PayPal Under Fire: Excessive Data Collection and Privacy Concerns in Advertising

You can now pay with PayPal in stores – and even at flea markets, as actor Will Ferrell demonstrates in an advertising campaign. In the German version, he says to a little boy who tries to rip him off when he buys an action figure: “At least my data is safe from you swindlers.” But this statement is untrue.

The financial transaction platform PayPal is positioning itself in an advertising campaign as an alternative to cash. However, there is a drastic difference between the two payment methods. While cash transactions are also tracked, the data that PayPal collects – and sells to advertisers – is far more comprehensive than simply information about the amount of money transferred from where to where.

The network of data protection experts has examined PayPal’s data protection practices in a legal report and reached a damning conclusion. The company records what you buy, at what price, from which company you purchase it, and where you have it delivered. It stores location data, the list of apps on your phone, which device and browser you use, and which websites you visit.

PayPal sometimes even stores sexual orientation

According to its privacy policy, the company also reserves the right to collect your fingerprint, income, telephone and tax identification number, occupation, age, gender, credit rating, and financial situation. The data set the company creates about you may also include – according to the privacy policy – ​​religious beliefs, political or philosophical views, disabilities, and sexual orientation, as well as “data from third-party accounts you have linked.”

According to the report, PayPal can collect extremely sensitive information because payments to healthcare facilities or lawyers, as well as donations to political parties and religious institutions, are also processed via the platform. PayPal stores the data for as long as the account exists and for ten years thereafter.

Since spring, PayPal has also been in the advertising business

PayPal is the most popular payment method on the internet . In the spring of 2025 – shortly before the launch of the advertising campaign with Will Ferrell – the company also entered the advertising business. It uses payment data to personalize advertising.

The Data Protection Expertise Network writes in its report: “The high significance of financial transaction data justifies a high potential for both use and misuse.” For example, it enables manipulative advertising and discriminatory pricing.

Payment transactions in Germany and Europe are supposed to be anonymous. Exceptions to this rule are only permitted if they are clearly necessary and well-justified.

PayPal stores sensitive data without explicit consent

According to the report, PayPal does not adequately inform its customers about the purpose, recipients, and legal basis for data transfers, and stores data for unlawfully long periods. Furthermore, the company assumes that users consent to data processing by using the service. However, this consent—especially when it involves sensitive data, marketing and advertising purposes, or data sharing—must be given consciously, in an informed manner, precisely defined, and independent of the service’s availability in order to be lawful. Customers must know exactly what they are agreeing to.

According to the report, the company offers businesses aggregated personal information. These companies can then use PayPal to place advertisements on websites, apps, and smart TVs, allegedly targeting their audience very precisely. The direct sale of the data to advertising companies was also at least once planned. The Data Protection Expertise Network has no information on the current implementation of this project in Europe.

PayPal reportedly collects some of this information to prevent fraudulent account access. In August 2025, login credentials for 15 million PayPal accounts surfaced on the dark web, leading to a massive increase in attempted fraud.

The list of data recipients includes 600 companies

PayPal reserves the right to share the collected data, for example, with authorities, other financial institutions, debt collection agencies, data processors, and partner companies. A list of potential data recipients includes 600 companies from many countries worldwide.

The privacy policy, which comprises 7,000 words, “fails to clarify which data is processed for which purposes, on what legal basis,” according to the Data Protection Analysis Network. The problem is that both the categories of data and the types of processing are listed only as examples and not exhaustively.

The terms and conditions are also extremely user-unfriendly. They comprise 17 documents, and it’s unclear to customers which ones are relevant to them. In addition, there are 20,000 words of terms of service without a table of contents. By opening an account, users agree to all of these conditions.

This is how you object to the use of your data for advertising purposes

The use of data for advertising purposes is enabled by default in PayPal accounts. To disable this, users must first click on “Data and Privacy” on the website and then on “Personalized Offers and Advertising.” There, a slider can be moved back and forth between a gray and a black field. Which option is more privacy-friendly is not explained. However, using developer tools in the browser, PayPal’s response to various settings can be read.

The slider on the left, with the field highlighted in gray, returns the response: DENY_CONSENT. This setting therefore likely denies consent to advertising. This possible opt-out contradicts the General Data Protection Regulation (GDPR), which stipulates that the default setting must provide for the least possible data processing (“Privacy by Default”).

The network of data protection experts considers it particularly problematic that personal data is also transferred outside the EU. PayPal’s headquarters are in the USA, where data is significantly less protected than in Europe. Furthermore, the company is obligated to hand over data to US authorities if they request it.

The data protection experts view their analysis of PayPal’s data protection practices as merely an exemplary case. “It is likely that the deficiencies identified at PayPal exist in a similar form at other companies in this sector,” they write. Big Tech companies are increasingly attempting to access financial transaction data in order to combine it with data from other applications and use it commercially. Therefore, the data protection experts are calling for a general ban on the use of financial data for advertising purposes.

According to Heise Online, PayPal is currently reviewing the report. It can be quoted as follows: “Compliance with EU data protection requirements is of central importance to us for both the development and operation of our products in order to ensure a high-quality experience and security in payment transactions for our customers.”

__

(Featured image by Julio Lopez via Unsplash)

DISCLAIMER: This article was written by a third party contributor and does not reflect the opinion of Born2Invest, its management, staff or its associates. Please review our disclaimer for more information.

This article may include forward-looking statements. These forward-looking statements generally are identified by the words “believe,” “project,” “estimate,” “become,” “plan,” “will,” and similar expressions. These forward-looking statements involve known and unknown risks as well as uncertainties, including those discussed in the following cautionary statements and elsewhere in this article and on this site. Although the Company may believe that its expectations are based on reasonable assumptions, the actual results that the Company may achieve may differ materially from any forward-looking statements, which reflect the opinions of the management of the Company only as of the date hereof. Additionally, please make sure to read these important disclosures.

First published in NETZPOLITIK.ORG. A third-party contributor translated and adapted the article from the original. In case of discrepancy, the original will prevail.

Although we made reasonable efforts to provide accurate translations, some parts may be incorrect. Born2Invest assumes no responsibility for errors, omissions or ambiguities in the translations provided on this website. Any person or entity relying on translated content does so at their own risk. Born2Invest is not responsible for losses caused by such reliance on the accuracy or reliability of translated information. If you wish to report an error or inaccuracy in the translation, we encourage you to contact us