United States Securities and Exchange Commission
Washington, D.C. 20549
NOTICE OF EXEMPT SOLICITATION
Pursuant to Rule 14a-103
Name of the Registrant: PayPal Holdings, Inc.
Name of persons relying on exemption: Tara Health Foundation
Address of persons relying on exemption: 47 Kearny Street, San Francisco, CA 94108
Written materials are submitted pursuant to Rule 14a-6(g) (1) promulgated under the Securities Exchange Act of 1934. Submission is not required of this filer under the terms of the Rule, but is made voluntarily in the interest of public disclosure and consideration of these important issues.
PROXY MEMORANDUM
| TO: | Shareholders of PayPal Holdings, Inc. |
| RE: | Proposal No. 6 (Reproductive Rights and Data Privacy Report) |
| DATE: | April 25, 2023 |
| CONTACT: | Shelley Alpern, Rhia Ventures at Corporate.Engagement@rhiaventures.org |
This is not a solicitation of authority to vote your proxy. Please DO NOT send us your proxy card; Tara Health Foundation is not able to vote your proxies, nor does this communication contemplate such an event. Tara Health Foundation urges shareholders to vote for Proposal
No. 6 following the instructions provided on management's proxy mailing.
Tara Health Foundation urges shareholders to vote YES on Proposal No. 6 on the 2023 proxy ballot of PayPal Holdings, Inc. (“PayPal” or the “Company”). The “resolved” clause states:
Shareholders request our Board issue a public report detailing known and potential risks and costs to the Company of fulfilling information requests relating to PayPal customers for the enforcement of state laws criminalizing abortion access, and setting forth any strategies beyond legal compliance the Company may deploy to minimize or mitigate these risks. The report should be produced at reasonable expense, exclude proprietary or privileged information, and published within one year of the annual meeting.
Why a YES Vote is Warranted: Rationale in Support of the Proposal
| 1. | The Company handles sensitive consumer data that may be vulnerable to prosecutions concerning abortion access. |
| 2. | PayPal does not offer transparency reporting regarding law enforcement data requests, exposing the Company to financial and reputational risks. |
| 3. | The Company touts its commitment to data privacy but has a questionable track record on data protection and security. |
| 4. | PayPal’s data management practices are unclear to consumers and investors. |
| 5. | Amplifying internal and user data controls could minimize privacy risks related to reproductive healthcare. |
About Tara Health Foundation
Tara Health Foundation aims to improve the health and well-being of women and girls through the creative use of philanthropic capital. Our main areas of focus are reproductive and maternal health in the United States, equitable workplaces, and gender lens impact investing.
Tara Health Foundation is a long term shareholder in PayPal. We support this shareholder proposal because the Company amasses large amounts of sensitive consumer data but lacks transparency as to how such data may imperil access to reproductive healthcare. In a time when abortion access is criminalized or severely restricted by half of the states, greater understanding about the Company’s data handling practices is warranted.
Background on the Proposal
Reproductive rights are under siege in the United States. States have passed more than 1,380 restrictions on abortion access since Roe v. Wade – the U.S. Supreme Court ruling in 1973 that legalized the procedure.1 Following the reversal of Roe v. Wade in June 2022, twelve states have banned most abortion services outright.2 The Supreme Court is likely to decide on a case in the coming weeks that will decide the future of medication abortion in the United States.
_____________________________
1 https://tinyurl.com/4az3pce3
2 https://www.nytimes.com/interactive/2022/us/abortion-laws-roe-v-wade.html
The overturning of constitutional protections for abortion access elevates the need for the report requested in this Proposal. Law enforcement in abortion-restrictive states have relied on consumer data to investigate and prosecute individuals who have sought abortions or have provided aid to those who have, and are expected to continue to do so.
