PayPal · PayPal Privacy Statement · View original document ↗

Biometric Data Collection

High severity High confidence Explicitdocumentlanguage Uncommon · 20 of 343 platforms
Share 𝕏 Share in Share 🔒 PDF
Recent governance activity PayPal recorded 7 documented changes in the last 30 days.
Start monitoring updates
Monitor governance changes for PayPal Create a free account to receive the weekly governance digest and monitor one platform for governance changes.
Create free account No credit card required.
Document Record

What it is

PayPal may collect your face scan, voice, or photo to verify your identity for a range of account actions, including logging in, changing your profile, managing payments, and initiating cryptocurrency transfers, when you consent within the app.

This analysis describes what PayPal's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology

ConductAtlas Analysis

Why it matters (compliance & governance perspective)

The provision identifies a broad list of use cases for biometric data collection beyond basic login, including cryptocurrency transfers and lifting account limitations, which means biometric data may be collected across multiple account interactions rather than a single enrollment event.

Clause Stability Stable

0
Changes
3
Months Monitored
Apr 3, 2026
First Seen
May 22, 2026
Last Seen
This clause type exists across 3350 other provisions on other platforms.

Consumer impact (what this means for users)

Under this provision, PayPal may collect biometric identifiers including face scans and voice identification with consent, and use them across at least seven distinct account actions; users in Illinois, Texas, and Washington should be aware that state biometric privacy laws may provide additional rights regarding collection, retention, and deletion of this data.

What you can do

⚠️ These actions may provide transparency or partial mitigation but may not fully address the underlying issue. Effectiveness varies by jurisdiction and individual circumstances.
  • Delete Your Data
    Log into your PayPal account, navigate to your privacy settings, and submit a request to delete biometric data or withdraw consent for biometric collection where the option is available.

How other platforms handle this

Ledger Medium

At Ledger, earning and maintaining our users' trust is a top priority. That's why we are deeply committed not only to protecting your privacy and securing your personal data, but also to being fully transparent about how we handle it.

Strava Medium

If we collect health information from these integrations (such as heart rate), we will not sell or use it for advertising or other similar purposes; we do not disclose it to third parties without your prior consent; and we will only use it for the specific purposes described in this Policy.

eBay Medium

We collect your personal data when you use our Services, create a new eBay account, provide us with information via a web form, add or update information in your eBay account, participate in online community discussions or otherwise interact with us.

See all platforms with this clause type →

Monitoring

PayPal has changed this document before.

Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.

Start Monitor free trial Or create a free account →
▸ View Original Clause Language DOCUMENT RECORD
"
Biometric data: Such as voice identification, photo identification, or face scans, which we may collect when you consent in the user experience to authenticate you for certain actions related to your account, including, for example, to verify your identity before you access accounts and Services, recover passwords, update profile information, manage payments and payment methods, lift account limitations, and initiate cryptocurrency transfers.

— Excerpt from PayPal's PayPal Privacy Statement

ConductAtlas Analysis

Institutional analysis (Compliance & governance intelligence)

REGULATORY LANDSCAPE: This provision implicates the Illinois Biometric Information Privacy Act (BIPA), the Texas Capture or Use of Biometric Identifier Act (CUBI), and the Washington My Health MY Data Act, as well as GDPR Article 9 (special category data) for EU and UK users. The relevant enforcement authorities include the Illinois courts (private right of action under BIPA), the Texas Attorney General, the Washington Attorney General, and EU/UK national supervisory authorities. The document asserts consent as the lawful basis for biometric collection; GDPR Article 9(2)(a) and BIPA Section 15(b) require informed, written consent prior to collection, and compliance teams should verify that in-app consent flows satisfy these requirements in each applicable jurisdiction. GOVERNANCE EXPOSURE: High. The breadth of use cases for biometric data collection disclosed in this provision, spanning seven distinct account actions, increases the surface area of consent obligations and retention schedule requirements. BIPA provides a private right of action with statutory damages of $1,000 to $5,000 per violation, and Illinois courts have addressed class certification in biometric data cases. The risk is heightened because biometric data is collected not only for authentication but also for cryptocurrency transfers and account limitation removal. JURISDICTION FLAGS: Illinois (BIPA), Texas (CUBI), Washington (My Health MY Data Act), and the EU/EEA and UK (GDPR special category data) create heightened exposure. In Illinois, failure to maintain a publicly available retention and destruction schedule or obtain written consent prior to collection constitutes a per-violation statutory claim. In the EU/EEA and UK, biometric data processing requires an explicit derogation under GDPR Article 9(2) in addition to a standard lawful basis. CONTRACT AND VENDOR IMPLICATIONS: If PayPal uses third-party AI or identity verification vendors to process biometric data, data processing agreements must address the specific use cases disclosed in this provision and include provisions for deletion, retention limits, and prohibition on secondary use, consistent with BIPA and GDPR Article 28 requirements. Procurement teams should audit vendor contracts to confirm these restrictions are present and enforceable. COMPLIANCE CONSIDERATIONS: Compliance teams should (1) confirm that in-app consent flows are specific to each disclosed use case rather than a single blanket consent; (2) verify that biometric data retention and destruction schedules are publicly posted as required by BIPA; (3) map all vendors processing biometric data and confirm data processing agreements are in place; and (4) assess whether users in Illinois, Texas, and Washington are provided jurisdiction-specific disclosures and consent mechanisms.

