Honey, the data hoarder—request a copy of your data now!

In our investigation on Honey, we have shown that the browser extension collects their users’ data on a large scale. Regardless of whether an account has been registered or not, the add-on diligently logs page views on plenty of websites and sends them to the company behind the extension, Honey Science LLC, a US-based company that was bought by PayPal.

Photo of a lot of bees rushing to a drop of sugar water, above that the text: “Honey, the data hoarder—request your data now”

What should I do?

Did you use Honey and maybe weren’t aware of this data hoarding? Or do you simply want to know what Honey has saved about you? The GDPR grants you a number of rights regarding your personal data, including the right to request a free copy of all data a company has collected about you, the right of data access. In this post, we’ll explain how you can use this right with Honey.

And if you feel Honey violated your rights after inspecting the data they have stored on you and you want to file a complaint with the data protection authorities, we’ll explain how that works at the end of the article.

How can I request my data?

We have already prepared the necessary request that you can use to demand a copy of your data from Honey Science LLC. The exact steps you need to take depend on whether you have used Honey with or without an account. We have prepared a form that generates the request email for both cases.

Afterwards, you can send this email using your own email program or webmailer. This way, everything you type into this page stays locally on your device. That means, we will never see your data.

Honey has a month to answer your request after you sent the email. They can extend that deadline by another two months if they have good reasons, but they have to tell you that within the first month. If you decide that Honey shouldn’t keep your data after receiving their response, you can additionally use your right to be forgotten and make a request to demand the immediate deletion of your data. You can use our generator for that.

Used Honey with an account?

If you’ve used Honey with an account, you only have to enter your name, email and “Honey Gold” balance and you can already send your request via email—free of charge of course.

You can view your Honey Gold balance here.

Here would have been a tool to quickly generate a GDPR request. It only runs on your computer and is therefore completely written in JavaScript. If you want to use it, please enable JavaScript in your browser. If it still doesn't work after that, send us an email at dev@datenanfragen.de.

Used Honey without an account?

You’ve used Honey without creating an account? They have still collected your history data. To request it, you have to identify yourself with two IDs that Honey has assigned to you.

Find your two IDs

Finding the two IDs (userId and deviceId) is unfortunately a little complicated, so we’ve compiled a guide with screenshots that explains the process in detail.

We have to look into the so-called “local storage” of the Honey extension. That is a place in your browser where pages and extensions can save data. You might have heard of cookies, local storage is similar.

The process for accessing Honey’s local storage is different from browser to browser. We’ll show you how it works for both Firefox and Chrome:

🦊 Firefox

Type about:debugging into the address bar and hit Enter. You are taken to an internal Firefox page.

“This Firefox” on the “about:debugging” page is framed in red.

Click on “This Firefox”.

Back Next

A list of installed Firefox extensions on the “about:debugging” page. “Inspect” next to Honey is framed in red.

Click the “Inspect” button next to Honey. A new page called “Toolbox” opens.

Back Next

Honey’s toolbox tab is open. “Storage”, “Local Storage” and the deviceId and userId are highlighted.

Pick the tab “Storage”, then “Local Storage” on the left and finally the element that appears below, starting with moz-extension://. Now you can read and copy the deviceId and userId from the table on the right.

Back

Chrome

Type chrome://extensions into the address bar and hit Enter. You are taken to an internal Chrome page.

The “Developer mode” switch in the upper-right corner is turned on and highlighted in red.

Enable the developer mode using the switch in the upper-right corner.

Back Next

A list of installed Chrome extensions on the “chrome://extensions” page. “background page” next to Honey is framed in red.

Click on “background page” next to Honey. A new window called “DevTools” opens.

Back Next

Honey’s DevTools are opened, “Application”, “Local Storage” and the deviceId and userId are highlighted.

Click on the “Application” tab in the new “DevTools” window. You might have to resize the window to see the button. Click on “Local Storage” on the left and on the now shown element that starts with chrome-extension://. Now you can see and copy the deviceId and userId from the table on the right.

Back

Enter your name, email, and both IDs into the form below and you are ready to send your data request!

How can I file a complaint about this?

The GDPR also gives you the right to file a complaint against a company with the supervisory authorities if you believe they have violated your data protection rights. Filing a complaint is free and you can of course also do that for Honey.

A complaint can be filed informally, you don’t have to adhere to any specific guidelines. If you want to complain about Honey, your complaint should describe, if applicable, that you requested your data from Honey and that you think, after you’ve read their response, that they have violated your privacy rights. You should illustrate that with examples from Honey’s data export.
We have prepared a template that you can use as a guide.

Modify it according to your situation: Fill in the curly brackets, and check if the parts in [square brackets] are applicable to your situation (remove them otherwise). And don’t forgot to attach all referenced documents. You can (and should) of course also change any other aspects of the template to better suit your situation where necessary.

Complaint template (click here to expand)

To Whom It May Concern:

I am hereby lodging a complaint according to Article 77 GDPR against the following controller: Honey Science LLC 963 E. 4th Street Los Angeles, CA 90013 USA

I am a user of the Honey browser extension (https://www.joinhoney.com), which is run by Honey Science LLC (hereinafter: “Honey”; details taken from: https://www.joinhoney.com/privacy). [I have created an account with Honey and signed into the browser extension with that.] [I have used the browser extension without creating an account.]

On enter the date of your access request here, I sent an access request according to Art. 15 GDPR to privacy@joinhoney.com (the privacy contact listed in the privacy policy: https://www.joinhoney.com/privacy).