Digital reproductive health footprints can be easily accessed by law enforcement and lead to criminal or civil charges. Meta recently received significant negative press after complying with a data request from a local Nebraska police department for private Facebook messages between a mother and daughter, who were both subsequently charged with felony crimes related to the alleged illegal termination of the daughter’s pregnancy (for additional examples, see Addendum A).3
As a nationwide business, the Company amasses large troves of consumer data. Reporting from 2018 found that PayPal accounted for 14% of overall payments in the United States.4 While the Company does not disclose metrics specific to the American market, a 2022 Pew Research study found that PayPal is used by a majority of U.S. adults (57%), with Venmo following as the second most used digital payment platform (38%).5 Venmo, however, is the most popular among 18- to 29-year-olds (57%), who are at high risk of abortion-related prosecutions; over half of women in this age bracket say they would get an abortion if they had an unwanted or unplanned pregnancy even if it were illegal, according to a recent survey.6 Notwithstanding, PayPal has been largely silent on the issue of data privacy following the revocation of constitutional abortion protections. For example, the Company failed to respond to inquiries seeking comment on popular news reports by the New York Times and Vice in June 2022 about how payment data could become evidence of illegal abortions.7
Given the sensitive nature of the Company’s data, PayPal will be especially vulnerable to law enforcement data requests related to abortion, particularly with respect to interstate conflicts regarding exercise of reproductive rights in states where abortion remains legal. Idaho, for instance, makes it illegal to help a minor leave the state to obtain a legal abortion under certain circumstances.8 Yet, Americans largely oppose criminalizing abortion, thereby amplifying the risk of reputational damage that may ensue from the Company’s participation in the enforcement of abortion-related criminal laws. Indeed, a May 2023 Kaiser Family Foundation national survey found that “majorities of the U.S. public oppose criminalizing women, doctors, or people who assist those seeking abortion care.”9 According to the Kaiser survey, at least two-thirds of respondents living in certain states threatened by abortion bans opposed “criminalizing doctors for performing abortions (69%), making it a crime for women to cross state lines to get an abortion (76%), making it a crime for a woman to get an abortion (74%), or allowing private citizens to sue people who provide or assist in abortions (78%).” Similarly, a January 2023 national poll from Change Research on behalf of Planned Parenthood reveals that “Americans strongly oppose law enforcement being used to enforce abortion bans.”10
_____________________________
3 https://tinyurl.com/msazvebu
4 https://tinyurl.com/yckkxrrw
5 https://tinyurl.com/2vn9ksap
6 https://www.axios.com/2022/05/10/abortion-roe-illegal-poll
7 https://www.nytimes.com/interactive/2022/09/28/us/abortion-costs-funds.html; https://tinyurl.com/ymr9swnp
8 https://tinyurl.com/y2a79x4c
9 https://www.kff.org/womens-health-policy/poll-finding/kff-health-tracking-poll-views-knowledge-abortion-2022/
10 https://changeresearch.com/wp-content/uploads/2023/01/PPFA-_-Poll-Results-January-2023-1.pdf
Shareholders have reason to be concerned about whether the enforcement of criminal abortion laws will impact the reputation and financial wellbeing of the Company. The Proposal therefore calls upon management to examine the risks associated with the Company’s current data handling practices, including its response to government information requests, in the face of new restrictive abortion laws.
The Company handles sensitive consumer data that may be vulnerable to prosecutions concerning abortion access.
PayPal and its subsidiaries collect detailed sensitive user data from users, including online shopping cart information, shopping activity on merchant sites, purchase history, order tracking and product information, geolocation data, and inferential data about users’ behaviors.11 Venmo, which has a separate data privacy policy, collects similar user information, in addition to transaction notes and comments, even when made privately between users.12
Independent reporting has found that such data – namely, “information regarding the payer, the payee, the payment amount, and the users’ transaction labels” – could serve as scathing proof of conduct related to criminalized abortions.13 Time Magazine similarly notes that “[p]rivate Venmo or PayPal payments . . . thought by prosecutors to be intended to help a friend afford an abortion could be used as evidence in a state that criminalizes aiding an abortion.”14 Such concerns are especially worrisome since money for food or gas might be sent via PayPal or Venmo to individuals living in abortion-restrictive states who seek support from abortion funds.15
Given the current environment the Company is operating in following the revocation of constitutional abortion rights in the United States, users’ digital reproductive health footprint is at risk of being obtained through law enforcement data requests with the intent to prosecute those who have received an abortion. It is crucial that PayPal explores all options to protect users from these risks.
_____________________________
11 https://www.paypal.com/us/legalhub/privacy-full
12 https://venmo.com/legal/us-privacy-policy/
13 https://tinyurl.com/3dp5tx2r
14 https://time.com/6175194/digital-data-abortion-congress/
15 https://www.nytimes.com/interactive/2022/09/28/us/abortion-costs-funds.html
PayPal does not offer transparency reporting regarding law enforcement data requests, exposing the Company to financial and reputational risks.
