Which regulatory agencies enforce this type of clause?

{'agency': 'FTC', 'reason': 'The FTC has authority over deceptive data collection practices, including mechanisms that shift responsibility to consumers for third-party data sharing.', 'complaint_url': 'https://reportfraud.ftc.gov/'}

What is the severity of this clause?

ConductAtlas classifies this Contact Information Certification Requirement clause as medium severity. Severity reflects the magnitude of rights affected, the breadth of users impacted, and the degree of discretion the platform retains.

Contact Information Certification Requirement — PayPal

Share 𝕏 Share in Share 🔒 PDF

What it is

If you share your contacts list with PayPal, you are certifying that you have permission from each of those people to share their personal information with PayPal.

Consumer impact (what this means for users)

By importing your contacts into PayPal, you are making a legal certification that you have each contact's permission to share their data — a standard most users cannot genuinely meet, creating potential personal liability.

Cross-platform context

See how other platforms handle Contact Information Certification Requirement and similar clauses.

Compare across platforms →

Need full compliance memos? See Professional →

Why it matters (compliance & risk perspective)

Most users do not obtain explicit permission from their contacts before sharing a contacts list with an app, meaning this clause could expose users to liability if their contacts later object to their data being shared with PayPal.

View original clause language

Process information about your contacts. We may use Personal Information in order to make it easy for you to find and connect your contacts, improve payment accuracy and suggest connections with people you may know. By providing us with information about your contacts you certify that you have permission to provide that information to PayPal for the purposes described in this Privacy Statement.

Institutional analysis (Compliance & legal intelligence)

1. REGULATORY FRAMEWORK: This provision implicates GDPR Art. 6 (lawful basis for processing third-party contact data), GDPR Art. 14 (transparency obligations to data subjects not directly collected from), and CCPA/CPRA §1798.100 (rights of individuals whose data is shared by third parties). COPPA (16 CFR Part 312) applies if any imported contacts are minors. The FTC Act Section 5 applies if the certification mechanism is used to obscure responsibility for unlawful third-party data collection. 2.

🔒

Compliance intelligence locked

Regulatory citations, enforcement risk, and due diligence action items.

Watcher $9.99/mo Professional $149/mo

Watcher: regulatory citations. Professional: full compliance memo.

Applicable agencies

FTC

The FTC has authority over deceptive data collection practices, including mechanisms that shift responsibility to consumers for third-party data sharing.
File a complaint →

Provision details

Document information

Document

PayPal Privacy Statement

Entity

PayPal

Document last updated

April 29, 2026

Tracking information

First tracked

April 18, 2026

Last verified

April 28, 2026

Record ID

CA-P-003931

Document ID

CA-D-00045

Evidence Provenance

Source URL

https://www.paypal.com/us/legalhub/privacy-full

Wayback Machine

View archived versions →

SHA-256

88e15ed1ee29a80c15e1f44d4a7a869e4f68a15049f8669d6949ec87c64d86cb

Verified

✓ Snapshot stored ✓ Change verified

How to Cite

ConductAtlas Policy Archive
Entity: PayPal | Document: PayPal Privacy Statement | Record: CA-P-003931
Captured: 2026-04-18 08:48:00 UTC | SHA-256: 88e15ed1ee29a80c…
URL: https://conductatlas.com/platform/paypal/paypal-privacy-statement/contact-information-certification-requirement/
Accessed: May 2, 2026

Classification

Severity

Medium

Contact Information Certification Requirement