Honey targeted minors in advertising while leaking business codes

PayPal's Honey browser extension systematically exploited small businesses by leaking private discount codes and deliberately targeted minors for data collection, according to a December 22, 2025 investigation released despite legal threats from PayPal's attorneys.

The investigation demonstrates that Honey added 146,000 online stores to its platform without their consent, representing over 80% of the stores supported by the extension. This practice created what researchers characterize as economic coercion, where businesses faced ongoing revenue losses unless they agreed to partnership terms with PayPal.

According to the investigation, Honey maintained a database of 181,000 online stores when data was collected in late 2024. Of those stores, only 35,000 had active affiliate partnerships with Honey, leaving 146,000 stores operating on the platform without formal agreements. The extension consistently referred to stores as "participating" despite the majority never consenting to inclusion.

How Honey added stores without permission

The mechanism by which Honey populated its database reveals a fundamental deception in how the extension operated. For years, users and businesses alike assumed that Honey only appeared on websites that had explicitly partnered with the company. The investigation revealed this assumption to be false.

When examining how Honey functioned across different websites, researchers noticed an anomaly. In most cases, clicking "apply coupons" triggered Honey to open a discrete tab in the browser's top left corner, injecting a simulated referral click to claim credit for the sale. However, on certain stores, Honey would fail to load this affiliate link despite still offering coupon codes.

"At first, I thought it might be a bug, but quickly ruled that out after noticing the same anomaly on multiple websites," according to the investigation. The pattern became clear when examining Shopify's community forum, where a store owner complained that "Honey was leaking their coupon codes without their permission."

The investigator reached out to several business owners who confirmed they never authorized Honey's presence on their platforms. One business owner explained: "Honey takes the codes that people use on our website, the discount codes, and makes them public to everybody who's using Honey."

Another described the discovery process: "I hadn't heard about Honey before and I was just hanging out on the couch with my girlfriend and she made some comment about oh this app Honey that basically gives you all these coupon codes and I think she asked if we were on it. I said no and then she checked out our website and said oh you actually are on it and it's giving this 15 or 20% discount code."

The business owner continued: "That's when I found out about it and I was pretty shocked because I didn't know how long it had been going on for. Yeah, it cost us thousands and I haven't even looked into how far back it went, but I know we just ended the code right away."

To understand the full scale, researchers created an automated program that crawled through Honey's massive database, scraping data for all 181,000 stores. This revealed that Honey supported 35,000 stores with affiliate links and an additional 146,000 stores without affiliate links. The company "conveniently left out the teeny-weeny fact that they dragged an additional 146,000 stores onto their platform, presumably without consent," according to the investigation.

The question emerged: if Honey supported 181,000 stores, why advertise only 30,000? "Clearly, Honey decided that keeping this little secret to themselves outweighed the benefits of advertising it," the investigation concluded.

How Honey captured private coupon codes

The technical mechanism for capturing coupon codes proved more insidious than initially understood. Honey's system captured codes at the moment users entered them, before requesting permission to share.

"The moment you type in a coupon code, Honey immediately sends that coupon code directly to their servers and then they ask for your consent," according to the investigation. Source code extracted from Honey's iOS application confirmed this sequence.

A live demonstration showed the process: "Watch what Honey does in the background as I enter in this coupon. Honey realizes that it doesn't have this code yet and asks for my consent to share it. But look at this. Before I've clicked anything, Honey has already sent that coupon code to their server, including the details of how much money that coupon saved me, all without my consent."

The investigation noted that "Honey might argue that if you click don't share, they never actually use those coupons. And maybe they don't. Maybe those codes just sit in their database doing nothing. We can't say for certain."

However, Honey's privacy policy explicitly states that the company collects "coupons, promo codes, and deals you found." The policy language allows data collection without user consent, despite the permission prompt displayed in the interface.

This technical design explains how private codes leak. Newsletter signup incentives offering 10% discounts become available to all Honey users, eliminating the incentive for customers to provide email addresses. VIP codes for high-value customers lose their exclusivity. Military veteran and first responder appreciation discounts become publicly accessible. Employee discount codes intended for staff and their families appear on Honey's platform.

