Written by: Haim Ravia, Dotan Hammer
The European Data Protection Board (EDPB) has published and opened for public comments new recommendations addressing the widespread practice of requiring users to create accounts before browsing or purchasing on e-commerce websites. The guide concludes that mandatory account creation can be lawfully justified only in narrow circumstances.
EDPB recommendations for e-commerce sites
The EDPB systematically analyzed the three legal bases controllers typically invoke—contract performance, legal obligation, and legitimate interest—and found each insufficient in most scenarios. For one-time purchases, the EDPB determined that account creation fails the necessity test since the data required to execute a sale can be collected without a persistent account, as demonstrated by retailers offering guest checkout. Controllers also cannot rely on legitimate interest for purposes such as order tracking, facilitating subsequent purchases, building customer loyalty, or fraud prevention, because less intrusive alternatives exist, and customer expectations generally do not encompass mandatory account creation for simple transactions.
The EDPB identified only limited situations where mandatory accounts may be justified: subscription services involving recurring authenticated interactions throughout a contractual relationship, and access to genuinely exclusive offers reserved for verified members of restricted communities with specific proven characteristics. Notably, membership programs open to anyone who provides personal data do not qualify as “exclusive offers” that justify mandatory registration.
The guidance emphasizes that mandatory accounts expose data subjects to heightened risks, including excessive data collection, prolonged retention creating security vulnerabilities, facilitated behavioral tracking, and deceptive design patterns prompting unnecessary disclosure. The Board concludes that offering users a choice between account creation and guest checkout represents the most privacy-protective approach, aligning with data protection by design and default obligations.
EU high court says marketplace is a joint controller
Meanwhile, the Court of Justice of the European Union (CJEU) issued its judgment in X v. Russmedia Digital, establishing significant new obligations for online marketplace operators regarding advertisements containing personal data.
The case arose from a fraudulent advertisement posted anonymously on a Romanian classified ads platform, falsely presenting the claimant as offering sexual services using her photographs and phone number without consent. The content was subsequently copied to other websites, causing ongoing harm.
The Court held that marketplace operators qualify as joint controllers under the GDPR alongside user advertisers when they publish advertisements for their own commercial purposes and retain rights to exploit the content. Critically, the Court ruled that such operators must implement appropriate technical and organizational measures before publication to: identify advertisements containing sensitive personal data; verify whether the user advertiser is the data subject whose sensitive information appears in the advertisement; and refuse publication unless the advertiser demonstrates explicit consent from the data subject or another exception applies.
The judgment further requires marketplace operators to implement security measures to prevent published advertisements containing sensitive data from being copied and unlawfully redistributed to other websites.
Significantly, the CJEU held that marketplace operators cannot invoke the hosting liability exemption under the E-Commerce Directive to escape these GDPR obligations. The Court reasoned that the E-Commerce Directive excludes personal data protection matters from its scope, meaning e-commerce liability limitations cannot interfere with the GDPR regime.
Click here to read the EDPB’s recommendations on the legal basis for requiring the creation of user accounts on e-commerce websites.
Click here to read the CJEU’s judgment in X v. Russmedia Digital.