What happened
Texas Attorney General Ken Paxton filed a lawsuit against Netflix on Monday, alleging the streaming company collected and shared subscriber data with advertisers and data brokers without user consent, in violation of Texas privacy law. The lawsuit accuses Netflix of operating what it describes as a surveillance machinery while publicly asserting to users and investors that it does not collect or sell data.
The complaint alleges that Netflix collects approximately 5 petabytes of user behavior logs daily, tracking what users click, how long they watch, what they replay or skip, their location data derived from IP addresses, their device information, household network details, and application usage. This data is then merged with user demographics to build granular audience segments for hyper-targeted advertising, according to the lawsuit. Netflix allegedly shares this data with third-party advertisers, data brokers Experian and Acxiom, and ad tech platforms including Google Display and Video 360, allowing that data to be combined with information those third parties have independently collected.
The lawsuit cites internal contradictions between Netflix’s public statements and its engineering practices. During a 2020 earnings call, then-CEO Reed Hastings told investors the company does not collect anything and is not involved in advertising controversy. Meanwhile, the complaint references a 2016 conference presentation by a Netflix engineer describing the company as a logging company that occasionally streams movies. Netflix’s privacy policy was updated in 2024 following findings by Dutch regulators that the company failed to properly inform consumers about its data practices, but the lawsuit characterizes the updated policy as vague, deceptive, and incomplete.
The lawsuit also specifically alleges that Netflix aggressively collects behavioral data from children’s profiles despite marketing them to parents as a safe area for kids under 12. Texas is seeking fines, an injunction preventing the alleged practices, and a court order requiring Netflix to disable autoplay by default on children’s profiles.
Who is affected
Netflix subscribers in Texas are the primary affected population named in the lawsuit, though the data practices described extend to the company’s broader user base. Parents who created children’s profiles under the assumption they were protected from data collection face a specific category of potential harm given the allegations around kids’ behavioral data.
Why CISOs should care
The Netflix lawsuit is the latest in an accelerating pattern of state-level enforcement actions targeting data collection practices that exceed what users were told at the point of consent. Texas, California, and other states are actively pursuing cases where the gap between a company’s privacy policy representations and its actual data engineering is demonstrably large. For security and privacy leaders, the contradiction at the center of this case, where public statements to users and investors diverged sharply from engineering reality, is a governance risk that compliance programs need to actively audit for.
The children’s data angle also has direct implications for any organization operating platforms or services with minor users, where behavioral data collection practices are subject to heightened legal scrutiny under COPPA and equivalent state laws.
3 practical actions
Audit your organization’s data collection practices against what your privacy policy actually discloses: The Texas lawsuit centers on the gap between what Netflix told users and what it was actually doing. Conduct a structured comparison of your current data collection, processing, and sharing practices against the representations in your privacy policy and investor communications, and remediate discrepancies before they become regulatory exposure.
Review behavioral data collection on any platform features used by minors: The children’s profile allegations illustrate that marketing a product as child-safe while collecting behavioral data creates significant legal risk under state and federal children’s privacy laws. If your platform has features used by or marketed to minors, ensure data collection practices meet the higher consent and protection standards those users require.
Document data sharing relationships with third-party advertisers and data brokers comprehensively: The lawsuit specifically names the third parties receiving Netflix data. Maintain a current inventory of all data sharing arrangements, confirm that each is disclosed in your privacy policy, and verify that the purposes for which data is shared are consistent with the consent obtained from users at collection.
