The European Data Protection Board (EDPB) has published draft recommendations that could fundamentally change how websites and e-commerce platforms handle user registration in Europe, including the Netherlands. The guidance, which focuses on when organisations can legally require account creation, has particular implications for the Dutch digital market where consumer complaints about mandatory accounts have been mounting for years.
Published in December 2025 as Recommendations 2/2025, the EDPB’s position centres on a fundamental privacy principle: data minimisation. The board argues that in most cases, forcing users to create permanent accounts before they can access services or complete purchases violates the General Data Protection Regulation’s requirements for proportionate data processing.
Why Dutch website owners should pay attention
The Netherlands’ Autoriteit Persoonsgegevens (NL) has been particularly vocal about this issue, noting that mandatory account requirements have generated persistent complaints from Dutch consumers. The regulator emphasised that the practice often leads to collecting and storing more personal data than necessary, increasing risks ranging from data breaches to identity theft.
For website operators running content platforms, affiliate networks, or niche sites with sponsored content, these recommendations signal a potential shift in how European regulators view user authentication requirements. While the guidance primarily targets e-commerce, its underlying principles apply broadly to any digital service that processes personal data.
The core principle: guest access as default
According to the EDPB’s framework, websites should default to guest modes that allow users to complete transactions or access services without creating persistent, identifiable profiles. The detailed guidance document states that mandatory account creation can only be justified when it meets strict necessity tests under GDPR Article 6(1)(b) for contract performance, Article 6(1)(c) for legal obligations, or Article 6(1)(f) for legitimate interests.
The recommendations specify that for one-time purchases or interactions, requiring account creation is almost never necessary. This extends to common scenarios that website operators might assume justify mandatory registration, such as order tracking, returns processing, or basic personalisation features.
When mandatory accounts remain permissible
The EDPB identifies specific circumstances where mandatory account creation can be justified. These include subscription services where ongoing authenticated access is intrinsic to the service model, such as streaming platforms or software-as-a-service products. Similarly, closed community access where membership requires verification based on professional status, invitation, or predefined criteria would fall within acceptable use cases.
For content platforms and membership sites, this distinction matters significantly. A platform offering exclusive content to verified industry professionals could legitimately require accounts. A general-access blog requiring registration simply to read articles would likely face scrutiny.
The legitimate interest challenge
Many website operators rely on Article 6(1)(f) GDPR, citing legitimate interests such as fraud prevention, security, or improved customer service as justification for mandatory accounts. The EDPB takes a notably sceptical view of these arguments.
The recommendations establish that invoking legitimate interest requires passing both a necessity test and a balancing test. For fraud prevention specifically, the guidance notes that while protecting against fraudulent activity constitutes a legitimate interest, this does not automatically justify any processing activity undertaken in that interest’s name. Website operators would need to demonstrate that guest checkout options genuinely cannot provide adequate fraud protection.
Research from legal analysts examining the recommendations suggests that organisations claiming mandatory accounts are essential for fraud prevention should prepare detailed documentation showing why less intrusive alternatives prove technically or legally impossible.
Implications for content and affiliate platforms
For operators of content placement networks and affiliate platforms, these recommendations raise important questions about registration requirements. Platforms facilitating sponsored content placements might argue that accounts are necessary for contract performance between publishers and advertisers. However, the EDPB’s strict interpretation of necessity suggests that if the platform can facilitate transactions through guest processes with order confirmation emails and tracking numbers, mandatory accounts may not withstand regulatory scrutiny.
Comment systems and interactive features present another consideration. While the recommendations focus primarily on e-commerce, the underlying principle of data minimisation applies equally to user-generated content platforms. Requiring account creation to leave comments could face challenges unless the platform can demonstrate that verified, persistent identities are genuinely necessary for the service’s core function rather than simply convenient for moderation or user tracking.
The remarketing and analytics dilemma
One significant concern for website operators centres on customer data collection for marketing purposes. Mandatory accounts provide valuable persistent identifiers for remarketing campaigns, behavioural analytics, and customer journey mapping. The EDPB’s recommendations make clear that these commercial interests, while legitimate business objectives, do not constitute valid legal bases for mandatory account requirements.
The guidance specifically addresses personalisation, noting that providing non-essential personalised product recommendations during checkout does not justify mandatory account creation. This principle extends logically to content recommendations, personalised advertising, and similar features that many platforms consider core to their value proposition.
Website operators seeking to maintain rich user data for analytics and marketing would need to rely on voluntary account creation, where users choose to register for added benefits. The critical distinction lies in offering genuine choice: users must be able to access core services without creating accounts, even if accounts provide enhanced features.
Technical implementation considerations
For platforms currently requiring mandatory accounts, the EDPB’s recommendations suggest two compliance paths. The most straightforward approach involves implementing guest checkout or guest access options. While basic personal data necessary for service delivery (such as shipping addresses for e-commerce or email addresses for content delivery) can still be collected under the contract performance basis, no persistent user profile should be created unless users actively choose to register.
The second path involves documenting a detailed necessity defence. Organisations convinced that mandatory accounts are genuinely essential would need formal documentation demonstrating why guest options prove technically or legally impossible for specific, non-marketing purposes. This documentation would need to withstand potential regulatory scrutiny from privacy authorities.
