
GDPR Bans Mandatory Accounts: EDPB Position Explained

By TrustYourWebsite Editorial | 2 min read

Source: Ius Mentis

What happened?

According to the legal blog Ius Mentis, written by Arnoud Engelfriet, the European Data Protection Board (EDPB) has issued a position stating that requiring customers to create an account before they can place an order is not permitted under GDPR. The blog post references reporting by De Telegraaf on the same issue.

It is worth noting that Ius Mentis is a secondary commentary source. The EDPB position is referenced and partially quoted in the blog, but the primary EDPB document is not the source of this article. No fines have been issued and no specific company has been named as sanctioned.

What is the problem with mandatory accounts?

According to Ius Mentis, the core issue is that storing a customer's address and other personal data inside an account goes beyond what is strictly necessary to complete a single order. You need a delivery address to send out one parcel, but keeping that address saved in a permanent account is a separate matter.

Webshops sometimes argue that accounts help with fraud detection or improve the shopping experience. However, according to the Ius Mentis commentary on the EDPB position, these justifications are difficult to sustain. On the question of fraud detection specifically, the EDPB reportedly notes that many webshops operate without requiring accounts at all, and that a purchase history is not even available the first time a customer uses an account anyway.

According to Ius Mentis, webshops that do want to offer accounts would need to rely on legitimate interests under Article 6(1)(f) GDPR. However, the blog notes that commercial interests such as tracking or personalised offers are hard to justify against a customer's privacy rights. In practice, this means the outcome is often the same as simply asking: "Would you like to create an account?" That is, account creation should be optional, not a condition of purchase.

There are some situations where a mandatory account may be acceptable, reportedly including subscription services where ongoing access is needed, or loyalty programmes where the account itself serves as proof of membership.

What does this mean for your website?

If your webshop currently requires customers to create an account before they can complete a purchase, this is worth reviewing. According to the EDPB position as reported by Ius Mentis, offering a guest checkout option is the safer approach under GDPR. Making account creation optional rather than mandatory is a straightforward change that reduces your compliance risk without affecting your customers' ability to buy from you.