A recent empirical study in the Journal of Marketing showed that the misuse of commercial data can generate negative outcomes for businesses, including negative abnormal stock returns and damaging customer behaviors such as negative word of mouth and switching to a close business rival.16 These negative customer effects are due to both anxiety about the potential for data misuse and feelings of corporate betrayal, as well as actual data misuse. Corporations collecting large troves of consumer data, such as PayPal, are thus likely exposing themselves to higher financial and reputational risks. Apropos to the current Proposal, the study found that data transparency, among other things, can alleviate these detrimental effects by mitigating feelings of anxiety and betrayal and enhancing consumer trust.
PayPal does not publish transparency reporting on the issue of law enforcement data requests, in contrast to many other publicly-traded digital economy companies. Meta, Amazon, Google and Apple, for example, offer such reporting semiannually, which includes details on the types of data requests, compliance rates and jurisdictional information.17 This information would be extremely helpful for investors to make determinations about the Company’s risk exposure as well as serve as an accountability tool. In turn, consumers would gain more assurances that PayPal respects the privacy of their data.
A Response to PayPal’s Opposition Statement
The Company touts its commitment to data privacy but has a questionable track record on data protection and security.
PayPal objects to the need of the report requested in this Proposal by noting that data safety and privacy is a “top priority” for the Company. However, the Company’s failures related to data privacy and security in recent years suggest otherwise, as for example:
| ● | In March 2023, a class action was initiated against PayPal based on the Company’s alleged failure to safeguard the personal information of about 35,0000 users, leaving them vulnerable to identity theft and related harms at the hands of unidentified perpetrators of a data breach that occurred in 2022.18 |
_____________________________
16 See Kelly D. Martin et al., Data Privacy: Effects on Customer and Firm Performance, 81.1 Journal of Marketing at 36-58 (2017), https://doi.org/10.1509/jm.15.0497
17 https://tinyurl.com/e7j4me8u (Meta); https://tinyurl.com/y37bzv97 (Amazon); https://tinyurl.com/4bvubser (Google); https://tinyurl.com/4zbwk6bv (Apple).
18 https://news.bloomberglaw.com/litigation/paypal-hit-with-class-action-over-data-breach-affecting-35-000
| ● | In 2020, a research team found vulnerabilities with PayPal’s login authentication process and claimed that the Company brushed these vulnerabilities off by treating them trivially.19 |
| ● | In 2019, a researcher scraped seven million Venmo transactions to prove that users’ public activity could be easily obtained even a year after another privacy researcher downloaded hundreds of millions of Venmo transactions in a similar feat. Using that data, it was found that anyone could look at an entire user’s public transaction history, who they shared money with, when, and in some cases for what reason.20 |
| ● | In November 2017, PayPal dissolved operations of its subsidiary TIO Networks after a data breach affected 1.6M TIO customers.21 |
PayPal’s data management practices are unclear to consumers and investors.
In opposing the Proposal, the Company states its Privacy Statement, accessible online, outlines how it may use customer data and under what circumstances it may disclose data to third parties. Yet, the Privacy Statement appears to be inconsistent with other PayPal documents concerning the Company’s handling of government data requests. For instance, while PayPal’s Privacy Statement provides that the Company may disclose user data with authorities “when accompanied by a subpoena or other legal documentation that requires PayPal . . . to respond,” PayPal’s Law Enforcement Guide informs government officers they must submit a data request along with “supporting documents such as a letterhead, court order or subpoena.”22 Similarly, the privacy policy governing Braintree, a PayPal subsidiary, states that the Company may share customer data when “assisting law enforcement agencies by responding to requests for the disclosure of information,” without explicitly requiring submission of a warrant or subpoena.23
Based on these seemingly conflicting statements, PayPal users and investors cannot ascertain whether a judicially enforceable order is necessary for the Company to turn over user data to law enforcement in all cases, or whether an informal request on government letterhead may suffice, making it easy for law enforcement to access user data without judicial scrutiny. The requested report could provide guidance on how to correct, clarify or reconcile these statements.
_____________________________
19 https://cybernews.com/security/we-found-6-critical-paypal-vulnerabilities-and-paypal-punished-us/
20 https://tcrn.ch/2wWCZVs
21 https://tinyurl.com/dxa4dsfp
22 https://tinyurl.com/52dycuxs (emphasis added)
23 https://www.braintreepayments.com/legal/data-protection-addendum
Amplifying internal and user data controls could minimize privacy risks related to reproductive healthcare.
