Braintree is the merchant payment processing platform of PayPal Holdings, offering credit card, PayPal, Venmo, Apple Pay, Google Pay and SEPA Direct Debit in a single integration.
Braintree is the merchant payment processing platform owned by PayPal Holdings Inc., headquartered in Chicago. It offers a single integration for card payments, PayPal, Venmo, Apple Pay, Google Pay, SEPA Direct Debit, Bancontact, iDEAL, Sofort, Klarna and many other local European payment methods. Merchants integrate Braintree through Hosted Fields (iframes that keep card data out of the merchant's PCI scope), the Drop-in UI or the GraphQL API. Behind the scenes, Braintree handles tokenisation, 3DS2 Strong Customer Authentication, fraud detection (Kount, ThreatMetrix) and the Vault for recurring payments.
Braintree drops first-party cookies on the merchant domain (BraintreeJS_* cookies holding the SDK state) and third-party cookies on braintreegateway.com and paypal.com when PayPal or Venmo buttons are displayed (LANG, tsrce, x-pp-s, l7_az, ts, ts_c, and a _ga cookie linked to paypal.com). The advanced fraud detection scripts (collector.js, the data collector) fingerprint device attributes such as user agent, screen resolution, plug-ins, fonts, IP address and behavioural signals. Card data is tokenised and transmitted directly from the iframe to Braintree without ever touching the merchant server.
Payment cookies that are strictly necessary to complete the transaction requested by the user fall under the exemption in Article 5(3) of the ePrivacy Directive. The fraud detection scripts, however, go beyond what is strictly necessary in many cases and typically require consent, except where they can be justified by an overriding legitimate interest in preventing payment fraud. CNIL and EDPB guidance distinguishes essential anti-fraud features (allowed under legitimate interest) from broad behavioural profiling (which needs consent). Braintree and the merchant are independent controllers for the payment processing.
Load the Braintree Hosted Fields and Drop-in UI without prior consent because they are strictly necessary to complete the payment. Load the advanced fraud detection script collector.js only after the user has consented to the relevant purpose, or document a legitimate interest assessment that limits the data collected to what is necessary for fraud prevention. Do not preload PayPal Smart Buttons before consent if they trigger third-party cookies on paypal.com beyond what is needed for the checkout.
Braintree provides an EU gateway hosted in Ireland (payments-eu.braintree-api.com), but card data and fraud signals can still be processed in the United States by PayPal Holdings for PCI DSS, anti-money-laundering, dispute management and risk scoring. Transfers rely on EU Standard Contractual Clauses and on PayPal's DPF certification. Document the transfer mechanism in your records of processing activities and clearly inform users in your privacy notice.
Sign the Braintree merchant agreement and the PayPal DPA with EU SCCs. Activate the EU gateway when possible. Trigger Hosted Fields and the Drop-in UI without consent (strictly necessary). Wrap the advanced fraud detector behind a CMP gate or document a legitimate interest assessment. List Braintree cookies in your cookie policy as Functional or Fraud Prevention. Identify PayPal (Europe) S.à r.l. et Cie, S.C.A. and PayPal Inc. as independent controllers in your privacy notice, together with the US transfer disclosure.
Websites using Braintree must obtain user consent under the GDPR for its non-essential components.
DPIA considerations
A DPIA is recommended whenever Braintree is paired with the advanced fraud detection scripts (Kount, ThreatMetrix), when merchants store cardholder data through the Vault feature for recurring billing, or when 3DS2 risk-based authentication processes a broad set of behavioural signals.
Sample consent text
We use Braintree by PayPal to process your payments and to detect fraudulent transactions. Braintree sets cookies on your device to secure the checkout and to fingerprint suspicious behaviour. Payment cookies are strictly necessary, but the advanced fraud scripts that profile your device only run if you grant consent.
Third-party domains contacted
- braintreegateway.com
- braintree-api.com
- payments-eu.braintree-api.com
- paypal.com
- paypalobjects.com
- venmo.com

Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| BraintreeJS_* | Functional | Session | Maintains the Hosted Fields and Drop-in UI state on the merchant domain during checkout. Strictly necessary for the payment to complete. |
| ts | Functional | 3 years | PayPal session cookie used by Braintree when PayPal buttons are loaded. Helps recognise the user during the PayPal flow. |
| ts_c | Functional | 3 years | PayPal companion cookie to ts, used together for session continuity in the PayPal checkout. |
| l7_az | Functional | 30 minutes | Load balancer routing cookie on paypal.com used during the checkout to keep the user on the same backend instance. |
| tsrce | Functional | 3 days | PayPal traffic source cookie set when Smart Buttons are displayed for analytics and attribution. |
| x-pp-s | Functional | Session | PayPal session identifier used during the PayPal Smart Button flow. |
Braintree sets first-party cookies on the merchant domain to maintain the Hosted Fields state, plus third-party cookies on braintreegateway.com and paypal.com (LANG, tsrce, x-pp-s, l7_az, ts, ts_c) when PayPal or Venmo buttons render. Advanced fraud detection (collector.js) also creates a device fingerprint stored in browser storage.
Hosted Fields and Drop-in UI cookies are strictly necessary and exempt from consent under Article 5(3) of the ePrivacy Directive. The advanced fraud detection scripts and the PayPal Smart Buttons usually require consent unless a documented legitimate interest assessment supports them.
Performance of a contract (Article 6(1)(b) GDPR) for the actual payment processing. Legitimate interest (Article 6(1)(f) GDPR) for essential anti-fraud measures. Consent (Article 6(1)(a) GDPR) for non-essential profiling, marketing buttons and behavioural anti-fraud.
Braintree provides an EU gateway in Ireland but card and fraud data can be processed in the United States by PayPal Holdings. Transfers rely on EU SCCs and on the PayPal DPF certification.
A DPIA is recommended when activating the advanced fraud detection (Kount, ThreatMetrix), when running 3DS2 risk-based authentication with broad behavioural signals, or when storing card data in the Vault for recurring payments at significant scale.
Load Hosted Fields without consent. Load the advanced fraud collector only after consent or under a documented legitimate interest. Sign the Braintree merchant agreement and the PayPal DPA with EU SCCs. Activate the EU gateway when possible. Inform users in the privacy notice with the right balance between transparency and security.
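The loading rule just described (and the same recommendations earlier on the page), as an added example that is not FlowConsent's or Braintree's code: a consent gate over the three Braintree asset groups, plus an audit of the cookies a test browser recorded during a checkout. The asset URLs, the `consent` and `lia` object shapes and the sample cookie list are assumptions.

```javascript
// Added example, not FlowConsent's or Braintree's code. Asset URLs are placeholders and the
// consent/LIA object shapes are assumptions; the cookie rule follows the table on this page.
const ASSETS = {
  hostedFields:  { url: "https://placeholder.invalid/hosted-fields.js", needs: null },
  dataCollector: { url: "https://placeholder.invalid/data-collector.js", needs: "fraudPrevention" },
  paypalButtons: { url: "https://placeholder.invalid/paypal-buttons.js", needs: "paypalButtons" },
};

// Decide which asset groups may load for a consent state. `lia.fraudCollector` records the
// merchant's documented legitimate-interest decision for the fraud collector.
function planLoads(consent, lia = { fraudCollector: false }) {
  return Object.keys(ASSETS).filter((key) => {
    const need = ASSETS[key].needs;
    if (need === null) return true;                                    // strictly necessary
    if (need === "fraudPrevention" && lia.fraudCollector) return true; // LIA documented
    return consent[need] === true;                                     // consent only
  });
}

// Inject one <script> per planned asset; `doc` is a parameter so it can be stubbed outside a browser.
function loadPlanned(doc, consent, lia) {
  const loaded = [];
  for (const key of planLoads(consent, lia)) {
    const s = doc.createElement("script");
    s.src = ASSETS[key].url;
    s.async = true;
    doc.head.appendChild(s);
    loaded.push(key);
  }
  return loaded;
}

// Per the table above, only the first-party BraintreeJS_* cookies are strictly necessary.
function strictlyNecessary(cookie) {
  return cookie.name.startsWith("BraintreeJS_") && !cookie.domain.endsWith("paypal.com");
}

// Audit cookies recorded by a test browser during checkout: every non-essential cookie that
// appeared before consent (or with no consent at all) is a finding for the CMP configuration.
function auditCookies(observed, consentGrantedAt) {
  return observed
    .filter((c) => !strictlyNecessary(c))
    .filter((c) => consentGrantedAt === null || c.setAt < consentGrantedAt)
    .map((c) => `${c.name} on ${c.domain} set before consent`);
}

// Constructed sample of a checkout where PayPal buttons were preloaded before consent (setAt = step).
const SAMPLE_COOKIES = [
  { name: "BraintreeJS_session", domain: "shop.example", setAt: 1 },
  { name: "ts", domain: ".paypal.com", setAt: 2 },
  { name: "l7_az", domain: ".paypal.com", setAt: 2 },
  { name: "x-pp-s", domain: ".paypal.com", setAt: 12 },
];
```

Running `auditCookies(SAMPLE_COOKIES, 10)` reports the two paypal.com cookies set at step 2, which is exactly the preloaded-buttons case the recommendations warn about.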
Alternatives include Stripe Connect, Adyen, Mollie (Dutch, EU only), Worldline, Checkout.com, GoCardless for SEPA, Klarna for BNPL, or local providers such as Lemonway and Lyra Network. Most offer similar PCI DSS compliance and 3DS2 support but with different EU footprints.
List the BraintreeJS_* first-party cookies and the third-party cookies on braintreegateway.com and paypal.com with their domain, duration and purpose. Categorise payment cookies as Strictly Necessary and fraud detection cookies as Fraud Prevention. Identify PayPal (Europe) S.à r.l. et Cie, S.C.A. and PayPal Inc. as independent controllers in the privacy notice, together with the transfer disclosure.