Key Takeaways
- On 3 December 2025 the EDPB adopted Recommendations 2/2025, concluding that forced account creation on eCommerce sites is justified "only for a very limited — though non-exhaustive — set of purposes," naming subscription services and exclusive offers as its examples.
- Guest checkout is now the regulator-endorsed default. The EDPB calls guest mode "in principle, the most privacy-protective option to enable purchases," anchored in data protection by design and by default under Article 25 GDPR.
- Every lawful basis for a forced account is read narrowly: contract necessity fails for one-off purchases, tax law only requires keeping documents such as invoices (¶45), fraud prevention fails the necessity test (¶75), and consent behind a locked checkout is not freely given (¶17).
- The public consultation closed on 12 February 2026 with formal pushback from Ecommerce Europe; no final version had been published as of early July 2026, but supervisory authorities already align their review practice with EDPB positions.
- Priorities for stores: offer a guest option with equal prominence, re-document the lawful basis for each processing purpose in your records, and separate account perks from the purchase flow.
Introduction
Somewhere in your purchase funnel there is probably a wall: "Create an account to continue." For years that wall was a growth tactic with a UX cost. The European Data Protection Board (EDPB) has reclassified it: it is now a data protection problem with a legal cost. In Recommendations 2/2025, adopted on 3 December 2025, the Board concludes that requiring shoppers to register before they can buy will rarely satisfy the GDPR — and that guest checkout should be the default on EU eCommerce sites. The consultation on the draft closed on 12 February 2026, the industry has objected on the record, and a final version is pending. Here is what the recommendations actually say, why each legal basis fails, where the genuine exceptions are, and what to change in your store first.
This article is informational content, not legal advice. For organisation-specific guidance, consult a qualified legal professional.
What the EDPB's Guest Checkout Recommendations Actually Say
The document's full name is [Recommendations 2/2025 on the legal basis for requiring the creation of user accounts on e-commerce websites](https://www.edpb.europa.eu/system/files/2025-12/edpb-recommendations-202502-mandatory-user-accounts_en.pdf), and it answers one question: when may a store make registration a condition of purchase? The EDPB's answer is: almost never.
The general rule: guest mode is the default
The Board's starting position is that users should be able to access offers and complete purchases without creating an account — either through a guest flow or an optional, voluntary registration. It describes guest mode as "in principle, the most privacy-protective option to enable purchases, in line with the obligation of data protection by design and by default under Article 25 GDPR."
Two details matter for implementation. First, guest mode as the EDPB defines it is deliberately mundane: the customer completes an order "by simply filling in a form," with no identifier and no password (¶79). Offering it does not even require a distinct processing activity. Second, the Board treats the benefits of an account — order history, faster repeat purchases, loyalty programmes — as things that "should result from an active choice of the data subject" (¶78), not from a gate.
PayTechLaw's analysis captures the practical shift: "mandatory user registration itself becomes an interference requiring justification, while account-free access constitutes the data protection starting point." The burden of proof has moved to the store.
The narrow exceptions
The EDPB accepts mandatory accounts for "a very limited — though non-exhaustive — set of purposes, such as offering a subscription service or providing access to exclusive offers." Both named examples share one feature: an ongoing relationship the customer actively chose. A monthly coffee subscription cannot be managed without a durable customer record; a members-only price list is, by definition, tied to membership.
Our read: treat "non-exhaustive" conservatively. If your use case does not share that ongoing-relationship feature, assume it falls on the wrong side of the line — every routine retail purpose the draft actually assessed (fulfilment, order management, after-sales, fraud prevention, invoicing) failed the necessity test.
Where the recommendations stand in mid-2026
- 3 December 2025 — version 1.0 adopted for public consultation.
- 12 February 2026 — consultation closed; the EDPB page now shows "closed for feedback."
- As of early July 2026 — no final version published yet.
The pushback was substantial. Ecommerce Europe, the sector's Brussels trade body, argued that guest mode is "not inherently more privacy friendly" — a guest purchase still transmits address and payment data — and warned that building a separate guest-checkout path "could take up two to three years" of IT work for some businesses, with marketplaces, auction sales, trade-in programmes and event sales hit hardest.
