PayPal

Payment processing platform that enables buyers to pay via PayPal, Venmo, Pay Later, or card. The PayPal SDK loads the checkout button and handles payment authorization flow. Sets cookies to detect logged-in PayPal users and pre-fill payment details on merchant sites.

Overview

PayPal is a global payment processing platform enabling customers to pay via PayPal accounts, Venmo, Pay Later installment plans, and credit or debit cards. The PayPal JavaScript SDK renders checkout buttons and manages the secure payment authorization flow directly on merchant sites, without the customer needing to navigate away to PayPal's website.

What This Script Does

The PayPal SDK is loaded from www.paypal.com/sdk/js with merchant-specific query parameters specifying currency, components (buttons, hosted-fields, pay-later messaging), and enabled payment methods. The SDK performs several distinct functions:

Eligibility Detection and Button Rendering

On page load, the SDK contacts PayPal's servers at www.paypal.com/graphql to determine which payment methods the visitor is eligible for (PayPal, Venmo, Pay Later) based on IP-based geolocation, device type, and account history. It then renders the appropriate set of payment buttons. This eligibility check does not require the user to be logged in, and the data sent is limited to technical browser context (User-Agent, language, timezone).

Checkout Flow

When the user clicks a PayPal button:

  • A popup window or mini-browser opens at www.paypal.com/checkoutnow for account authentication
  • The SDK exchanges an Order ID (created by the merchant's server) with PayPal's servers
  • PayPal's servers confirm payment authorization and return a capture confirmation to the merchant
  • Raw card data is never transmitted through the merchant's page — all card entry and authentication occurs in the PayPal-hosted window

Hosted Fields (Card Payments Without Redirect)

When merchants use PayPal's Hosted Fields component, the card entry fields (number, expiry, CVV) are rendered as iframes hosted at www.paypal.com. Because the merchant page cannot read the contents of those cross-origin iframes, raw card data never reaches the merchant's page or server, which keeps the merchant's PCI DSS scope from extending to its own systems. The SDK communicates between the merchant page and the hosted iframes via postMessage.
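The postMessage channel between the merchant page and the hosted iframes is the point a merchant-side listener most often gets wrong: a `message` event fires for any frame or window that posts to the page, so the listener has to check `event.origin` against the PayPal origin before it trusts the payload, and anything the page sends to the iframe needs an explicit target origin rather than `'*'`. The following is an added example, not PayPal's or ConsentStack's code; the allowed origins, the accepted message types and the `{type, payload}` shape are assumptions chosen for illustration, since the SDK's internal message format is not described on this page.

```javascript
// Added example (not PayPal's or ConsentStack's code): the origin checks a
// merchant page needs around postMessage traffic with PayPal-hosted iframes.
// ASSUMPTIONS: the allowed origins below and the {type, payload} message shape
// are illustrative; the SDK's internal message format is not described here.

const HOSTED_FIELD_ORIGINS = new Set([
  'https://www.paypal.com',
  'https://www.sandbox.paypal.com', // development only
]);

// Message types this listener is willing to act on (constructed for the example).
const ACCEPTED_TYPES = new Set(['hosted-fields:ready', 'hosted-fields:validity']);

// Validate an incoming MessageEvent. Returns the accepted message, or null if it
// must be ignored. event.origin is filled in by the browser from the sending
// frame's origin and cannot be forged by the sender, so comparing it against an
// exact allow-list is the only reliable way to know the message came from the
// hosted fields and not from some other frame embedded in the page.
function acceptHostedFieldMessage(event, allowedOrigins = HOSTED_FIELD_ORIGINS) {
  if (typeof event.origin !== 'string' || !allowedOrigins.has(event.origin)) {
    return null; // wrong sender: do not even look at the payload
  }
  const data = event.data;
  if (data === null || typeof data !== 'object' || Array.isArray(data)) return null;
  if (typeof data.type !== 'string' || !ACCEPTED_TYPES.has(data.type)) return null;
  // The hosted design never hands raw card data to the merchant page; treat a
  // payload carrying card-like fields as malformed instead of storing it.
  const payload = data.payload && typeof data.payload === 'object' ? data.payload : {};
  for (const key of ['number', 'cvv', 'expiry']) {
    if (key in payload) return null;
  }
  return { type: data.type, payload };
}

// Send to the hosted iframe with an explicit target origin. A wildcard '*'
// would deliver the message to whatever document the frame currently holds.
function postToHostedField(frameWindow, message, targetOrigin) {
  if (targetOrigin === '*' || !HOSTED_FIELD_ORIGINS.has(targetOrigin)) {
    throw new Error(`refusing to post to non-PayPal origin: ${targetOrigin}`);
  }
  frameWindow.postMessage(message, targetOrigin);
  return true;
}

// Register the validated listener on a window object.
function installHostedFieldListener(win, onMessage) {
  win.addEventListener('message', (event) => {
    const msg = acceptHostedFieldMessage(event);
    if (msg) onMessage(msg);
  });
}

// In a browser, wire it up; under Node (no window) this is skipped.
if (typeof window !== 'undefined') {
  installHostedFieldListener(window, (msg) => console.log('hosted field event', msg.type));
}

// Constructed events, shaped like a browser would deliver them, for a self-check:
// one from the real origin and one from a lookalike host that must be rejected.
const SAMPLE_OK = {
  origin: 'https://www.paypal.com',
  data: { type: 'hosted-fields:validity', payload: { valid: true } },
};
const SAMPLE_LOOKALIKE = { origin: 'https://www.paypal.com.example.net', data: SAMPLE_OK.data };

console.log(acceptHostedFieldMessage(SAMPLE_OK));        // accepted message object
console.log(acceptHostedFieldMessage(SAMPLE_LOOKALIKE)); // null
```

The origin comparison is an exact string match on the full origin (scheme, host, port); a prefix or substring test would accept a lookalike host, which is why `SAMPLE_LOOKALIKE` is rejected even though its hostname starts with `www.paypal.com`.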

Fraud Detection and Risk Signals

The SDK collects browser signals for fraud risk assessment during the checkout flow:

  • Browser fingerprint: User-Agent, screen dimensions, timezone, language, installed fonts (via canvas probe)
  • Session behavior: time on page, mouse movement entropy
  • Device signals: touch capability, hardware concurrency

These signals are sent to www.paypal.com and t.paypal.com for risk scoring. PayPal uses this data under its legitimate interest in fraud prevention.

Cookies set:

  • ts (first-party on paypal.com, session) — checkout session token
  • ts_c (first-party on paypal.com, 3 years) — persistent session continuity for returning users
  • tsrce (first-party on paypal.com, session) — identifier of the referring application
  • enforce_policy (first-party on paypal.com, session) — fraud policy flag
  • x-pp-s (first-party on paypal.com, session) — PayPal session token

Cookies are set under paypal.com (not on the merchant domain), scoped to the payment flow.

Domains contacted: www.paypal.com, t.paypal.com, c.paypal.com, www.sandbox.paypal.com (development), www.venmo.com (if Venmo component enabled)
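As an added example (not ConsentStack's or PayPal's code) of how a consent manager can act on the SDK URL described in this section: the code checks that the script is served from the expected PayPal host and path, sorts the requested components and funding sources into the essential and functional categories this page assigns, and, when functional consent is absent, loads the SDK with only its essential parts instead of blocking payments outright. The host set, the `components` and `enable-funding` parameter names and the default to the buttons component are assumptions drawn from the description above and common SDK usage, not verified against PayPal's documentation.

```javascript
// Added example (not ConsentStack's or PayPal's code): classify a PayPal SDK
// <script src> by the query parameters the page describes and rewrite it for
// the consent a visitor has given. ASSUMPTIONS: the host set, the parameter
// names (components, enable-funding) and the default to the buttons component
// are taken from the page's description and common SDK usage, not verified
// here; the consent categories follow the page's own classification.

const PAYPAL_SDK_HOSTS = new Set(['www.paypal.com', 'www.sandbox.paypal.com']);

// Consent category of each SDK component.
const COMPONENT_CATEGORY = {
  'buttons': 'essential',       // core checkout buttons
  'hosted-fields': 'essential', // card fields in PayPal-hosted iframes
  'messages': 'functional',     // Pay Later messaging
};

// Consent category of each funding source named in enable-funding.
const FUNDING_CATEGORY = {
  'paypal': 'essential',
  'card': 'essential',
  'venmo': 'functional',
  'paylater': 'functional',
};

// Split a comma-separated query value into trimmed, non-empty tokens.
function splitList(value) {
  return value ? value.split(',').map((s) => s.trim()).filter(Boolean) : [];
}

// Sort tokens into essential / functional / unknown buckets by category map.
function bucket(tokens, categoryMap) {
  const out = { essential: [], functional: [], unknown: [] };
  for (const token of tokens) {
    out[categoryMap[token.toLowerCase()] || 'unknown'].push(token);
  }
  return out;
}

// Decide whether a script src is the PayPal SDK and which consent categories
// its requested parts fall into. Scheme, host and path are matched exactly so
// that a lookalike host such as www.paypal.com.example.net is not treated as PayPal.
function classifyPayPalSdk(scriptSrc) {
  let url;
  try {
    url = new URL(scriptSrc);
  } catch {
    return { isPayPalSdk: false, reason: 'not an absolute URL' };
  }
  if (url.protocol !== 'https:' || !PAYPAL_SDK_HOSTS.has(url.hostname) || url.pathname !== '/sdk/js') {
    return { isPayPalSdk: false, reason: 'not the PayPal SDK endpoint' };
  }
  const components = splitList(url.searchParams.get('components'));
  const comp = bucket(components.length ? components : ['buttons'], COMPONENT_CATEGORY);
  const fund = bucket(splitList(url.searchParams.get('enable-funding')), FUNDING_CATEGORY);
  return {
    isPayPalSdk: true,
    sandbox: url.hostname === 'www.sandbox.paypal.com',
    essential: [...comp.essential, ...fund.essential],
    functional: [...comp.functional, ...fund.functional],
    unknown: [...comp.unknown, ...fund.unknown],
  };
}

// Rewrite the src for the given consent. Essential parts always load, so the
// script is never blocked outright; without functional consent the functional
// (and any unknown) components and funding sources are dropped from the query,
// i.e. the rewrite fails closed. Returns null for a src that is not the SDK.
function rewriteSdkForConsent(scriptSrc, consent) {
  if (!classifyPayPalSdk(scriptSrc).isPayPalSdk) return null;
  if (consent.functional) return scriptSrc;
  const url = new URL(scriptSrc);
  const keepEssential = (param, categoryMap) => {
    const kept = splitList(url.searchParams.get(param))
      .filter((t) => categoryMap[t.toLowerCase()] === 'essential');
    if (kept.length) url.searchParams.set(param, kept.join(','));
    else url.searchParams.delete(param);
  };
  keepEssential('components', COMPONENT_CATEGORY);
  keepEssential('enable-funding', FUNDING_CATEGORY);
  return url.toString();
}

// Constructed sample src (placeholder client id), as a merchant page might embed it.
const SAMPLE_SRC = 'https://www.paypal.com/sdk/js?client-id=CLIENT_ID_PLACEHOLDER'
  + '&currency=EUR&components=buttons,hosted-fields,messages&enable-funding=venmo,paylater';

console.log(classifyPayPalSdk(SAMPLE_SRC));
console.log(rewriteSdkForConsent(SAMPLE_SRC, { functional: false }));
```

When `URLSearchParams` re-serializes the query it percent-encodes the comma (`components=buttons%2Chosted-fields`); that is a valid encoding which the server decodes, and `new URL(...).searchParams.get('components')` reads it back as `buttons,hosted-fields`.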

Consent & Compliance

GDPR/ePrivacy: PayPal SDK is necessary for completing payment transactions, covered by contractual necessity under GDPR Article 6(1)(b). Fraud detection processing is justified under legitimate interest (Article 6(1)(f)). Cookies set under paypal.com during a transaction initiated by the user fall under the ePrivacy strictly necessary exemption. PayPal acts as an independent data controller for payment and fraud data processed through its own platform.

CCPA/CPRA: Payment processing data is a necessary business function exempt from opt-out requirements. PayPal's privacy policy governs its own data practices as an independent controller.

EU-US Data Transfers: PayPal Holdings Inc. participates in the EU-US Data Privacy Framework (DPF) and uses Standard Contractual Clauses for EU-US payment data flows.

Consent category: Essential (payment processing) and Functional (Venmo, Pay Later messaging, saved address prefill).

Should You Block This Without Consent?

No. PayPal provides essential payment processing infrastructure. Blocking it would prevent customers from completing purchases using PayPal, Venmo, or Pay Later. The cookies it sets are strictly necessary for the payment transaction the user initiates. Disclose PayPal as a payment processor in the site's privacy policy.

Consent Categories

Essential
Functional

Also Known As

  • PayPal SDK
  • PayPal checkout
  • Venmo
  • Pay Later
  • Shop Pay

Industries

  • Computers Electronics and Technology
  • Programming and Developer Software

Tracked Domains (2)

  • paypal.com (Analytics)
  • paypalobjects.com (Analytics)

Frequently Asked Questions

Do I need consent to use PayPal?

Not for essential payment processing. PayPal SDK cookies are set under paypal.com during a transaction the user initiates, qualifying as strictly necessary. Venmo and Pay Later messaging are functional additions.

What cookies does PayPal set?

PayPal sets ts (session), ts_c (3-year persistent), tsrce, and x-pp-s on the paypal.com domain during checkout. These are scoped to PayPal's own origin, not the merchant site, and support payment session continuity.

How does ConsentStack handle PayPal?

ConsentStack classifies PayPal as essential and functional. It detects the PayPal SDK via paypal.com/sdk/js and does not block core payment scripts. Venmo and Pay Later components are handled under functional consent.

Related Vendors

Google Fonts
Google Fonts is a free font hosting service that serves hundreds of typeface families via a global CDN. Stylesheets and font files load from fonts.googleapis.com and fonts.gstatic.com to deliver web fonts to visitors. No advertising or tracking functionality is included.
Firebase
Firebase is Google's mobile and web application development platform offering authentication, real-time database, cloud functions, and analytics. Web SDK scripts initialize Firebase services and may track app events via Firebase Analytics, which is powered by Google Analytics 4. Widely used in single-page apps and PWAs for backend infrastructure and usage tracking.
Google
Google is the dominant provider of web analytics, advertising, and infrastructure tools. Scripts like Google Analytics, Tag Manager, Ads, and reCAPTCHA collect behavioral data, manage tag firing, serve targeted ads, and detect bots. Sets persistent cookies to track users and correlate activity across sites.
Google Tag Manager
Google Tag Manager is a tag management system that lets marketers deploy and update analytics and marketing scripts without code changes. The GTM container script loads synchronously in the page head and injects configured tags, triggers, and variables on behalf of other vendors. No data collection of its own — acts as a loader for other scripts.
reCAPTCHA
Google reCAPTCHA is a bot detection and spam prevention service protecting web forms, login pages, and checkout flows. Scripts analyze user behavior, mouse movements, and browser fingerprints to distinguish humans from bots. The invisible reCAPTCHA v3 scores interactions without requiring user challenges.
Sign in with Google
Sign in with Google is an OAuth-based authentication service that enables users to log into websites using their Google account credentials. Scripts load the Google Identity Services library, display sign-in buttons, and handle token exchange for secure authentication. Stores session tokens and authentication cookies to maintain login state across page visits.

Manage consent for PayPal

ConsentStack automatically detects and manages PayPal trackers so your site stays compliant with global privacy regulations.