PONT Data&Privacy

In many cases, online stores are not allowed to require customers to create an account.

Webshops are generally not allowed to require customers to create an account before they can make a purchase. This is according to new recommendations from the European Data Protection Board (EDPB). Mandatory accounts have long been the subject of numerous complaints to privacy regulators in several EU countries. The EDPB therefore clarifies that a mandatory account is usually not necessary for an online purchase and may violate privacy rules.

Autoriteit Persoonsgegevens December 30, 2025

News/press release

Many people recognize this situation: you want to order something quickly, but first you have to create an account and provide personal data. According to the EDPB, this often leads to the collection and storage of more personal data than necessary. This increases the risks for people, such as the risk of data misuse.

Mandatory account not required in many cases

The EDPB emphasizes that a mandatory account is not necessary in many cases. A mandatory account is almost never necessary for a one-time purchase. In principle, a mandatory account is also not necessary for tracking or returning an order. It may only be necessary in limited situations. For example:

  • a subscription service, whereby customers use a service on a long-term basis;
  • access to a closed member area with clear selection criteria.

"Guest option" is the privacy-friendly default

According to the EDPB, online stores should therefore usually offer consumers the choice between creating an account or checking out as a guest. According to the regulators, the guest option is the most privacy-friendly way to shop online. Only the customer data necessary to process and deliver the order is used.

This approach is in line with the principle of privacy by design and default: organizations design their services in such a way that they process as little personal data as possible.

Less data, less risk for online stores

The recommendations provide online stores with clear guidelines for bringing their ordering processes into line with the General Data Protection Regulation (GDPR). The EDPB points out to webshops that they are responsible for their customers' personal data. The more data is collected and stored, the greater the risks. In practice, it also appears that personal data is often stored for longer than necessary, which further increases the risk of data breaches.

Consultation: responses can be submitted until February 12, 2026

The recommendations are not yet final. The AP invites organizations, industry associations, civil society organizations, and other stakeholders to respond to the consultation.

You can respond until February 12, 2026, via the EDPB website. The EDPB will then adopt the final recommendations.
