The e-commerce sector responds to the EDPB’s draft Recommendations on guest mode

On 3 December 2025, the European Data Protection Board (EDPB), the EU independent body responsible for ensuring the consistent application of the GDPR across Europe, adopted its Draft Recommendations 2/2025 on the legal basis for requiring the creation of user accounts on e-commerce websites. The draft document, which was open for consultation until 12 February 2026, sets out a general rule that users should have a choice either to create an account or proceed to the purchase as a guest through a guest mode. It introduces very narrow exceptions to the rule in very limited cases, such as websites offering a subscription service or providing access to exclusive offers.

The draft Recommendations are based on the EDPB’s finding that, in the vast majority of cases, mandatory account creation fails to meet the conditions for lawful processing under Article 6 GDPR. Specifically, it cannot be justified as necessary for the performance of a contract (Article 6(1)(b)), or based on legitimate interest (Article 6(1)(c)). However, the draft Recommendations fail to consider that the legitimate interest of an e-commerce website in requiring user accounts lies in the considerable organisational optimisations and cost savings made possible by their existence.

What makes customer accounts so important in e-commerce?

Customer accounts are central to delivering a personalised and tailored shopping experience to consumers. This personalisation mechanism is comparable to that offered by video-on-demand platforms, whose extensive catalogues only become attractive if they present users with content that is most likely to interest them. By mandating a guest mode, the EDPB would effectively require e-commerce businesses to offer a non-personalised and degraded version of their service, disregarding market realities and well-established consumer expectations.

Customer accounts are also essential tools for cyber security and data protection itself. Alternatives such as access links sent via email or SMS are less efficient and expose users to increased phishing and malware risks. Eliminating user accounts removes an important security layer, while guest mode requires sensitive information (invoices, addresses, and tracking links) to be transmitted via email. Other reasons to implement user accounts include facilitating the exercise of consumer and GDPR rights through user-friendly functionalities, reducing returns through accurate sizing recommendations in the fashion industry, or ensuring the authenticity of reviews, which is critical to consumer trust.

A GDPR-effective approach

By suggesting a mandatory guest mode, the draft Recommendations fail to recognise the complex and diverse reality of modern e-commerce business models and fall short on proportionality grounds. As a matter of fact, guest modes are not inherently more privacy-friendly than customer account creation.

It is a common misconception that guest mode necessarily leads to less personal data being processed. Completing an online purchase requires the processing of more personal data (address and payment information) than the creation of a customer account alone, which only requires providing a first name, last name, e-mail address and a password. In terms of data minimisation, making repeated purchases via guest mode generates multiple separate and potentially conflicting records, whereas a single account consolidates data around one identifier. Guest mode does not reduce retention periods either, as obligations under the Digital Services Act (DSA), the General Product Safety Regulation (GPSR), and fiscal law require merchants to retain purchase data regardless.

Safeguarding the freedom to conduct a business

Mandating a guest mode on nearly all e-commerce websites would be inconsistent with EU legislative principles and represents an overreach by the EDPB into e-commerce companies’ freedom to conduct their business, guaranteed under Article 16 of the EU Charter of Fundamental Rights. In this respect, the draft Recommendations are not consistent with the principle of proportionality set out in Recital 4 of the GDPR, which requires a fair balance between the right to the protection of personal data and other fundamental rights, including the freedom to conduct a business. The CJEU has consistently stressed that the GDPR must be interpreted in line with fundamental rights and should not be used as a means to reshape business models, such as in SAS Institute Inc. v. Wyeth (C-634/17) where the CJEU clarified that the GDPR establishes conditions for lawful data processing but does not dictate the fundamental design of business models.

The concrete impact on the e-commerce sector

Ecommerce Europe raises serious concerns about the operational consequences of a mandatory guest mode on hundreds of thousands of online shops in Europe. These are some key concerns:

  • Jeopardise business models: The introduction of a guest mode would force many businesses to rethink their entire business structure, especially online marketplaces with third-party sellers, e-commerce websites offering auction or limited quantity items, trade-in programs, event sales, e-commerce platforms providing interactive features, consumer-to-consumer sales, etc.
  • Reorganisation of IT systems: Implementing a separate guest checkout infrastructure would, for many businesses, require an end-to-end IT rebuild that could take up to two to three years.
  • Generation of unrealistic costs: Beyond time and human resources, the guest mode would imply new costs associated with duplicative system architectures, increased customer service, maintenance requirements, and operational inefficiencies.

A way forward

Ecommerce Europe calls for a case-by-case approach in place of a near-horizontal obligation. The draft Recommendations apply a one-size-fits-all reading of the GDPR that disregards the diversity of e-commerce business models, from multi-party marketplaces to live shopping sites. Each of these models presents distinct operational, legal, and security realities that a blanket guest mode requirement fails to accommodate.

The topic of guest mode on e-commerce websites goes beyond data protection alone and touches on consumer law, security, contract law, and the freedom to conduct a business. In this respect, the draft Recommendations do not align with the principle of proportionality set out in Recital 4 of the GDPR. For this reason, the sector calls for a more holistic and balanced assessment at Commission level.

You can read the sector-wide response, which invites the EDPB to pause adoption of the Recommendations and engage in a more structured dialogue with the industry before finalising its conclusions.