23 February 2026
newsletter
hungary

Mandatory user accounts in webshops: compliance risk and potential fines under the GDPR

When more than three quarters of a country's adult population shop online, e-commerce is no longer merely a business trend but a regulatory challenge. According to the latest data published by the Hungarian Central Statistical Office, in 2025 77.2 % of the Hungarian population aged 16-74 had made an online purchase, with more than half of consumers (54.8 %) shopping online within the previous three months. This level of market penetration has inevitably attracted increased regulatory attention, with competent authorities becoming ever more active in scrutinising the lawful operation of webshops.

At this scale, webshop operations are inseparable from large-scale personal data processing. Online purchases necessarily involve the processing of personal data throughout the transaction lifecycle, from order placement and payment to delivery and customer communication. In practice, many webshops address these operational needs by requiring customers to create a user account before completing a purchase. While this approach may offer clear business advantages, mandatory user account registration raises a number of compliance questions under the GDPR, particularly with regard to identifying a valid legal basis and ensuring adherence to the principles of lawfulness, fairness, transparency and data minimisation.

EDPB Recommendations 2/2025: what's the problem with forcing user accounts?

The European Data Protection Board (EDPB) – the EU body responsible for the consistent interpretation of the GDPR across Member States – issued its Recommendations 2/2025 explaining when businesses may require customers to create user accounts on e-commerce sites and which legal bases might apply. The EDPB's starting point is simple: forcing account creation typically ramps up privacy risk, from more tracking and profiling to longer retention of purchase and contact data, and the security exposure that comes with dormant or "orphaned" accounts. Because of these risks, the EDPB takes a cautious line on when accounts can be made mandatory.

The key test is whether a mandatory account is genuinely necessary for the stated purpose and whether there is a less intrusive way to achieve the same outcome.

When can mandatory accounts be justified?

The EDPB considers that mandatory accounts may be justified only in narrowly circumscribed scenarios, for instance, where a genuine subscription service requires recurrent authenticated interactions over time to deliver the service, or where access is restricted to a true "closed community" of members with specific, proven characteristics, such that membership itself constitutes the core subject matter. In such cases, the requirement can be justified as necessary to deliver the service, but only where strict necessity is shown, no equally effective and less intrusive alternative exists, and the account is needed for the duration of the relationship.

By contrast, purported "exclusive offers" that are in fact open to anyone who simply registers do not constitute a closed community and therefore do not meet the necessity test.

What does not justify mandatory accounts?

The Recommendations make clear that in common retail use cases, businesses typically cannot meet the necessity test and therefore should not require accounts:

  • A one-time purchase can be completed without an account, as widely demonstrated by guest checkout models.
  • Order tracking and post‑purchase changes can be provided via links, e-mails or secure forms without creating a permanent account.
  • After‑sales services (returns, complaints, warranties) and the exercise of consumer or privacy rights do not require a user account; identification can be achieved through other channels, and businesses must fulfil these obligations irrespective of account status.
  • Building customer loyalty, facilitating future orders, and similar convenience‑oriented aims are typically neither strictly necessary nor reasonably expected at the point of purchase, and in many cases require consent and must also comply with cookie and tracking rules for personalisation.
  • Fraud prevention, although a legitimate goal in principle, generally does not require mandating account creation because less intrusive and effective measures exist, and the necessity and balancing tests are unlikely to be met.

In short, except in very limited cases such as subscriptions or access restricted to a genuinely closed membership community, requiring accounts will not normally meet the conditions for lawfulness, as less intrusive means are available to achieve the same purposes.

Guest checkout and privacy‑by‑design

The EDPB strongly encourages offering a guest checkout option, allowing users to complete transactions without creating an account, as this is generally the most privacy-protective and efficient approach and aligns with the principles of data protection by design and by default. Guest checkout promotes transparency by clarifying that only the data necessary to perform the sale will be processed, whereas account creation – where appropriate and voluntary – can be explained as enabling additional features such as order history or loyalty benefits.

Enforcement exposure and practical takeaway

Failure to align mandatory account practices with these principles constitutes an infringement and, in Hungary, may trigger enforcement by the National Authority for Data Protection and Freedom of Information (NAIH), including administrative fines of up to EUR 20m or 4 % of worldwide annual turnover (whichever is higher).

As a practical takeaway, webshops that currently require mandatory account creation should assess whether this practice is genuinely justified under the GDPR, as in most standard retail scenarios offering a guest checkout option will be the more compliant and lower-risk approach.

authors: Barbara Darcsi, Gergely Horvath
