PayPal built its user base on a simple promise: your financial life is your own. Then it built an advertising business.
On April 27, 2026, PayPal launched PayPal Ads ID — a deterministic advertising identifier anchored not to a browser cookie or a device fingerprint, but to 26.3 billion annual transactions across 430 million active accounts. The pitch to advertisers is direct: we know what people bought, not just what they browsed. We know who they are, not just what device they're using. We are, in the words of SVP and GM Mark Grether, "the most valuable commercial dataset because it's cross-merchant."
What PayPal is less direct about is the structural reversal this represents. The company that positioned itself as a payments utility — a neutral pipe between buyers and sellers — now operates one of the largest commercial identity graphs on the planet. The checkout page, once the end of a private transaction, has become the beginning of a targeting signal.
The advertising industry's identity problem is well-documented. Third-party cookies are deprecated or blocked across browsers representing roughly 85% of web traffic. Mobile advertising IDs face mounting restrictions. The probabilistic models built on inferred behavior — this device probably belongs to the same person who visited site X — are increasingly unreliable, producing match rates that crater and audience segments that dissolve on activation. The industry-wide confidence metric reflects this: only 21% of brands, agencies, and publishers report being "very confident" in their ability to accurately identify audiences across digital channels, according to the ID5 2024 State of Digital Identity report.
PayPal Ads ID claims to solve this with verified identity rather than inferred identity. The mechanism is deterministic in the most literal sense: the identifier resolves to a real account, a real card, a verified name and email. When an advertiser reaches a PayPal Ads ID signal, it corresponds to a human being who completed a transaction — not a device that might correspond to a human who added something to a cart. This is identity verification at the point of purchase rather than identity inference from the point of browsing.
The cross-merchant dimension is the structural differentiator. Amazon knows what people bought from Amazon. Walmart knows what people bought from Walmart. PayPal knows what people bought from merchants across the PayPal and Venmo network — a dataset that extends across competitive retail environments in a way no single merchant can replicate. This is not a retail media network. It is a payment network that happens to see every retailer.
The pricing structure contains the revealing detail. PayPal Ads ID is free — no software fees, no CPM charges, no token consumption costs for any ad tech vendor with a commercial relationship. PayPal is not in the business of selling identity. It is in the business of selling advertising.
This framing is deliberate. PayPal is not competing with LiveRamp's RampID or The Trade Desk's UID2 as a data licensing product. It is building an advertising platform — PayPal Offsite Ads launched April 2025, Storefront Ads launched June 2025 — and offering the identity layer as infrastructure. The identifier is the hook. The media budget is the revenue.
The implication is that the identifier is valuable precisely because it is free. A free identifier that reaches 430 million accounts with verified purchase history is worth more to advertisers than any paid alternative that reaches fewer or less-qualified signals. PayPal is buying adoption at below cost, subsidizing the identity graph to attract the campaign dollars that follow.
This is the inverse of the traditional ad tech model, where identity resolution providers charge for access to identity data they have assembled from third-party sources. PayPal is not selling the graph. It is selling the attention it can buy with the graph's implicit guarantee of accuracy. The identifier validates the media. The media funds the identifier.
Launch partners Magnite, PubMatic, Rokt, and Taboola span commerce environments, open web, connected TV, and native — confirming that PayPal's intent is not a walled garden but an identity layer that can travel across the advertising infrastructure the open internet already uses.
PayPal's privacy disclosure runs to considerable length. The identifier is individually encrypted before leaving PayPal's systems. Data is aggregated before sharing. Advertisers receive deidentified signals only — no merchant names, no transaction details, no raw financial data. Usage terms prohibit reverse-engineering, re-identification, or use of the data for sensitive determinations including credit, insurance, or health.
Consumer controls exist. There is an opt-out mechanism, described as an easy-to-use control for managing participation. PayPal states it honors industry standard opt-out preference signals.
What the disclosure does not address is the architecture of consent. PayPal's users agreed to terms of service that include personalized offers and targeted advertising when the product was primarily a payments utility. The question of whether that consent adequately covers the current scale and commercial sophistication of PayPal's advertising business — or whether a reasonable consumer in 2010 anticipated that their PayPal transaction history would power cross-platform programmatic advertising in 2026 — is not one the disclosure grapples with.
GLBA's Section 313.12 presents the harder constraint. The regulation flatly prohibits financial institutions from disclosing account numbers — including transaction account numbers — to nonaffiliated third parties for marketing purposes. PayPal has structured the identifier to comply: the signal advertisers receive is encrypted and deidentified, not a raw account number. But the deidentification requirement is a technical mask placed over a structural relationship. The identifier exists because PayPal holds the account number. Remove the account number and the identifier collapses.
The FTC's 2024–2025 surveillance pricing study is the direct precedent. The agency's 6(b) investigation into companies using personal data — including purchase history, browsing, and location — to set individualized prices flagged a category of firm that aligns precisely with PayPal's position: financial firms with broad spending pattern data entering the ad targeting space. The FTC noted this class of company as a distinct regulatory concern before PayPal Ads ID existed.
The relevant distinction is between using transaction data within an ecosystem versus packaging it for sale to unrelated third parties. PayPal's own offers, and offers from merchants with whom PayPal has a commercial relationship, are well within existing consent and contractual frameworks. The launch partner structure — programmatic infrastructure, open web, CTV — extends those signals to any advertiser willing to activate against them. The legal boundary between "service provider" and "third-party advertiser" is one this business model will test.
The GLBA compliance question is separate from the CCPA question, which is separate from the GDPR question that applies to PayPal's European users. The Extended Identifier Terms PayPal publishes include a GDPR appendix restricting use of financial-derived identifiers for sensitive categories — health, credit, insurance, biometrics. This appendix is a regulatory acknowledgment that financial-derived identifiers carry elevated sensitivity. The restriction exists because the risk is recognized. The question is whether the restriction is sufficient.
The 21% confidence figure is the number that explains why PayPal's entry matters beyond PayPal. The advertising industry has spent years and billions of dollars on identity infrastructure — UID2, RampID, publisher-authenticated IDs, device graphs, hashed email ecosystems — and confidence in cross-channel identification has not materially improved. The problem is not the absence of identifiers. The problem is that identifiers based on authenticated identity are scarce and identifiers based on inferred identity are unreliable, and the industry has not found a way to resolve that tension.
PayPal's bet is that verified transaction identity resolves it. That when you know what someone bought, you know who they are well enough to target them accurately across surfaces they have never visited, on devices they have never used, in contexts no cookies have ever touched. The identifier does not decay when cookies clear. It does not fragment across browsers. It is stable because the underlying identity — the account, the card, the name — is stable.
This is the bet the industry is buying, at least in pilot. The 21% confidence rate means 79% of the market is in the market for a solution. PayPal's transaction graph is the most specific answer anyone has offered to the question of what replaces the cookie: not another proxy for who someone might be, but a verified record of what they did.
Whether that is a privacy solution or a privacy problem depends on who you think owns the record of a purchase. PayPal's position, stated clearly by Grether, is that the record belongs to PayPal — and that selling access to it is advertising, not data sales. The regulatory position will be tested. The industry's confidence in that answer remains, for now, exactly what it was before: 21%.