ARTICLE
18 December 2025

EDPB Weighs In: When Is An E-Commerce Account Truly Necessary?

Herbert Smith Freehills Kramer LLP

Contributor

Herbert Smith Freehills Kramer is a world-leading global law firm, where our ambition is to help you achieve your goals. Exceptional client service and the pursuit of excellence are at our core. We invest in and care about our client relationships, which is why so many are longstanding. We enjoy breaking new ground, as we have for over 170 years. As a fully integrated transatlantic and transpacific firm, we are where you need us to be. Our footprint is extensive and committed across the world’s largest markets, key financial centres and major growth hubs. At our best tackling complexity and navigating change, we work alongside you on demanding litigation, exacting regulatory work and complex public and private market transactions. We are recognised as leading in these areas. We are immersed in the sectors and challenges that impact you. We are recognised as standing apart in energy, infrastructure and resources. And we’re focused on areas of growth that affect every business across the world.
The European Data Protection Board ("EDPB") recently published recommendations relating to mandatory user accounts on e-commerce platforms. These recommendations establish a strict standard for when an organisation...
United Kingdom Privacy
Miriam Everett’s articles from Herbert Smith Freehills Kramer LLP are most popular:
  • within Privacy topic(s)
  • in United States
  • with readers working within the Transport industries
Herbert Smith Freehills Kramer LLP are most popular:
  • within Privacy, Transport and Antitrust/Competition Law topic(s)

The European Data Protection Board ("EDPB") recently published recommendations relating to mandatory user accounts on e-commerce platforms. These recommendations establish a strict standard for when an organisation can rely on the legal basis of "necessity for the performance of a contract" (Article 6(1)(b) of the GDPR) in order to impose the creation of permanent user accounts.

The necessity principle

At the core of the EDPB's position is the principle of data protection by design (Article 25 of the GDPR). The guidance suggests that a "guest mode" checkout is the most privacy-protective option and should be the default, as it minimizes the amount of data collected and stored persistently.

The EDPB scrutinizes whether mandatory account creation is strictly necessary to fulfill the specific request made by the user. If an action — such as completing a one-time sale — can be performed without creating a persistent, identifiable profile, then mandating an account is likely to be deemed disproportionate and risky under current GDPR enforcement interpretations.

Scenarios where persistent user accounts are justified (lower risk)

The recommendations outline limited situations where the creation of a persistent user account is considered necessary because recurrent, authenticated interaction is intrinsic to the nature of the service itself:

  • Subscription Services: Where the contractual obligation involves ongoing, authenticated access to content or services over a defined period (e.g. streaming platforms, software-as-a-service).
  • Closed Community Access: Services that are explicitly limited to a closed, verified user group based on professional status, invitation, or other predefined criteria.

Scenarios where persistent user accounts are not necessary (higher risk)

The EDPB provides examples of common e-commerce activities where mandatory account creation is viewed as not necessary to fulfill the contractual obligation of the transaction. Relying on contract performance or legitimate interest (Article 6(1)(f)) in these situations could present a heightened compliance risk:

  • One-Time Sales: Completing a single purchase or transaction.
  • Order Tracking: Providing shipment status updates (which can be facilitated via an emailed link without a login).
  • Post-Sale Functions: Managing common after-sales requests, such as returns, warranty claims, or processing GDPR data subject requests.
  • Internal Obligations: Fulfilling technical requirements like generating invoices for tax/accounting purposes or general fraud prevention measures.
  • Personalization: Providing non-essential, personalized product recommendations during the checkout process.

Compliance Strategy

For organisations whose e-commerce flow currently mandates the creation of an account before making a purchase, the EDPB's guidance suggests two paths:

  1. Implement Guest Checkout: This is widely viewed as the safest path to immediate compliance. While personal data necessary for shipping and payment (name, address, etc.) can still be collected under the contract basis, no persistent user account profile is created unless the user actively consents.
  2. Document a Detailed Necessity Defence: If mandatory account creation is deemed business-critical and impossible to bypass, the organisation should formally document a necessity test. This documentation should detail why a guest checkout is technically or legally impossible for specific, non-marketing purposes and prepare to defend this position against regulatory scrutiny.
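As an added illustration of the guest-checkout path above (and of the emailed tracking link mentioned under "Order Tracking"), the following Python sketch shows one way a shop could implement the data-protection-by-design pattern the EDPB favours: the order record holds only the data needed to perform the sales contract, a persistent account is created only when the customer explicitly opts in, and shipment status is reachable through a signed, expiring link in the confirmation e-mail rather than through a login. This is example code written for this article, not code from the EDPB, the law firm or any particular platform; the class and field names, the HMAC-based token format and the sample order data are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

# Assumed server-side key for signing tracking links; a real deployment would
# load it from a secret store rather than generating it at import time.
TRACKING_KEY = secrets.token_bytes(32)


@dataclass(frozen=True)
class Order:
    """Only the fields needed to perform the sales contract (Art. 6(1)(b))."""
    order_id: str
    email: str              # needed for the confirmation and the tracking link
    shipping_name: str
    shipping_address: str
    payment_ref: str        # opaque reference from the payment provider, never card data


@dataclass(frozen=True)
class Account:
    """A persistent profile, created only when the customer explicitly opts in."""
    email: str
    created_at: float


def _sign(order_id: str, expires_at: int) -> str:
    """Assumed token format: <order_id>.<expiry_unix_time>.<hex HMAC-SHA256>."""
    msg = f"{order_id}.{expires_at}".encode()
    sig = hmac.new(TRACKING_KEY, msg, hashlib.sha256).hexdigest()
    return f"{order_id}.{expires_at}.{sig}"


class Shop:
    def __init__(self) -> None:
        self.orders: dict[str, Order] = {}
        self.accounts: dict[str, Account] = {}
        # Constructed sample carrier statuses so the example runs offline.
        self.shipment_status: dict[str, str] = {}

    def guest_checkout(self, email: str, shipping_name: str, shipping_address: str,
                       payment_ref: str, wants_account: bool = False
                       ) -> tuple[Order, Optional[Account]]:
        """Complete a one-time sale; an account exists afterwards only if wants_account is True."""
        order = Order(secrets.token_hex(8), email, shipping_name, shipping_address, payment_ref)
        self.orders[order.order_id] = order
        self.shipment_status[order.order_id] = "processing"
        account = None
        if wants_account:   # explicit opt-in, never a precondition of the purchase
            account = self.accounts.setdefault(email, Account(email, time.time()))
        return order, account

    def tracking_link(self, order_id: str, ttl_seconds: int = 30 * 24 * 3600,
                      now: Optional[int] = None) -> str:
        """Signed, expiring token to embed in the confirmation e-mail; no login required."""
        now = int(time.time()) if now is None else now
        return _sign(order_id, now + ttl_seconds)

    def track(self, token: str, now: Optional[int] = None) -> Optional[str]:
        """Return shipment status for a valid token, or None if tampered, expired or unknown."""
        now = int(time.time()) if now is None else now
        try:
            order_id, expires_str, _sig = token.split(".")
            expires_at = int(expires_str)
        except ValueError:
            return None
        expected = _sign(order_id, expires_at)
        if not hmac.compare_digest(expected, token):
            return None
        if now > expires_at:
            return None
        return self.shipment_status.get(order_id)


if __name__ == "__main__":
    shop = Shop()
    # Constructed sample customer data.
    order, account = shop.guest_checkout("ann@example.com", "Ann Example",
                                         "1 Sample Street, Sampletown", "pay_ref_0001")
    print("account created:", account is not None)        # False: guest by default
    link = shop.tracking_link(order.order_id, now=1_000)
    print(shop.track(link, now=2_000))                     # processing
    print(shop.track(link + "x", now=2_000))               # None: signature mismatch
```

The point of the design is that nothing about the purchase, the confirmation or the tracking link depends on a persistent profile, so the "necessity" question for an account never arises for the one-time sale itself; the opt-in flag is the only path that creates one.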

The EDPB has opened a public consultation on these recommendations until 12 February 2026. This provides a valuable opportunity for organisations to submit strategic feedback on the operational impact, particularly concerning activities (like fraud prevention or long-term warranty management) that the EDPB currently views as "not necessary."

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
