Try to create a Google account today and you may hit a wall before you type a single character of your name. The screen says "Verify some info before creating an account", shows a QR code, and tells you to scan it with your phone's camera. There is no link to click, no email fallback, no "skip" path. No smartphone with a working camera means no account. That is the whole interaction, and it is worth stopping to look at, because it quietly turns a phone into a precondition for using the web.

I live in the Netherlands, inside the EU, and the framing on that screen ("Google needs to verify some info about your device or phone number") reads less like a security feature and more like mandatory identity collection dressed up as anti-abuse. This post is about why that distinction matters, and where it runs into GDPR.

What the screen actually demands

Read the prompt literally. To create an account you are asked to:

  • Own a smartphone with a camera capable of scanning a QR code.
  • Hand the flow to that phone, leave the device you started on, and complete steps Google does not show you up front.
  • Tie the new account to a phone number, which in most of the EU is itself tied to verified government identity at the SIM level.
  • Later in the same funnel, provide a date of birth and other personal details.

None of that is a technical requirement for an email account to function. An inbox does not need to know your birthday, your handset model, or your carrier. These are collection decisions, not engineering constraints, and they deserve to be judged as collection decisions.

"Anti-abuse" is doing a lot of work here

The justification is bot prevention: "preventing abuse from computer programs or bots." That is a real problem, and rate-limiting account creation is legitimate. But notice the shape of the control. It does not ask you to solve a puzzle a human can solve and a script cannot. It asks you to present a phone. The thing being verified is not "are you human", it is "can you produce a device and a number we can fingerprint and correlate."

Those are different goals. The first is proportionate to fighting abuse. The second is identity linkage, and once a phone number is attached at signup it rarely stays confined to the purpose it was collected for. Numbers added "for security" have a long history of drifting into ad targeting, account recovery social graphs, and cross-service correlation. Security teams call this function creep. GDPR calls it a purpose limitation problem.

Where this collides with GDPR

I am not claiming a court has ruled this specific flow unlawful. I am pointing at the principles a Data Protection Authority would actually weigh, because they line up badly with "scan this or leave."

Data minimisation, Article 5(1)(c)

Personal data must be "adequate, relevant and limited to what is necessary" for the purpose. The purpose here is creating an email account. A phone number and a date of birth are not necessary to operate a mailbox, which means the burden is on the controller to show why they are collected at all, not on the user to justify refusing.

Freely given consent, Articles 4(11) and 7(4)

Consent is only valid if it is freely given, and the regulation explicitly says you must consider whether a service is made conditional on consent to processing that is not necessary for that service. "No phone number, no account" is the textbook definition of conditional. When the only alternative to sharing data is being excluded from the service entirely, the "choice" is doing very little work.

Proportionality and necessity

Even under a legitimate-interest basis rather than consent, the processing has to pass a necessity and balancing test. Forcing every prospective user through hardware they may not own, to defeat bots that are a fraction of signups, is hard to call the least intrusive option when CAPTCHA, email confirmation, and behavioural signals already exist and do not require a camera.

The exclusion nobody designs for

There is a quieter problem underneath the privacy one. A QR-and-camera gate assumes a specific user: someone who owns a recent smartphone, can physically see and scan a code, and is comfortable moving an account-creation flow onto a handset. That assumption excludes people who use a desktop only, people with visual impairments, people on feature phones, people who keep a deliberately minimal device footprint, and anyone who simply does not want a personal phone wired into every login.

"Just use a phone" is not a neutral default. It is a design decision that pushes the cost of Google's abuse problem onto users, including users for whom a smartphone is not a given. Accessibility and data protection are pointing the same direction here: a service this central should have a path that does not require owning particular hardware.

What the EU could actually do about it

The GDPR machinery to challenge this already exists. It does not need new law, it needs enforcement of the principles above:

  • Treat phone number and date of birth at signup as non-necessary by default, and require the controller to prove necessity rather than assert it.
  • Mandate a genuine alternative path to account creation that does not require a smartphone or a number, on the conditionality logic of Article 7(4).
  • Scrutinise the purpose: if a number collected for anti-abuse is later used for advertising or correlation, that is a purpose-limitation breach regardless of how the signup screen was worded.

A coordinated position from the EDPB, or a single determined DPA, is enough to force a redesign. We have seen exactly that pattern with cookie walls, where regulators eventually ruled that "consent or leave" is not real consent. A hardware wall is the same argument with a camera attached.

What you can do today

None of the above helps you in the five minutes you actually need an account, so practically:

  • Use a provider that does not demand a phone for the accounts you control. Several EU-based mail providers treat a number as optional rather than mandatory.
  • Keep identity and convenience separate. If you must attach a number somewhere, do not reuse the one that anchors your banking and government identity.
  • Exercise your rights. A Subject Access Request, and where appropriate a complaint to your national DPA, are not symbolic. They are the mechanism that turns the principles above into pressure.

The takeaway

A QR-and-phone wall at account creation is sold as security, but the data it actually secures is yours, handed over as the price of entry. In the EU that price has a legal frame: data must be minimised, consent must be free, and a service cannot quietly make itself conditional on giving up information it does not need to function. "Scan this or you cannot have an account" fails all three on their face. Whether a regulator says so out loud is, at this point, a matter of will rather than law.

Read this next

Thinking about how AI assistants handle the identity and consent data they are handed? The field notes at ercan.ai cover that. For consulting on cloud, security, and compliance-shaped platform work, start at ercanermis.com.