One marketing podcast discussed the mechanism: "What happens is if I have Honey, for example, and I'm one of your best customers at your e-commerce store and you decide you're going to do a promotion for your VIP customers, maybe it's a flash sale, and you send me a special code. I go to your website, I legitimately have that code from you. I type it into the promo code field at checkout. Because I have Honey in my browser, it is able to scrape that code then and give it to everybody who uses it."

The podcast continued: "We've seen codes like military hero 30 clearly intended for a veteran. And then in another case, even worse, in another case, my CEO found a men's apparel brand where they had a $75 off coupon code, but they didn't set a minimum order value. And so people were able to get unlimited merchandise for free as long as they kept their order value at $75 or under."

Why businesses couldn't remove themselves

The distinction carries material consequences for online retailers. Chip Malt, CEO of Made In Cookware, described discovering that Honey had leaked a private employee discount code intended for a small group. When he requested removal from the platform, Honey declined unless he agreed to a partnership arrangement.

Email correspondence reviewed in the investigation shows the pattern clearly. Malt wrote to Honey: "Hi, I am the CEO of Made In Cookware. Please remove us from your app. You've scraped a private friends and family code from our checkout and put it on the platform for others to use. We've lost a bunch of revenue."

Four days later, Honey responded: "Hi, Chip. Thanks for reaching out. Honey supports over 40,000 stores online, and we always prioritize protecting the Honey experience for users by supporting available stores and displaying available codes. We can absolutely remove the code in question in order to protect the Honey experience for our users. We typically do not remove codes unless we have a working relationship."

The investigation characterized this response: "Right off the bat, they're basically saying, 'We won't compromise the experience for our users unless you pay us.' Classy."

Honey's email continued: "We'd love to discuss how we can work more closely and partner with your brand."

Malt replied the same day: "We don't offer affiliate deals to coupon sites. We'd like to be removed from your site and extension completely."

Honey brought in their global partnerships manager, Kelly Roodec, who explained that the leaked code was added through user-generated functionality. She "completely ignores his request to be removed from the platform, only offering to remove the leaked employee discount," according to the investigation.

Malt responded: "A friends and family code was listed on your site. That was an internal code meant for a small group of people that was never published anywhere. Our whole site can't be removed from your app."

Honey confirmed removing the employee discount a week later but "again completely ignores Chip's request to be removed from Honey." When Malt pushed for an answer, "they ignore his email completely."

A month later, Honey leaked another private discount code. Malt wrote: "Hi, please remove from your app. That is a private code behind a private employee perk login. This should never be public. I don't understand how you feel taking a private employee perk and making that public to the world is helping our business."

Honey responded by suggesting Malt's employees might be responsible for sharing the code, despite evidence showing Honey's system captured codes directly from checkout forms. Honey then suggested that "Chip creates single-use codes for each and every employee, essentially making it his responsibility to fix a problem they created in the first place."

Two months later, another private code leaked. Malt again asked to be completely removed. This time, Honey finally addressed the question directly: "We proudly host a consistent shopping experience for all Honey shoppers who rely on our shopping tools. Therefore, we cannot disable Honey for individual stores and never have."

The claim proved false. Andrew from True Texture Supply shared his email exchange with Honey, dealing with the same employee, Kelly Roodec. "While Honey attempted the same sales pitch with Andrew, they did eventually remove his store from the platform," according to the investigation.

Roodec confirmed the removal of Andrew's store just one month before assuring Malt that "Honey had never removed a store before." The investigation concluded: "Once again, we've caught Honey in yet another calculated and deliberate lie. And make no mistake, it was deliberate because this employee, Kelly, confirmed the removal of Andrew's store just one month before assuring Chip that Honey had never removed a store before."

The selective enforcement pattern becomes clear: "Honey clearly has the capability to remove stores. They just choose to enforce that decision selectively. Keep in mind, Honey knows exactly how many of their users are visiting a given store and how much they are spending. So, I'd speculate that this selective enforcement comes entirely down to which stores Honey believes will make them the most money."

