F

PayPal

Fail
PayPal Holdings · 🇺🇸 United States
Technical details
Manufacturer: PayPal Holdings

⚠️ The bottom line

PayPal bought coupon browser extension Honey for $4 billion in 2020 and turned it into a surveillance tool installed on 20 million browsers. YouTuber MegaLag discovered in December 2024 that every time you clicked "Apply Coupon," Honey silently replaced the content creator's affiliate tracking cookie with its own — stealing commission from creators like Sam Denby of Wendover Productions, who filed a class action. Honey tracked browsing across every website, not just shopping sites. After the exposé, 8 million users uninstalled it and Rakuten kicked Honey off its affiliate network in January 2026. In October 2022, PayPal quietly updated its terms to let it reach into your account and take $2,500 every time you posted something PayPal — at its "sole discretion" — considered "misinformation." Not a court, not a regulator. PayPal. Its own former president David Marcus publicly said "this goes against everything I believe in." PayPal claimed the entire policy was published "in error" — despite the Wayback Machine showing it was live for 11 days. A payment processor tried to become a speech arbiter with the power to drain your bank account.

Legal jurisdiction
🇺🇸 United States (headquarters)
CLOUD Act
US govt can demand your data from this company even if stored overseas
FISA §702 / PRISM
NSA collects stored emails, photos, messages without individual warrants
Geofence warrants
Police can demand location data for everyone near a crime scene
Spying
3/4 HIGH
Is someone spying on me?
Data Sharing
2/4 MODERATE
Who gets my data?
Security
2/4 MODERATE
Is it actually secure?
Honesty
4/4 EXTREME
Can I trust what they say?
REPLACE: Extreme risk. Look for alternatives or lock down hard.
6 Contradictions
2 Critical
4 High
0 Medium
5 Sources
Findings by concern
Spying 3/4 HIGH 1 finding
⚠️ critical · policy claims vs app permissions
PayPal bought coupon browser extension Honey for $4 billion in 2020 and turned it into a surveillance tool installed on 20 million browsers. YouTuber MegaLag discovered in December 2024 that every time you clicked "Apply Coupon," Honey silently replaced the content creator's affiliate tracking cookie with its own — stealing commission from creators like Sam Denby of Wendover Productions, who filed a class action. Honey tracked browsing across every website, not just shopping sites. After the exposé, 8 million users uninstalled it and Rakuten kicked Honey off its affiliate network in January 2026.

What they claim: PayPal's privacy policy states it collects data to provide and improve services and protect users.

What we found: PayPal's Honey browser extension tracked all browsing activity across every website. In December 2024, YouTuber MegaLag exposed that Honey performed cookie stuffing — silently replacing content creators' affiliate cookies with its own, stealing commission revenue. The scheme generated an estimated $1.4 billion in revenue for PayPal. Honey lost 8 million of its 20 million users after the exposé. In January 2026, Rakuten Advertising removed Honey from its affiliate network.

Data Sharing 2/4 MODERATE 1 finding
⚡ high · policy claims vs policy claims
PayPal's privacy policy describes "limited" data sharing, but the fine print reveals over 600 third-party partners receiving your data. In October 2024, PayPal went further — silently enabling "Personalised Shopping" on every account, sharing your purchase history, browsing data, and financial information with retail stores. Users weren't asked; they had to discover the pre-ticked box and manually opt out. A company that knows every purchase you've made, every person you've paid, and your bank details decided to start selling that profile to shops — and turned it on before telling anyone.

What they claim: PayPal's privacy policy describes limited, purposeful data sharing with third-party partners.

What we found: PayPal shares data with over 600 third parties. In October 2024, PayPal enabled a new data-sharing setting by default called Personalised Shopping that shares purchase history, browsing data, and financial information with participating stores. Users were not asked; they had to discover the pre-ticked box and manually opt out.

Security 2/4 MODERATE 1 finding
⚡ high · policy claims vs regulatory findings
PayPal promises "appropriate technical measures" to protect your data, but its engineers skipped security reviews on a tax form system update because they classified it wrong. Result: 35,000 customers had their Social Security numbers exposed to credential-stuffing attackers. In January 2025, New York's financial regulator fined PayPal $2 million and revealed the company hadn't even implemented mandatory multi-factor authentication — the most basic security measure available. A company handling $1.36 trillion in payment volume per year couldn't be bothered to turn on two-factor auth.

What they claim: PayPal implements appropriate technical and organisational measures to protect personal data.

What we found: In January 2025, New York DFS fined PayPal $2 million after discovering its Form 1099-K system exposed Social Security numbers, names, and dates of birth for 35,000 customers. PayPal's engineering team classified a system update incorrectly, bypassing risk assessments and penetration testing. PayPal had not implemented mandatory multi-factor authentication.

Honesty 4/4 EXTREME 3 findings
⚠️ critical · policy claims vs policy claims
In October 2022, PayPal quietly updated its terms to let it reach into your account and take $2,500 every time you posted something PayPal — at its "sole discretion" — considered "misinformation." Not a court, not a regulator. PayPal. Its own former president David Marcus publicly said "this goes against everything I believe in." PayPal claimed the entire policy was published "in error" — despite the Wayback Machine showing it was live for 11 days. A payment processor tried to become a speech arbiter with the power to drain your bank account.

What they claim: PayPal's Acceptable Use Policy says it protects user funds from unauthorized deductions.

What we found: In October 2022, PayPal published an updated AUP allowing it to deduct $2,500 per infraction from user accounts for posting "misinformation" — with what counts as misinformation determined at PayPal's sole discretion. PayPal's own former president David Marcus publicly condemned the policy. PayPal reversed it within days, claiming it was published "in error," but the Wayback Machine confirmed it was live for 11 days.

⚡ high · policy claims vs app permissions
Venmo, owned by PayPal, made every transaction public by default and gave users no way to hide their friends list. In May 2021, BuzzFeed News found President Biden's "secret" Venmo account in under 10 minutes and mapped his entire social network — senior White House officials, family, Secret Service contacts. The EFF documented therapists with patient lists exposed, women stalked by ex-boyfriends tracking transactions, and journalists with confidential sources burned. PayPal had been warned since 2019 but did nothing until the leader of the free world got doxxed on their platform.

What they claim: Venmo (owned by PayPal) states users have control over their privacy settings.

What we found: Venmo set all transactions to public by default, with no option to hide friends lists. In May 2021, BuzzFeed News found President Joe Biden's secret Venmo account in under 10 minutes, mapping his entire social network including senior White House officials. The EFF documented therapists with exposed patient lists, women stalked by ex-boyfriends, and journalists with burned sources. Venmo only added the option to hide friends lists after the Biden incident.

⚡ high · policy claims vs regulatory findings
PayPal says it holds funds "to protect against fraud," but thousands of small business owners have had their entire operating capital frozen for up to 180 days with no explanation and no human to talk to. The Consumer Financial Protection Bureau has received thousands of complaints from sellers with clean records — yet PayPal locked their money and responded only with automated messages. Small businesses have gone bankrupt waiting six months for PayPal to release funds it had no legal basis to hold. PayPal acts as a bank when convenient but avoids bank regulations when it's not.

What they claim: PayPal states it processes refunds and holds funds only to protect against fraud.

What we found: PayPal routinely holds seller funds for up to 180 days without explanation, even for established sellers with clean records. Multiple class action lawsuits and thousands of CFPB complaints document PayPal freezing accounts containing thousands of dollars with no fraud detected and no appeal process. Small businesses have been bankrupted waiting for PayPal to release operating capital.
