Germany: Must Online Platforms Provide a Guest Checkout?

A recent ruling by the Higher Regional Court of Hamburg (OLG Hamburg) has reignited an ongoing debate in Germany about whether online shops must offer guest checkouts due to the EU General Data Protection Regulation (GDPR).

In March 2022, the German Data Protection Conference (Datenschutzkonferenz, DSK) - an assembly of Germany’s federal and state data protection authorities - published a decision indicating that online retailers who do not offer a guest checkout option are, in principle, infringing the GDPR. According to the DSK, a mandatory permanent customer account would not only breach the GDPR’s data minimisation principle but also require the customer’s GDPR-level consent under Article 6(1)(a) GDPR, which could only be “freely given” if the retailer offers a guest checkout option. According to the DSK, a mandatory customer account can only be justified in “exceptional, special circumstances”.

While the DSK's stance is not legally binding on German courts, it has sparked significant discussion, given that many online businesses depend on mandatory customer accounts for reasons such as streamlined order management and fraud prevention.

The OLG Hamburg Decision

In a ruling dated 27 February 2025 (Case No. 5 U 30/24), the OLG Hamburg examined the customer journey of a major German online marketplace that did not offer a guest checkout. The German Federal Association of Consumer Protection (Verbraucherschutzzentrale Bundesverband, “vzbv”) brought the case, referencing the earlier DSK decision and arguing that the marketplace’s setup was unlawful.

However, the OLG Hamburg upheld the retailer’s approach, concluding that mandatory customer accounts can comply with the GDPR if:

• they are genuinely necessary for operating a marketplace with multiple third-party sellers, enabling effective communication and proper enforcement of buyer rights; and 
• the collection and storage of personal data is limited to what is strictly needed to process orders, with automatic deletion of inactive profiles after a reasonable period.

The court clarified that the GDPR permits data processing not only on the basis of consent or contract performance but also where the online retailer has a legitimate interest (e.g., fraud prevention and efficiency in order processing).

The OLG Hamburg further emphasised that an online account benefits customers as well, offering an overview of orders, simpler returns, the handling of warranty claims, and more efficient communication, also considering that data is not stored permanently and customers can request deletion (Article 17 GDPR) at any time.

In conclusion, the OLG Hamburg found that guest checkouts are not necessarily equivalent alternatives to permanent customer accounts. Instead, requiring guest checkouts in certain contexts may introduce unnecessary technical and organisational complications without offering tangible data protection benefits.

Conclusion 

Although the OLG Hamburg’s decision does not definitively resolve the debate, it strongly works to the benefit of online retailers and offers valuable guidance for assessing their own customer journeys. A case-by-case evaluation remains indispensable. Unlike the DSK, the OLG Hamburg does not interpret the principle of data minimisation as requiring strictly minimal data collection; rather, the court understands the principle as a call for proportionate, purpose-oriented and transparent data processing.

By adopting a pragmatic approach, the court has taken into account both the GDPR’s protective objectives and the practical requirements of modern e-commerce. This interpretation could also legitimise mandatory customer accounts on a range of other online platforms. The criteria set by the court will help businesses evaluate whether requiring customers to register for an account is genuinely necessary and proportionate, given their specific business objectives.