Impact on affiliate marketing and podcasts

The coupon code leakage created cascading problems for businesses using discount codes to track marketing effectiveness. One business owner explained: "So, we usually use discount codes as a way to track when influencers or partners are sending traffic to us so that we can identify the sale was attributed to that influencer and pay them a commission."

Another described the discovery: "I think we saw one code started to get used like way more and we were like, 'Wow, we're paying this influencer so much. They're doing so well.' And I was a little bit suspicious."

A third business owner explained the broader problem: "A lot of times discount codes are the only way for you to understand if a YouTuber that you love and would love to partner with is actually driving incremental value to your business. Those codes would immediately get picked up by Honey and then they'd be used hundreds of thousands of times and you'd be like, 'All right, like not only does that negatively impact our business, it was for that audience, but we have no idea which podcaster we should continue to support.'"

The podcast attribution problem became particularly severe. When brands advertise on podcasts, affiliate links aren't practical since listeners might be driving, running, or doing laundry. Instead, brands provide podcasters with unique coupon codes, earning commissions each time listeners use those codes at checkout.

Honey would capture these codes and distribute them to millions of users, breaking the attribution chain. Brands faced paying undeserved commissions to influencers whose codes got leaked while simultaneously losing the ability to measure which partnerships actually worked.

Chip Malt explained the consequence: "I mean, we basically pulled all out of the podcast realm because there is really no way to figure out how to attribute any successes or failures. We basically can't do that anymore because as soon as a code becomes used by one person, it's suddenly used by everybody."

The investigation noted: "This is a nightmare situation for everyone involved. But not all businesses are affected equally. Honey's actions are especially devastating for small businesses that lack the resources of larger brands."

Malt summarized the impact on small businesses: "When you're in the early stages of building a business, you're in the stage of will this company work? Is there product market fit. How do I scale this thing? Can the economics work? Right? And so all the things we talked about these discount codes and the kind of removal of attribution and killing margin like those really affect the early stages of a company. From everything from where do I put the next dollar in to make sure I can survive down to you're taking 10 15 20% of my sales without me wanting it."

He continued: "And we have digital marketing costs, we have shipping costs, we have all these stacks of costs that not only are getting more inflated over time, like FedEx has been raising their rates over time. Warehousing costs have gone up, COGS have gone up as you know through inflation for the last four or five years, right? Like all the cost structures have been going up and to have someone just stealing and compressing the actual revenue you want like puts small businesses in a real squeeze."

Malt concluded: "It's just really disappointing and like it doesn't even work because at the end of the day like you need to make the numbers work and if Honey is going to steal 10% of your revenue all the time. You're going to have to raise prices at the end of the day to make up for that, right? And so it's not only not effective, but it makes it worse for the consumer, it compresses for the small business owner any margin because it's just like a really awful business model."

The investigation characterized the practice as economic extortion: "Imagine one day deciding to start your own business. You've saved up all this money and invested it all into this one big idea. You're taking on a huge risk and as you navigate the daily struggles of running a business, a bad actor sneaks into your store without you ever noticing. They quietly start collecting coupons from your customers and start handing them out at your checkout counter. Then one day, you notice a customer with a voucher that was clearly never intended for them, and you have absolutely no idea how they got it. But when you eventually catch the culprit and demand that they leave your store, they refuse and there's nothing you can do about it. Knowing this, the bad actor leverages the harm they manufactured by strongarming you into signing a partnership deal where the only way to stop the damage they created is by paying them."

Why PayPal acquired Honey for $4 billion

The business model starts making sense when understanding what PayPal actually purchased. According to the investigation: "It really makes you wonder why on earth would a Fortune 500 company like PayPal sink $4 billion into buying this company. Sure, Honey was making some sweet affiliate revenue. But still, that's a lot of money."

To put the price in perspective: "The platform you're watching this on, YouTube, was acquired for just $1.6 billion. Combine that with the acquisitions of Instagram and Twitch, and it still equates to less than what PayPal paid for Honey, a coupon browser extension."

The answer lies in the data: "Honey brought more to the table for PayPal than its ability to turn out mountains of cash. They also had 17 million users worth of data. And as it turns out, lots of it."

