PayPal's Honey Acquisition: The $4 Billion Trojan Horse in Your Browser

In November 2019, PayPal announced its acquisition of Honey Science Corporation for $4 billion in cash—the largest acquisition in the company's history. Honey, a browser extension that automatically finds and applies coupon codes at checkout, had built a user base of over 17 million active monthly users who trusted it to save them money while shopping online. What most of those users did not fully appreciate was the scope of what they had installed. Honey's browser extension operates with some of the broadest permissions available in the Chrome and Firefox extension ecosystems: it can read and modify data on every website the user visits. For PayPal, this capability represented something far more valuable than coupon codes.

The acquisition transformed PayPal from a company that saw your transactions into a company that could see everything leading up to those transactions—every product page browsed, every price compared, every shopping cart abandoned. Combined with PayPal's existing transaction data and Venmo's social payment graph, Honey's browsing data completes a consumer surveillance trifecta that few companies outside of Google and Amazon can match.

The Permissions Problem

Browser extensions operate under a permission system that most users accept without scrutiny. When a user installs Honey, the browser displays a prompt stating that the extension can "read and change all your data on all websites." This permission—the broadest available for browser extensions—is technically necessary for Honey to function, since it needs to detect shopping sites and inject coupon codes at checkout. But the same permission allows Honey to observe browsing activity on non-shopping sites as well. Security researcher Sam Jadali documented in a 2024 analysis that Honey's extension communicates with PayPal servers on a range of non-commerce websites, transmitting page URLs and metadata. Honey's privacy policy confirms that it collects "information about the websites you visit" but characterizes this as necessary for product improvement and personalization.

How does your site score?

Run a free scan and get actionable improvement prompts in 30 seconds.

Affiliate Commission Hijacking

Beyond browsing surveillance, Honey has faced sustained criticism for a practice known as affiliate code injection. When a user arrives at a shopping site through a content creator's or publisher's affiliate link, Honey can override that affiliate tracking code with its own at checkout. This means the creator who referred the sale receives no commission, while Honey—and by extension PayPal—captures the affiliate revenue instead. Content creators on YouTube, blogs, and social media have documented cases where Honey's extension replaced their affiliate codes, costing them significant income. A 2024 investigation by technology journalist MegaLag estimated that Honey's affiliate override system redirects tens of millions of dollars annually in affiliate commissions. Honey has stated that its system "finds the best available coupon and does not intentionally override affiliate links," but the technical evidence contradicts this claim.

PayPal has integrated Honey's data and technology into its broader ecosystem, including PayPal's checkout recommendations and advertising products. The company's privacy policy, updated after the acquisition, permits data sharing between PayPal, Venmo, Honey, and other PayPal subsidiaries. For the 17 million users who installed a browser extension to save a few dollars on online purchases, the true cost may be measured in the comprehensive profile of their digital lives that now sits in PayPal's servers. PayPal told OPV that "Honey's data practices are transparent and clearly disclosed" and that the company "does not sell user data." Privacy advocates note that in the modern data economy, selling data is unnecessary when you can use it to power a trillion-dollar advertising and payments ecosystem.