PayPal Credit is the consumer credit and pay later product offered by PayPal in selected markets, including the United Kingdom, Germany, France, Italy, Spain, the Netherlands and Australia. It is presented at checkout as a financing option (Pay in 3, Pay in 4, longer term credit). For EU merchants, PayPal (Europe) S.a r.l. et Cie, S.C.A. in Luxembourg acts as data controller and data flows to the United States are covered by Standard Contractual Clauses and the EU US Data Privacy Framework.
PayPal Credit is the consumer credit and pay later product offered by PayPal. Depending on the market it appears as PayPal Credit (UK revolving credit), Pay in 3 (UK, Germany, France, Italy, Spain, Netherlands), Pay in 4 (US, Australia) or Ratenzahlung (Germany). It is displayed by the PayPal SDK at checkout, as a Smart Button or as messaging next to the price. PayPal (Europe) S.a r.l. et Cie, S.C.A. is the data controller for EU customers.
PayPal processes name, email, billing and shipping address, IP address, device data, browser fingerprint, transaction amount, basket contents passed by the merchant, and any credit assessment inputs (income or credit reference data depending on the market). The PayPal SDK and Smart Buttons set first party cookies on paypal.com, paypalobjects.com and paypal-objects.com, including risk session cookies (tsrce, ts_c, x-pp-s, l7_az) used for fraud detection. Some pay later messaging components load additional ad and analytics cookies.
PayPal (Europe) is the data controller for EU customers, with the merchant acting as joint controller for some processing (e.g. transmitting checkout data). The PayPal SDK loads from paypal.com when the merchant page is rendered, even before the customer clicks. Under Art. 5(3) ePrivacy and the EDPB guidelines, the SDK loader itself can be considered to trigger third party data processing requiring consent unless it is strictly necessary for a payment that the user has already started.
Pay later messaging that appears on product or category pages (not yet a checkout) generally requires consent because it loads PayPal scripts and tracks impressions for personalisation. The Smart Buttons at checkout can themselves rely on contract necessity, but any cookies that are not strictly needed for completing the payment must be loaded only after consent. Disclose PayPal as data controller in the privacy notice and provide a link to PayPal's own privacy statement.
PayPal (Europe) processes data primarily in Luxembourg and other EU locations, but shares data with PayPal Holdings Inc. in the United States and other affiliates for fraud, credit modelling and regulatory compliance. PayPal is certified under the EU US Data Privacy Framework, and Standard Contractual Clauses apply where applicable. Information sharing for risk and compliance includes data being made available to PayPal Pte. Ltd. in Singapore and other group entities.
Load the PayPal SDK only after consent if you display pay later messaging on product pages, distinguish between checkout SDK (contract necessity) and marketing messaging (consent), disclose PayPal (Europe) as a separate controller and PayPal Holdings as a recipient in the United States, reference SCCs and the EU US Data Privacy Framework, comply with Consumer Credit Directive pre contractual information requirements where applicable, and ensure the credit option is presented neutrally without dark patterns.
Websites using PayPal Credit must obtain user consent under GDPR regulations.
DPIA considerations
PayPal Credit involves credit assessment data, which is sensitive. Key DPIA considerations: (1) PayPal performs a credit decision that uses internal scoring models and may share data with credit reference agencies in the consumer market; (2) the PayPal SDK and Smart Buttons can set cookies on the merchant page before the customer clicks, so treat the SDK loader as triggering pixel placement; (3) PayPal (Europe) S.a r.l. et Cie, S.C.A. is the EU controller, but data flows to PayPal US for fraud and risk; (4) the Consumer Credit Directive imposes pre contractual information duties; (5) PayPal is EU US Data Privacy Framework certified; (6) Pay in 3 in the UK and pay later in the EU may be subject to FCA or local supervision under PSD2 and consumer credit rules.
Sample consent text
We display PayPal and PayPal Credit as a payment and pay later option at checkout. PayPal (Europe) S.a r.l. et Cie, S.C.A. acts as data controller and processes your data for credit assessment and payment. Some data is transferred to PayPal Holdings in the United States under Standard Contractual Clauses and the EU US Data Privacy Framework. PayPal sets cookies on its own domains for fraud prevention and session continuity.
Third-party domains contacted
- paypal.com
- paypalobjects.com
- paypal-objects.com
- paypal.de
- paypalcredit.com

Cookies placed

| Name | Type | Duration | Purpose |
|---|---|---|---|
| tsrce | Functional | 3 days | PayPal risk session cookie used for fraud detection during checkout and pay later flows. |
| ts_c | Functional | 3 years | Persistent PayPal cookie correlating risk signals across sessions to detect fraudulent patterns. |
| enforce_policy | Functional | 1 year | Stores PayPal compliance and security policy state, including 3DS and SCA preferences. |
| l7_az | Functional | Session | PayPal load balancer routing cookie ensuring session affinity during the checkout flow. |
| LANG | Functional | 6 months | Stores the user's PayPal interface language preference. |
| paypal-offers-tracking-id | Marketing | 2 years | Tracks pay later messaging impressions and conversions across merchant sites. |
PayPal Credit uses cookies for user preferences — inform visitors with a consent banner.
When the PayPal SDK loads, it sets first party cookies on paypal.com and paypalobjects.com, including risk session cookies (tsrce, ts_c, x-pp-s, l7_az, LANG, enforce_policy). The pay later messaging script may also set advertising cookies for impression tracking. The Smart Buttons themselves rely on session and CSRF cookies for the checkout flow.
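To check that gating actually holds, the following added example (not PayPal's or this page's own code) audits a capture of the requests and cookies a page produced and flags PayPal activity that occurred without consent or payment necessity. The domain list and cookie categories are taken from this page; the capture format, field names and sample data are assumptions constructed for illustration.

```javascript
// Added example: audit a capture of what a page contacted and stored.
// Domain list and cookie categories are copied from this page; the capture
// format and the sample capture below are constructed for illustration.
const PAYPAL_DOMAINS = ["paypal.com", "paypalobjects.com", "paypal-objects.com",
  "paypal.de", "paypalcredit.com"];
const COOKIE_CATEGORY = new Map([
  ["tsrce", "Functional"], ["ts_c", "Functional"], ["enforce_policy", "Functional"],
  ["l7_az", "Functional"], ["LANG", "Functional"],
  ["paypal-offers-tracking-id", "Marketing"],
]);

// True for a listed domain or any subdomain of it (not for look-alikes).
function isPayPalHost(host) {
  const h = host.toLowerCase().replace(/^\./, "");
  return PAYPAL_DOMAINS.some((d) => h === d || h.endsWith("." + d));
}

function auditCapture(capture) {
  const findings = [];
  // Contract necessity only applies at checkout after payment has started.
  const necessary = capture.pageType === "checkout" && capture.paymentInitiated;
  for (const url of capture.requests) {
    const host = new URL(url).hostname;
    if (isPayPalHost(host) && !capture.consentGiven && !necessary) {
      findings.push(`request-before-consent: ${host}`);
    }
  }
  for (const { name, domain } of capture.cookies) {
    if (!isPayPalHost(domain)) continue;
    const category = COOKIE_CATEGORY.get(name) || "Unlisted";
    // Marketing and unlisted cookies need consent even at checkout.
    const allowed = capture.consentGiven || (necessary && category === "Functional");
    if (!allowed) findings.push(`cookie-before-consent: ${name} (${category})`);
  }
  return findings;
}

const productPageCapture = { // constructed sample
  pageType: "product", consentGiven: false, paymentInitiated: false,
  requests: ["https://cdn.shop.example/app.js", "https://www.paypal.com/sdk/js"],
  cookies: [{ name: "ts_c", domain: ".paypal.com" },
    { name: "paypal-offers-tracking-id", domain: ".paypal.com" }],
};
console.log(auditCapture(productPageCapture));
```

Cookies that the table does not list are reported as "Unlisted" so they get a manual review rather than a silent pass.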
Yes for pay later messaging shown on product or category pages, because it loads PayPal scripts and tracks impressions for personalisation. The checkout itself can rely on contract necessity once the customer initiates payment, so the Smart Buttons and required risk cookies can be loaded at that stage without prior consent.
Contract performance (Art. 6(1)(b) GDPR) for the credit and payment service requested by the customer. Legitimate interest (Art. 6(1)(f) GDPR) for fraud prevention, risk modelling and credit decisioning. Consent (Art. 6(1)(a) GDPR) for analytics, messaging tracking and marketing cookies the SDK can load. Legal obligation (Art. 6(1)(c) GDPR) for KYC and AML under PSD2.
PayPal (Europe) processes primarily in Luxembourg and other EU locations. Data is shared with PayPal Holdings Inc. in the United States and other affiliates including PayPal Pte. Ltd. in Singapore. PayPal is certified under the EU US Data Privacy Framework, and Standard Contractual Clauses apply for other jurisdictions.
Yes, a DPIA is recommended because PayPal Credit involves credit assessment, sharing with credit reference agencies in some markets, automated decisioning, and transfers to the US and Singapore. The DPIA should cover credit decisioning logic, the role of PayPal (Europe) versus PayPal Holdings and the customer's right to an explanation under Art. 22 GDPR.
Load the PayPal SDK only after consent if used for product page messaging, separate Smart Button code paths from messaging, configure your Tag Manager so that pay later scripts respect consent signals (TCF or Google Consent Mode), disclose PayPal (Europe) as data controller, link PayPal's own privacy notice, document SCCs and the DPF, and comply with Consumer Credit Directive pre contractual information rules.
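One way to keep the Smart Button and messaging code paths separate, shown as an added example rather than PayPal's or this page's own code: the loader requests the `buttons` component only at checkout once payment has started, and the `messages` component only with marketing consent. The `ctx` shape, the `pageType` values, the `consent.marketing` flag and the `YOUR_CLIENT_ID` placeholder are assumptions; in practice the flag would be derived from your CMP's TCF or Consent Mode signal.

```javascript
// Added example: consent-aware loading of the PayPal JS SDK.
// Assumed names: ctx shape, pageType values, consent.marketing flag.
const SDK_BASE = "https://www.paypal.com/sdk/js";

// Decide which SDK components the current context permits.
function allowedComponents({ pageType, paymentInitiated, consent }) {
  const components = [];
  // Smart Buttons: contract necessity, only once the customer has started
  // paying at checkout (for example by choosing PayPal as payment method).
  if (pageType === "checkout" && paymentInitiated) components.push("buttons");
  // Pay later messaging tracks impressions: consent-based on every page.
  if (consent && consent.marketing === true) components.push("messages");
  return components;
}

// Build the SDK URL, or null when nothing may load (no request to paypal.com).
function buildSdkUrl(clientId, components) {
  if (components.length === 0) return null;
  const params = new URLSearchParams({
    "client-id": clientId,
    components: components.join(","),
  });
  return `${SDK_BASE}?${params.toString()}`;
}

// Inject the script tag. `doc` is a parameter so the function works with the
// browser's `document` and with a stub in tests.
function loadPayPalSdk(doc, clientId, ctx) {
  const url = buildSdkUrl(clientId, allowedComponents(ctx));
  if (url === null) return null; // no element created, so no cookies are set
  const script = doc.createElement("script");
  script.src = url;
  script.async = true;
  doc.head.appendChild(script);
  return url;
}

// Constructed contexts: product page without consent, then checkout after the
// customer chose PayPal but declined marketing cookies.
const CLIENT_ID = "YOUR_CLIENT_ID"; // placeholder
console.log(buildSdkUrl(CLIENT_ID, allowedComponents(
  { pageType: "product", paymentInitiated: false, consent: { marketing: false } })));
console.log(buildSdkUrl(CLIENT_ID, allowedComponents(
  { pageType: "checkout", paymentInitiated: true, consent: { marketing: false } })));
```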
Klarna, Scalapay, Alma (France), Cofidis Pay (France/Italy), Younited Pay (France), Riverty (formerly AfterPay Europe) and Sequra (Spain) all offer pay later in Europe with EU based controllers. Klarna is headquartered in Sweden and Riverty in the Netherlands, which simplifies the third country transfer story.
Disclose PayPal as a separate data controller for credit and payment, list the categories of data shared, mention transfers to the US and Singapore under SCCs and the EU US Data Privacy Framework, describe the cookies PayPal sets and their fraud prevention purpose, separate consent for product page messaging cookies, link PayPal's privacy notice, and add the Consumer Credit Directive pre contractual information requirements.