Data collection extended far beyond coupon codes. According to research conducted by German nonprofit Data Request, Honey tracked browsing activity across every website it classified as an online store, collecting timestamps, device identifiers, operating system details, geolocation data, and complete URLs.

Analysis of one user's data from February through May 2020 showed Honey collected over 2,000 pages of web activity. From just 27 page views, researchers could determine specific details: "On February 13th at 2:57 p.m., Benny viewed an iFixit guide on how to swap the DVD lens on a Nintendo Wii. They could see that Benny checked an AliExpress order 13 times, his order ID fully visible, including the fact he opened a dispute for the order. They could see he had a Microsoft family plan and that he added a new family member to his Office 365 account. Honey also knew that Benny looked for an Airbnb in Berlin for two adults from the 4th to the 5th of March."

The investigation continued: "And apparently Benny had issues with his iPhone because he viewed an Apple support page on how to reset his passcode. On March 23rd at around 5:00 p.m., Benny watched a documentary called Scanning the Pyramids on Curiosity Stream, a service he subscribed to just an hour earlier through YouTuber Tom Scott's affiliate link. And apparently Benny's a gamer because he redeemed a game on Steam with the serial code 5HGP6."

The scope proved massive: "All that information could be inferred from just 27 page views. But in total, Honey collected over 2,000 pages of web activity between just February and May of 2020. Meaning what I just read to you represents only 1% of the total data Honey collected within a 3-month window. That is insane."

PayPal acquired Honey for $4 billion in 2020. The transaction positioned PayPal to leverage cross-merchant shopping data for advertising purposes. Honey's 2015 pitch deck to investors explicitly identified "personalized offers to consumers based on cross-sight comparison shopping data" as a core component of their business strategy.

The pitch deck stated that "Honey's unique data allows us to predict what each user is about to buy, when they intend to purchase, and how much they are willing to pay." The data collected included "user behavioral data, stores visited, products viewed," and purchase history.

Former Honey executives confirmed the data value proposition in interviews conducted after PayPal's acquisition. Daniel Pilington, former senior manager of partnerships, discussed the benefits for merchants: "You know, one of the metrics that we assess very frequently for merchants that work with Honey is, you know, cross shopping. So, you know, how many other stores is a user visiting as well as the store in question? You know, are they going to six stores? Are they going to seven stores? Are they going to 10 stores before they make a decision on where to purchase?"

Another former senior partnerships manager explained: "So, like one of the things we have insight into at Honey because we're a browser extension and we can see our shoppers and how they shop is that shoppers love to cross-site comparison shop. You know, we're really kind of following the shopper where they go and we're with them every step of the way. We have all sorts of tools to make those consumers stickier to those direct to consumer brands."

A former PayPal executive discussing the data benefits stated: "We've got a full suite of solutions across our consumer platforms that help drive new customers that help drive loyalty, that help drive conversion, and ultimately sales lift and we have a lot of analytics and a lot of data, a lot of shopper data obviously, and that's something that we can unlock on behalf of our partners."

The investigation concluded: "You've got to hand it to Honey. They've truly mastered the art of selling bullshit narratives to users. They promised privacy, insisting, 'Hey, we never sell or share your data.' But to their merchants, they literally bragged about how much of your data they had and how it could be leveraged to provide them with valuable insights into your shopping habits. It's genuinely astounding."

Data collection was part of Honey's strategy from the beginning. The 2015 pitch deck shows "data collection was top of mind from the very beginning, but they were already actively collecting it and pitching that data to investors as a valuable asset."

The investigation noted: "For years, Honey framed data collection as minimal and purely in service of saving users money. Well, it appears they were full of shit."

PayPal launched its advertising platform in April 2025, expanding to shoppable Storefront Ads in June 2025. The advertising products leverage transaction data from PayPal, Venmo, and Honey to deliver targeted campaigns across publisher websites and connected TV environments.

The investigation concluded: "PayPal didn't spend billions of dollars for a simple coupon extension. They were buying a window into your life as a consumer."

How Honey targeted minors despite privacy policy

The targeting of minors represents particularly severe regulatory exposure for PayPal. Honey's privacy policy states that the company "created Honey for the exclusive use of adults 18 and older" and claims not to "knowingly collect or solicit personal information from children."

