Does your "account-only" checkout comply with the GDPR?

Published on 17th February 2026

The EDPB clarifies when you can – and cannot – force customers to make an account

Many e-commerce websites use a "mandatory account" model, where customers must create an account to view offers or make purchases. Whilst commercially attractive, this model is feared to increase customers' privacy risks, including systematic tracking, longer data storage, and greater exposure to security incidents and identity theft.

Against this backdrop, the European Data Protection Board ("EDPB") has issued recommendations on when e-commerce businesses may legally oblige customers to create an account to view offers or make purchases under the General Data Protection Regulation ("GDPR"). The message is clear: mandatory accounts are only justified in very limited situations. They should therefore be the exception, not the default.

Legal bases for mandatory accounts: a high bar to clear

E-commerce businesses commonly point to three legal bases when they require account creation:

  • Performance of a contract (Article 6(1)(b) GDPR)
  • Compliance with a legal obligation (Article 6(1)(c) GDPR)
  • Legitimate interests (Article 6(1)(f) GDPR)

Looking at a series of typical use cases, the EDPB concludes that mandatory accounts are only justifiable in a very limited set of situations and under specific conditions. We briefly discuss these commonly used legal bases, as well as the legal basis of consent (Article 6(1)(a) GDPR), below.

Performance of a contract

To determine whether performance of a contract is appropriate for a specific processing operation, the controller[1] must assess whether such processing is "necessary for the performance of a contract to which the data subject is a party" (Article 6(1)(b) GDPR). This requirement has long been interpreted strictly by the EDPB, which now confirms that a mandatory account is only permissible where the controller can demonstrate "how the main subject-matter of the specific contract with the data subject cannot, as a matter of fact, be performed if the specific processing of the personal data in question does not occur". The controller must also ensure that there is no workable, less intrusive alternative.

In practice, this means that mandatory accounts are rarely justified under the performance-of-a-contract legal basis. For instance, for standard one-off purchases, creating an account is typically not necessary - the transaction can be completed through guest checkout whilst still fulfilling all contractual obligations. According to the EDPB, creating an account is also not necessary for after-sales services or the exercise of rights, such as withdrawal rights. The EDPB identifies only two scenarios (a non-exhaustive list) where mandatory accounts may, in certain circumstances, be justified under this legal basis:

  • Subscription services requiring ongoing authenticated access throughout the contract duration - provided that there is an actual, valid contract demonstrating the customer's intention to enter a long-term relationship
  • Exclusive offers inherently requiring a registered customer base (for example, genuinely closed members-only clubs where membership itself is the contracted service), rather than offers nominally labelled "exclusive" but accessible to anyone who creates an account

Compliance with a legal obligation

Certain legal obligations may require controllers to collect and verify customer information (Article 6(1)(c) GDPR). For example, controllers might be required to process and store personal data of their customers to demonstrate the fulfilment of tax and accounting obligations.

Processing operations for tax and accounting obligations are usually restricted to specific documents such as invoices and typically do not require the storage of personal data which has been used to create those documents. According to the EDPB, such data processing and storage may be achieved without requiring the customer to create an account. The necessity test under Article 6(1)(c) GDPR requires that there must be no other less intrusive means which would be as effective to pursue the objective - a test that is difficult to meet when alternatives like guest checkout exist.

Note: Legal requirements to assign mandatory accounts for offering certain regulated products and services (such as alcohol, gambling or pharmaceuticals) fall outside the scope of these EDPB recommendations.

Legitimate interest

Article 6(1)(f) GDPR allows processing where it is necessary for the purposes of legitimate interests pursued by the controller or a third party. Controllers relying on this legal basis must fulfil three cumulative conditions: (i) pursuit of a legitimate interest, (ii) necessity of processing for that interest, and (iii) a balancing test showing that the controller's interests do not override the customer's rights and freedoms.

Whilst a wide range of interests may in principle be considered legitimate, the EDPB considers that, in practice, mandatory accounts rarely satisfy the requirements under legitimate interest. Processing may only be deemed proportionate and necessary if the legitimate interest cannot reasonably be achieved equally effectively by other means which interfere less with fundamental rights and freedoms - a test that requires processing to be "strictly necessary". The EDPB recommendations provide detailed analysis of common purposes e-commerce businesses invoke to justify mandatory accounts, including order tracking, managing order modifications, building customer loyalty and fraud prevention. In all these scenarios, the necessity and balancing tests required for legitimate interest are unlikely to be met, according to the EDPB.

Consent

Importantly, because the recommendations deal with mandatory accounts (no account, no access to offers or purchases), customers cannot freely consent to the account creation for that purpose. Consent under Article 6(1)(a) GDPR is therefore not a suitable legal basis in the eyes of the EDPB.

Osborne Clarke comment

In practice, e-commerce businesses should revisit "account-only" purchasing flows and identify where they truly need customers to create an account. Except in very limited situations - such as certain subscription services or genuinely exclusive offers - mandatory account creation is unlikely to meet the requirements of the GDPR. In most cases, making an account mandatory will therefore create a significant risk of non-compliance with applicable privacy laws.

The EDPB identifies guest checkout as the most privacy-protective option to enable purchases, in line with the obligations of data protection by design and by default (Article 25 GDPR). The EDPB considers that this approach also contributes to a more secure online environment and better alignment with the transparency and data minimisation principles. Voluntary account creation remains possible for customers who wish to benefit from additional features such as order history or loyalty programmes.

[1] In e-commerce scenarios, the e-commerce business is likely the controller, though the actual controller role depends on the specific facts and circumstances of each processing operation.

* This article is current as of the date of its publication and does not necessarily reflect the present state of the law or relevant regulation.
