In January 2025, the German Supervisory Authority of Hamburg (“HSA”) examined the practices of online retailers based in Hamburg as to whether they allowed consumers to make purchases without creating a user account. This was mentioned in a press release issued by the HSA regarding a ruling by the Hamburg Higher Regional Court confirming an HSA decision that online retailers may, in certain circumstances, require consumers to create a user account. This, in turn, follows the guidance published by the German supervisory authorities (“German SAs”) in 2022 (in German), which stated that online retailers generally may not require consumers to create a user account in order to make a purchase.

Background: German SAs’ Guidance

According to the German SAs, there may be practical reasons for consumers to create an account for online purchases (e.g., to keep relevant information for future purchases), but it cannot be assumed that they are always interested in doing so. Therefore, consumers should be able to shop online without creating an account.

With respect to the processing of the consumer’s account information (e.g., username, password, order history), the German SAs take the view that the creation of an account is generally not necessary for the performance of the purchase contract, so that the online retailer generally may not rely on this legal basis (Article 6(1)(b) GDPR). However, the German SAs also recognized that there may be situations where online retailers may require consumers to create an account, for example, specialized dealers serving certain professional groups. In any case, the online retailer must limit the processing of personal data to the extent necessary in order to comply with the data minimization principle (Article 5(2)(c) GDPR). For example, if a consumer chooses not to create an account, the online retailer should only collect and further process the data necessary to fulfill the order and should delete the data after that fulfillment, unless the online retailer is required by law to archive the data.

In the absence of “contractual performance” as a legal basis (see above), the online retailer requires the consumer’s consent (Article 6(1)(a) GDPR) for the processing of his or her data in connection with the creation of an account, according to the German SAs. As this consent must be freely given, the consumer should have the choice to make a purchase with or without a user account. Consumers who choose not to create a user account should not suffer any disadvantages; in particular, the online retailer should not make it more difficult to place an order or reduce the level of security for the protection of personal data.

For consumers who choose to create an account, online retailers may only use account information (such as order history) for advertising purposes if they obtain separate consent from the consumer. They also need separate consent to retain consumers’ payment information for future purchases.

HSA’s Sweep

According to the HSA, the majority of the Hamburg-based online retailers surveyed offered the possibility of making a purchase without creating a user account, in line with the above-mentioned guidelines of the German SAs.

However, the HSA also noted that online retailers may require consumers to create a user account in particular in the following circumstances – if the online retailer:

  • operates a marketplace with many affiliated merchants and centralized consumer support;
  • needs to manage a large number of returns and enquiries to third party merchants through a single platform;
  • collects only the data necessary to fulfil the contract with the consumer and only stores this data for specific purposes (e.g., for tax purposes); and
  • deletes consumers’ personal data and inactive accounts within a reasonable period of time.

The HSA nevertheless stresses that, in case of doubt, online retailers should offer consumers the possibility to make purchases without creating a user account.

*                      *                              *

The Covington Privacy & Cyber team continues to keep a close eye on the guidance issued by European supervisory authorities and how it is being applied by courts and regulators. If you have any questions, feel free to reach out to any member of the team.

This blog post was written with the contributions of Alberto Vogel.

Moritz Hüsch

Moritz Hüsch is partner in Covington’s Frankfurt office and co-chair of Covington’s Technology Industry Group as well as the Artificial Intelligence (AI) and Internet of Things (IoT) Practice Groups. His practice focuses on complex technology- and data-driven licensing deals and cooperations, outsourcing, commercial contracts, e-commerce, m-commerce, as well as privacy and cybersecurity.

Moritz is regularly advising on issues and contracts with respect to IoT, AV, big data, digital health, and cloud-related subject matters. In addition, he regularly advises on all IP/IT-related questions in connection with M&A transactions. A particular focus of Moritz’s practice is on advising companies in the pharmaceutical, life sciences and healthcare sectors, where he regularly advises on complex licensing, data protection and IT law issues.

Moritz is regularly listed as one of the best lawyers in the areas of IP, IT, and data protection, among others, by Chambers, Legal 500, Best Lawyers in cooperation with Handelsblatt, and Wirtschaftswoche.

Kristof Van Quathem

Kristof Van Quathem advises clients on information technology matters and policy, with a focus on data protection, cybercrime and various EU data-related initiatives, such as the Data Act, the AI Act and EHDS.

Kristof has been specializing in this area for over twenty years and developed particular experience in the life science and information technology sectors. He counsels clients on government affairs strategies concerning EU lawmaking and their compliance with applicable regulatory frameworks, and has represented clients in non-contentious and contentious matters before data protection authorities, national courts and the Court of the Justice of the EU.

Kristof is admitted to practice in Belgium.

Anna Sophia Oberschelp de Meneses

Anna Sophia Oberschelp de Meneses advises on EU data protection, cybersecurity, and consumer law. Her practice covers the full range of Europe’s digital regulatory framework, including GDPR, ePrivacy, NIS2, the Cyber Resilience Act, the AI Act, the Digital Services Act, the Data Act, the European Health Data Space, and EU consumer protection law, including product safety, product liability, and consumer rights legislation. She focuses on the operational side of compliance — helping clients design policies and processes, draft documentation, and build the internal frameworks needed to meet regulatory requirements in practice.

She also advises on contentious matters, drawing on experience managing investigations before national regulators and proceedings before national courts and the Court of Justice of the European Union. She works closely with Covington’s disputes teams on matters at the intersection of regulatory compliance and litigation.