Data protection digest 3-18 Dec 2025: E-commerce websites should offer a choice between ‘guest’ mode, or voluntary account creation

E-commerce user data

As a general rule, users should have the option to engage with e-commerce websites, including the ability to make purchases, without creating an account. In such cases, the EDPB recommends that e-commerce websites offer a choice: either a ‘guest’ mode, allowing users make purchases without creating an account, or the option to voluntarily create an account. This approach minimises the collection and processing of personal data, and therefore aligns with the GDPR’s principle of data protection by design and by default. However, mandatory account creation can be justified in a limited number of cases, including for example, offering a subscription service or providing access to exclusive offers. 

Stay up to date! Sign up to receive our fortnightly digest via email.

Google antitrust investigation

The EU Commission has opened an investigation into possible anticompetitive conduct by Google in the use of online content for AI purposes – using the content of web publishers, as well as content uploaded on the online video-sharing platform YouTube. The investigation will notably examine whether Google is distorting competition by imposing unfair terms and conditions on publishers and content creators, or by granting itself privileged access to such content, thereby placing developers of rival AI models at a disadvantage. It should be noted that there is no legal deadline in the EU for bringing an antitrust investigation to an end. 

More legal updates

US AI national policy: On 11 December, President Trump signed an Executive Order on  establishing a national policy framework for AI and lifting barriers to innovation. According to digitalpolicyalert.org, the US Administration will work with Congress to establish a single national AI standard that avoids conflicting state legislation. This standard would override any state laws that contradict the policy and would include protections for children, respect for copyrights, prevention of censorship, and measures to keep communities safe. 

US immigration data: According to Pravacy International, the US Government also intends to force visitors who are not required to get visas, such as British and French citizens, to submit their digital history and even DNA as the price of entry. With this much data AI tools will likely be deployed to unlock details of your life for border and immigration agencies. In particular, it wants to know all about: 

1. ‘telephone numbers used in the last five years’
2. ‘email addresses used in the last ten years’
3. ‘family number telephone numbers (sic) used in the last five years’
4. biometrics – face, fingerprint, DNA, and iris
5. business telephone numbers used in the last five years
6. business email addresses used in the last ten years.

If the proposed changes, published on 10th of December, are adopted after the 60-day consultation, travellers will have to use dedicated apps for their ESTA application, and to provide biometric proof of their departure. The latter will disclose the user’s location once they have left the US and run live detection on the selfie photo. 

Password managers

The German Federal Office for Information Security (BSI) examined this product category and investigated the IT security features of ten selected password managers. Three out of ten stored passwords in a way that theoretically allows manufacturers access. This increases the attack surface on the manufacturer’s side, which must be mitigated by additional compensatory measures. Users must trust these additional measures.

If the password manager stores data in the cloud, consumers should be informed about the storage location and data protection measures. This information can be included, for example, on the manufacturer’s website, in the terms and conditions for using the product, or in the privacy policy.

AI Training guidance

The Swedish data protection authority IMY has investigated the possibility of using personal data to create synthetic data for AI training purposes. Such data is created to resemble the original data without being able to be linked to individuals. It can be very positive from a privacy perspective, even though the synthesis itself means that personal data is processed, so it needs to comply with the GDPR. The particular project IMY investigated was about custody cases. It therefore involved a large amount of data of a very sensitive nature, which requires special considerations and measures. 

More from supervisory authorities

Medical research: The Hessian data protection commissioner has published a guide to data protection in medical research (in German). The guide presents four concrete use cases from the practice of medical research and classifies them from a data protection perspective. In particular, the cases describe the use of AI in cancer screening, pathology, intensive care, and the distinction between quality assurance and scientific research. The guide pays particular attention to the question of under what circumstances data can be considered anonymous. The use of anonymised data is especially relevant for medical research and the training of AI models. For research projects where anonymisation is not practical, the guide presents alternative legal bases under data protection law.

Consent forms: Consent is one of the lawful grounds for processing personal data. It means that a person freely, specifically and unambiguously agrees to the processing of their data for one or more purposes. Consent has to be verifiable so that the controller can demonstrate that it was received in accordance with the requirements. Therefore, in situations where consent is requested in person, a written form is useful, which provides clarity for both the organisation and the customer. It can include the minimum information that is most important at the time of consent, so as not to overload the information to be received, as well as not to delay the duration of the service or process itself. The consent form must state: 

• Who will process the data (company, individual entrepreneur), with their name
• Why is data needed
• What data is needed
• How to withdraw consent
• Customer ID (data subject’s first name, last name)
• Date, signature
• Information on where to find more information about data processing, including the duration of data storage and how to contact the controller

Cambridge Analytica compensations

Eligible Australian Facebook users impacted by the Cambridge Analytica affair have until 31 December to register under a payment program established in a landmark settlement. The 50 million dollars payment program was established by Meta Platforms as part of an enforceable undertaking the Australian Information Commissioner accepted from Meta in December 2024. This brings to an end 7 years of investigation and litigation related to the Cambridge Analytica matter in Australia.

