PayPal may collect your face scan, voice, or photo to verify your identity for a range of account actions, including logging in, changing your profile, managing payments, and initiating cryptocurrency transfers, when you consent within the app.
This analysis describes what PayPal's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
The provision identifies a broad list of use cases for biometric data collection beyond basic login, including cryptocurrency transfers and lifting account limitations, which means biometric data may be collected across multiple account interactions rather than a single enrollment event.
Under this provision, PayPal may collect biometric identifiers including face scans and voice identification with consent, and use them across at least seven distinct account actions; users in Illinois, Texas, and Washington should be aware that state biometric privacy laws may provide additional rights regarding collection, retention, and deletion of this data.
How other platforms handle this
At Ledger, earning and maintaining our users' trust is a top priority. That's why we are deeply committed not only to protecting your privacy and securing your personal data, but also to being fully transparent about how we handle it.
If we collect health information from these integrations (such as heart rate), we will not sell or use it for advertising or other similar purposes; we do not disclose it to third parties without your prior consent; and we will only use it for the specific purposes described in this Policy.
We collect your personal data when you use our Services, create a new eBay account, provide us with information via a web form, add or update information in your eBay account, participate in online community discussions or otherwise interact with us.
Monitoring
PayPal has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"Biometric data: Such as voice identification, photo identification, or face scans, which we may collect when you consent in the user experience to authenticate you for certain actions related to your account, including, for example, to verify your identity before you access accounts and Services, recover passwords, update profile information, manage payments and payment methods, lift account limitations, and initiate cryptocurrency transfers.— Excerpt from PayPal's PayPal Privacy Statement
REGULATORY LANDSCAPE: This provision implicates the Illinois Biometric Information Privacy Act (BIPA), the Texas Capture or Use of Biometric Identifier Act (CUBI), and the Washington My Health MY Data Act, as well as GDPR Article 9 (special category data) for EU and UK users. The relevant enforcement authorities include the Illinois courts (private right of action under BIPA), the Texas Attorney General, the Washington Attorney General, and EU/UK national supervisory authorities. The document asserts consent as the lawful basis for biometric collection; GDPR Article 9(2)(a) and BIPA Section 15(b) require informed, written consent prior to collection, and compliance teams should verify that in-app consent flows satisfy these requirements in each applicable jurisdiction. GOVERNANCE EXPOSURE: High. The breadth of use cases for biometric data collection disclosed in this provision, spanning seven distinct account actions, increases the surface area of consent obligations and retention schedule requirements. BIPA provides a private right of action with statutory damages of $1,000 to $5,000 per violation, and Illinois courts have addressed class certification in biometric data cases. The risk is heightened because biometric data is collected not only for authentication but also for cryptocurrency transfers and account limitation removal. JURISDICTION FLAGS: Illinois (BIPA), Texas (CUBI), Washington (My Health MY Data Act), and the EU/EEA and UK (GDPR special category data) create heightened exposure. In Illinois, failure to maintain a publicly available retention and destruction schedule or obtain written consent prior to collection constitutes a per-violation statutory claim. In the EU/EEA and UK, biometric data processing requires an explicit derogation under GDPR Article 9(2) in addition to a standard lawful basis. CONTRACT AND VENDOR IMPLICATIONS: If PayPal uses third-party AI or identity verification vendors to process biometric data, data processing agreements must address the specific use cases disclosed in this provision and include provisions for deletion, retention limits, and prohibition on secondary use, consistent with BIPA and GDPR Article 28 requirements. Procurement teams should audit vendor contracts to confirm these restrictions are present and enforceable. COMPLIANCE CONSIDERATIONS: Compliance teams should (1) confirm that in-app consent flows are specific to each disclosed use case rather than a single blanket consent; (2) verify that biometric data retention and destruction schedules are publicly posted as required by BIPA; (3) map all vendors processing biometric data and confirm data processing agreements are in place; and (4) assess whether users in Illinois, Texas, and Washington are provided jurisdiction-specific disclosures and consent mechanisms.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Ad personalization controls removed. Contact scanning added. Advertiser data partnerships quietly dropped. A timeline of every change.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
The provision identifies a broad list of use cases for biometric data collection beyond basic login, including cryptocurrency transfers and lifting account limitations, which means biometric data may be collected across multiple account interactions rather than a single enrollment event.
Under this provision, PayPal may collect biometric identifiers including face scans and voice identification with consent, and use them across at least seven distinct account actions; users in Illinois, Texas, and Washington should be aware that state biometric privacy laws may provide additional rights regarding collection, retention, and deletion of this data.
ConductAtlas has identified this type of provision across 20 platforms. See the full comparison.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by PayPal.