Full compliance analysis

Regulatory citations, enforcement risk, and due diligence action items.

Track 1 platform — free Try Monitor free for 14 days

Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.

Applicable agencies

  • FTC
    The FTC has authority over unfair or deceptive practices in biometric data collection and has issued guidance on biometric privacy under its consumer protection mandate.
    File a complaint →
  • State AG
    State attorneys general in Illinois, Texas, and Washington have enforcement authority over biometric privacy laws including BIPA, CUBI, and the Washington My Health MY Data Act.
    File a complaint →

Applicable regulations

CCPA/CPRA
California, USA
Connecticut Data Privacy Act Amendments
US-CT
CAN-SPAM
United States Federal
FCRA
United States Federal
FTC Act Section 5
United States Federal
GDPR
European Union
GLBA
United States Federal
Indiana Consumer Data Protection Act
US-IN
Kentucky Consumer Data Protection Act
US-KY
TCPA
United States Federal
UK GDPR
United Kingdom
Universal Opt-Out Mechanism Expansion 2026
US

Provision details

Document information
Document
PayPal Privacy Statement
Entity
PayPal
Document last updated
May 5, 2026
Tracking information
First tracked
May 10, 2026
Last verified
May 12, 2026
Record ID
CA-P-000384
Document ID
CA-D-00045
Evidence Provenance
Source URL
Wayback Machine
Content hash (SHA-256)
3472030bc5dcca97c07809d8a57c82459fa06f7e44c6e287a15f7ba1c512805e
Analysis generated
May 10, 2026 00:17 UTC
Methodology
Evidence
✓ Snapshot stored   ✓ Hash verified
Citation Record
Entity: PayPal
Document: PayPal Privacy Statement
Record ID: CA-P-000384
Captured: 2026-05-10 00:17:27 UTC
SHA-256: 3472030bc5dcca97…
URL: https://conductatlas.com/platform/paypal/paypal-privacy-statement/biometric-data-collection/
Accessed: July 4, 2026
Permanent archival reference. Stable identifier suitable for legal filings, compliance documentation, and research citation.
Classification
Severity
High
Categories

Other risks in this policy

Related Analysis

Compliance Governance Intelligence

Need to monitor specific governance provisions?

Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.

Arbitration clauses AI governance Data rights Indemnification Retention policies
Start Compliance free trial

Or start with Monitor →

Built from archived source documents, structured governance mappings, and historical version tracking.

Frequently Asked Questions

What does PayPal's Biometric Data Collection clause do?

The provision identifies a broad list of use cases for biometric data collection beyond basic login, including cryptocurrency transfers and lifting account limitations, which means biometric data may be collected across multiple account interactions rather than a single enrollment event.

How does this clause affect you?

Under this provision, PayPal may collect biometric identifiers including face scans and voice identification with consent, and use them across at least seven distinct account actions; users in Illinois, Texas, and Washington should be aware that state biometric privacy laws may provide additional rights regarding collection, retention, and deletion of this data.

How many platforms have this type of clause?

ConductAtlas has identified this type of provision across 20 platforms. See the full comparison.

Is ConductAtlas affiliated with PayPal?

No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by PayPal.