New court filings detail technical evidence of affiliate commission theft and deliberate compliance circumvention
The legal battle against PayPal's Honey browser extension has escalated significantly with the filing of a Second Amended Consolidated Class Action Complaint that reveals disturbing new details about how the extension allegedly operated to systematically divert affiliate commissions from content creators.
Filed on January 22, 2026, in the United States District Court for the Northern District of California, the 101-page complaint presents extensive technical evidence, test purchase documentation, and internal communications that paint a comprehensive picture of what plaintiffs describe as deliberate “cookie stuffing” designed to steal commissions while evading detection.
At the heart of the complaint is a technical breakdown of how Honey allegedly operated. According to the filing, when consumers interacted with the Honey browser extension in any way, including simply clicking to dismiss its popup, the extension would surreptitiously open what plaintiffs call a “Secret Tab.”
This hidden tab, which appeared briefly before automatically closing, would redirect the consumer's browser to a purpose-built URL containing PayPal's own affiliate ID. The merchant's website would then register this as a second referral, overwriting the original affiliate marketer's tracking information with PayPal's credentials.
The complaint states that this behaviour constitutes “cookie stuffing,” a practice that is “routinely and specifically prohibited by contract” and that has previously “been found to constitute fraud” in legal proceedings.
What makes this particularly significant for the affiliate industry is that the mechanism allegedly functioned regardless of whether Honey actually provided any value to the consumer. The filing claims that even when the extension found no coupons, offered no cash back rewards, or when users simply dismissed the popup without engaging further, the commission diversion still occurred.
The complaint includes detailed documentation of controlled test purchases that allegedly prove the commission diversion mechanism. In one example involving Plaintiff Justin Tech Tips and Dell products, the filing walks through two parallel purchase scenarios.
In the first scenario, a buyer clicked Justin Tech Tips' affiliate link, navigated to Dell's website, and completed a purchase without engaging with Honey. The affiliate received his expected commission payment.
In the second scenario, everything remained identical except that the buyer engaged with the Honey extension to activate a potential “cash back” offer. According to the complaint, Honey “surreptitiously forced a redirect” to the same Dell checkout page, replacing “Justin Tech Tips LLC” with “PayPal Inc.” as the credited referrer. The affiliate received no commission for this sale despite being the one who actually drove the customer to the merchant's website.
Perhaps the most troubling allegations in the complaint concern PayPal's alleged system for detecting and evading compliance auditors. The filing describes four criteria that Honey allegedly used to determine whether to honour stand-down protocols or proceed with commission diversion.
The first criterion involves account age. According to the complaint, Honey would stand down if a consumer's account was fewer than 30 days old, recognising that auditors often create new accounts to conduct compliance tests.
The second criterion concerns a “points threshold” within Honey's rewards system. The filing alleges that Honey would stand down if users had fewer than 65,000 points, another indicator of relatively new accounts that might belong to testers rather than genuine consumers. Notably, the complaint states that this threshold was implemented after the December 2024 lawsuits were filed, and that previously “there was no points requirement at all for the vast majority of Merchants.”
The third criterion involved blacklisting certain merchant sites. The complaint notes that eBay, for example, had unique code that would “always stand down” regardless of other factors.
The fourth criterion is perhaps the most revealing. According to the filing, Honey checked whether users' browsers contained specific cookies associated with affiliate network technical tools. These cookies, labeled “CONTID”, “s_vi”, “_ga”, “networkGroup”, and “_gid”, are provided to those logged into the technical tools of affiliate networks like Commission Junction, Rakuten, Awin, and Swagbucks. If a user had such a cookie, indicating they were likely an industry professional rather than a regular consumer, Honey would stand down.
The complaint characterises these measures as showing that “PayPal is knowingly diverting and taking Affiliate Commissions after an Affiliate Marketer has referred a consumer to the Merchant, and attempting to evade detection and cover up its conduct when the user may be a tester, rather than an ordinary consumer.”
The filing includes references to internal emails between Rakuten and PayPal spanning from July 2020 through May 2025 that allegedly demonstrate repeated violations of stand-down protocols.
In July 2020, just months after PayPal acquired Honey, Rakuten allegedly alerted PayPal that the extension was violating stand-down protocols in multiple ways, particularly in cases involving prior offers from other affiliates. The complaint notes that this pattern continued for years, with PayPal providing various explanations while the violations persisted.
As recently as May 2025, Rakuten informed PayPal that Honey was still failing to stand down when users accepted offers from other publishers. Despite acknowledging the issue and claiming to be working on a solution, PayPal allegedly did not plan to deploy a fix until August 2025.
This documented pattern of repeated violations and delayed remediation forms a significant part of the plaintiffs' case that PayPal's conduct was deliberate rather than inadvertent.
The complaint names eleven plaintiffs representing a range of content creators across different niches. These include Justin Tech Tips (gaming technology), Gents Scents (men's fragrances), Angry Snowboarder (snowboarding equipment), Storm Productions operating as Madison Avenue Spy (fashion deals), Red Beard Studios operating as TheDenofTools (tools and DIY), and several others.
