PayPal may collect your face scan, voice, or photo to verify your identity for a range of account actions, including logging in, changing your profile, managing payments, and initiating cryptocurrency transfers, when you consent within the app.
This analysis describes what PayPal's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
This provision establishes the operational framework for biometric authentication within PayPal's service delivery. The authorization permits PayPal to deploy biometric verification mechanisms as an alternative or supplementary authentication method for specific account management and transaction functions.
Under this provision, PayPal may collect biometric identifiers including face scans and voice identification with consent, and use them across at least seven distinct account actions; users in Illinois, Texas, and Washington should be aware that state biometric privacy laws may provide additional rights regarding collection, retention, and deletion of this data.
How other platforms handle this
We may use third-party vendors for identity verification. These vendors analyze whether the Client's "selfie" matches the government-issued identity document. The information collected from Client photographs may constitute biometric information in some jurisdictions. Where required by law, we will ...
Your use of the Services is also governed by our Privacy Policy, which is incorporated into these Terms by reference. By using the Services, you consent to the data collection and use practices described in the Privacy Policy. Roblox collects information you provide directly, information collected a...
We collect information about you in a variety of ways depending on how you interact with us and our products and services. This includes information you provide directly, information we collect automatically when you use our services, and information we receive from third parties. We may collect ide...
Monitoring
PayPal has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"Biometric data: Such as voice identification, photo identification, or face scans, which we may collect when you consent in the user experience to authenticate you for certain actions related to your account, including, for example, to verify your identity before you access accounts and Services, recover passwords, update profile information, manage payments and payment methods, lift account limitations, and initiate cryptocurrency transfers.— Excerpt from PayPal's PayPal Privacy Statement
REGULATORY LANDSCAPE: This provision implicates the Illinois Biometric Information Privacy Act (BIPA), the Texas Capture or Use of Biometric Identifier Act (CUBI), and the Washington My Health MY Data Act, as well as GDPR Article 9 (special category data) for EU and UK users. The relevant enforcement authorities include the Illinois courts (private right of action under BIPA), the Texas Attorney General, the Washington Attorney General, and EU/UK national supervisory authorities. The document asserts consent as the lawful basis for biometric collection; GDPR Article 9(2)(a) and BIPA Section 15(b) require informed, written consent prior to collection, and compliance teams should verify that in-app consent flows satisfy these requirements in each applicable jurisdiction. GOVERNANCE EXPOSURE: High. The breadth of use cases for biometric data collection disclosed in this provision, spanning seven distinct account actions, increases the surface area of consent obligations and retention schedule requirements. BIPA provides a private right of action with statutory damages of $1,000 to $5,000 per violation, and Illinois courts have addressed class certification in biometric data cases. The risk is heightened because biometric data is collected not only for authentication but also for cryptocurrency transfers and account limitation removal. JURISDICTION FLAGS: Illinois (BIPA), Texas (CUBI), Washington (My Health MY Data Act), and the EU/EEA and UK (GDPR special category data) create heightened exposure. In Illinois, failure to maintain a publicly available retention and destruction schedule or obtain written consent prior to collection constitutes a per-violation statutory claim. In the EU/EEA and UK, biometric data processing requires an explicit derogation under GDPR Article 9(2) in addition to a standard lawful basis. CONTRACT AND VENDOR IMPLICATIONS: If PayPal uses third-party AI or identity verification vendors to process biometric data, data processing agreements must address the specific use cases disclosed in this provision and include provisions for deletion, retention limits, and prohibition on secondary use, consistent with BIPA and GDPR Article 28 requirements. Procurement teams should audit vendor contracts to confirm these restrictions are present and enforceable. COMPLIANCE CONSIDERATIONS: Compliance teams should (1) confirm that in-app consent flows are specific to each disclosed use case rather than a single blanket consent; (2) verify that biometric data retention and destruction schedules are publicly posted as required by BIPA; (3) map all vendors processing biometric data and confirm data processing agreements are in place; and (4) assess whether users in Illinois, Texas, and Washington are provided jurisdiction-specific disclosures and consent mechanisms.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
Netflix updated its Privacy Statement on April 18, 2026, disclosing voice recording collection and expanded household ad profiling for the first time.
Google's Privacy Policy covers Search, Gmail, YouTube, Maps, and every site running Google Analytics. Here is what it actually authorizes.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
This provision establishes the operational framework for biometric authentication within PayPal's service delivery. The authorization permits PayPal to deploy biometric verification mechanisms as an alternative or supplementary authentication method for specific account management and transaction functions.
Under this provision, PayPal may collect biometric identifiers including face scans and voice identification with consent, and use them across at least seven distinct account actions; users in Illinois, Texas, and Washington should be aware that state biometric privacy laws may provide additional rights regarding collection, retention, and deletion of this data.
ConductAtlas has identified this type of provision across 17 platforms. See the full comparison.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by PayPal.