The investigation revealed the contradiction: "You see, now there's just one problem with that." The video then showed MrBeast saying: "I have a challenge for all of you. Go to every computer in your house, your mom's, your dad's, your sister, your brother's computer, and install Honey."

The investigation noted: "Not only did Honey and PayPal knowingly collect data from minors, but they intentionally targeted them in their advertising."

MrBeast, whose audience demographic analysis shows substantial viewership among users under 18, received Honey sponsorship for content that accumulated over 3 billion views. "According to my data, Mr. Beast sponsorships represent over one-third of Honey's total sponsored views on YouTube," the investigation stated.

The targeting extended beyond MrBeast: "But it wasn't just Mr. Beast. Honey sponsored many channels whose content was, in my opinion, clearly targeted at minors. They sponsored Minecraft channels, Roblox channels, cartoon channels."

Honey even sponsored 14-year-old creator Desiree Machado, who stated in her video: "Guys, I'm only 14." The investigation noted: "Hilariously, one of her videos that Honey sponsored is appropriately titled Back to School. Honey even ran her sponsored segment as a paid advert on YouTube."

The MrBeast advertisement proved particularly problematic: "Of all the evidence, this has got to be the single worst example of Honey intentionally targeting minors." The ad told children to install the extension "on every computer in your house, your mom's, your dad's, your sister, your brother's computer." The investigation characterized this as "literally encouraging kids to install a browser extension that tracks and collects data onto every computer in their household, including those belonging to their siblings. That is fucking insane."

Former Honey president Joanne Bradford openly discussed the youth targeting strategy: "We launched it with gamers playing YouTube on their desktop and a little gamer called Mr. Beast. So, we were his first advertiser and we did a deal with him. His collective ads, I think, have been seen. You know, I'm going to say billions, three plus close to four billion times. Every kid in America knows what Honey is. Every kid in America was telling their moms and their dads they needed to download, you know, Honey in order to save money."

The investigation noted: "They weren't just telling their moms and dads to install Honey, they were installing it themselves." One user commented: "My 5-year-old brother installed Honey on his computer. Wow. Kids start saving money earlier and earlier these days."

Honey co-founder Ryan Hudson discussed leveraging influencer credibility: "We learned how to work with influencers in particular on YouTube to lean into the credibility that they have with their audiences, the ability to speak the language of their audience. And it's been incredible for us. And so we've done if you watch YouTube or you have kids that watch YouTube, they have seen they have seen if you watch Mr. Beast, it's a lot of honey. A lot of honey."

The investigation concluded: "This was no accident. Honey's leadership knew what they were doing and they knew it worked well. That Mr. Beast ad alone has 118 million paid ad views, the highest of any Honey ad on YouTube, which strongly suggests it was also their best performer. Honey likely invested millions into this ad alone. Honestly, it's genuinely shocking they've gotten away with it for so long."

The Children's Online Privacy Protection Act prohibits collection of personal information from children under 13 without verifiable parental consent. Multiple jurisdictions maintain strict regulations regarding minor data collection, often requiring explicit parental authorization before processing information from underage users.

Legal and industry consequences

PayPal issued a cease and desist letter to the investigator hours before the December 22 publication: "A few hours ago, PayPal's lawyer sent me a cease and desist letter and requested Patreon take down my video under a copyright infringement claim. I consider this a direct attack against my fundamental rights as an independent journalist."

The letter claimed copyright infringement over code excerpts from Honey's iOS application. The investigator removed the disputed segments: "Nevertheless, I have removed sections of the video containing said code, not because I believe PayPal are correct, but because I know they will have YouTube take this video down. It was only a small segment of the video. Therefore, I have made this decision quickly under duress and to proceed with this publication as quickly as possible."

The investigator concluded: "If PayPal thought this would stop me, they were sorely mistaken."

The investigation triggered over 20 class action lawsuits against PayPal, alleging wiretapping, computer hacking, unfair competition, consumer fraud, tortious interference, and unjust enrichment. Wendover Productions LLC and Businessing LLC filed lead plaintiff claims on December 29, 2024, in the United States District Court for the Northern District of California, seeking damages exceeding $5 million.