The Company notes in opposition that it has established “appropriate” data privacy controls. However, such controls may be insufficient to minimize privacy risks related to reproductive healthcare. The report requested in this Proposal would assess whether consumers’ trust in the Company could be increased by enhancing or adding new privacy safeguards, which, in consultation with reproductive rights and civil liberties organizations, may include:
| ● | Establishing a robust policy of challenging overbroad or vague government data requests; |
| ● | Providing user-friendly and easy-to-read privacy guidelines (e.g., infographics, disclosure banners, privacy policy outlines); |
| ● | Implementing a default policy of, whenever legally permissible, notifying users whose data is requested by law enforcement; and, |
| ● | Publishing periodic transparency reporting on data privacy and government data request, with special attention to issues related to reproductive rights. |
In sum, we believe that implementing the requested report will help ensure that PayPal does more to monitor its data handling practices to reduce consumer exposure to serious risks stemming from abortion-related criminal prosecutions. Failure to do so may erode shareholder value by diminishing the Company’s reputation, consumer loyalty, brand, and values.
Vote “Yes” on Shareholder Proposal No. 6.
For questions, please contact Corporate.Engagement@rhiaventures.org.
The foregoing information should not be construed as investment advice.
ADDENDUM A:
Examples of harms from companies sharing reproductive health-related data with third parties without consumer consent
Aaron Sanderford, Facebook data used to prosecute Nebraska mother, daughter after alleged abortion, Nebraska Examiner (Aug. 10, 2022), https://tinyurl.com/2etavr8t
In 2022, Meta complied with a data request from a local Nebraska police department for private Facebook messages between a mother and daughter, who were both subsequently charged with felony crimes related to the alleged illegal termination of the daughter’s pregnancy.
Cynthia Conti-Cook, Surveilling the Digital Abortion Diary, University of Baltimore Law Review (Oct. 2020), https://tinyurl.com/49wcm5uy
In 2017, a woman in Mississippi experienced an at-home pregnancy loss. A grand jury later indicted her for second-degree murder, based in part on her online search history, which recorded that she had looked up how to induce a miscarriage.
Drew Harwell, Is your pregnancy app sharing your intimate data with your boss?, The Washington Post (Apr. 10, 2019), https://tinyurl.com/57mrfs3n
A 2019 report revealed that pregnancy app Ovia Health sold user health data to their employers, without user consent.
Patel v State of Indiana, 60 N.E.3d 1041 (Ind. App. 2016), https://tinyurl.com/yc6v27f9
In 2013, a woman was sentenced to twenty years in Indiana prison for “neglect of a dependent and feticide” after taking abortion pills she purchased online. Evidence presented against her at trial included online research she conducted, the email confirmation she received from an online mail order pharmacy, and unencrypted text messages to a friend about her relationship, becoming pregnant, and the abortion medication she purchased.
Shoshana Wodinsky & Kyle Barr, These Companies Know When You're Pregnant—And They're Not Keeping It Secret, Gizmodo (Jul. 30, 2022), https://tinyurl.com/mthv8jzc
In 2022, Gizmodo identified 32 brokers selling data on 2.9 billion profiles of U.S. residents pegged as "actively pregnant" or "shopping for maternity products."
Jennifer Gollan, Websites Selling Abortion Pills Are Sharing Sensitive Data With Google, ProPublica (Jan. 18, 2023), https://tinyurl.com/3ty8cb45
A 2023 investigation by ProPublica found online pharmacies that sell abortion medication such as mifepristone and misoprostol are sharing sensitive data, including users' web addresses, relative location, and search data, with Google and other third-party sites — which allows the data to be recoverable through law-enforcement requests.
Federal Trade Commission v Kochava, Inc. (Aug. 29, 2022), https://tinyurl.com/ywbffb4b
In 2022, the Federal Trade Commission sued Kochava – a data analysis platform primarily used by companies for marketing purposes – for selling data that tracks people at reproductive health clinics, places of worship, and other sensitive locations.
THE FOREGOING INFORMATION MAY BE DISSEMINATED TO SHAREHOLDERS VIA TELEPHONE, U.S. MAIL, E-MAIL, CERTAIN WEBSITES AND CERTAIN SOCIAL MEDIA VENUES, AND SHOULD NOT BE CONSTRUED AS INVESTMENT ADVICE OR AS A SOLICITATION OF AUTHORITY TO VOTE YOUR PROXY. PROXY CARDS WILL NOT BE ACCEPTED. PLEASE DO NOT SEND YOUR PROXY TO TARA HEALTH FOUNDATION. TO VOTE YOUR PROXY, PLEASE FOLLOW THE INSTRUCTIONS ON YOUR PROXY CARD.