PayPal’s Honey browser extension is facing legal challenges after investigative journalist MegaLag uncovered deceptive practices that allegedly harmed consumers, content creators, and small businesses. The reporting has led to more than 20 class action lawsuits and pushed Google to revise its browser extension policies.
The investigation began when MegaLag noticed inconsistencies in how Honey operated across different websites. While Honey claimed to work with 30,000 participating stores, internal data showed the extension was active on more than 180,000 websites. About 146,000 of those stores were added without consent or notification.
Small business owners described significant losses after Honey scraped private discount codes and distributed them to millions of users. These were not public promotions but targeted codes created for specific purposes, including newsletter signups, loyalty programs, military discounts, and employee benefits. Once those codes were exposed, businesses lost revenue and the ability to control their marketing strategies.
Chip Malt, CEO of Maiden Cookware, shared email exchanges showing that Honey refused to remove his store despite repeated requests. After employee-only discount codes were leaked multiple times, Honey representatives suggested the business become a paying partner to resolve the issue. Similar accounts appeared across multiple companies, with Honey maintaining access until partnership agreements were accepted.
The investigation also revealed extensive data collection. Although Honey publicly stated it did not sell user data, the extension tracked browsing activity across all visited websites. A German nonprofit, Data Request, obtained user records through GDPR requests that showed thousands of pages detailing shopping behavior, purchase history, and browsing activity. This data was highlighted as part of Honey’s value when PayPal acquired the company for $4 billion in 2019.
Honey’s marketing practices involving minors also drew scrutiny. Despite stating in its privacy policy that the service was intended for users 18 and older, Honey sponsored content aimed at children. Its partnership with MrBeast generated more than 3 billion views, including an advertisement encouraging kids to install Honey on every household computer. The company also sponsored Minecraft and Roblox content and worked with a 14-year-old influencer, raising concerns about compliance with child data protection laws.
After MegaLag’s reporting, Honey lost more than 6 million users. Google updated its extension policies to limit commission hijacking, and multiple class action lawsuits now accuse PayPal and Honey of wiretapping, computer hacking, unfair competition, consumer fraud, and tortious interference.
The investigation expanded beyond Honey, identifying similar behavior by other coupon extensions such as Karma, Capital One Shopping, and Microsoft’s Edge browser. In response, the journalist released a browser extension called Cookie Guard, designed to alert users when affiliate cookies are loaded without their awareness.
The reporting highlights gaps in oversight within the browser extension and affiliate marketing ecosystem. With financial incentives tied to transaction volume, enforcement mechanisms appear weak, allowing questionable practices to persist.