EDPB Challenges “Forced Accounts” in Online Shopping: Guest Checkout Back in Focus

The EDPB has opened a public consultation on Recommendations 2/2025, addressing when e-commerce websites can lawfully require users to create accounts before purchasing goods or services. The consultation runs from 4 December 2025 to 12 February 2026, and the guidance sits squarely within GDPR themes of data minimisation and privacy by default.

Mandatory account creation is a common online pattern, often justified as necessary for order management, fraud prevention, customer experience, or marketing. The EDPB’s guidance challenges organisations to be precise: where account creation is not objectively necessary, it should not be imposed as the default route to purchase. In effect, the recommendations encourage retailers to provide alternatives such as guest checkout, and to avoid collecting persistent identifiers and profile data where a transaction can be completed without them.

The broader implication is that “user experience design” is treated as part of compliance. If a site architecture nudges users into creating accounts, storing more data for longer, or enabling broader downstream use (such as marketing), organisations should expect regulators to test whether those choices are proportionate and justified. The consultation also links the question to Article 25 (data protection by design and by default), emphasising that compliance is not merely what happens after data is collected, but how collection is engineered.

This guidance is particularly relevant to organisations building cookie and consent tooling, customer identity layers, or checkout flows. It is also relevant beyond retail: any service that uses account creation as a “gate” to access content, functionality, or service delivery may need to re-check its legal basis and necessity arguments.

Acompli perspective: For product teams, this is a reminder that privacy is increasingly assessed at the level of pattern libraries: onboarding flows, account requirements, default settings, and retention behaviours. The quickest win is to map where account creation is genuinely required (subscriptions, ongoing services) versus where it is merely convenient. If you can support guest modes safely, you reduce stored data, shrink breach impact, and simplify compliance narratives.