Requiring proof of identity to validate a purchase: is it legal?
You are shopping from an Italian website when they ask you for a copy of your ID card to validate your order. This is often part of the KYC (Know Your Customer) procedures used by some companies. Some sellers are just trying to avoid identity theft or payment fraud. Others, however, may use your information to assess your financial stability, improve their marketing strategy, or learn more about your buying behaviour. How does one deal with these requests? Are they regulated in Europe? This article provides answers to these questions and advises you on how to respond in these situations.
Why do some companies ask for proof of identity before confirming an order?
It’s not uncommon for an e-retailer to request certain information at the beginning of the order process or before confirming your subscription to a service.
These requests are usually standard pieces of information, such as your name, shipping address, and contact information. The online seller may also check your IP address or even analyse the type of device you are using (PC, smartphone, etc.) via certain software.
Some sellers may also ask for a copy of your driver’s licence, passport, or any other document proving your identity.
The purpose of these checks is to minimise the risk of payment fraud or identity theft.
Example: You have regularly purchased a small number of items from a Danish website. If you decide to order a larger amount, the site may ask you for proof of identity, proof of address, or other methods of identification to prove that you are the same customer from prior orders.
Social media, some banks… may also ask you to take a selfie or participate in a video chat to ensure that you are the actual proprietor of your account.
In the financial, banking, and insurance sectors, verification of a customer’s identity is common. It helps to combat money laundering and terrorist financing. But in this arena, KYC practices are heavily regulated in Europe.
Is it legal to ask for proof of identity when validating a purchase?
For card payments, online merchants targeting the French market may ask for – but cannot require – proof of identity. The customer has the right to refuse to provide this information. The French National Authority for Data Regulation (Commission Nationale de l'Informatique et des Libertés) has made it clear that if the collection of the cardholder’s identity is not necessary for the transaction, it should not be requested.
Good to know: in France, refusal to sell is prohibited unless the customer exhibits inappropriate or bad-faith behaviour. If you feel you have been discriminated against in this way, report it to www.signal.conso.gouv.fr
Online traders often ask for personal information from buyers to prevent fraud. However, they must respect the data protection principles of the General Data Protection Regulation (GDPR).
For example, the information collected can only be used for a legitimate and legal purpose. Online retailers and social media platforms may not use your data for any other purpose, nor may they keep it for longer than a justified and proportionate period. Your data must be updated, corrected, and deleted after a certain period of time. And only authorised persons should have access to the information requested in the context of Knoiw Your Customer (KYC) procedures.
If a company wishes to include you on any customer lists, you must be informed. You must provide your consent, and you must be able to change your decision.
Good to know: if a website prompts you to save your bank card information, you must always provide your consent. No website may save your card information, nor may they pre-empt your choice to save your card information.
Buying online: never send a picture of your credit card!
When an online retailer asks you for information to prove that you are the holder of the credit card or bank account used in the purchase, they do so to ensure that it is not:
- A fake bank card,
- A stolen bank card,
- Stolen bank account information.
Warning: an online seller who targets French customers cannot ask for a copy of your bankcard, even if the cryptogram and some of the numbers are hidden. Never send a copy of both sides of your bank card showing the cryptogram. Always choose sites with strong customer authentication.
Can I be asked for my identity card when booking accommodations in Europe?
When booking accommodations in the European Union (EU), some companies may ask you to send them a copy of an identity document. But know that you are only required to produce this document upon arrival.
In France, as is the case in Bulgaria, the company providing your accommodation is not allowed to copy any form of identity, including your identity card or passport. If you are a foreigner (European or otherwise), you will have to present an identity document and complete an "individual police form". This can be used to prevent public disorder and to aid in judicial investigations and searches in the interest of the individual. This form must remain at the disposal of the police for six months. After this period, the card must be securely and permanently destroyed.
In Germany, the identity card cannot be copied or registered, unlike, for instance, Hungary.
Tips to protect your information if you decide to send proof of identity
- Watermark or cross out the photocopy and indicate the reason for sending
Example: "This photocopy is only usable to validate my order/registration n° 123 by the seller XYZ".
- Date the copy.
- Hide certain information on your ID card or passport, for example, the document number, especially if you are sending a photo with this document.
- Filigrane Facile, an online tool (currently only available in French) provided by the French government, allows you to input personalised translucent text on your identity document. For example, "document intended exclusively for my order n°1234 from seller XYZ". In doing this, your identity document cannot be used for fraudulent purposes. The site will not have a copy of the original file, and Filigrane Facile will delete the watermarked version within one day.
What is the collected information used for?
Information that you provide to a seller can also be used to set up a real-time scoring system. Scoring is a marketing technique that involves analysing your data and assigning you a score. This score ranks you according to your likelihood of purchase, your solvency, and the gain or risk that you may generate for the company.
Example: if you’ve lived in Germany, the online seller can assess your solvency by inputting your name into "Schufa". Schufa is a credit scoring organisation that provides information on your level of debt.
If your score is high, then the projection for your payment behaviour will be favourable. For example, the online retailer may offer you a wider variety of payment methods. If you become a regular customer, they might even offer riskier payment methods, such as credit cards, account payments, SEPA direct debit…
On the other hand, if your score is poor, then your payment methods will likely be limited to debit card only.
