December 17, 2025, 12:47 pm
PayPal is under pressure due to its handling of customer data. A report by the Network for Data Protection Expertise questions whether the company’s data processing complies with the GDPR and the Payment Services Supervision Act (ZAG). The analysis highlights several critical points, particularly regarding the extent of data collection and the use of information beyond the actual payment purpose.
For many, PayPal is a staple in online commerce. However, each transaction provides the company with far more data than just the amount and recipient. Information on shopping carts, devices, merchants, and general payment behavior is also collected. Combined, these transaction data allow for extensive insights into consumer habits and personal circumstances, a type of data that the GDPR considers particularly sensitive.
PayPal Uses Data for Advertising Too
The report criticizes PayPal for using this data for more than payment processing and fraud prevention. Particularly controversial is the Offsite Ads advertising format, where PayPal analyzes and aggregates purchase data to target users on other platforms. The reviewers see this as a potential conflict with the Payment Services Supervision Act, which strictly limits the use of such data.
The effectiveness of the consents is also questioned. Many are too general or pre-activated by default, thus not meeting the requirements of the GDPR. Additionally, scattered and complexly worded privacy documents make it difficult for users to understand which data is collected, how it is used, and to whom it is disclosed.
Doubts About Data Retention Period
Experts are also critical of the retention period for collected data. Blanket periods of up to ten years after the end of the contract could violate the principles of storage limitation and data minimization. Aspects such as automated decisions, profiling, and international data transfers also remain unclear.
PayPal has announced that it will carefully review the report. In a statement to “Heise,” the company emphasized that compliance with European data protection regulations is central to the operation and development of its products and that it takes the criticism seriously.