The EDPB has not said when the final version will land or what will change. Until it does, the conservative read is to treat the draft as the direction of travel. German practitioners at PLANIT//LEGAL note that supervisory authorities base review and fine decisions on EDPB guidance, so an account-only checkout already carries the risk of cease-and-desist letters and damage claims. And the arithmetic cuts one way: waiting for the final text buys you months, while the remediation Ecommerce Europe describes takes years. Start now.
Is It Legal to Force Customers to Create an Account Under GDPR?
Usually not. Under EDPB Recommendations 2/2025, mandatory account creation on an eCommerce site rarely has a valid legal basis: it is not necessary to perform a one-off sales contract, not required by tax law, generally fails the legitimate-interests necessity test, and cannot be saved by consent at a locked checkout.
The detail is worth walking through, because the Board's reasoning is what you will need to mirror in your own documentation.
Contract necessity: "useful" is not "necessary"
Article 6(1)(b) GDPR covers processing "necessary for the performance of a contract to which the data subject is party." The operative word is necessary — and the EDPB treats necessity as a "central corrective for all legal bases under Article 6(1)," in PayTechLaw's phrase. The question is never whether an account is useful or convenient for you; it is whether the sale objectively cannot happen without one.
Say you sell ceramics to customers in Germany and France. To fulfil an order you need a name, a delivery address and a payment confirmation — all of which fit on a one-page guest form. A permanent authenticated profile adds nothing the parcel requires. That is the necessity test failing in plain sight, and it fails the same way for most one-off retail purchases.
Legal obligation: your invoices don't need a login
Some stores point to tax and accounting law: we must retain transaction records, therefore we must keep accounts. The EDPB addresses this directly. Processing for tax and accounting obligations is "usually restricted to specific documents such as invoices" and does not require storing the personal data used to create those documents — the archive "may be achieved without requiring the user to create an account" (¶45). Keep the invoice; skip the login.
Legitimate interests: the fraud argument cuts the other way
Fraud prevention is the most common defence of forced registration, and the draft takes it seriously — then dismantles it. Fraud prevention can be a legitimate interest under Article 6(1)(f), as Recital 47 GDPR acknowledges. But the Board finds that "the processing involved in a required account creation does not seem necessary for fraud detection and prevention" (¶72). Its reasons are practical: a first-time account has no purchase history to check against, delivery-address changes "usually happen right before an order is placed" anyway, and routine software updates change device fingerprints in ways that mimic fraud signals (¶73). An account cannot vouch for a customer it met thirty seconds ago.
The draft goes further: forced accounts can create fraud risk. Users reuse passwords across sites, secure methods such as passkeys are rarely offered, and a compromised account exposes every stored detail (¶11). The conclusion is blunt — controllers "should not rely on Article 6(1)(f) GDPR to justify the requirement to create an account for the purposes of fraud prevention" (¶75).
Consent: a locked checkout is not a free choice
Could you simply ask shoppers to consent to registration? The draft rules this out from the start: when an account is required to access offers or purchase, "the user cannot freely consent to the processing of their data for such purpose" (¶17). Consent under Article 6(1)(a) must be freely given; a choice between registering and not buying is not a choice. Osborne Clarke's analysis of account-only checkouts reaches the same conclusion.
For voluntary accounts, consent works — with conditions. Perks tied to consent must be "clearly separated from the core purchase process so that customers who choose not to register are not disadvantaged," withdrawal must work "via the same interface" used to give consent, and you may not silently switch to another legal basis when consent is withdrawn (¶81).
When Is a Mandatory Account Actually Justified?
