VOL. I  ·  EST. 2026  ·  "WE READ THE FINE PRINT SO YOU DON'T HAVE TO"
Verdict: D-

EXHIBIT A: PayPal.

"we hold your money. and your Social Security number. for ten years."

PayPal handles money, so the data is uniquely sensitive — SSNs, bank accounts, income, biometrics — and they share it with affiliates, partners, merchants, CRAs, fraud bureaus, governments, and "other third parties" §9. They claim they don't "sell" your data, then hide behind Gramm-Leach-Bliley §15.1 to keep doing things CCPA would otherwise stop. Federal law lets you limit some sharing — but not for everyday business, marketing, or joint marketing with banks §15.2. Your face scans live on for up to 3 years after you close the account §11.1; everything else for 10 years, or longer "to the extent permitted by applicable law." They train AI on your data §7.5, use automated decisions to cut you off from services §8, and refuse to honor Do Not Track because "many of our services won't function without tracking data" §3.1.

Fintech / Payments
Analyzed: 2026-05-23
§2 · The short version

TL;DR — 8 answers.

The eight things you actually want to know, at a glance.

TL;DR — 8 answers · Grade D-
  • Do they sell your data? COND.
  • Are they tracking you on other sites? YES
  • Can your data train their AI? YES
  • Who can see what you do? COND.
  • Can you delete everything? NO
  • Do they honor your opt-out? NO
  • Special handling for minors? COND.
  • Been fined for this before? YES
§3 · The details

The questions, answered.

No legalese. Every answer the way your most cynical friend would put it.

Do they sell your data? · COND. · §15.2
They say no. Then they share with affiliates, joint-marketing banks, CRAs, ad platforms, and "other third parties." Under Gramm-Leach-Bliley you can't even limit most of it.

Are they tracking you on other sites? · YES · §3.1
Cookies on partner and merchant sites collect device info, browsing history, and inferences. Do Not Track? Refused.

Can your data train their AI? · YES · §7.5
Yes, to "power our Services." No opt-out is mentioned. Plus "Agentic AI Tools" that can act on your behalf.

Who can see what you do? · COND. · §9.1
PayPal affiliates · Venmo · Honey · merchants · CRAs · fraud bureaus · payment networks · governments · ad platforms · other PayPal users (by username/email lookup).

Can you delete everything? · NO · §11.1
No. They keep records for ~10 years for AML/bookkeeping, biometrics for up to 3 years after closure, and "longer where permitted."

Do they honor your opt-out? · NO · §3.1
"We do not respond to DNT settings." Global Privacy Control: not mentioned. CCPA opt-out: not applicable, they claim, because they don't "sell."

Special handling for minors? · COND. · §12.1
Services aren't for under 18. They claim they don't knowingly collect minor data, but verification is essentially self-declared age.

Been fined for this before? · YES · §15.3
Yes, though not for this policy as such: the New York Department of Financial Services fined PayPal $2M in January 2025 for cybersecurity failures behind a 2022 incident that exposed customer Social Security numbers, and in 2015 the CFPB ordered $25M in refunds and penalties over PayPal Credit enrollment practices. The policy itself (§15.3) only tells you which supervisory authority to complain to.

§4 · The privacy card

At a glance, honestly.

Eight signals, color-coded. Like a model card for a machine — except the machine is reading your data.

Privacy Card · PayPal · Analyzed 2026-05-23 · Grade D-
  Signal                Value    Rating / note
  Data sold / shared    YES      MIXED
  Cross-site tracking   YES      BAD
  AI training           YES      opt-out: unavailable
  Deletion right        LIMIT.   MIXED
  GPC honored           NO       BAD
  Keeps forever?        YES      BAD
  Child protections     COND.    MIXED
  Automated decisions   YES      human review: yes
Collects: Identifiers, Financial Info, Sensitive Info, Biometrics, Transaction Data +6 more
Shares with: PayPal affiliates (Bill Me Later, etc.), Excluded Services (Venmo, Honey, Paidy, Simility), Credit reporting agencies, Fraud prevention bureaus +5 more
§5 · The label they should have shown you

The Privacy Label, honestly.

An Apple-style label for what's collected and a Cranor-style back-of-pack for what they do with it. Every cell links to the exact line in their policy.

PAYPAL — DATA COLLECTED
PER APPLE PRIVACY-LABEL TAXONOMY ↗
USED TO TRACK YOU
Data shared with third parties for cross-property tracking.
Location §6.1
GPS (with consent on financial accounts) · IP-based geolocation
Browsing History §3.1
Sites you visited before coming to PayPal · Cookie-tracked activity on partner/merchant sites
◐ LINKED TO YOU
Tied to your identity and stored against your account.
Identifiers §4.1
Name · Address · Phone · Email · IP address · Government-issued ID · Signature
Financial Info §4.1
Bank account & routing numbers · Credit/debit card · CVV · IBAN · Income · Account balances
Sensitive Info §4.3
Social Security number · Tax ID · Government IDs · Biometric data · Precise geolocation
Biometrics §4.2
Voice identification · Photo identification · Face scans
Transaction Data §4.1
Transaction history · Shopping carts · Purchase history · Seller/buyer info · Order tracking
Contact Info §4.1
Imported contacts: names, emails, phone numbers
Audio / Visual §4.1
Call recordings from customer service
Inferred Data §4.4
Gender · Income · Creditworthiness · Fraud/risk scores · Shopping behavior · Preferences
Protected Classifications §4.1
Age · Nationality · Disability · Citizenship · Military status
○ NOT LINKED TO YOU
Aggregated, supposedly anonymous.
Other Data
— none claimed —
↓ BACK OF LABEL · WHAT THEY DO WITH IT (CRANOR FRAMEWORK)
Purposes
Provide payment services, Fraud/risk/AML/KYC, AI training & automated decisions, Marketing & personalized shopping, Creditworthiness assessment via CRAs, Targeted advertising via third parties. §5.1–§5.4, §7.5
6+ stated purposes. The interesting ones are buried in §7.
Sold or shared?
Yes. PayPal affiliates (Bill Me Later, etc.), Excluded Services (Venmo, Honey, Paidy, Simility), Credit reporting agencies, Fraud prevention bureaus, Other financial institutions, Partners & Merchants (personalized shopping), Advertising platforms, Authorities & law enforcement, Joint marketing financial partners. §9.1
"We don't sell data" is technically true and substantively false.
Retention
Ten years minimum, open-ended after that. §11.1
Relationship plus 10 years after it ends, longer when "permitted by applicable law." Biometric data: up to 3 years after account closure. Data is kept even after deletion to comply with AML/bankruptcy obligations.
User controls
Deletion: Limited · Opt-out: Limited §13.1
Deletion is partial: AML, bookkeeping and litigation records survive it. Opting out of inference does not exist.
Honors GPC?
No. §13.1
Global Privacy Control browser signal: ignored.
Automated decisions
Yes. With human review. §8.1
Refusing or terminating services based on fraud/credit risk scores · Profiling "economic situation, reliability and/or behavior" · Agentic AI initiating actions on your behalf. All algorithmic.
AI training on your data
Yes. No opt-out. §7.5
Your Personal Information, transaction history included, trains the models that "power our Services."
Children's data
Under 18 not permitted · age self-declared §12.1
They say they don't knowingly collect from under-18s; nothing beyond a self-declared age enforces it.
Breach disclosure
"As required by law." §15.3
Translation: the bare minimum legal window in your jurisdiction.
§6 · The receipts

The receipts, translated.

Five of the worst clauses, lifted verbatim. Strikethroughs are theirs. Marginalia is ours.

PAYPAL PRIVACY STATEMENT · AI and Automated Decision Making §7.5
"We may use Personal Information to train our artificial intelligence (AI) models that power our Services and help us deliver more secure, efficient, and personalized services. PayPal also uses Automated Decision Making to provide our products and Services, conduct risk analysis, fraud prevention and risk management to protect our customers and business, including to prevent fraud against our Partners and Merchants and strategic ventures."
  • "train our artificial intelligence (AI) models": no opt-out anywhere in the policy
  • "conduct risk analysis, fraud prevention and risk management": i.e., we let an algorithm decide if you can use PayPal
  • "strategic ventures" = whoever pays us
AI TRAINING: OPT-OUT NOT OFFERED
PAYPAL PRIVACY STATEMENT · How Long We Store Your Personal Information §11.1
"Personal Information used for the ongoing relationship between you and PayPal is stored for the duration of the relationship plus a period of 10 years or such period as mandated by any applicable local law once our relationship comes to an end, unless we need to keep it longer to the extent permitted by applicable law"
  • "plus a period of 10 years": ten. years. after you leave.
  • "unless we need to keep it longer": "longer" is the default, not the exception
RETENTION: 10 YEARS MIN.
PAYPAL PRIVACY STATEMENT · Do Not Track §3.1
"Some web browsers have an optional setting called “Do Not Track” (“DNT”) that lets you opt-out of being tracked by advertisers and some third parties. Because many of our services won’t function without tracking data, we do not respond to DNT settings."
  • "won’t function without tracking data": translation: tracking IS the service
  • Global Privacy Control? Also no.
DNT IGNORED
GRAMM-LEACH-BLILEY NOTICE · Reasons We Share Your Personal Information §15.2
  Reasons we can share your personal information                          Does PayPal share?   Can you limit this sharing?
  For our everyday business purposes – such as to process your
  transactions, maintain your account(s), respond to court orders and
  legal investigations, or report to credit bureaus                        Yes                  No
  For our marketing purposes – to offer our products and services to you   Yes                  No
  For joint marketing with other financial companies                       Yes                  No
  For our affiliates’ everyday business purposes – information about
  your transactions and experiences                                        Yes                  No
  • everyday business: share: yes. limit: no.
  • marketing: they market with your data, you can't stop them
  • joint marketing: "joint marketing" = sharing with banks
  • affiliates: Venmo, Honey, Bill Me Later — all in.
GLBA LOOPHOLE
PAYPAL PRIVACY STATEMENT · Agentic AI §8.2
"PayPal is committed to offering innovative and personalized experiences, and we may, directly or through our trusted partners, provide you with access to Agentic AI Tools (“Agentic AI Tools”). These AI tools are designed to operate with a degree of autonomy, enabling them to perform tasks, make recommendations, and even initiate actions on your behalf, all while learning from your interactions."
  • "trusted partners" — never defined
  • "initiate actions on your behalf": initiate. actions. on your behalf.
  • "learning from your interactions": i.e., training on your finances
AGENTIC AI ON YOUR WALLET
§7 · The deceptive design

Dark patterns spotted.

Tricks the policy and surrounding UX use to make you "consent" without really consenting.

01
GLBA shield
§15.1
PayPal claims they don't "sell" data under CCPA, then routes the same sharing through Gramm-Leach-Bliley — which lets them share transaction data with affiliates and marketing partners with no real opt-out.
"Some Personal Information collected, processed, or disclosed by a financial institution are subject to federal laws, such as the Gramm-Leach-Bliley Act."
02
Refusing standard opt-out signals
§3.1
Browsers send Do Not Track. PayPal ignores it on the grounds that their service is tracking. Global Privacy Control isn't mentioned at all.
"Because many of our services won’t function without tracking data, we do not respond to DNT settings."
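Since the complaint here is about two concrete browser signals, it helps to see what honoring them actually looks like on the server. The block below is an added example written for this page; it is not PayPal's code and nothing in it comes from the policy. The header names (`DNT`, `Sec-GPC`) and the `/.well-known/gpc.json` format are taken from the W3C Tracking Preference Expression draft and the Global Privacy Control proposal; the sample requests and JSON bodies are constructed, and the split of cookies into "essential" versus "advertising" purposes is my assumption, chosen to show the distinction the policy text collapses when it says tracking data is needed for "many of our services."

```python
"""Browser opt-out signals (DNT, Global Privacy Control): parse them and act on them.

Added example for this page, not PayPal's code. Header names and the
/.well-known/gpc.json shape follow the public specs; all sample data is constructed.
"""
import json
from typing import Mapping, Optional


def opt_out_signals(headers: Mapping[str, str]) -> dict:
    """Return which opt-out signals a request carries.

    Header names are matched case-insensitively. Per the GPC spec the signal
    is present only when `Sec-GPC` is exactly "1"; "0", "true" or "" count as
    absent. DNT is the older W3C header, present when `DNT` is exactly "1".
    """
    lower = {k.lower(): v.strip() for k, v in headers.items()}
    return {
        "gpc": lower.get("sec-gpc") == "1",
        "dnt": lower.get("dnt") == "1",
    }


# Assumed purpose taxonomy (not from the policy): cookies the service cannot
# run without are allowed regardless of the signal; everything else is not.
ESSENTIAL_PURPOSES = {"session", "csrf", "fraud_risk"}


def may_set_tracking_cookie(headers: Mapping[str, str], purpose: str) -> bool:
    """Decide whether a response may set a cookie for `purpose`.

    "Tracking IS the service" only holds for the essential set; advertising
    and cross-site cookies are suppressed when either opt-out signal is present.
    """
    if purpose in ESSENTIAL_PURPOSES:
        return True
    signals = opt_out_signals(headers)
    return not (signals["gpc"] or signals["dnt"])


def gpc_support_declared(body: str) -> Optional[bool]:
    """Parse a /.well-known/gpc.json body.

    The GPC spec defines this resource as a JSON object with a boolean `gpc`
    member (plus a `lastUpdate` date). Returns that boolean, or None when the
    body is not a well-formed declaration, which is how you'd check whether a
    site says it honors GPC before trusting it to.
    """
    try:
        doc = json.loads(body)
    except ValueError:
        return None
    if not isinstance(doc, dict) or not isinstance(doc.get("gpc"), bool):
        return None
    return doc["gpc"]


# Constructed sample requests (not captured traffic).
GPC_REQUEST = {"Host": "example.test", "Sec-GPC": "1", "User-Agent": "x"}
DNT_REQUEST = {"host": "example.test", "dnt": "1"}
NO_SIGNAL_REQUEST = {"Host": "example.test", "Sec-GPC": "0"}

# Constructed sample /.well-known/gpc.json bodies.
DECLARES_SUPPORT = '{"gpc": true, "lastUpdate": "2026-01-01"}'
NOT_A_DECLARATION = '{"gpc": "yes"}'

if __name__ == "__main__":
    for name, req in [("GPC", GPC_REQUEST), ("DNT", DNT_REQUEST), ("none", NO_SIGNAL_REQUEST)]:
        print(name, opt_out_signals(req),
              "ad cookie allowed:", may_set_tracking_cookie(req, "advertising"),
              "session cookie allowed:", may_set_tracking_cookie(req, "session"))
    print("declares GPC support:", gpc_support_declared(DECLARES_SUPPORT))
    print("malformed declaration:", gpc_support_declared(NOT_A_DECLARATION))
```

The practical check: fetch a site's `/.well-known/gpc.json` and run the body through `gpc_support_declared`; a site that neither publishes that resource nor mentions GPC in its policy, as this one does not, is giving you no commitment at all, whatever your browser sends.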
03
Deletion that doesn't delete
§11.1
Even if you close your account, PayPal keeps your data for ~10 years citing AML, bookkeeping, and "litigation," and biometrics for up to 3 years after closure.
"Personal Information used for the ongoing relationship between you and PayPal is stored for the duration of the relationship plus a period of 10 years"
04
Shared by default (post-Nov 2024 personalized shopping)
§9.3
After Nov 27, 2024, PayPal began sharing transactional data with merchants for "personalized shopping" by default. You can opt out — but only after reading 12,000 words and finding the toggle.
"Unless we are required by law to obtain your consent, we disclose Personal Information collected from you after November 27, 2024 (or from earlier if you consent) for personalized shopping experiences in the United States."
05
Algorithmic account termination
§8.1
An automated decision can refuse new services, kill existing ones, or freeze your money. Human review exists only if you ask, after the fact.
"we may refuse to provide new services to you, stop providing services you currently use, or place limits or restrictions on the services you use."
06
Carve-out for US users on automated decisions
§8.1
GDPR users can object to automated decisions with legal effect. US users get a written shrug: "these are either exempt practices or do not trigger an opt-out right."
"In the United States, these are either exempt practices or do not trigger an opt-out right under applicable United States privacy laws."
§8 · What you can actually do

Your rights, by where you live.

Same company, wildly different rights depending on your jurisdiction. Direct links to the specific opt-out / delete / access flows.

EU / UK (GDPR)
DIFFICULTY: MEDIUM
  • Right of access
  • Right to correct
  • Right to erasure (subject to AML retention)
  • Right to object to legitimate-interest processing
  • Right to withdraw consent
  • Right to have automated decisions reviewed
  • Right to data portability
  • Right to lodge a complaint with the Luxembourg CNPD (the ICO for UK users)

Source: §13.2

California (CCPA / CPRA)
DIFFICULTY: HARD
  • Right to know categories collected
  • Right to request list of third parties
  • Right to correct
  • Right to delete (subject to GLBA/AML carve-outs)
  • No "opt-out of sale" because PayPal claims they don't sell
  • Right to limit sensitive PI use — but PayPal claims an exemption

Source: §15.1

Default (rest of world)
DIFFICULTY: NIGHTMARE
  • Whatever local law forces them to grant
  • ARCO rights in Mexico (Access, Rectification, Cancellation, Opposition, plus portability/restriction)
  • No statutory deletion that overrides AML retention
  • No AI training opt-out
  • DNT not honored anywhere

Source: §15.3

§9 · Receipts

The actual sources.

Every claim above is anchored to a line in the policy we analyzed. Click any section ID to view it in context.

ANALYZED BY: claude (via Claude Code sub-agent)  ·  PROMPT VERSION: honest-policy-v1.4-subagent  ·  ANALYZED AT: 2026-05-23T00:00:00Z
SOURCE: https://www.paypal.com/us/legalhub/privacy-full  ·  POLICY VERSION: 2026-05-06  ·  SNAPSHOT HASH: auto
  • §3.1
    Our Use of Cookies and Tracking Technologies / Do Not Track
    "Because many of our services won’t function without tracking data, we do not respond to DNT settings."
  • §4.1
    Notice at Collection — Categories of Personal Information We Collect
    "Personal identifiers: Such as name, business name, address, phone number, email, IP address, device information, information collected from cookies or other tracking technologies, government-issued identification, signature, and other information necessary to establish an account or profile."
  • §4.2
    Notice at Collection — Biometric data
    "Biometric data: Such as voice identification, photo identification, or face scans, which we may collect when you consent in the user experience to authenticate you for certain actions related to your account…"
  • §4.3
    Notice at Collection — Sensitive Personal Information
    "Sensitive Personal Information: Such as Social Security and tax ID number, government-issued and other related identification, bank account and routing numbers, credit and debit card information, financial information, biometric data (as described above), or precise geolocation data, depending on applicable privacy law."
  • §4.4
    Notice at Collection — Inferred data
    "Inferred data: Such as gender, income, browsing and purchasing habits, creditworthiness, fraud and risk assessment, your preferences and shopping behavior, which we may infer based on your transactions and interactions with our Services, ads and offers or with our Partners and Merchants."
  • §5.1
    How We Use Personal Information — Provide our Services
    "We may use Personal Information to help you send, receive or request money, initiate a payment, add monetary value to an account, pay a bill, administer your purchases…"
  • §5.2
    How We Use Personal Information — Comply with laws and risk oversight (KYC/AML)
    "We may use Personal Information to comply with applicable laws and rules (including anti-money laundering (“AML”), bookkeeping laws and rules issued by our designated banks and relevant card networks, and know-your-customer (“KYC”))…"
  • §5.3
    How We Use Personal Information — Market & personalize
    "We may use Personal Information to provide you offers and rewards, show ads or otherwise personalize your experience…"
  • §5.4
    How We Use Personal Information — Manage your creditworthiness
    "Pursuant to applicable law, we will use and exchange Personal Information about you with CRAs to assess creditworthiness and product suitability, check your identity, trace and recover debts, and prevent fraud and criminal activity."
  • §6.1
    Geolocation data
    "Geolocation data: Such as Global Positioning System (“GPS”), which we may collect with your consent if you have an account for financial Services, and IP-based geolocation data during your user experience or based on your mobile application settings."
  • §7.5
    AI and Automated Decision Making — AI training
    "We may use Personal Information to train our artificial intelligence (AI) models that power our Services and help us deliver more secure, efficient, and personalized services."
  • §8.1
    AI and Automated Decision Making — Automated Decision Making
    "If we determine that you pose a credit, fraud, money laundering or other risk, we may refuse to provide new services to you, stop providing services you currently use, or place limits or restrictions on the services you use."
  • §8.2
    AI and Automated Decision Making — Agentic AI
    "PayPal is committed to offering innovative and personalized experiences, and we may, directly or through our trusted partners, provide you with access to Agentic AI Tools (“Agentic AI Tools”). These AI tools are designed to operate with a degree of autonomy, enabling them to perform tasks, make recommendations, and even initiate actions on your behalf, all while learning from your interactions."
  • §9.1
    When and How We Share Personal Information With Others
    "We disclose your Personal Information with service providers and third parties, including those participating in the payment network, to help us provide Services, protect our customers from risk and fraud, market our products, and comply with legal obligations."
  • §9.2
    Sharing — Authorities
    "We may disclose Personal Information with authorities if compelled by a subpoena, court order, or similar legal procedure, when necessary to comply with law, or where the disclosure of Personal Information is reasonably necessary to prevent physical harm or financial loss…"
  • §9.3
    Sharing — Personalized Shopping with Merchants
    "Unless we are required by law to obtain your consent, we disclose Personal Information collected from you after November 27, 2024 (or from earlier if you consent) for personalized shopping experiences in the United States."
  • §9.5
    Sharing — Other third parties / advertising platforms
    "For example, we disclose Personal Information to advertising platforms, at your direction. … For marketing purposes, we may use third parties to identify and display ads on our Services tailored to your interests and track interactions with these ads."
  • §11.1
    How Long We Store Your Personal Information
    "Personal Information used for the ongoing relationship between you and PayPal is stored for the duration of the relationship plus a period of 10 years or such period as mandated by any applicable local law once our relationship comes to an end, unless we need to keep it longer to the extent permitted by applicable law… We retain biometric data for as long as needed or permitted given the purpose for which it was collected and no more than 3 years after your account closes, unless otherwise required by applicable law."
  • §12.1
    Whether Children May Use Our Services
    "The Sites and Services are not directed to children under the age of 18. We do not knowingly collect information, including Personal Information, from children under the age of 18 or other individuals who are not legally allowed to use our Services."
  • §13.1
    Your Data Protection Rights — Deletion / opt-out limits
    "If you close your PayPal account(s) or profile, delete, or request that we delete Personal Information, we still need to keep some Personal Information as explained in How Long Do We Store Your Personal Information…"
  • §13.2
    Your Data Protection Rights — How you can exercise your rights
    "Whether you decide to exercise your privacy rights or not, we will not discriminate or deny you services, charge you different prices, or provide you with a different level of service solely for exercising your privacy rights."
  • §15.1
    Disclosures for Individuals in the United States — Sale & Sharing / GLBA
    "PayPal does not “sell” Personal Information or “share” Personal Information for cross-context behavioral or targeted advertising that is subject to non-exempt practices under comprehensive privacy laws in the United States… Some Personal Information collected, processed, or disclosed by a financial institution are subject to federal laws, such as the Gramm-Leach-Bliley Act."
  • §15.2
    Notice for Consumers of Financial Products and Services (GLBA notice)
    "For our everyday business purposes – such as to process your transactions, maintain your account(s), respond to court orders and legal investigations, or report to credit bureaus Yes No"
  • §15.3
    Other jurisdictions & where to complain (the policy states no enforcement history)
    "Please see the table below for additional information relevant to your local country/region. You may lodge a complaint with the Supervisory Authority for data protection in your region if permitted under applicable law."