2012-2013 PRIVACY & DATA PROTECTION ANNUAL REPORT
CONTENTS
- Leading the Way
- A Strong Privacy Advocate
- Protecting Our Customers
- The Mobile Revolution
PREFACE
by Dr. Larry Ponemon, Chairman & Founder, Ponemon Institute LLC

I am pleased to write this preface for eBay Inc.'s first global privacy report. Over the past several years, I have had the opportunity to meet members of eBay Inc.'s privacy office and learn about the company's privacy management and data protection compliance activities. As a researcher and auditor of corporate privacy and data protection practices, it is important to maintain an impartial view of the companies I evaluate. Admittedly, I am a satisfied user of eBay and PayPal services and I hold a favorable impression of the company's privacy leadership, policies and related customer commitments.

Beyond my own personal experiences, however, I thought it would be helpful to discuss research results that capture the privacy perceptions for a representative sample of adult-aged Americans. Ponemon Institute's Most Trusted Companies for Privacy Study is objective research that asks consumers to name and rate organizations they believe are most committed to protecting the privacy of their personal information. Independently conducted for more than eight years, our annual study tracks consumer perceptions about companies that routinely collect, use and retain personal information.

Each year, approximately 100,000 adult-aged consumers located throughout the United States are asked to name five companies they believe to be the most trusted for protecting the privacy of their personal information and five companies they view as least trusted for privacy. According to consumers, the most important privacy attributes concern data security, the ability to be forgotten, a commitment not to sell personal data and the ability to revoke permission for future contact. Some factors influencing consumers' perceptions about a company's privacy commitments include opinions about brands or products and personal experiences on company websites.
The culmination of our survey activity is a list of most trusted companies, which normally consists of 200 or more separate organizations. eBay earned 9th place in our most recent study. Furthermore, eBay has been listed in the top 10 for all years of this annual research series.

In summary, I believe our research provides unambiguous indicators consistently showing eBay as one of the most trusted companies for privacy over eight years. While perception is not a perfect substitute for reality, in our experience this aggregated consumer rating clearly differentiates companies that meet or exceed the public's expectations. To see the most recent Ponemon Institute Privacy Study or for more information on our survey methodology please visit ponemon.org.

Respectfully,
Dr. Larry Ponemon
Chairman & Founder, Ponemon Institute LLC
LEADING THE WAY

EBAY INC. PRIVACY TEAM

In 2013, privacy has been one of the leading topics of concern for consumers, businesses and regulators across the globe. Privacy events on national and international levels have been common over the course of the past year. Businesses, consumers and regulators all need to ensure that privacy isn't driven by the headlines of news stories, but rather by an understanding of the fundamental principles of data protection, exceeding consumer expectations, and providing choice for people to know how and when their personal information is being used.

The eBay Inc. Global Privacy Office has a charter to:
- Promote trust in eBay Inc. brands through transparent, consistent, and reliable use of personal information.
- Guide compliance with legal and regulatory obligations and the promises we make to our users and employees in our privacy policies.
eBay Inc. has been on the leading edge of protecting privacy for over a decade, creating and patenting AdChoice [1], which allows users to opt out of targeted advertising right within an ad's creative banner, and by pioneering leadership in organizations such as the Business Forum for Consumer Privacy and the Digital Due Process Coalition.

eBay Inc. continues to be a privacy leader through its adherence to Binding Corporate Rules. Our BCRs were the first of their kind led by the Luxembourg Data Protection Authority in 2009, and we were the first ecommerce company to receive approval for international EU data transfers using this code of conduct. Given our global approach, we are confident that our privacy practices will proactively address the requirements of evolving legislation in emerging markets. We are already actively engaged in both the Asia Pacific and Latin American markets and proactively protect the privacy of our members in those regions based on the principles of local law and our BCRs.

To meet its charter, the eBay Inc. Privacy Office supports our business units by promoting privacy by design principles and providing resources for effective consumer privacy advocacy. This approach is critical as technology will provide business with ever more innovative ways to collect and use personal information. For example, the Privacy Office has been actively involved in mobile initiatives, and has guided the development of apps so that privacy is the default configuration. In addition to the business unit level support that eBay's Privacy Office has historically provided to each of our brands, the eBay Inc. Privacy Office has grown over the last year to include a centralized privacy audit and compliance team that partners with our corporate compliance and internal audit functions to address compliance activities as they relate to user and employee privacy.
The future of privacy is one ripe with consumer knowledge and choice, but also one where there will be more technology options than have ever been available. To say that big data is having an impact on businesses and consumers alike is an understatement. At eBay Inc., the era of big data does not mean little privacy. We do not share or sell customers' personal information with third parties for their marketing purposes. Consumers deserve to have control over their information dissemination, and businesses should function to represent the customer's desires.

