Do I need to disclose PayPal in my privacy policy?

Yes. PayPal processes personal data on your behalf, making it a data processor under GDPR and CCPA. You must disclose its use, explain what data it collects, and clarify that users' payment information is handled by PayPal, not stored on your servers. This transparency is legally required and builds user trust.

What specific data does PayPal collect from users?

PayPal collects payment details (card or account number), billing address, email address, transaction data (amount, date, merchant details), and IP address. PayPal also assigns a transaction ID and may collect device information for fraud prevention. Users should review PayPal's full privacy policy for additional data collection during account creation or linked services.

Does PayPal require a cookie consent banner?

Yes. PayPal uses the 'tsrce' cookie (3-day duration) classified as strictly necessary for transaction security. Under GDPR and CCPA, you must disclose this cookie in your consent banner, though strictly necessary cookies typically don't require explicit opt-in. List PayPal cookies separately if you provide a detailed cookie inventory.

Who processes PayPal data and where is it stored?

PayPal Holdings Inc., headquartered in the United States, is the data processor. User payment data is transferred to and processed in the US, where PayPal maintains servers. If your users are in the EU, you should note this international transfer in your privacy policy and confirm adequate safeguards (Standard Contractual Clauses) are in place.

Payments

Privacy policy clauses for PayPal

PayPal is an online payment processor that handles checkout and transaction processing on our website. We use PayPal to securely process customer payments, verify identities, and transfer funds without exposing sensitive financial information directly to our servers.

Scan my site free →Copy sample clause ↓

Free scan · No signup · Results in 60 seconds

What data PayPal collects

Your privacy policy must disclose each of the following data types when you use PayPal.

Payment details

Billing address

Transaction data

IP address

When does PayPal trigger privacy obligations?

Installation triggers immediate obligations

The moment PayPal's checkout or payment gateway is integrated into your site or app, you begin collecting and transferring payment card data, billing addresses, email addresses, transaction records, and IP addresses to PayPal Holdings Inc (a US processor). This is not optional data — it flows the instant a customer initiates checkout.

Applicable regulations by jurisdiction

GDPR (EU/UK users): PayPal processes personal data as your processor under GDPR Article 28. You must execute a Data Processing Agreement (DPA) with PayPal before processing any EU user data. Article 5(1)(a) requires lawful basis (typically performance of contract); Article 13/14 requires you to disclose to customers what data PayPal receives and why. The tsrce cookie is subject to ePrivacy Directive Article 5(3) — it's categorized strictly_necessary, so it requires no prior consent, but you must still document this in your cookie policy.

Privacy policy clauses for PayPal

What data PayPal collects

When does PayPal trigger privacy obligations?

Installation triggers immediate obligations

Applicable regulations by jurisdiction

First concrete step

Where data goes

Cookies set by PayPal

Common compliance pitfalls

Pitfall 1: Missing or outdated Data Processing Agreement

Pitfall 2: Failing to disclose PayPal in your privacy policy

Pitfall 3: Misclassifying the tsrce cookie as non-essential

Sample privacy policy clause

What regulators look for

Primary audit focus: International Data Transfers

Secondary focus: Transparency and Consent

Enforcement signals

Frequently asked questions

Do I need to disclose PayPal in my privacy policy?

What specific data does PayPal collect from users?

Does PayPal require a cookie consent banner?

Who processes PayPal data and where is it stored?

Don't ship without Bandit.