{"id":11425,"date":"2025-12-22T10:26:19","date_gmt":"2025-12-22T09:26:19","guid":{"rendered":"https:\/\/techgdpr.com\/?p=11425"},"modified":"2025-12-22T14:05:05","modified_gmt":"2025-12-22T13:05:05","slug":"data-protection-digest-22122025-e-commerce-websites-should-offer-a-choice-between-guest-mode-or-voluntary-account-creation","status":"publish","type":"post","link":"https:\/\/techgdpr.com\/blog\/data-protection-digest-22122025-e-commerce-websites-should-offer-a-choice-between-guest-mode-or-voluntary-account-creation\/","title":{"rendered":"Data protection digest 3-18 Dec 2025: E-commerce websites should offer a choice between ‘guest’ mode, or voluntary account creation"},"content":{"rendered":"\n

E-commerce user data<\/strong><\/h4>\n\n\n\n

As a general rule, users should have the option to engage with e-commerce websites, including the ability to make purchases, without creating an account<\/a>. In such cases, the EDPB recommends that e-commerce websites offer a choice: either a ‘guest’ mode, allowing users make purchases without creating an account, or the option to voluntarily create an account. This approach minimises the collection and processing of personal data, and therefore aligns with the GDPR’s principle of data protection by design and by default. However, mandatory account creation can be justified in a limited number of cases, including for example, offering a subscription service or providing access to exclusive offers. <\/p>\n\n\n\n

Stay up to date! Sign up to receive our fortnightly digest via email.<\/mark><\/a><\/h6>\n\n\n\n

Google antitrust investigation<\/strong><\/h4>\n\n\n\n

The EU Commission has opened an investigation into possible anticompetitive conduct by Google in the use of online content for AI purposes – using the content of web publishers, as well as content uploaded on the online video-sharing platform<\/a> YouTube. The investigation will notably examine whether Google is distorting competition by imposing unfair terms and conditions on publishers and content creators, or by granting itself privileged access to such content, thereby placing developers of rival AI models at a disadvantage. It should be noted that there is no legal deadline in the EU for bringing an antitrust investigation to an end. <\/p>\n\n\n\n

More legal updates<\/h4>\n\n\n\n

US AI national policy: <\/strong>On 11 December, President Trump signed an Executive Order on  establishing a national policy framework for AI<\/a> and lifting barriers to innovation. According to digitalpolicyalert.org, the US Administration will work with Congress to establish a single national AI standard that avoids conflicting state legislation<\/a>. This standard would override any state laws that contradict the policy and would include protections for children, respect for copyrights, prevention of censorship, and measures to keep communities safe. <\/p>\n\n\n\n

US immigration data: <\/strong>According to Privacy International, the US Government also intends to force visitors who are not required to get visas, such as British and French citizens, to submit their digital history and even DNA as the price of entry<\/a>. With this much data AI tools will likely be deployed to unlock details of your life for border and immigration agencies. In particular, it wants to know all about: <\/p>\n\n\n\n

    \n
  1. \u2018telephone numbers used in the last five years\u2019<\/li>\n\n\n\n
  2. \u2018email addresses used in the last ten years\u2019<\/li>\n\n\n\n
  3. \u2018family number telephone numbers (sic) used in the last five years\u2019<\/li>\n\n\n\n
  4. biometrics \u2013 face, fingerprint, DNA, and iris<\/li>\n\n\n\n
  5. business telephone numbers used in the last five years<\/li>\n\n\n\n
  6. business email addresses used in the last ten years.<\/li>\n<\/ol>\n\n\n\n

    If the proposed changes, published on 10th of December, are adopted after the 60-day consultation, travellers will have to use dedicated apps for their ESTA application<\/a>, and to provide biometric proof of their departure. The latter will disclose the user\u2019s location once they have left the US and run live detection on the selfie photo<\/strong>. <\/p>\n\n\n\n

    Password managers<\/strong><\/h4>\n\n\n\n
    \"e-commerce\"<\/figure>
    \n

    <\/p>\n\n\n\n

    <\/strong>The German Federal Office for Information Security (BSI) examined this product category and investigated the IT security features of ten selected password managers. Three out of ten stored passwords in a way that theoretically allows manufacturers access<\/a>. This increases the attack surface on the manufacturer’s side, which must be mitigated by additional compensatory measures. Users must trust these additional measures. <\/p>\n<\/div><\/div>\n\n\n\n

    If the password manager stores data in the cloud, consumers should be informed about the storage location and data protection measures. This information can be included, for example, on the manufacturer’s website, in the terms and conditions for using the product, or in the privacy policy.<\/p>\n\n\n\n

    AI Training guidance<\/strong><\/h4>\n\n\n\n

    The Swedish data protection authority IMY has investigated the possibility of using personal data to create synthetic data for AI training purposes<\/a>. Such data is created to resemble the original data without being able to be linked to individuals. It can be very positive from a privacy perspective, even though the synthesis itself means that personal data is processed, so it needs to comply with the GDPR. The particular project IMY investigated was about custody cases. It therefore involved a large amount of data of a very sensitive nature, which requires special considerations and measure<\/a>s. <\/p>\n\n\n\n

    More from supervisory authorities<\/h4>\n\n\n\n

    Medical research: <\/strong>The Hessian data protection commissioner has published a guide to data protection in medical research (in German). The guide presents four concrete use cases from the practice of medical research and classifies them from a data protection perspective. In particular, the cases describe the use of AI in cancer screening, pathology, intensive care, and the distinction between quality assurance and scientific research<\/a>. The guide pays particular attention to the question of under what circumstances data can be considered anonymous. The use of anonymised data is especially relevant for medical research and the training of AI models<\/a>. For research projects where anonymisation is not practical, the guide presents alternative legal bases under data protection law.<\/p>\n\n\n\n

    Consent forms: <\/strong>Consent is one of the lawful grounds for processing personal data. It means that a person freely, specifically and unambiguously agrees to the processing of their data for one or more purposes<\/a>. Consent has to be verifiable so that the controller can demonstrate that it was received in accordance with the requirements. Therefore, in situations where consent is requested in person, a written form is useful, which provides clarity for both the organisation and the customer. It can include the minimum information that is most important at the time of consent, so as not to overload the information to be received, as well as not to delay the duration of the service or process itself. The consent form must state: <\/p>\n\n\n\n