Insights | 18 November 2024
E-commerce and data protection: Swiss law prohibits mandatory customer accounts for online purchases
Following a four-year investigation, the Federal Data Protection and Information Commissioner (FDPIC) recommended that a major Swiss online retailer should allow customers to place orders without creating an account (EDÖB-A-B3653401/5 dated 15 April 2024).[1]
The FDPIC determined that forcing customers to create an account before completing a purchase – thereby providing personal data – violated the principle of proportionality (or data minimisation) under the Swiss Federal Data Protection Act. Among its key findings, the FDPIC concluded that:
- certain data fields (not specified by the FDPIC, but likely to include phone numbers, birthdates and genders) were not essential to complete a purchase; and
- creating a customer account provided the retailer with insights into customer purchasing behaviour, which was also unnecessary for completing transactions.
The retailer argued that account creation was essential for identifying customer preferences, managing after-sales services, reducing administrative costs and enhancing service quality by tracking past interactions. It also highlighted the advantages to customers, such as a personalised shopping experience (with tailored recommendations based on preferences and past purchases), as well as the opportunity to engage with community features like product reviews and ratings.
The FDPIC was unpersuaded by such arguments and recommended that the retailer allow customers to check out as guests, without account creation.
Although non-binding, this recommendation is likely to affect other online retailers operating in Switzerland. The FDPIC’s investigation signals that Swiss authorities are increasingly attentive to data protection in e-commerce, suggesting that other businesses may also come under scrutiny.
A similar stance has been observed in the EU (in application of the GDPR), though the European Court of Justice has not yet addressed this issue:
- in March 2024[2], the Finnish data protection authority rejected an online retailer’s requirement for mandatory account creation, despite the retailer’s claim that such accounts facilitated expedited customer identification, compliance with accountability requirements, access to and correction of personal data, and consent management for direct marketing;
- in March 2022[3], the German Datenschutzkonferenz (DSK) issued a comparable opinion, concluding that e-commerce platforms must allow customers to check out as guests without mandatory account creation;
- in 2019[4], the Belgian data protection authority held that requiring the creation of a Microsoft account to access a public website or app did not comply with the GDPR.
For further questions or comments about this topic, please contact the authors.
References
[1] https://www.admin.ch/gov/fr/accueil/documentation/communiques.msg-id-100736.html
[2] https://www.droit-technologie.org/wp-content/uploads/2024/04/Decision-finlandaise-du-6-mars-2024-1.pdf
[3] https://www.datenschutzkonferenz-online.de/media/dskb/20222604_beschluss_datenminimierung_onlinehandel.pdf
[4] Recommendation 01/2019 of 6 February 2019 of the Belgian Data Protection Authority, https://www.autoriteprotectiondonnees.be/publications/recommandation-n-01-2019.pdf