).


The EDPB recognises e-merchants may have a legitimate interest in developing customer loyalty through discounts, exclusive benefits, or commercial messages. But it points out that loyalty-related processing such as tracking may require consent under GDPR and the ePrivacy Directive. It also states that requiring an account is generally not necessary to propose loyalty initiatives, and customers cannot reasonably expect mandatory account creation for loyalty purposes. Therefore controllers should not rely on Article 6(1)(f) to justify mandatory accounts for loyalty.


Facilitating subsequent orders: legitimate interest exists, but necessity/balancing are weak ⛔️

The EDPB acknowledges that facilitating subsequent transactions may be a legitimate interest, but questions whether mandatory accounts are necessary, because whether another purchase occurs depends on the consumer’s decision, and at the time of purchase people may not reasonably expect retention beyond what is needed to deliver the goods/services being bought. The EDPB concludes controllers should not rely on Article 6(1)(f) to require accounts for this purpose because necessity and balancing are unlikely to be met.


Fraud prevention: legitimate interest may exist, but mandatory accounts are usually not necessary (and may increase risk) ⛔️

Fraud prevention is often invoked as the strongest business argument. The EDPB accepts fraud prevention can rely on legitimate interests in principle, but stresses that this does not mean any processing is automatically justified. Processing must be strictly necessary for preventing fraud and must be assessed with data minimisation in mind.

The EDPB explains why necessity is generally unlikely to be met for mandatory accounts: many e-commerce sites operate without requiring accounts; there is no purchase history when an account is first used; some signals (device fingerprint changes; different devices) are unreliable; address changes often happen right before an order anyway; and requiring accounts can itself create fraud risk (e.g., account takeovers) to the detriment of data subjects.

Even if a controller could show necessity in an exceptional case, the EDPB says the controller must be specific about the type of fraud it is trying to prevent and what data are truly needed; if the fraud is not of substantial importance, balancing will likely favour the data subject. The EDPB’s final position is that controllers should not rely on Article 6(1)(f) to justify mandatory accounts for fraud prevention because the necessity test is unlikely to be met.


What the EDPB expects instead: guest mode + voluntary account, with purpose separation

The EDPB’s practical conclusion is consistent throughout: if mandatory accounts are not justified, users should be offered a genuine choice between creating an account or proceeding as a guest. Guest mode is described as completing an order by filling in a form, without authentication by identifier and password, and without a personal digital environment.

Two details are particularly operational:

  1. Choice architecture is not “compliance theatre”. The EDPB frames the choice as supporting transparency and enabling users to understand the implications of each route. It also supports data minimisation because mandatory accounts require processing of credentials and create a significant risk of collecting more data than necessary for a sales agreement.

  2. No “purpose laundering”. Even with guest mode or voluntary accounts, you still must determine processing purposes and choose corresponding legal bases. Neither guest mode nor voluntary account creation is a purpose in itself. For example, contract performance may cover order fulfilment, while marketing may require consent and (where relevant) compliance with ePrivacy rules.

If voluntary account creation unlocks add-ons like order history, facilitated subsequent purchases, personalised offers, or loyalty programmes, the EDPB says controllers should rely on an appropriate legal basis depending on the purpose.

Where the add-on is based on consent, it should be clearly separated from the core purchase process so non-registrants are not disadvantaged. Controllers should provide clear information on purposes, retention, and rights (including withdrawal of consent and erasure). The user must be able to withdraw consent via the same interface as it was obtained, and controllers should not silently switch the lawful ground from consent to another basis when consent is withdrawn.


Conclusion

The EDPB’s core message is not that accounts are forbidden. It is that requiring them is a high-interference measure that will usually fail the necessity tests under Articles 6(1)(b), 6(1)(c), and 6(1)(f) for ordinary retail purchases. Except in limited situations (notably certain subscriptions and genuinely restricted communities), the EDPB’s preferred compliance outcome is to allow customers to buy as guests and make account creation a separate, voluntary choice with clear purpose separation.


Written By

Anastasiia Klymenko