Overview
Paddle operates as a merchant of record for software companies, meaning it handles not just payment processing but also sales tax, VAT, and compliance obligations on behalf of the seller. Unlike traditional payment gateways where the merchant retains the customer relationship for tax purposes, Paddle acts as the reseller — the end customer technically purchases from Paddle, which then remits revenue to the software vendor. This model is particularly common among SaaS companies selling internationally, as it offloads significant regulatory burden.
What This Script Does
Paddle's client-side integration centers on Paddle.js, loaded from cdn.paddle.com. When initialized, the script renders a checkout overlay directly on the vendor's website rather than redirecting to a separate payment page. This overlay handles plan selection, pricing display (with currency localization), and the full payment collection flow including credit card entry and PayPal authentication.
The script sets several cookies during the checkout process:
paddle_checkout — session cookie maintaining checkout state across page transitions
paddle_session — persists the authenticated buyer session for returning customers
_paddle_ref — tracks the referring URL to attribute conversions to the correct source
Paddle.js communicates with checkout.paddle.com and buy.paddle.com domains during transactions. It collects the buyer's email address, billing country, and payment method details (processed through Paddle's PCI-compliant infrastructure — card numbers never touch the merchant's servers). The script also performs device fingerprinting for fraud detection, collecting browser characteristics, screen resolution, and timezone data.
For subscription businesses, the script may also render a customer portal allowing existing subscribers to update payment methods, change plans, or access invoices. This portal operates under similar session management.
Consent & Compliance
Paddle is classified as essential. Its scripts are strictly necessary for completing purchase transactions — without them, users cannot buy the product or manage their subscriptions. Under the GDPR and the ePrivacy Directive, cookies that are strictly necessary for a service explicitly requested by the user are exempt from consent requirements. A visitor clicking "Buy" or "Subscribe" has explicitly requested the payment service.
Under CCPA/CPRA, Paddle's data collection during checkout constitutes a business purpose (completing a transaction) and does not qualify as "selling" or "sharing" personal information for cross-context behavioral advertising. The fraud detection fingerprinting falls under the security exception for both European and California frameworks.
Paddle's merchant-of-record model means Paddle itself is the data controller for transaction data in many jurisdictions, which shifts certain compliance obligations away from the website operator.
Should You Block This Without Consent?
No. Paddle scripts are essential for payment processing. Blocking them would prevent customers from completing purchases. Payment processing cookies are exempt from consent requirements under ePrivacy Directive Article 5(3) as strictly necessary for a service requested by the user.
Tracked Domains (2)
paddle.com: Essential
checkout.paddle.com: Essential
Frequently Asked Questions
Does Paddle require cookie consent?
No. Paddle scripts are essential for completing purchase transactions. Visitors clicking to buy have explicitly requested the payment service. Session and checkout cookies are exempt from ePrivacy consent requirements as strictly necessary for a user-initiated transaction.
What cookies does Paddle set?
Paddle sets paddle_checkout (session, maintains checkout state), paddle_session (persists buyer session for returning customers), and _paddle_ref (tracks referring URL for conversion attribution). No advertising or cross-site tracking cookies are set.
How does ConsentStack handle Paddle?
ConsentStack classifies Paddle as essential. Its checkout and session cookies are treated as strictly necessary for payment processing. ConsentStack always allows Paddle scripts to load without a consent gate and excludes them from cookie blocking rules.
Manage consent for Paddle
ConsentStack automatically detects and manages Paddle trackers so your site stays compliant with global privacy regulations.