A mandatory account is justified only where the account itself is the service. The EDPB names subscription services and access to exclusive offers as its examples. Routine retail purposes — fulfilment, order tracking, warranties, invoicing, fraud checks, marketing — do not qualify, because each can be achieved through a guest flow.
| Purpose | EDPB position in Recommendations 2/2025 | Compliant route |
|---|---|---|
| One-off purchase fulfilment | Not necessary for the contract — Article 6(1)(b) fails | Guest form: name, delivery address, payment |
| Order tracking and updates | Achievable without a permanent profile | Emailed status link tied to the order number |
| After-sales, returns, warranty | Does not require an account | Order reference plus proof of purchase |
| Tax and invoice retention | Only the documents must be kept (¶45) | Archive invoices separately from customer profiles |
| Fraud prevention | Necessity test unlikely to be met (¶75) | Payment-level anti-fraud tools, targeted checks |
| Marketing and personalisation | Needs its own legal basis — cannot ride on registration | Separate, optional consent (¶80–81) |
| Subscription services | Justified — the account is the service | Mandatory account acceptable |
| Exclusive member offers | Justified where access is genuinely exclusive | Mandatory account acceptable — document the reasoning |
One caveat: a justified account does not suspend the rest of the GDPR. Article 5(1)(c) still limits collection to data that is "adequate, relevant and limited to what is necessary," and every purpose still needs its own documented basis (¶80).
How to Make Your Checkout Compliant: 6 Steps
- Audit every path to purchase. Web, mobile app, phone orders, legacy landing pages. List each point where an account is required rather than offered, and note which team owns that flow — the wall is often in more places than the main checkout.
- Enable guest checkout and give it equal billing. The EDPB's guest mode is just a form (¶79); on mainstream platforms this is usually configuration rather than construction. If your architecture genuinely cannot support it soon, write a remediation plan with dates — a documented plan is a materially better position in a supervisory inquiry than silence.
- Re-document your lawful bases, purpose by purpose. Guest mode is not itself a purpose (¶80). For each purpose — the sale, delivery, invoicing, marketing — record the basis you rely on. Your record of processing activities is where this lives; our guide to [building a record of processing activities](/resources/blog/data-mapping-101-how-to-build-a-record-of-processing-activities) walks through the structure.
- Separate the perks from the purchase. Order history, loyalty points and personalised offers move behind a voluntary, clearly separated opt-in (¶81). Customers who decline must not be disadvantaged in the core purchase flow.
- Fix retention for accounts and invoices separately. Invoices belong in a finance archive on a statutory clock; profile data follows your [customer-data retention schedule](/resources/blog/gdpr-data-retention-how-long-keep-customer-data). Two datasets, two clocks.
- Update your privacy notice and consent records. The notice must describe the new flows and bases, and your consent records must capture the separated opt-ins. Our [GDPR compliance checklist for eCommerce](/resources/blog/gdpr-compliance-for-ecommerce-practical-checklist) covers the wider sweep.
Common Mistakes That Invite Complaints
Ranked by how much trouble they tend to invite:
- Waiting for the final version. The single worst move. Supervisory authorities already align reviews with EDPB positions, and the industry's own estimate for deep checkout rebuilds runs to two or three years. The final text may soften details, but the guest-mode default was the document's central finding, not a side note.
- Consent-walling the checkout. Adding an "I agree to create an account" checkbox does not cure compulsion — consent gated by purchase is not freely given (¶17).
- Playing the fraud card without the paperwork. If you keep fraud prevention as a justification, the draft demands specificity: name the fraud type, show why account data is strictly necessary for it, and pass the balancing test (¶74). A one-line "security reasons" note will not survive contact with a regulator.
- Offering guest checkout, then hiding it. A grey "continue as guest" link beneath a glowing "Register" button disadvantages exactly the customers ¶81 protects. Regulators read screens, not just policies.
- Forgetting the accounts you already forced. Profiles collected under the old wall still sit on your servers. Review what you hold, apply your retention schedule, and treat erasure requests on those accounts as the priority they are.
How PrivacyForge Helps
The recommendations are, at bottom, a documentation exercise: for every purpose, show the basis — or change the flow. PrivacyForge's data mapping module records exactly that purpose-to-lawful-basis pairing in your record of processing activities, so the analysis ¶80 expects exists before a supervisory authority asks for it. Consent management and embeddable forms handle the separated opt-ins the draft requires for account perks, with withdrawal available in the same interface, as ¶81 expects. And when erasure requests arrive for legacy account data, the DSAR workflow tracks them against their statutory deadlines. None of this decides the legal question for you — it makes the answer you settle on demonstrable.