[1] http://pages.ebay.com/help/account/adchoice.html
A STRONG PRIVACY ADVOCATE

GOVERNMENT RELATIONS

eBay Inc. has consistently been an Internet industry leader in advocating for strong global privacy protections based on an appropriate legislative framework. In order to protect users and build their trust in the broader online environment, it is important to set legal parameters that permit companies to innovate while delineating clear rules to which companies must adhere. eBay Inc. advocates for legislation and regulation that supports ecommerce and our commitment to connected commerce.

eBay Inc. believes privacy legislation or regulation should include the following principles:
- Notice of any personal information collected
- A transparent policy on use and sharing
- Reasonable access to personal information
- The ability to review adverse automated decisions
- Uniform regulation of personal information across industry
- Clear preemptive national standards
- Effective national enforcement
- Protection to monitor and prevent fraud and other illegal activity
- Security commensurate with the type and volume of personal information
- Transparent account termination and data deletion process

EU REGULATION

The EU Data Protection Directive (95/46/EC)
has been the governing code in ensuring the protection of EU citizen data since 1995. The Directive is currently being reviewed and updated, and will likely take the form of an EU Regulation sometime within the next few years. eBay was an early advocate for the ongoing review of the EU's Data Protection regime and for a Regulation to ensure full harmonization of the EU's data protection requirements. eBay Inc. strongly supports consistency and clarity for European consumers, Data Protection Authorities and companies, and continues to support the ongoing legislative process.

The Regulation proposes a number of elements, including a single set of data protection and privacy standards, increased information about the use of data for customers and a data breach notification law that has strict penalties for non-compliance. eBay Inc. welcomes the efforts to further harmonize the EU's privacy laws. This Regulation has the potential to be an important step towards a true Digital Single Market in the EU, protecting EU citizens' privacy, supporting European economic growth, and creating a process for resolving issues that is clearer for citizens, companies and regulators.

eBay Inc. wants to ensure that there is a positive outcome in any regulation that takes effect, and we are confident that the operating regulation will be an EU-wide approach to privacy that builds confidence among consumers and offers legal certainty to businesses. It will help inform a robust global standard for privacy and online business, which is good for everyone. Businesses, particularly small ones, often have to focus considerable resources trying to follow differing local and international privacy laws and regulations. As a company that has always prioritized privacy, it is appropriate for eBay Inc.
to contribute to this important debate. eBay Inc. has been working with all relevant stakeholders to ensure that the policies are effective to meet the best needs of EU citizens.
U.S. PRIVACY LAWS

eBay Inc. supports a comprehensive data protection law for the United States. By championing legislative and administrative actions such as the Kerry-McCain Privacy Bill and the White House Privacy Bill of Rights, eBay's goal is to ensure that U.S. privacy laws are on par with the rest of the world, which is good for both U.S. consumers and businesses. eBay Inc. has been an active participant in the NTIA's multi-stakeholder processes for revised mobile privacy notices and will continue to participate in future multi-stakeholder processes.

International interoperability must be a critical element of any comprehensive privacy plan. For businesses operating internationally today, there are more than 200 country laws that have to be considered. A viewpoint that maintains globally consistent privacy baselines will help American businesses succeed. In addition, U.S. codified and enforced privacy principles will help businesses in the U.S. gain certainty for international transactions.

The United States has historically been a leader in personal protections and privacy principles, from Constitutional provisions to William Brandeis's thought leadership at the turn of the last century, and our laws for the Internet Age should reflect this concern for personal freedom. eBay Inc. believes that a national dialogue and debate is necessary to ensure that any approach to privacy legislation is thoughtful rather than reactive, and encourages innovation rather than inhibits it.
PROTECTING OUR CUSTOMERS

PRIVACY METRICS

eBay Inc. is committed to delighting our customers and exceeding their expectations at every turn. We recognize that privacy is a key component of their experience and the trust they place with us. To help serve our customers better, we actively review privacy metrics to understand and address data protection concerns. The eBay Inc. Privacy team and our business leaders set priorities and ensure control, auditability and transparency exist in compliance processes across our various business functions.

One reporting stream into the Privacy Compliance function is management of user rights, which can be exercised through requests to Data Protection Authorities, or through escalated customer service cases. This reporting stream, which is already active in our analysis of EU business activity, is currently being implemented in our global markets.
EU DATA PROTECTION AUTHORITY ACTIVITY

In the EU, eBay and PayPal are Data Controllers out of Luxembourg, but we work directly with local Data Protection Authorities other than the CNPD, in the general spirit of cooperation. However, if issues cannot be resolved in these cases, they are referred to the CNPD. For eBay EU, the adjacent chart indicates that only 5 EU DPA inquiries have been received in the first half of 2013.

EU EBAY CUSTOMER SERVICE RIGHTS SERVICING

As of June 30, 2013, eBay has received 332 Subject Access Requests, which is in line with our Subject Access request average in 2012.

[Chart: x-axis January 2013 through June 2013, plus 2012 average]
EU PAYPAL RIGHTS SERVICING

For PayPal EU, no DPA inquiries have been received in 2013. PayPal has received 36 Subject Access Requests in 2013.

