It is still common practice in many online shops: if you want to place an order, you must register. But what might be attractive to retailers for customer loyalty and data analysis purposes is under constant fire from data protection law. With its “Recommendation 2/2025 on the legal basis for requiring the creation of user accounts on e-commerce websites”, adopted on December 3, 2025, the European Data Protection Board (EDPB) has now set guidelines that could herald the end of mandatory customer accounts for traditional online commerce. The EDPB makes it clear that guest checkout is no longer just a nice feature, but in most cases a legal necessity. Below, you can find out what the EDPB Recommendation means for your business model.

What does the EDPB opinion say?

In Recommendation 2/2025, officially adopted on December 3, 2025, the EDPB addresses the question of whether and when online shops may require their customers to create a password-protected customer account. The answer is clear: only in very limited exceptional cases. As a rule, mandatory customer account creation poses a risk to the rights of data subjects, because more data is collected than is necessary for the purchase itself, and because permanently stored profiles increase the exposure in the event of a data leak.

The legal basis under scrutiny

Retailers usually base the requirement to create a customer account on three pillars of the GDPR, which the EDPB systematically dismantles:

  1. Fulfillment of a contract (Art. 6 (1)(b) GDPR): The EDPB argues that a one-time purchase can be processed without any problems without a permanent customer account. A customer account is simply not necessary for the exchange of goods for money. Exceptions apply almost exclusively to genuine subscriptions (e.g., streaming or regular delivery boxes), where permanent management is mandatory.
  2. Legal obligation (Art. 6(1)(c) GDPR): Tax retention obligations for invoices justify the internal storage of data by the retailer, but not the obligation of the customer to maintain a customer account with login details.
  3. Legitimate interest (Art. 6(1)(f) GDPR): According to the EDPB, interests such as fraud prevention or convenience for follow-up orders do not outweigh the user’s right to data minimization. An individual link sent by email is sufficient for shipment tracking, and a customer account is not the least intrusive means of achieving fraud prevention.

The nature of the Recommendation: more than a suggestion

From a legal perspective, the Recommendation adopted on December 3, 2025, is so-called “soft law”: it is not a statute and is, in theory, not directly binding on courts. In practice, however, data protection supervisory authorities base their review practices and fine decisions on these guidelines. Anyone who does not follow the EDPB’s Recommendations is acting against the European consensus of the supervisory authorities and runs the risk of receiving cease-and-desist letters and facing damage claims and/or legal proceedings. It is therefore advisable to adapt the shop’s IT architecture to this Recommendation.

What do companies need to do now?

To be legally compliant, online retailers should check the following points:

  • Implement guest checkout: Allow orders to be placed without requiring a password or permanently storing a profile in a customer account.
  • Emphasize voluntariness: You may offer a customer account, but it must remain an informed and free decision on the part of the user.
  • Avoid dark patterns: The option to place an order as a guest must not be visually disadvantaged.
  • Data minimization at checkout: When taking orders, only request data that is essential for shipping and billing.
  • Adapt deletion concepts: Ensure that data from customer orders is automatically deleted after the warranty and retention periods have expired (unless other retention periods prevent deletion in individual cases).

The shift to guest checkout is much more than a mere compliance obligation – it is a clear statement of your customers’ digital sovereignty. Instead of viewing guest checkout as a regulatory restriction, companies could see it as a strategic opportunity that perfectly aligns the interests of both sides. By offering freedom of choice, you can optimize your customer experience in a targeted manner: while loyal regular customers continue to enjoy the convenience of a stored profile, you minimize the barriers to entry for new customers and security-conscious buyers. Ultimately, you transform data protection requirements into a tangible competitive advantage that reduces cart abandonment rates and strengthens customer loyalty based on genuine trust rather than technical constraints.

Do you have questions about designing your checkout process in compliance with data protection regulations or implementing the new EDPB requirements? Contact us!

Patrizia Neifert

Lawyer

Email: patrizia.neifert@planit.legal
Phone: +49 (0) 40 609 44 190