Newsletter subscriptions and downloadable content
A common practice on content platforms involves requiring account creation to access downloadable resources or subscribe to newsletters. Under the EDPB’s framework, these scenarios require careful analysis. Newsletter subscriptions typically rely on consent rather than contract performance or legitimate interest. If users can subscribe by simply providing an email address without creating a broader account profile, that approach better aligns with data minimisation principles.
For downloadable content such as whitepapers, e-books, or resources that content marketers use for lead generation, the necessity test becomes crucial. If the download can be facilitated by collecting only an email address for delivery, requiring full account creation with password-protected profiles likely exceeds what’s necessary. The EDPB’s strict interpretation suggests that convenience for the website operator does not override data minimisation requirements.
Current status and timeline
These recommendations remain in draft form, with the public consultation period running until 12 February 2026. The EDPB explicitly invites feedback from organisations, industry associations, and stakeholders, providing an opportunity for website operators to raise practical concerns or implementation challenges.
The Autoriteit Persoonsgegevens has encouraged Dutch organisations to participate in this consultation process, recognising that the final recommendations will influence enforcement priorities across European privacy regulators. For website operators in the Netherlands, this consultation period represents a valuable window to assess current practices, consider necessary adjustments, and potentially contribute to shaping the final guidance.
Enforcement implications and regulatory outlook
While these are recommendations rather than immediately binding regulations, their practical impact should not be underestimated. EDPB guidance carries significant weight in how national privacy authorities interpret and enforce GDPR provisions. The Autoriteit Persoonsgegevens has already signalled alignment with these principles, suggesting that Dutch website operators relying on mandatory accounts may face increased scrutiny.
GDPR enforcement typically involves graduated responses, beginning with guidance and warnings before proceeding to formal sanctions. Website operators should not expect immediate fines simply for maintaining mandatory accounts. However, the regulatory landscape is clearly shifting toward stricter interpretation of necessity requirements, and organisations that fail to adapt may eventually face enforcement actions.
The Consumentenbond’s research (NL) from 2023 identified 20 of the Netherlands’ 100 largest webshops as requiring mandatory accounts, including major platforms like Bol.com and Zalando. If the EDPB’s recommendations become final in their current form, these platforms – and countless smaller operators – would face pressure to implement guest access options or provide compelling necessity justifications.
Privacy policy and terms of service considerations
Website operators will need to review and potentially update privacy policies and terms of service to reflect any changes in account requirements. If implementing guest access alongside account options, privacy documentation must clearly explain how data processing differs between the two paths. Users choosing guest access should understand exactly what data is collected, how long it’s retained, and for what purposes.
For organisations maintaining mandatory accounts based on documented necessity defences, privacy policies should transparently explain why accounts are required and what alternative approaches were considered but found inadequate. This transparency serves both compliance and user trust objectives.
Balancing user preferences with regulatory requirements
An interesting aspect of this debate involves user preferences themselves. Some consumers genuinely prefer accounts for convenience, enjoying features like order history, saved preferences, and streamlined repeat purchases. The EDPB’s recommendations do not prohibit offering these features; they simply require that accounts remain optional rather than mandatory.
This creates an opportunity for website operators to compete on user experience rather than data collection. Platforms that make account creation genuinely valuable through enhanced features, better service, or exclusive benefits may find that many users voluntarily register. The shift from mandatory to voluntary accounts need not result in reduced user engagement if the account benefits are compelling enough.
Strategic considerations for website operators
For content platform operators, affiliate networks, and niche site portfolios, these recommendations suggest several strategic considerations. First, audit current registration requirements across all properties. Identify which sites or services genuinely require persistent user accounts versus those where guest access could function adequately.
Second, evaluate the business case for voluntary versus mandatory accounts. Calculate how many users might choose not to register if given the option, and assess the impact on remarketing capabilities, customer lifetime value tracking, and other data-dependent strategies. This analysis should inform decisions about whether to maintain mandatory accounts with strong necessity documentation or transition to voluntary registration with enhanced benefits.
Third, consider the competitive landscape. If major platforms in your sector adopt guest access options while you maintain mandatory registration, user experience expectations may shift. Early adoption of privacy-friendly practices can become a competitive advantage rather than merely a compliance burden.
Looking ahead: the broader privacy landscape
These recommendations on mandatory accounts fit within a broader trend of European privacy regulators tightening interpretation of GDPR requirements. Recent enforcement actions have targeted cookie consent practices, legitimate interest claims for marketing, and data retention periods. The pattern suggests that initial permissive interpretations of GDPR provisions are giving way to stricter standards as the regulation matures.
For website operators, this trajectory indicates that privacy compliance will require ongoing attention rather than one-time adjustments. Practices that seemed acceptable in 2018 when GDPR took effect may face challenges in 2026 and beyond. Building flexibility into technical systems and maintaining awareness of regulatory developments becomes increasingly important.
The consultation period for these recommendations provides a critical opportunity to engage with the evolving regulatory framework. Website operators should consider not only how to comply with likely requirements but also how privacy-conscious practices can enhance rather than hinder their business models. The most successful digital platforms in coming years may be those that treat privacy as a feature rather than an obstacle.