Frequently Asked Questions
Is it legal to require customers to create an account to buy online?
Usually not under the GDPR as the EDPB reads it. Recommendations 2/2025 conclude that mandatory registration for ordinary purchases lacks a valid legal basis: it is not necessary for the contract, not required by tax law, and fails the legitimate-interests test. Offer a guest option and make accounts voluntary.
Does the GDPR actually mention guest checkout?
No. The GDPR never uses the term. The requirement emerges from applying existing provisions — lawfulness under Article 6(1), data minimisation under Article 5(1)(c), and data protection by design and by default under Article 25 — to checkout flows, which is what EDPB Recommendations 2/2025 does.
Are the EDPB recommendations legally binding?
No. EDPB recommendations are guidance, not legislation, and this one is still a draft awaiting its final version after the consultation closed on 12 February 2026. In practice, supervisory authorities align reviews and enforcement with EDPB positions, so the guidance is a strong signal of how your DPA will assess an account-only checkout.
When is a mandatory customer account allowed?
When the account is genuinely the service: the EDPB names subscription services and access to exclusive offers as justified examples. The list is non-exhaustive, but every routine retail purpose assessed in the draft — fulfilment, order management, after-sales, fraud prevention, invoicing — failed the necessity test. Document your reasoning if you claim an exception.
What should we do with accounts we already forced customers to create?
Do not mass-delete them; act deliberately. Offer guest checkout going forward, stop gating new purchases, review the retention schedule for existing profile data, and prioritise any erasure requests. Where consent underpins account extras, confirm it was freely given and can be withdrawn in the same interface it was granted.
Conclusion
The EDPB has moved the default. Account-free purchase is the starting point; forced registration is the exception that needs a documented case. The final version of Recommendations 2/2025 is still pending, but every practical factor — regulator practice, rebuild lead times, complaint risk — points to acting on the draft rather than waiting it out. Audit where your checkout demands an account, open a guest path, and put the lawful-basis reasoning on paper. Your checkout has one job; let it do that job for everyone, signed in or not.
When you are ready to put the documentation in order, map your purposes and lawful bases in PrivacyForge — and have the answer ready before anyone asks.
Sources
- [EDPB Recommendations 2/2025 on the legal basis for requiring the creation of user accounts on e-commerce websites (PDF)](https://www.edpb.europa.eu/system/files/2025-12/edpb-recommendations-202502-mandatory-user-accounts_en.pdf)
- [EDPB press release: recommendations to make online shopping more respectful of users' privacy](https://www.edpb.europa.eu/news/news/2025/edpb-gives-recommendations-make-online-shopping-more-respectful-users-privacy_en)
- [EDPB public consultation page for Recommendations 2/2025](https://www.edpb.europa.eu/our-work-tools/documents/public-consultations/2025/recommendations-22025-legal-basis-requiring_en)
- [GDPR Article 6 — Lawfulness of processing](https://gdpr-info.eu/art-6-gdpr/)
- [GDPR Article 5 — Principles relating to processing of personal data](https://gdpr-info.eu/art-5-gdpr/)
- [PayTechLaw: Data protection law permissibility of mandatory user accounts in e-commerce](https://paytechlaw.com/en/data-protection-law-permissibility-of-mandatory-user-accounts-in-e-commerce/)
- [Osborne Clarke: Does your 'account only' checkout comply with the GDPR?](https://www.osborneclarke.com/insights/does-your-account-only-checkout-comply-gdpr)
- [Ecommerce Europe: The e-commerce sector responds to the EDPB's draft recommendations on guest mode](https://ecommerce-europe.eu/news-item/the-e-commerce-sector-responds-to-the-edpbs-draft-recommendations-on-guest-mode/)
- [PLANIT//LEGAL: Mandatory customer accounts under scrutiny](https://planit.legal/en/customer-account-guest-checkout/)