In January 2025, the German Supervisory Authority of Hamburg (“HSA”) examined the practices of online retailers based in Hamburg as to whether they allowed consumers to make purchases without creating a user account. This was mentioned in a press release issued by the HSA regarding a ruling by the Hamburg Higher Regional Court confirming an HSA decision that online retailers may, in certain circumstances, require consumers to create a user account. This, in turn, follows the guidance published by the German supervisory authorities (“German SAs”) in 2022 (in German), which stated that online retailers generally may not require consumers to create a user account in order to make a purchase.
Background: German SAs’ Guidance
According to the German SAs, there may be practical reasons for consumers to create an account for online purchases (e.g., to keep relevant information for future purchases), but it cannot be assumed that they are always interested in doing so. Therefore, consumers should be able to shop online without creating an account.
With respect to the processing of the consumer’s account information (e.g., username, password, order history), the German SAs take the view that the creation of an account is generally not necessary for the performance of the purchase contract, so that the online retailer generally may not rely on this legal basis (Article 6(1)(b) GDPR). However, the German SAs also recognized that there may be situations where online retailers may require consumers to create an account, for example, in the case of specialized dealers for certain professional groups. In any case, the online retailer must limit the processing of the personal data to the extent necessary in order to comply with the data minimization principle (Article 5(2)(c) GDPR). For example, if a consumer chooses not to create an account, the online retailer should only collect and further process the data necessary to fulfill the order and should delete the data after that fulfillment, unless the online retailer is required by law to archive the data.
In the absence of “contractual performance” as a legal basis (see above), the online retailer requires the consumer’s consent (Article 6(1)(a) GDPR) for the processing of his or her data in connection with the creation of an account, according to the German SAs. As this consent must be freely given, the consumer should have the choice to make a purchase with or without a user account. Consumers that choose not to create a user account should not suffer any disadvantages; in particular, the online trader should not make it more difficult to place an order or reduce the level of security for the protection of personal data.
For consumers who choose to create an account, online retailers may only use account information (such as order history) for advertising purposes if they obtain separate consent from the consumer. They also need separate consent to retain consumers’ payment information for future purchases.
HSA’s Sweep
According to the HSA, the majority of the Hamburg-based online retailers surveyed offered the possibility of making a purchase without creating a user account, in line with the above-mentioned guidelines of the German SAs.
However, the HSA also noted that online retailers may require consumers to create a user account in particular in the following circumstances – if the online retailer:
- operates a marketplace with many affiliated merchants and centralized consumer support;
- needs to manage a large number of returns and enquiries to third party merchants through a single platform;
- collects only the data necessary to fulfil the contract with the consumer and only stores this data for specific purposes (e.g., for tax purposes); and
- deletes consumers’ personal data and inactive accounts within a reasonable period of time.
The HSA nevertheless stresses that, in case of doubt, online retailers should offer consumers the possibility to make purchases without creating a user account.
* * *
The Covington Privacy & Cyber team continues to keep a close eye on the guidance issued by European supervisory authorities and how it is being applied by courts and regulators. If you have any questions, feel free to reach out to any member of the team.
This blog post was written with the contributions of Alberto Vogel.