
DATA PROTECTION

European Data Protection Board: a public consultation, open until 12 February 2026, has been launched on the "Recommendations 2/2025 on the legal basis for the obligation to create user accounts on e-commerce sites".

The European Data Protection Board (EDPB) has launched a public consultation on Recommendations 2/2025 dedicated to the legal basis for imposing the creation of mandatory user accounts on e-commerce sites. The document stems from the observation that, although it is frequent to request registration before accessing offers or purchasing, such an approach may increase the risks to the rights and freedoms of data subjects and, in many scenarios, it is not "necessary" for a valid lawfulness basis under the GDPR.

The EDPB first clarifies the scope: "online user account" means a personal space accessible through an authentication mechanism with an identifier and password (including multi-factor authentication), while temporary access via passwordless tokens remains outside it. The Recommendations apply to e-commerce sites and apps, including platforms/marketplaces acting as intermediaries, but do not cover social media, search engines, audiovisual services or news sites. In addition, the text is without prejudice to any EU/national rules that require accounts for regulated products/services (e.g. alcohol, gambling, medicines).

On "why" mandatory registration is problematic, the EDPB highlights some typical effects: "logged-in" environments that favour systematic identification and the collection of more data (including inferred data), storage in active databases beyond what is necessary, with the attendant risk of orphaned accounts and attacks, as well as tracking of browsing habits and possible pressure through dark patterns or deceptive requests (e.g. requests for further "last-minute" data or consents during checkout). It also recalls that an account is not, in itself, a decisive measure against bots/scalping, and that widespread practices (password reuse, password reset, single sign-on) can introduce additional vulnerabilities.

On the merits of the legal bases, the EDPB adopts a strict reading of the requirement of necessity. For the performance of the contract (Art. 6(1)(b) GDPR), the mandatory creation of the account is normally not justifiable for a "one-time" sale: the data necessary to execute the contract and manage the order can also be collected without an account, for example via "guest" purchase. The case of subscription services is different, where the account may be necessary if the service requires recurring/authenticated interactions for the duration of the relationship and if there is an effective long-term contract. For access to exclusive offers, the lawfulness depends on the nature of the "membership": if the offer is in fact accessible to anyone simply by creating an account (without real criteria), the account does not appear necessary; it may be necessary when access is reserved for a selected community with "proven" characteristics and with a stable relationship with the operator. Even in conditional purchasing (discounts/goods accessible only to individuals with certain requirements, e.g. student status), the EDPB points out that the account should not be imposed for a "one-off" verification, because there are less intrusive and equally effective alternatives.

As regards the legal basis of compliance with a legal obligation (Art. 6(1)(c) GDPR), the EDPB recalls that the obligation must be clear, precise and foreseeable and that the necessity test goes beyond mere "utility"; in particular, identification/authentication for handling GDPR rights requests or consumer rights (returns, warranties, etc.) can also take place without imposing an account, so mandatory registration rarely meets the necessity requirement in these cases.

As for the legal basis of legitimate interest (Art. 6(1)(f) GDPR), the EDPB recalls the obligation to pass the three-step test (legitimate interest, necessity, balancing) and reaches restrictive conclusions: even when the goal is to prevent fraud or to facilitate follow-up orders, imposing an account tends not to meet the requirement of "strict necessity" and/or not to pass the balancing test. For fraud prevention, although the purpose may rest on a legitimate interest, a mandatory account is generally not considered the necessary solution.

The most relevant operational consequence is the recommendation to offer, in most cases, a genuine choice between account creation and guest purchase, the latter indicated as the option that is "in principle" more protective and consistent with data protection by design and by default (Art. 25 GDPR).

At the same time, if the account is optional and serves to enable additional services (e.g. order history, faster purchases, loyalty programmes, personalised offers), the EDPB stresses the need to clearly separate these functionalities from the purchase process, to avoid "penalising" those who do not register, to provide transparent information on purposes and retention and, when consent is used, to allow withdrawal with the same ease/interface with which it was collected (without silent "switches" to other legal bases).
