The European Data Protection Board (EDPB) has opened for public consultation its Recommendation No. 2/2025, which examines the legal bases for forcing users to create accounts in order to shop on e-commerce websites.
This guidance will remain open for comments until 12 February 2026. The key points highlighted in the draft are as follows:
- Core Principle: "Guest Checkout" Should Be the Default Option:
The EDPB states that, as a general rule, allowing users to shop without creating an account (via "Guest Checkout") is the most appropriate approach. Requiring users to create an account is considered contrary to the GDPR principles of data minimisation and data protection by default.
- Restrictive Interpretation of Legal Bases: The Board reviewed the legal bases most frequently relied upon by e-commerce platforms to justify mandatory account creation (Performance of a Contract, Legal Obligation, Legitimate Interest) and reached the following conclusions:
  - Performance of a Contract: In one-off product sales, creating an account is not "necessary" for the performance of the contract; data required for order fulfilment (such as delivery address) can be collected without opening an account. Mandatory account creation may only be considered lawful in cases involving subscription-based services or situations requiring membership in a specific community.
  - Legitimate Interest: Making account creation mandatory for purposes such as order tracking, facilitating future purchases, or customer loyalty is generally not accepted, as it is deemed to infringe the fundamental rights and freedoms of the data subject.
  - Fraud Prevention: The EDPB also rejects the argument that account creation should be mandatory for fraud prevention purposes. According to the Board, account creation alone does not prevent fraud; on the contrary, compromised accounts may pose even greater risks.
  - Legal and Accounting Obligations: Obligations under tax and accounting laws to retain invoices do not require maintaining an active user account. Invoices and transaction records can be archived without a user account.
If adopted in its current form, the draft guidance would expose e-commerce websites that process personal data under the GDPR and do not offer a "Guest Checkout" option to significant compliance risks.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.