[Chart: series SAR, "What do you do with my data?", Delete data, DPA Inquiries; x-axis January 2013 through June 2013, plus 2012 average]
ACCOUNT CLOSURE REQUESTS FOR EBAY AND PAYPAL IN EU AS PERCENTAGE OF TOTAL # OF ACTIVE ACCOUNTS

[Chart: series eBay EU and PayPal EU; x-axis January 2013 through June 2013]

TRUSTe

eBay and PayPal subscribe to TRUSTe's certified privacy program to demonstrate to our customers that we are transparent about our privacy practices and respect consumer privacy. TRUSTe also serves as a neutral third party by integrating a dispute resolution process which extends customer care. In the first half of 2013, TRUSTe received 156 requests from our users as part of this third-party dispute resolution service. Our Privacy program works closely with TRUSTe to resolve all privacy-related requests from our users. The chart to the right shows the distribution of requests received by TRUSTe in the first half of 2013.
CONSUMER INQUIRIES THROUGH TRUSTe

[Pie chart. Categories: Monetary/Billing/Transactional; Other Requests; Account Access/Creation; Help with Features/Functionality; Removal of Personal Information. Segment values (order not matched to categories): 10%, 36%, 37%, 9%, 8%]
EBAY INC. PRIVACY CENTER

eBay Inc. is focused on enabling our members to understand our products, solutions, and our privacy practices. We are always willing to listen and work with our community on suggestions or concerns related to privacy. To improve our communication with customers and regulators, eBay Inc. has developed a dedicated privacy center website for all of our members (ebayprivacycenter.com).

This year, in addition to expanding our foreign language sites on our privacy center, we added a channel for customers to contact us directly on the eBay Inc. Privacy Center. In the first half of 2013, we have responded to 157 requests that came from our eBay Inc. Privacy Center. eBay Inc. prides itself on being responsive to our customers on privacy issues, and every request was responded to within 72 hours from the time of receipt.
CONSUMER INQUIRIES THROUGH EBAYPRIVACYCENTER.COM

[Pie chart. Categories: Monetary/Billing/Transactional; Opt Out of Communication; Privacy Policy; Account Access, Creation or Closure Requests; Subject Access Requests. Segment values (order not matched to categories): 35%, 19%, 34%, 11%, 1%]
ADCHOICE OPT OUTS

eBay Inc. has consistently been an Internet industry leader in advocating for strong privacy protections and consumer control. Since eBay Inc.'s inception, our core privacy commitment has been that eBay Inc. will not sell the personal information of our customers to third parties for their marketing purposes. In addition, we recognized that a mechanism was needed to provide consumers with more meaningful choices over the way their aggregate anonymous data was used for behaviorally targeted advertising purposes.

Years before there were any industry-wide solutions, eBay Inc. developed and implemented a program called AdChoice. AdChoice allows eBay users to choose whether to receive behaviorally targeted third-party advertising on eBay Inc. websites and on the websites of our advertising partners. AdChoice was implemented in 2007, and a number of online businesses have since adopted similar programs through industry initiatives.

AdChoice has two major components:
- A preference that provides users with more information about our personalized advertising programs and allows users to make choices about their participation;
- A prominent link on the customized advertisements we serve, allowing users to access information about AdChoice (and any partners that might be involved) and to set their preference.

The chart below tracks the AdChoice Opt Outs across our largest web properties. These numbers reflect an overall trend in online behavioral advertising: that more people are exercising their rights to not be served targeted advertising. In 2012-2013 eBay users who expressed a desire to not be behaviorally targeted have used this tool to set their own specific preferences. As PayPal continues to grow globally, users are using our tool to set their preferences in relation to advertising. (At the time of printing, PayPal quarterly data was only available through Q1 2013).
ADCHOICE OPT OUTS AS PERCENTAGE OF TOTAL # OF ACTIVE ACCOUNTS

[Chart: series PayPal, eBay, eBay UK, eBay Germany; x-axis 2012 Q1 through 2013 Q2]
THE MOBILE REVOLUTION

In 2013 eBay Inc. celebrated 5 years of mobile innovation, making e-commerce simpler and more accessible to our customers. Mobile is a critical element for connected commerce, and eBay Inc. is at the forefront of this channel, developing consumer-friendly apps.

179 M EBAY INC. MOBILE APP DOWNLOADS SINCE Q3 '08

PRIVACY ON OUR MOBILE APPS

We follow best practices on all our mobile applications:

eBay Inc. mobile product development follows Privacy by Design principles:
- Privacy as a default setting on all mobile apps
- End-to-End Security
- Respect for Consumer privacy
We have transparent privacy notices to inform our members:
- WE POST AND DISPLAY our privacy policies within our mobile apps and stores
- WE ASK FOR PERMISSION before collecting geolocation or sensitive information
- WE ARE DEVELOPING a Mobile Short Form Notice to provide simplified information to consumers, with a prototype set to launch in early 2014