Honey provided me with my data on enter the date of Honey’s reply here. I was sent, among other files, a “PageViews.csv” file, which lists pages I have visited with my browser. In total, it has enter number of lines in the file here lines. As this file contains a lot of private data about me, as I am going to argue in the following, I have not attached it but will only quote parts of it. [Should you need the file for the investigation, I am however willing to provide it.]

Here are some example of lines from “PageViews.csv”:

list a few lines from the file here

Each entry contains at least the following information:

* timestamp of when I visited the respective site
* multiple unique IDs identifying myself, my session, and my device
* details about my browser
* geolocation data, probably inferred from my IP address
* the full URL of the respective page

Honey's privacy policy (https://www.joinhoney.com/privacy) says (under “What data we collect and why”):

> “Honey does not track your search engine history, emails, or your browsing on any site that is not a retail website (a site where you can shop and make a purchase). When you are on a pre-approved retail site, to help you save money, Honey will collect information about that site that lets us know which coupons and promos to find for you. […]
> Shopping and Usage Data.
> On retail sites, Honey collects the name of the retailer, page views, and in some cases, product information that allows us to track price changes and update our product catalog. […]
> […]
> What data we do not collect
> We collect information that we believe can help us save our users time and money. This does not include, and we do not collect, any information from your search engine history, emails, or from websites that are not retail sites.”

However, contrary to those statements, Honey does indeed collect data from non-“retail sites”, including for example [login pages, blog posts, order information pages, help/support pages, video streaming sites, and forums]. In my “PageViews.csv” file, they for example collected the following non-retails page visits:

list a few URLs from the file that are not from shopping sites here

According to the privacy policy (https://www.joinhoney.com/privacy), Honey wants to base this processing on Art. 6(1)(a) or (f) GDPR (“When you consent to our use of your data for a specific purpose.”, “When Honey has a legitimate interest in using that data in the normal ways you'd expect, like ensuring Honey's products run properly, improving and creating new products, historical analytics research, promoting Honey, and protecting our legal rights.”).

As far as the processing is supposedly based on Art. 6(1)(a) GDPR, I deny the existence of “freely given, specific, informed and unambiguous” (Art. 4(11) GDPR) consent by me. [I have never consent to Honey's data processing.] [After the installation of the browser extension, Honey displayed the following notice: “We’re committed to your privacy. It’s always been our mission to find you the best deals. We only collect data when you’re on shopping sites. That way, we can find you relevant coupons, share accurate pricing trends, and continue to make shopping better for our community. You can read our founders’ commitment to privacy here (https://www.joinhoney.com/privacy). You can always come back and adjust your settings at any time”. When registering for an account, I had to check “I have read and agree to the Honey Terms of Service (https://www.joinhoney.com/terms) and Privacy Policy (https://www.joinhoney.com/privacy). I understand that to continue, PayPal will share name and email address with Honey.” Thus, any supposed consent was based on incorrect statements by Honey right from the beginning (as I explained, Honey does collect data on non-shopping pages). In addition, it was not possible to complete the registration without checking the checkbox. It was thus not possible to deny consent. And finally, I was only allowed to consent to the privacy policy as a whole instead of to discrete purposes. As a result, despite Honey forcing me to click the checkbox, no valid consent came to be (cf. “Guidelines 05/2020 on consent under Regulation 2016/679” by the EDPB: https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_202005_consent_en.pdf).]

As far as the processing is supposedly based on Art. 6(1)(f) GDPR, I deny the existence of a legitimate interest by Honey that overrides my interests or fundamental rights and freedoms. Here, one has to distinguish between data on shopping sites and data on other sites. For the latter, a legitimate interest cannot possibly be assumed. This data has no relation to the Honey browser extension and it definitely wasn't forseeable for me that Honey would collect this data. [When I saw Honey's reply to my access request, I was genuinely shocked at how comprehensively and deliberately they had collected my browser history data.] For data on shopping sites, Honey might have a legitimate interest. But even here, it is questionably whether the processing is proportionate and reasonable given the vast amount of data collected and the fact that it is stored without a time limit (“Honey only [sic] retains information about you as long as you keep using Honey”, from: https://www.joinhoney.com/privacy).

I thus have to assume that Honey processed my data without a valid legal basis. That is why I am lodging this complaint with you. Please check this practice by the controller and, if necessary, to prohibit Honey from this unlawful processing. I would also ask you to consider imposing a fine. [You may pass on my data to the controller for the purpose of processing the complaint]. I have attached my described correspondence with Honey to this complaint.

If you need any more details, please feel free to contact me. You can reach me enter your contact details here.

Thanks in advance for your help.

Yours sincerely,
enter your name here

You can use this tool to find the authority responsible for you and their contact details:

Here would have been a tool to quickly find the supervisory authority responsible for you. It only runs on your computer and is therefore completely written in JavaScript. If you want to use it, please enable JavaScript in your browser. If it still doesn't work after that, send us an email at dev@datenanfragen.de.

The responsible authority will check your complaint and if they determine a misconduct on Honey’s side, they can instruct them to cease that activity or even impose a fine.

Be prepared for this process to take a while. The authorities need will need time to process your complaint, especially if the company is in another country.

Updates:

We have made the following changes to this article since the initial publication:

February 26, 2022: Restructured article and added a complaint template and reference to it.

written by Malte Wessels and Benjamin Altpeter
on 2020-11-02 at 14:43, last edited: 2022-02-26 at 19:55
licensed under: Creative Commons Attribution 4.0 International License

Photo adapted after: “Busy bees” by Boba Jaglicic (Unsplash license)