PayPal is a leading online payment platform enabling businesses to accept payments without storing card data. For EU merchants, PayPal (Europe) S.à r.l. et Cie, S.C.A. (Luxembourg) acts as the payment data controller for the transaction. The core PayPal checkout process relies on contract performance — no separate consent is needed for payment processing. However, the PayPal JavaScript button script may set additional tracking cookies beyond pure payment functionality, which require consent management on non-checkout pages.
PayPal is a global online payment platform enabling consumers and businesses to send and receive payments digitally. For e-commerce, PayPal offers checkout solutions (PayPal Checkout, PayPal Buttons, Pay Later) that allow customers to pay without sharing card details with the merchant. PayPal also provides business tools including invoicing, subscriptions, and payment links.
For European transactions, PayPal (Europe) S.à r.l. et Cie, S.C.A. is the licensed payment service provider and data controller for the payment transaction. This Luxembourg entity is regulated by the Commission de Surveillance du Secteur Financier (CSSF) and subject to EU law including GDPR. The existence of an EU-regulated entity simplifies GDPR compliance compared to pure US-hosted alternatives.
The PayPal checkout button JavaScript loads scripts from paypal.com that set cookies when loaded on any page — not just checkout pages. If the PayPal button is embedded on product pages or the homepage, it may set tracking cookies (tsrce, x-csrf-jwt, PYPF) before any purchase intent. Loading the PayPal script only on checkout pages, where contract performance applies, reduces consent complexity significantly.
Only load the PayPal JavaScript on checkout pages (not site-wide). Accept PayPal's Merchant Agreement, which includes GDPR DPA terms for EU merchants. Disclose PayPal in your privacy policy as a payment processor, including that PayPal is an independent controller for fraud detection. For the PayPal button outside checkout, use a CMP to block the script until payment/functional consent is given.
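One way to implement the loading rule above in the browser, as an added example (not code from PayPal or from this page). The route list, the consent object shape, `window.__consentState`, the `consent:changed` event and the `data-paypal-sdk` marker attribute are assumptions, and the client id is a placeholder.

```javascript
// Added example: inject the PayPal SDK only on checkout pages, or elsewhere
// only after the CMP reports functional consent. Names below are assumptions.
const CHECKOUT_PATHS = ['/checkout', '/cart/pay']; // hypothetical routes

function isCheckoutPage(pathname) {
  // Match the route itself or a sub-route, but not "/checkout-help".
  return CHECKOUT_PATHS.some(
    (p) => pathname === p || pathname.startsWith(p + '/')
  );
}

// consent: { functional: boolean } as reported by the CMP (assumed shape).
function shouldLoadPayPal(pathname, consent) {
  if (isCheckoutPage(pathname)) return true; // contract performance applies
  return Boolean(consent && consent.functional === true); // opt-in elsewhere
}

function loadPayPalSdk(doc, clientId) {
  // data-paypal-sdk is a local marker attribute used to avoid double injection.
  const existing = doc.querySelector('script[data-paypal-sdk]');
  if (existing) return existing;
  const s = doc.createElement('script');
  s.src = 'https://www.paypal.com/sdk/js?client-id=' + encodeURIComponent(clientId);
  s.setAttribute('data-paypal-sdk', 'true');
  s.async = true;
  doc.head.appendChild(s);
  return s;
}

// Returns the script element, or null when the page must stay PayPal-free.
function maybeLoadPayPal(doc, pathname, consent, clientId) {
  if (!shouldLoadPayPal(pathname, consent)) return null;
  return loadPayPalSdk(doc, clientId);
}

// Browser wiring; skipped when no DOM is present (for example under Node).
if (typeof document !== 'undefined') {
  const clientId = 'YOUR_CLIENT_ID'; // placeholder
  const initial = window.__consentState || { functional: false }; // hypothetical CMP global
  maybeLoadPayPal(document, location.pathname, initial, clientId);
  // Re-evaluate when the CMP reports a change (event name is hypothetical).
  window.addEventListener('consent:changed', (e) =>
    maybeLoadPayPal(document, location.pathname, e.detail, clientId));
}
```

Because no request to paypal.com is made until `maybeLoadPayPal` returns a script element, the network tab on a product page should show no PayPal requests before consent.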
Websites using PayPal must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is not required for standard PayPal payment integration. PayPal handles PCI DSS compliance for payment card data, reducing the merchant's compliance burden for the payment data itself.
Sample consent text
This website uses PayPal for secure payment processing. PayPal processes your payment information to complete your transaction. For payments, PayPal (Europe) is the data controller. See PayPal's privacy policy for full details on payment data processing.
Third-party domains contacted
paypal.com
www.paypal.com
js.braintreegateway.com
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| ENFORCE_POLICY | session | Session | PayPal payment session enforcement cookie strictly necessary for secure checkout processing |
| tsrce | session | Session | PayPal telemetry and session cookie for maintaining the active payment session |
No. Contract performance applies. However if the PayPal button loads on non-checkout pages it may set tracking cookies requiring consent management.
PayPal (Europe) S.à r.l. et Cie, S.C.A. is Luxembourg-licensed and the EU data controller for payment transactions, subject to EU law and GDPR directly.
tsrce (fraud detection), x-csrf-jwt (security), PYPF (browser fingerprint for fraud), l7_az (session routing). Necessary on checkout pages; may need consent elsewhere.
PayPal's Merchant Agreement includes data processing terms for EU merchants. Enterprise merchants can request a formal DPA. Standard acceptance covers most requirements.
State: PayPal processes payments, PayPal (Europe) is an independent controller, what data is shared, that PayPal has its own privacy policy, and link to PayPal's Privacy Statement.
Yes. Pay in instalments involves automated credit assessment under GDPR Art. 22. PayPal manages this as the credit provider. Merchants should disclose it in their privacy policy.
Some data may transfer to US infrastructure for fraud detection. PayPal's merchant terms include SCCs. The Luxembourg entity provides a stronger position than pure US alternatives.
Stripe (Irish entity), Adyen (Dutch), Mollie (Dutch), Klarna (Swedish). For maximum EU data residency, Mollie and Adyen are the strongest EU-first options.