In January 2025, the German Supervisory Authority of Hamburg (“HSA”) examined the practices of online retailers based in Hamburg as to whether they allowed consumers to make purchases without creating a user account. This was mentioned in a press release issued by the HSA regarding a ruling by the Hamburg Higher Regional Court confirming an HSA decision that online retailers may, in certain circumstances, require consumers to create a user account. This, in turn, follows the guidance published by the German supervisory authorities (“German SAs”) in 2022 (in German), which stated that online retailers generally may not require consumers to create a user account in order to make a purchase.
Background: German SAs’ Guidance
According to the German SAs, there may be practical reasons for consumers to create an account for online purchases (e.g., to keep relevant information for future purchases), but it cannot be assumed that they are always interested in doing so. Therefore, consumers should be able to shop online without creating an account.
With respect to the processing of the consumer’s account information (e.g., username, password, order history), the German SAs take the view that the creation of an account is generally not necessary for the performance of the purchase contract, so the online retailer generally may not rely on this legal basis (Article 6(1)(b) GDPR). However, the German SAs also recognized that there may be situations where online retailers may require consumers to create an account, for example, specialized dealers for certain professional groups. In any case, the online retailer must limit the processing of personal data to the extent necessary in order to comply with the data minimization principle (Article 5(2)(c) GDPR). For example, if a consumer chooses not to create an account, the online retailer should only collect and further process the data necessary to fulfill the order and should delete the data after that fulfillment, unless the online retailer is required by law to archive the data.
According to the German SAs, in the absence of “contractual performance” as a legal basis (see above), the online retailer requires the consumer’s consent (Article 6(1)(a) GDPR) for the processing of his or her data in connection with the creation of an account. As this consent must be freely given, the consumer should have the choice to make a purchase with or without a user account. Consumers who choose not to create a user account should not suffer any disadvantages; in particular, the online retailer should not make it more difficult to place an order or reduce the level of security for the protection of personal data.
For consumers who choose to create an account, online retailers may only use account information (such as order history) for advertising purposes if they obtain separate consent from the consumer. They also need separate consent to retain consumers’ payment information for future purchases.