
European Data Protection Board (EDPB) sets limits on the use of mandatory user accounts in digital services

In December 2025, the EDPB published Recommendations 02/2025 for public consultation, providing guidance on the requirement of mandatory user accounts as a condition for accessing digital services. The document responds to increasingly common practices in the digital market and seeks to harmonize the application of the GDPR across European Union member states.

According to the EDPB, requiring users to create an account is not unlawful in itself. However, the organization responsible for the service must demonstrate that such a requirement is necessary for the operation of the platform or for delivering the service. Arguments based on operational convenience, general commercial interests, or expanded data collection are not considered sufficient justifications.

The recommendations warn of frequent risks associated with mandatory accounts, such as excessive collection of personal data, continuous tracking of user behavior, unjustified profiling, and undue restrictions on access to information or services. Whenever possible, less intrusive alternatives should be considered, including access without an account, anonymous use, or use with limited data.

The EDPB also reinforces transparency obligations. Users must be clearly informed why an account is required, which data will be collected, how long they will be stored, and which rights they may exercise. In situations where mandatory accounts may pose high risks, the document recommends conducting a Data Protection Impact Assessment (DPIA).

Overall, the recommendations reinforce a broader European regulatory trend of assessing product choices, system architecture, and user experience through a data protection lens from the design stage onward.
