PayPal states it may obtain your personal information from data brokers, credit reporting agencies, financial institutions, government entities, and Partners and Merchants, and may also share your information with these categories of parties.
This analysis describes what PayPal's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
The explicit disclosure that data brokers are among the sources from which PayPal obtains personal information means that data about users may be combined with externally purchased data profiles, which can affect the completeness and sensitivity of the information PayPal holds and uses for targeting and risk assessment.
Under this provision, PayPal may supplement data collected directly from you with information purchased from data brokers, and may share your information with credit reporting agencies that could affect your creditworthiness; California residents have the right to request disclosure of the specific third-party sources from which PayPal obtained their data under CCPA.
How other platforms handle this
At Ledger, earning and maintaining our users' trust is a top priority. That's why we are deeply committed not only to protecting your privacy and securing your personal data, but also to being fully transparent about how we handle it.
If you are located in the European Economic Area, Switzerland, or the United Kingdom, you have the right to access, correct, or erase your personal data; the right to restrict or object to our processing of your personal data; the right to data portability; and, where our processing is based on your...
We use information to enhance the quality, reliability, and/or accuracy of our AI Features by creating, developing, training, testing, improving, and maintaining AI and ML models run by Strava or our service providers. We use aggregated, de-identified data for this purpose. We also use personal info...
Monitoring
PayPal has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"Third parties, including service providers, Partners and Merchants, payment partners, such as payment networks and processors, credit reporting agencies and public and private credit databases ("CRAs"), government entities, data brokers, and financial institutions.— Excerpt from PayPal's PayPal Privacy Statement
REGULATORY LANDSCAPE: This provision engages CCPA/CPRA, which requires disclosure of categories of sources from which personal information is collected, including data brokers, and gives California consumers the right to request this information. The California Privacy Protection Agency and California Attorney General are the relevant enforcement authorities. The Federal Trade Commission Act is also engaged where data broker sourcing may involve unfair or deceptive data practices. GDPR requires that where personal information is not collected directly from the data subject, the controller must provide notice of the sources within a reasonable period; the breadth of data broker sourcing disclosed here may require evaluation under GDPR Articles 13 and 14. GOVERNANCE EXPOSURE: High. The explicit inclusion of data brokers as a source category creates a data mapping obligation: compliance teams must be able to identify which brokers are used, what categories of data are sourced, and whether the purposes of use are consistent with CCPA and GDPR notice requirements. Sharing with credit reporting agencies also engages FCRA obligations regarding the accuracy and permissible purposes of data furnished to CRAs. JURISDICTION FLAGS: California (CCPA/CPRA data broker registry and disclosure requirements), EU/EEA and UK (GDPR Articles 13 and 14 indirect collection notice obligations), and US federal (FCRA for CRA-related sharing) create heightened exposure. Vermont and Virginia also have data broker registration requirements that may apply depending on PayPal's sourcing practices. CONTRACT AND VENDOR IMPLICATIONS: Data broker vendor agreements should specify the categories and sources of data supplied, confirm that the data was lawfully obtained, and include representations regarding accuracy and compliance with applicable privacy laws. Where CRA data is furnished by PayPal, FCRA compliance obligations including accuracy, dispute resolution, and permissible purpose documentation apply. COMPLIANCE CONSIDERATIONS: Compliance teams should (1) maintain an up-to-date data broker vendor inventory with documented categories of data sourced; (2) confirm that CCPA notice-at-collection disclosures identify data broker sourcing as a category of source; (3) evaluate whether GDPR indirect collection notice obligations are satisfied for EU/EEA and UK users; (4) review FCRA obligations where data is furnished to or received from CRAs; and (5) assess Vermont and Virginia data broker registration obligations.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Ad personalization controls removed. Contact scanning added. Advertiser data partnerships quietly dropped. A timeline of every change.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
The explicit disclosure that data brokers are among the sources from which PayPal obtains personal information means that data about users may be combined with externally purchased data profiles, which can affect the completeness and sensitivity of the information PayPal holds and uses for targeting and risk assessment.
Under this provision, PayPal may supplement data collected directly from you with information purchased from data brokers, and may share your information with credit reporting agencies that could affect your creditworthiness; California residents have the right to request disclosure of the specific third-party sources from which PayPal obtained their data under CCPA.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by PayPal.