Honey lost over 6 million users following the initial December 2024 investigation, dropping from over 20 million Chrome users to 14 million by July 2025. Google implemented policy changes blocking extensions from claiming undeserved commissions through last-click attribution manipulation.

Federal Judge Beth Labson Freeman denied PayPal's motion to force the class action into arbitration on November 7, 2025. The court ruled that PayPal's user agreements for individual account holders do not extend to broader business disputes about Honey's affiliate marketing practices.

Additional lawsuits have targeted other coupon and cashback extensions employing similar tactics. The investigation revealed: "There are now hundreds of coupon and cashback extensions. And while I haven't investigated all of them to the same extent that I have with Honey, many of them engage in similar behavior, especially when it comes to poaching affiliate commissions."

The investigation characterized these extensions broadly: "In my opinion, these extensions are nothing but leeches. They are parasites in the world of e-commerce."

Microsoft Edge's native coupon features were documented replacing affiliate cookies when users clicked coupon suggestions. Opera browser would inject affiliate links when users clicked autocomplete suggestions. Extensions from Capital One, Rakuten, and Retail Me Not faced similar allegations.

The investigation identified systematic failures by affiliate networks to enforce existing industry codes of conduct. Networks including Awin, Commission Junction, Impact, and Rakuten Advertising collectively agreed over a decade ago to prohibit many behaviors documented in the investigation.

The investigation explained the enforcement problem: "So why aren't these networks enforcing their own bloody rules? Well, for every sale made in affiliate marketing, these networks also get a slice of the pie. They generally charge between 20 and 30% of each and every commission paid."

The incentive structure creates conflicts: "The more money that flows through these extensions the more the networks get paid. So when these networks enforce rules resulting in a loss of income for the extensions they too take a hit. Enforcing their own rules basically means shooting themselves in the foot. That kind of incentive structure doesn't just fail to prevent fraud, it practically invites it."

The investigation identified 15,000 stores that had previously partnered with Honey but terminated those relationships. This represents 43% of Honey's claimed partnered store count, suggesting substantial dissatisfaction with the value proposition offered to merchants.

Timeline

• 2015: Honey's pitch deck to investors identifies cross-merchant shopping data collection as core business model
• 2020: PayPal acquires Honey for $4 billion
• December 22, 2024: Initial investigation reveals Honey's affiliate commission diversion practices
• December 29, 2024: Content creators file class action lawsuit against PayPal and Honey in Northern District of California
• April 2025: PayPal launches Offsite Ads platform leveraging transaction data for targeted advertising
• June 2025: PayPal debuts Storefront Ads enabling direct purchases within publisher content
• July 2025: Honey drops to 14 million Chrome users, losing over 6 million users since December 2024 investigation
• November 7, 2025: Federal court denies PayPal's arbitration motion, allowing class action to proceed in federal court
• December 22, 2025: Second investigation reveals targeting of minors and small business exploitation

Summary

Who: PayPal's Honey browser extension, small online businesses, content creators, minor users, and digital marketing professionals affected by the extension's practices.

What: Honey added 146,000 online stores to its platform without consent, systematically leaked private discount codes including employee and influencer affiliate codes, collected extensive browsing data from users including minors, and sponsored content explicitly targeting children despite privacy policy claims restricting service to adults 18 and older.

When: Practices occurred throughout Honey's operation before and after PayPal's 2020 acquisition, with investigations published December 22, 2024 and December 22, 2025. New COPPA regulations taking effect in 2025 heighten regulatory scrutiny of children's data collection.

Where: Operations affected online retailers and users globally, with legal proceedings in the United States District Court for the Northern District of California. PayPal maintains headquarters in San Jose, California.

Why: The practices enabled Honey to build a database of 181,000 stores while collecting cross-merchant shopping data valuable for PayPal's advertising business, which launched in 2025 leveraging transaction insights for targeted campaigns. The $4 billion acquisition price reflected the strategic value of this data infrastructure beyond simple coupon functionality.