Many entrepreneurs who run a webshop recognise the dilemma: do you ask your customers to create an account, or do you also offer the option of checking out without registering? A recent publication by the Dutch Data Protection Authority (AP) shows that the European Data Protection Board (EDPB) will provide more clarity on this issue with new recommendations. The key message is clear: in many cases, a mandatory account is not permitted and may be in breach of the GDPR.
What is the problem?
Consumers have long complained about online shops that force them to create an account before they can place an order. These mandatory accounts are not only irritating, but also cause structural privacy issues: many online shops end up collecting more personal data than necessary and keeping it for longer than necessary. This includes email addresses, telephone numbers, dates of birth and order history. That excess data also increases the risk of data leaks or misuse.
What do the regulators say?
The EDPB, which brings together European privacy regulators, published new recommendations at the end of 2025. These make it clear that a mandatory account is not justified in most cases.
Examples where, according to the EDPB, an account is not necessary: a customer orders a product once, or wants to track or return an order.
Examples where a mandatory account can be justified: subscription services, such as a monthly coffee delivery, or when access is granted to a private members’ area, for example an exclusive community for professionals.
In most other cases, give the customer freedom of choice. Let them choose between creating an account or checking out as a guest.
The guest option as default
According to the EDPB, the guest option is the most privacy-friendly choice. As an online shop, you only request the information you really need: name, address, email address and, if necessary, a telephone number for delivery. No more, no less. This is in line with the privacy principle of ‘data minimisation’ and the obligation to design your services to be as privacy-friendly as possible (privacy by design/default).
What does this mean for your online shop?
As an entrepreneur, you need to take a critical look at how your ordering process is set up. Is it really necessary for every customer to create an account? Or is that mainly useful for marketing or repeat purchases? The GDPR does not simply allow the collection of data for ‘convenience’ or ‘marketing purposes’. This requires a clear legal basis and careful consideration of interests.
A practical example: a sports equipment webshop only allows customers to place orders if they create an account, even if they only want to buy one pair of socks. According to the EDPB, this is not permitted. It would be better for the business to offer a guest option and make creating an account optional, for example to view previous orders or to be able to reorder more quickly.
Less data = less risk
There is an additional advantage: the less data you store, the less risk you run. Not only in terms of fines, but also in terms of reputational damage in the event of a data breach. Many data breaches occur because systems are full of outdated customer data that is no longer needed. By collecting less data and storing it for shorter periods of time, you limit your vulnerability.
What now?
The EDPB’s recommendations are currently still under consultation. Organisations, industry associations and other stakeholders have until 12 February 2026 to respond. After that, the recommendations will become final. Nevertheless, it is wise for entrepreneurs to take action now, as the direction the regulators are taking is clear.
Do you have a webshop or do you sell products online and are you unsure whether your ordering process is GDPR-compliant? Then contact lawyer Julia van Leeuwen at Guldemond Advocaten. She will be happy to advise you on privacy, data minimisation and customer-friendly solutions that comply with the law.