Recommendations 2/2025 of the EDPB on the legal basis for requiring mandatory accounts in e-commerce
1. Introduction
On e-commerce websites, users are often required to create an online account before they can access offers or purchase goods and services. The European Data Protection Board (hereinafter, “EDPB”) points out that the creation of these online accounts may result in personal data being stored in an active database for longer than strictly necessary to complete the purchase and deliver the order, thereby increasing the risk of security breaches affecting personal data.
Moreover, electronic environments that require login facilitate the data controller's ability to log users' browsing history and track their browsing habits to improve targeted marketing potential. This processing of personal data without a legitimate basis constitutes a violation of the General Data Protection Regulation (hereinafter, “GDPR”).
The Recommendations analyze the most common processing activities that data controllers in the e-commerce sector use to require the creation of user accounts in relation to the legal basis they consider relevant in each case, namely: (i) the performance of a contract to which the data subject is a party; (ii) compliance with a legal obligation to which the data controller is subject; or (iii) pursuing a legitimate interest of the data controller or a third party. Finally, alternatives to the mandatory creation of these accounts are proposed.
2. Performance of a contract
For this legal basis to be relevant, it is essential that the processing is necessary for the performance of the contract or, in other words, that without this processing of personal data it would be impossible to fulfill the contract. Consequently, in the context of creating a user account, processing activities based on the performance of a contract must pass a necessity test.
The processing activities that data controllers most often invoke based on the performance of a contract are as follows:
- One-off sale: according to the EDPB, for a one-off sale, necessary personal data can be collected without requiring the creation of an account, for example, by using guest mode.
- Subscriptions: a subscription is understood to be an agreement whereby one party agrees to pay a sum of money to the other party in exchange for receiving a product or service on a regular basis, implying that the data controller has an interest in establishing a long-term contractual relationship with the user. In this case, the creation of an account can be considered relevant as long as the data controller demonstrates that its creation is necessary to access the service to which the user has subscribed.
- Access to exclusive offers: the creation of a user account will be deemed necessary in cases where access to offers or services is reserved for a select community of members, with specific and verifiable characteristics, and in which registration in this exclusive community becomes the main purpose of the contract.
- Conditional purchase: some e-commerce sites only allow users with a specific status, such as that of a student, to purchase goods or services. In this regard, the user's ability to make the purchase does not depend on their contractual relationship with the data controller, but on their status. According to the necessity test, the data controller must demonstrate that there are no less intrusive means than the creation of an account to carry out the necessary checks of this status.
- Concluding a contract to receive personalized recommendations in the context of a purchase: this scenario assumes that, in addition to the main contract, the user subscribes to another contract to receive personalized recommendations before completing the purchase. The data controller must demonstrate that this contract exists and that the user has consciously accepted it.
- After-sales services and exercising rights: after-sales services (exchanges and returns, complaints) and the management of consumer rights or GDPR rights can be provided without the user needing to create an account, through specific links or communications via email. Therefore, the basis of contractual performance does not justify the mandatory creation of accounts in these cases either.
3. Compliance with a legal obligation
Regarding this legal basis, cases in which the law expressly requires the assignment of user accounts (regulated services) fall outside the scope of the Recommendations. Apart from these exceptions, data controllers must determine to what extent the legal obligations applicable to them require them to create user accounts. The EDPB considers it very unlikely that such processing can be justified on this legal basis, as there are usually less intrusive alternatives available to comply with legal obligations.
4. Legitimate interest
In the absence of a definition of the concept of legitimate interest in the GDPR, data controllers wishing to base any data processing related to the creation of user accounts on Article 6.1.f must meet three conditions, as established in Guidelines 1/2024 of the European Data Protection Board:
- The data controller or a third party must pursue a legitimate and genuine interest.
- There must be a need to process personal data to achieve the purposes that contribute to the invoked legitimate interest. Processing can only be considered necessary on this legal basis if there are no other means to achieve the goal that are less intrusive to the rights and freedoms of the individuals concerned (necessity test).
- The interests or fundamental rights and freedoms of the individuals concerned must not outweigh the legitimate interest of the data controller or a third party (balancing test).
In the processing activities analyzed under this legal basis, which involve facilitating order management (tracking orders or managing post-order changes), fostering customer loyalty, and facilitating future purchases, the EDPB considers it unlikely that the required necessity and balancing tests will be met; therefore, the creation of user accounts in the context of these processing activities should not be based on the legitimate interest of the data controller.
Regarding fraud prevention, although its detection and prevention may constitute a legitimate interest of the data controller, the data processing carried out for this purpose must also pass the necessity and proportionality tests to be based on Article 6.1.f of the GDPR.
Fraud may manifest itself through the use of stolen credentials, fraudulent orders, suspicious changes in delivery addresses, or identity theft. Some data controllers argue that requiring the creation of an account helps detect such behavior due to information such as behavior history, changes in account data, or variations in the device's digital footprint. However, the EDPB considers it unlikely that the creation of an account is necessary to prevent fraud, and notes that:
- Many retailers do not require customers to create an account and still apply anti-fraud measures.
- A new account does not provide a useful history to detect suspicious behavior.
- Factors such as changes in devices, addresses, or software updates can generate false positives.
- The requirement to create an account may even increase risks for users, as it requires storing data that would otherwise not be collected.
Consequently, it is unlikely that this measure will pass the necessity test. Moreover, even if it were deemed necessary, the data controller would need to pass the fit test, justifying what type of fraud they intend to prevent and what specific data they really need to do so.
5. Conclusions
The position of the EDPB in these Recommendations —the public consultation phase of which ended on 12 February— is clearly oriented towards the idea that the creation of a user account is rarely necessary to achieve the aims pursued by data controllers. However, these examples do not constitute an exhaustive list. Each case must be evaluated individually, rigorously applying the necessity and balancing tests to determine whether the requirement to create a user account is truly relevant and proportionate in each specific case.
As alternatives to the mandatory creation of these accounts, offering users the option to register voluntarily (that is, basing the creation of the account on the user's consent in accordance with Article 6.1.a of the GDPR) or allowing purchases in guest mode are, according to the EDPB, the most appropriate and efficient ways of collecting personal data lawfully in this context.
Informative note from the Data Protection Department of ECIJA Madrid.