In a growing trend of online services quietly altering their data collection practices, PayPal is the latest to join the fray.
According to PayPal’s policy updates page, issued on September 23 for U.S. users, the service is set to begin sharing your data with third-party merchants “to help improve your shopping experience and make it more personalized for you.”
New PayPal policy allows your data to be shared
Starting in early summer 2025, this new policy will allow PayPal to collect and share user data. However, data collection will begin as early as November 27, 2024. Unfortunately, users are opted into this data-sharing by default, raising privacy concerns, especially for those under regulations like GDPR.
Some U.S.-based users on Twitter have flagged the default opt-in as potentially problematic. One user, based in the UK, found that the same policy had been silently activated for them as well.
PayPal is updating their ToS to let themselves give your data to merchants starting Nov & they're banking on people not knowing to opt out, SO to opt out before they start: go to Settings >Data & Privacy > Manage shared info >Personalized shopping, & toggle that shit off
— Ellen Datlow (@EllenDatlow) September 29, 2024
New policy on how data is shared to users will however differ depending on the location of the user. In the UK, the policy will be implemented starting from October 10, 2024.
PayPal’s July 8 update clarifies that in the UK, “merchants are permitted to share customer personal information provided to them by PayPal with their service providers.”
Opt out now:
For those concerned about the sharing of their personal data, there’s still time to opt out. PayPal users in the U.S. can find the option under Data & privacy > Manage shared info > Personalized shopping, while UK and EU users can find it under Data & privacy > Manage your privacy settings > Interest-based marketing.
Why is this concerning?
The issue with PayPal’s latest move lies not only in the fact that users are automatically opted in but also in how such practices are becoming normalized. PayPal is not the first company to quietly change its data policies without upfront user consent. As recently, LinkedIn activated AI training on user data by default, and before that, Facebook, Instagram, and X (formerly known as Twitter) did the same with AI tools using public information.
What makes this move different?
PayPal’s justification for the data-sharing is tied to enhancing the user experience through personalization. While personalization is often positioned as a benefit, it doesn’t necessarily justify the broad sharing of user data. Users should have a say in how much of their data is used to “improve” their shopping experience. By defaulting users into data sharing, PayPal effectively places the burden on individuals to find and disable these settings—a task many may overlook or be unaware of.
The impact of this new policy isn’t universally consistent across all regions, adding to the confusion. While users in the U.S. and UK are immediately affected, other jurisdictions like the EU may have different rules depending on their regulations. Such variability in data practices makes it difficult for global users to understand exactly what’s happening to their information.
The growing problem of data opt-outs
PayPal’s decision to opt users into data sharing without upfront consent is part of a larger trend in which companies assume users will comply with new policies by default. This opt-out model forces users to take action to protect their privacy, rather than companies seeking permission first.
The burden is shifted entirely to the user, and this has bigger implications for privacy laws. GDPR, for instance, clearly stipulates that companies must obtain explicit consent before processing personal data. Although PayPal has not rolled out the policy in all regions, these practices could push the boundaries of compliance with such regulations.
What can you do to protect your data?
- The first step in protecting your data from being shared is to regularly check your account’s privacy settings. PayPal users, for example, can opt out of data sharing before it goes into effect. U.S. users can disable the Personalized shopping option, while UK users should look for the Interest-based marketing
- Secondly, it’s important to stay vigilant for future changes. It is quite probable that PayPal will not be the only such company to introduce such changes to its policies. Now, companies want to capitalize on the user data, thus, tracking changes in the privacy settings is the part of protecting users online. Examine the extension of these changes in the data privacy.olicies. As more services seek to monetize user data, keeping an eye on updates to privacy settings has become a necessary part of online security.
- Lastly, consider the broader implications of these shifts in data privacy. Although by using personalization the process is more convenient, we have to consider the disadvantage of giving our data to third parties. Many times, users themselves do not pay attention to the ways in which information about them is being employed, and that is a problem which PayPal and its equivalents have to explain more persistently.
Don’t let your data be monetized without your knowledge!
PayPal’s recent move to quietly opt users into data sharing is just one more example of how companies are taking liberties with user information, hoping that the default settings go unnoticed. By staying informed and regularly checking your privacy settings, you can prevent your data from being shared without your consent.
It’s time that companies adopt a more transparent approach, offering clear choices rather than assuming consent. Until that change happens, users must remain proactive, protecting their personal information from being used without their full understanding or approval.
Featured image credit: Kerem Gülen/Ideogram
