Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
PayPal Marketing Solutions is a suite of tracking and advertising tools by PayPal that uses a pixel and SDK to build audiences from PayPal checkout signals.
PayPal Marketing Solutions, also known as PayPal Advanced Tracking, is a suite of merchant tools that adds a tracking pixel and JavaScript SDK to a website. It captures page views, add to cart events, signups and PayPal checkout outcomes, then turns this data into audiences for retargeting, lookalike modelling and conversion measurement on PayPal owned and partner inventory.
The pixel collects standard tracking signals: cookies, IP address, user agent, page URL and referrer, custom events such as ViewContent, AddToCart and Purchase, transaction values, currency and SKU references. When the visitor is logged into PayPal it can be associated with the PayPal account ID, turning the signal into a directly identified profile.
Storage and reading of advertising cookies require prior consent under Article 5(3) of the ePrivacy Directive. The combination of purchase events with a personal account ID, plus the cross site nature of the audience builder, places the processing under high risk profiling and requires explicit Article 6(1)(a) consent backed by a documented DPIA.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
Block the PayPal pixel and SDK until the visitor accepts the marketing or advertising category. Provide a Reject all option at the same level as Accept all. Tag based or server side conversion tracking that bypasses consent is not compliant. Honour withdrawal by clearing the cookies and stopping further events.
PayPal Inc. processes data in the United States and shares it across its corporate group. Transfers from the EEA require certification under the EU US Data Privacy Framework or Standard Contractual Clauses with a transfer impact assessment that addresses the FISA 702 risk surface for US payment and advertising providers.
Accept the PayPal data sharing addendum, document Marketing Solutions in your record of processing activities, run a DPIA, configure your CMP to gate the pixel, restrict events to those needed for measurement and offer an opt out path that prevents the pixel from firing.
Websites using PayPal Marketing Solutions must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is required because the platform combines purchase data, cross site tracking and audience segmentation, processed at scale by a US data controller with US sub processors.
Sample consent text
I agree that PayPal can read and write cookies on my device, link my browsing to my PayPal account where applicable and use this data for personalised advertising and audience measurement, including transfers to the United States.
Third-party domains contacted
paypal.comwww.paypal.comb.stats.paypal.comt.paypal.compaypalobjects.comCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| ts | http_cookie | 3 years | PayPal session and tracking timestamp used to attribute checkout and advertising signals to a visitor browser |
| ts_c | http_cookie | 3 years | Companion cookie to ts that stores cross site state for the PayPal advertising network |
| tsrce | http_cookie | 3 days | Tracks the source of a PayPal session for marketing attribution |
| LANG | http_cookie | session | Language preference for PayPal interfaces, used in localised marketing creatives |
PayPal Marketing Solutions places tracking cookies for advertising — comply with GDPR using FlowConsent.
PayPal sets a tracking pixel cookie (ts), an anonymous browser identifier (tsrce or LANG_LOCALE), an attribution cookie and several functional cookies on .paypal.com. They persist between sessions and are used to identify the visitor across PayPal merchant sites for retargeting.
Yes. The pixel is an advertising tracker that stores and reads cookies on the visitor terminal, so Article 5(3) of the ePrivacy Directive requires prior, freely given consent. Loading the script before consent is a violation that several EU regulators have already sanctioned.
Article 6(1)(a) GDPR (consent) is the only valid basis. The processing is profiling for advertising and combines purchase data with cross site browsing, which excludes legitimate interest under EDPB guidance.
Yes. PayPal Inc. processes data in the United States and shares it within its corporate group. Transfers require certification under the EU US Data Privacy Framework or Standard Contractual Clauses with a transfer impact assessment.
Yes. Combining identified purchase data with cross site profiling at scale meets the EDPB criteria for high risk processing. A DPIA must be documented before launch and reviewed annually.
Block the pixel behind your CMP and only fire it after marketing consent. Avoid sending email addresses or other identifiers in plain text. Configure conversion events server side only when consent is captured. Document the integration in your record of processing activities.
First party measurement using your own analytics, server side conversion APIs that only fire after consent, or contextual advertising platforms hosted in the EU offer lower compliance risk while still allowing performance measurement.
List PayPal Inc. as a processor with the categories of data (cookies, IP, page events, transaction values, PayPal account ID when logged in), purposes (advertising, audience building, conversion measurement), retention, US transfer mechanism and a direct opt out link.