Each plaintiff details their relationships with multiple merchants, many of whom also partner with PayPal, establishing the direct conflict at the heart of the case. The complaint includes a statistical analysis using Monte Carlo simulation methodology to demonstrate that, given the widespread installation of Honey on consumer browsers and the volume of affiliate transactions processed by each plaintiff, it is “statistically impossible” that none of them had commissions diverted.
For context, the filing notes that by 2020, Honey stated it had approximately 17 million monthly active users and more than ten thousand merchant partners. The complaint alleges Honey has since lost roughly 8 million users following the December 2024 revelations.
The complaint advances seven distinct causes of action. The first is violation of the Computer Fraud and Abuse Act (CFAA), alleging that PayPal accessed protected computers without authorisation or in excess of authorisation to further a fraudulent scheme. The complaint argues that any implied consent consumers gave when installing the extension was invalid because PayPal concealed its true activities.
The second claim is unjust enrichment, arguing that PayPal received benefits (affiliate commissions) that rightfully belonged to the plaintiffs, and that it would be inequitable for PayPal to retain these amounts.
The third and fourth claims are intentional interference with prospective economic advantage and intentional interference with contractual relations respectively. These claims assert that PayPal knowingly disrupted the business relationships between affiliate marketers and merchants.
The fifth claim invokes California's Comprehensive Computer Data Access & Fraud Act, the state-level equivalent of the CFAA, alleging knowing unauthorised access and alteration of computer data.
The sixth claim alleges violation of California's Unfair Competition Law, characterising PayPal's conduct as both “unlawful” (because it violates other statutes) and “unfair” (because it violates public policy and harms competition).
The seventh claim, brought on behalf of Washington state plaintiffs, alleges violation of the Washington Consumer Protection Act.
The complaint provides extensive background on how affiliate marketing attribution works and why PayPal's alleged conduct violates industry norms. It explains that last-click attribution is the predominant model in affiliate marketing, where the affiliate marketer who most recently referred a consumer to a merchant's website receives credit for any resulting purchase.
Critically, the complaint distinguishes between a legitimate “last click” (an affiliate marketer's link that directs a consumer to a merchant's website) and PayPal's alleged artificial simulation of such a click. The filing argues that using hidden redirects to fabricate the appearance of a referral where none occurred is the functional definition of cookie stuffing, regardless of whether it achieves “last click” technical status.
The complaint quotes extensively from affiliate program terms that explicitly prohibit such conduct. For example, the Staples affiliate agreement prohibits “engaging in cookie stuffing” and states that “using redirects to bounce a click off of a domain from which the click did not originate in order to give the appearance that it came from that domain is prohibited.”
The filing documents the broader industry response to the controversy. Google updated its Chrome Web Store policies in March 2025 to explicitly require that extensions only include affiliate links when providing “a direct and transparent user benefit” and that affiliate relationships be fully disclosed before installation.
Microsoft discontinued its coupon feature in May 2025 amid similar lawsuits against its Shopping extension.
Most significantly for affiliate program managers, Rakuten Advertising became the first major network to remove PayPal Honey as a publisher from its global network, representing the first network-level accountability measure taken by a major affiliate tracking platform in response to the controversy.
The lawsuit seeks monetary damages including the value of diverted affiliate commissions, equitable relief including disgorgement of PayPal's profits from the alleged scheme, injunctive relief to prevent ongoing violations, and attorneys' fees.
Earlier procedural victories have already shaped the litigation landscape. In November 2025, Federal Judge Beth Labson Freeman denied PayPal's motion to force the class action into arbitration, ruling that PayPal's user agreements for individual account holders do not extend to broader business disputes about Honey's affiliate marketing practices.
However, a separate ruling dismissed claims from a different group of plaintiffs who failed to adequately demonstrate specific contractual entitlements to the commissions they claimed were diverted. This second amended complaint appears designed to address those deficiencies by providing more detailed documentation of each plaintiff's contractual relationships and the specific mechanisms of harm.
The technical details revealed in this complaint should prompt immediate action from affiliate program managers. The filing's description of Honey's detection evasion system suggests that standard compliance testing methodologies may be insufficient to detect problematic browser extension behaviour.
Programs should review their browser extension partnerships with fresh scrutiny. The complaint's allegations that Honey maintained configuration files with specific thresholds for when to respect stand-down protocols suggests that technical audits need to account for the possibility that extensions may behave differently depending on who is testing them.
The documented pattern of Rakuten's communications with PayPal over five years also raises questions about what responsibility networks bear for policing publisher practices when they have evidence of violations but limited remediation occurs.
More broadly, this case underscores the vulnerability of last-click attribution models to technological exploitation. Affiliate program managers may need to consider multi-touch attribution approaches, server-side tracking, or other mechanisms that are more resistant to the type of manipulation alleged in this complaint.
The affiliate marketing industry has always operated on trust between brands, affiliates, and the networks that connect them. The detailed allegations in this filing suggest that trust requires verification, and that the technical sophistication of potential bad actors demands equally sophisticated monitoring and enforcement.
This case is In Re PayPal Honey Browser Extension Litigation, Case No. 5:24-cv-9470-BLF, United States District Court for the Northern District of California, San Jose Division.