Know Your Customer (KYC) techniques also enable retailers to adapt their sales techniques and methods to the consumer.
Maybe you regularly participate in post-purchase surveys or polls. If so, you should know that online retailers can use your socio-demographic data (age, gender, family situation, profession), your psychological data (interests, opinions, etc.), or your behavioural data (purchase history, frequency of purchases, response rate to emails, etc.). Based on this information, they assign you a score and a classification. For example, they may classify you as an occasional customer, a regular buyer, or a VIP customer.
By doing this, retailers can tailor their marketing offers based on your profile and score. Depending on your profile, you will receive targeted promotional offers, product previews, discounts, etc.
Be careful not to be tempted by offers on products you don’t really need. Think critically before you buy!
Your IP address is also an interesting piece of data, as it informs websites of your location. Because of this, merchants can tailor the language, means of payment, or even block your order.
Example: the IP address indicates a country to which the seller does not deliver, but the customer chooses another country for delivery.
Know Your Customer (KYC) information requests also enable retailers to learn about your purchasing behaviour.
Examples:
- The number of orders returned within the withdrawal period
- Any refund disputes you have filed
- The number of complaints you have sent to customer service
Social rating banned in Europe
After a purchase, a trip, a stay, an online service, you’ve likely received a request to "share your experience ". You’re asked to rate the product, the restaurant, the hotel, the delivery person, the driver…
This system of permanently rating a consumer’s behaviour in public or online is called social scoring. Thanks to algorithms based on artificial intelligence (AI), your buying habits can be analysed in real time.
Since 2025, this practice has been prohibited in the European Union (EU). The European regulation on artificial intelligence, known as the AI Act, targets all companies, in Europe and beyond, that sell, use, and deploy AI systems within the EU. Its aim is to protect European consumers against social rating systems.
Under the AI Act, a company is not allowed to give you a score in order to give you access to or restrict certain benefits. This means that consumers cannot be evaluated on the basis of their behaviour when it comes to discounts, credits, or payment terms.
Moving towards a European digital identity
A European digital identity accessible in all EU countries should soon be available. A 2024 European regulation provides individuals with the ability to:
- Create a European digital wallet (EUDI wallet)
- Require all countries in the EU to offer a digital identity solution recognised throughout Europe
In more concrete terms, the EUDI wallet is an application that can be used in any EU country that enables you to register various personal data and documents. With this application, you can identify yourself online without having to rely on external commercial providers. The application will also enable the creation and use of electronic signatures to be accepted throughout the EU.
The digital identity wallet can be used for identification purposes on public and private service sites, to open a bank account, to obtain a digital driver’s license, or to pick up medical prescriptions.
Currently, when you receive a new physical identity card in France, it is possible to link it to a digital version. The electronic identity card can be accessed and used via the France Identité application. By June 2025, the European digital wallet will be deployed more widely throughout Europe. This will simplify many administrative procedures abroad, such as renting a car or checking into a hotel.
Is your account blocked? It’s not always a question of identity!
Maybe you can’t log in to your social media account, or maybe you don’t understand why your profile on a video-sharing platform has been blocked. Maybe a video you posted has been removed without explanation.
Blocking can occur for a variety of reasons, but it is often a result of non-compliance with the service’s terms of use. For example, you may have posted content that was considered hateful, and therefore a breach of the platform’s code of conduct.
When and how does a platform have the right to block a user’s access?
This type of blocking is completely legal. The European Digital Services Act regulation strengthens content moderation rules. Implemented in 2024, these guidelines apply to all European online platforms or those targeting European consumers.
Under these rules, users may be penalised if they publish content that is illicit or incompatible with the general terms and conditions. The platform can remove this content, suspend a user’s access to its services, or suspend the account altogether, after issuing a prior warning.
The company must have set out its policy on misuse clearly and in detail in its general terms and conditions. This includes examples of facts and circumstances. By doing so, users may understand what specifically constitutes misuse, and what the potential consequences for engaging in misuse are.
Depending on the seriousness of the misconduct, the platform can sometimes go even further in its response. For example, your account may be closed permanently, or your access to certain services may be permanently restricted.
In all cases, however, you must be provided with certain explanations.
- The facts and circumstances that led to this decision.
- The existence of any automated means used to make this decision or remove illicit content.
- The reasons why the content in question is considered illegal.
- Which clause in its general terms and conditions you have breached.
What can I do if my account has been blocked?
The platform must inform you of possible solutions (internal processing mechanism, out-of-court dispute settlement, legal recourse). You must be able to challenge any decision concerning your misconduct via an internal complaint handling system. You have access to this system for a period of 6 months. This applies from the date of notification of suspension, account termination, or removal of published content.
In addition to responding to your request, the platform must inform you of the possibility of accessing a certified mediator. It will also provide you with information on other avenues of recourse.
Funded by the European Union. Views and opinions expressed are however those of the author(s) only and do not necessarily reflect those of the European Union or the European Innovation Council and Small and Medium-sized Enterprises Executive Agency (EISMEA). Neither the European Union nor the granting authority can be held responsible for them.