The European Data Protection Board (EDPB) has just issued draft recommendations setting out the circumstances when e-commerce websites can require a user to create an account on an e-commerce website. 

In broad terms, the EDPB considers that—except in very limited cases such as subscription services—mandatory account creation to access offers or complete a purchase will generally not meet GDPR lawfulness requirements. This is because the processing which the retailer would be undertaking to set up/administer the account is unlikely to be necessary to achieve the purposes of arranging the purchase of products or services. It is also unlikely that the processing is required to fulfil a legal obligation, the performance of a contract or for a legitimate interest. 

The EDPB considers that the purposes to be achieved to facilitate the consumer transaction can be done using less intrusive means (for example, by allowing a user to use a ‘guest’ checkout option or a voluntary account creation option). Use of a guest checkout function also supports the principles of transparency, data minimisation and the obligation of data protection by default and by design.    

The EDPB also notes that using the guest checkout option also contributes to a more secure online environment, as it will reduce the amount of personal data a user gives to the retailer in the context of a particular transaction and reduces the development of logged-in environments where data subjects are systematically identified in order to complete actions, including purchases or accessing content. This may result in a greater amount of data being collected and processed regarding the data subject, including data collected directly from the data subject and data produced or inferred by the controller, in circumstances where the data controller may not be able to demonstrate it has an appropriate legal basis for the processing. It can also result in the retention of personal data on an active database for a period of time longer than is strictly necessary for the purchase and delivery of the order.  This can lead to personal data being retained for an unduly long period of time (which would not meet the GDPR data storage limitation principle) and / or render the stored personal data vulnerable to unauthorised access. 

The EDPB makes the point that users required to open an account often use a password that has already been used for other accounts. This increases the risk that unauthorised users gain access to the account and potentially exploit it for fraudulent activities, which could be attributed to the original account holder. Attackers could also gain access to all personal data stored within the account. This can result in attackers using the access to one account to compromise the user’s access to all other connected services as well.  Logged-in environments also mean retailers can store a user’s browsing history and track the browsing habits to improve possible commercial targeting, especially by combining personal data collected via different purchasing channels. The EDPB notes that if the retailer does not have a proper legal basis, this would result in a breach of the GDPR. The personal data provided by users — such as name and contact details — are often “persistent” and can be used as unique identifiers. The collected data creates a unique fingerprint using a hash function. This fingerprint allows e-merchants to link multiple online user accounts and understand their browsing and purchasing behaviour. The EDPB also identifies the account creation step as a time when retailers may request users to disclose more personal data than is required for purchase and delivery of goods, through the use of deceptive online choice architecture, by formulating the consent requests in a misleading way, at the moment the consumer is due to make the purchase. It considers that a retailer will not be able to demonstrate GDPR compliance in these circumstances.

On the other hand, subscriptions businesses are permitted to implement mechanics requiring a compulsory account, where they can demonstrate that the account is strictly necessary for data subjects to access the services to which they have subscribed, on the basis of Article 6(1)(b) GDPR. The retailer will need to show that performance of the contract requires recurrent authenticated interactions throughout the duration of the contract and will only be able to rely on this legal basis for the duration of the contractual relationship. The EDPB notes that there should be an actual and valid contract for the subscription, so that it can show the customer agreed to enter into a long-term contractual relationship with the retailer (and evidencing the customer’s intention to be contractually bound).

The EDPB has also provided guidance on whether a retailer can require users to create an online account in order to access exclusive offers. It considers that controllers must assess whether the creation of an online user account is necessary for the customer to access a closed community of members who can benefit from privileged access to certain offers of the controller. Whether access to exclusive offers can be considered an essential part necessary for the performance of a contract will depend on the nature of the service provided, the reasonable expectations of the data subjects and whether the contract can be considered to be ‘performed’ without the provision of exclusive offers. The EDPB emphasises that, when such offers are actually accessible to all data subjects through the mere creation of an account, the mandatory creation of an account (and the associated processing of personal data) does not appear to be necessary for the performance of a contract.

The EDPB also casts doubt on the need for a user to have an online account for the purposes of accessing after-sales services (such as exchanges and returns, ability to lodge a complaint in case of dissatisfaction or benefiting from a contractual guarantee). It considers these needs can be met by allowing data subjects to use secure online forms or contact customer service, and therefore that the necessity test for requiring a user account is unlikely to be met. These services can be provided, for instance, by providing the customer with a specific hyperlink via email that allows the controller to automatically respond to queries related to the specific order in their customer relationship management system. It emphasises that the need for a retailer to meet its consumer protection obligations should not depend on whether the customer has provided his or her personal data by means of a mandatory online user account. 

The EDPB also identifies ways in which a retailer can manage order tracking and managing subsequent changes to a customer order, without the need to implement mandatory customer accounts – as it considers retailers will not meet the Article 6(1)(f) GDPR legal basis as they will be unable to meet the necessity threshold for either of these activities.

At the heart of the recommendations is a core focus of the EDPB: the need to facilitate consumer choice. The EDPB is clear that giving the user a choice between creating an account or purchasing as a guest is more compatible with the obligations of data protection by default and by design contained in Article 25 GDPR.  Giving users the choice of making online purchases by creating an account or with the guest mode option, encourages the retailer to provide in-depth information on both procedures, particularly with regard to their respective purposes and thereby ensures the retailer acts in line with the transparency and data minimisation principles.

The recommendations are now out for public consultation.