Meta data access

The Austrian Supreme Court ordered Meta must provide full access to all personal users data requests within 14 days, including the sources, recipients and purposes for which each information was used, Privacy advocacy group NOYB reports. Meta’s claims of trade secrets or other limitations were rejected. The company claimed it would lead to unprecedented access to the inner systems of the platform. 

Meta must also ensure that sensitive information (political views, sexual orientation, or health) is not processed together with other data unless a valid legal basis according to Art. 9 GDPR applies, even if it was collected unintentionally or technically distinguishing it would be impossible. The case was brought by the NOYB activist Max Schrems in 2014 and laboured 11 years in Austrian courts and the CJEU. The plaintiff was awarded 500 euros in damages.

American Express cookie fine

The French privacy regulator CNIL fined American Express Carte France, the French subsidiary of the American Express group, 1.5 million euros for non-compliance with the rules applicable to cookies: a) by depositing trackers without having user consent, or b) despite their refusal to consent, or c) by continuing to read the trackers previously deposited despite subsequent consent withdrawal. 

In other news

Germany telecommunications fine: Due to massive violations of data protection rights, the North Rhine-Westphalia data protection commissioner has imposed a fine of 300,000 euros on a local telecommunications company. Since 2022, consumers have repeatedly contacted the regulator for the same reason: they received personalised ad letters promoting a contract for an internet and telephone connection. The recipients consistently stated that they had never had any prior contact with this company. However, the advertising letters were remarkably detailed. The recipients were only required to add their IBAN and sign the form.

Due to the design of the letters and the similarity of the name to very well-known telecommunications provider, many consumers were unaware that it wasn’t an offer for a different tariff with their existing provider, but rather an offer to switch providers. As a result, those affected often signed the contract documents. Only when they later realized they had switched providers did they cancel or revoke the contracts – and were then hit with a demand for a flat-rate compensation fee by the company. 

Direct marketing fine: The Italian data protection authority has fined Verisure Italia for unlawful processing of personal data for marketing purposes. The measure stems from a complaint from a former customer who continued to receive unwanted promotional text messages even after objecting to the processing of his data, and from a report from a potential customer who, after requesting a quote, began receiving promotional phone calls, emails, and text messages. The communications continued despite the exercise of the right to object provided for by the GDPR. Furthermore, the regulator deemed the retention period for potential customer data envisaged for telemarketing (12 months) to be excessive. 

More enforcement actions

Data processor breach: The French CNIL imposed a fine on Mobius Solutions, the processor behind a data breach affecting users of Deezer. The company was fined 1 million euros for failing to comply with the applicable rules regarding subcontracting. In 2022, Deezer reported that its users’ data had been posted on the dark web and that its former processor, Mobius Solutions, whose services it used to carry out personalised advertising campaigns for its customers, was involved.

The processor retained a copy of the data of more than 46 million DEEZER users after the end of their contractual relationship, despite its obligation to delete all such data at the end of the contract.

University data breach: The Dutch AP imposed a 175,000-euro fine on HAN University of Applied Sciences for breaching the GDPR data security rules.  A hacker used SQL injection through a web form to access HAN’s database. The individual threatened to make personal data, including addresses, names, passwords, and citizen service numbers, public and unsuccessfully demanded ransom from the university.

Password manager data breach: The UK Information Commissioner fined password manager provider LastPass 1.2 million pounds following a 2022 data breach that compromised the personal information of up to 1.6 million of its UK users. LastPass failed to implement sufficiently robust technical and security measures, which ultimately enabled a hacker to gain unauthorised access to its backup database. The incidents occurred when a hacker gained access first to a corporate laptop of an employee based in Europe and then to a US-based employee’s personal laptop on which the hacker implanted malware and was then able to capture the employee’s master password.

In case you missed it

Meta personalised ads: On 8 December,The European Commission acknowledged Meta’s undertaking to offer users in the EU an alternative choice of Facebook and Instagram services that would show them fewer personalised ads, to comply with the Digital Markets Act. This is the first time that such a choice is offered on Meta’s social networks. Meta will give users the effective choice between: 

• consenting to share all their data and seeing fully personalised advertising, or 
• opting to share less personal data for an experience with more limited personalised advertising. 

Meta will present these new options to users in the EU in January 2026. This follows a close dialogue between the Commission and Meta after the Commission found Meta in breach of the Digital Markets Act and issued Meta a non-compliance decision related to Meta’s “consent or pay” model in April 2025.

TikTok usage risks in the EU: The Dutch AP urges users and organisations to carefully consider whether they wish to continue using TikTok and other services that transfer personal data to countries outside the EU, including China. The Irish data protection authority DPC has previously ruled that this transfer is in breach of the GDPR. In addition, the Irish court required TikTok to better inform users on data processing activities. Users can still decide whether they want to continue using TikTok under these circumstances. If not, they can (temporarily) delete the app or deactivate an account.