Texas Attorney General Ken Paxton this week sued Netflix, Inc. in Collin County district court, alleging that the streaming company spent years secretly collecting billions of behavioral data points from its subscribers - including children - and sharing that data with commercial data brokers and advertising technology companies, all while publicly promising it would never do so.

The lawsuit, filed on May 11, 2026, brings five counts against Netflix under the Texas Deceptive Trade Practices Act (DTPA). The state is seeking civil penalties of up to $10,000 per violation, disgorgement of assets, permanent injunctions, and a court order requiring Netflix to disable its autoplay feature by default on children's profiles.

A company built on contradicted promises

The petition, which runs to 59 pages, builds its case on a documented record of statements Netflix made at the highest levels of the company between 2015 and 2022. Those statements, according to the filing, created a clear expectation among consumers that paying for Netflix was a way to escape the behavioral surveillance practices of advertising-driven platforms.

In 2015, Netflix CEO Reed Hastings publicly declared "no advertising coming onto Netflix. Period." In a January 2016 shareholder letter, Hastings confirmed the business model was "not dependent on advertising or affiliate fees." During a January 2018 earnings call, he told the public that not having advertising "is a core differentiator" and described it as "what our brand is about."

The contrast messaging went further. According to the petition, Hastings in a 2019 interview stated that Netflix does not "have any advertising, so we don't sell any data" and added: "We don't import any data, so we're completely secure, isolated." The following year he reiterated: "We buy no data. We don't sell any data. We are a complete, isolated data island."

Netflix VP of Product Development Todd Yellin reinforced that positioning in a 2016 interview. According to the petition, Yellin described companies like Google and Facebook as "serving two masters - you're serving the consumer and you're serving the advertiser" and framed that divided loyalty as a conflict. At Netflix, Yellin explained, "we have one purpose for this data and that's to make each individual member's experience better. There are no advertisers. We're only subscription."

These were not offhand remarks. They appeared in shareholder communications, earnings calls, product design, and everyday user interactions - a consistent, multi-year campaign to position Netflix as different from the rest of the industry.

The surveillance infrastructure

Behind those promises, the petition alleges, Netflix was constructing a data-collection system of considerable scale. The filing cites statements Netflix engineers made at industry conferences and in company blog posts - material that, according to the state, was candid with a technical audience in a way it never was with ordinary subscribers.

In a 2013 blog post on Netflix's engineering blog, according to the petition, the company described its goal for interface applications on "Smart TVs, tablets, game consoles" to "not only deliver a delightful user experience but also collect as many user events as possible." A Netflix engineer presenting at an AWS conference in 2015 described the company internally as "really a logging company... a logging company that occasionally streams movies. And this is true."

What the company logged was granular. The petition details the categories of behavioral data collected: the day and time a user watched content; their location; the device in use; what they searched and how many times; whether and when they paused, rewound, rewatched or fast-forwarded; screenshots of the moment they paused a show; content abandonment times; how they browsed and scrolled; whether they finished a series and how long it took; and how they rated content.

By 2015, according to the petition, Netflix was ingesting more than 550 billion events per day, reaching peaks of 8.5 million events and 21 gigabytes per second. One petabyte - the daily data volume Netflix was processing - is equal to hundreds of thousands of high-definition movies. The company built its own internal pipeline for this data, which it called Suro, developed in 2014. Suro is an open-source, distributed system designed to collect, aggregate, and dispatch high-volume application events and log data.

That infrastructure has grown since. The petition states that Netflix currently collects roughly 5 petabytes of user-behavior logs per day, processes over 10 million events per second, and feeds those signals into more than 40,000 internal microservices. A venture capital firm CEO cited in the petition, described as a Netflix client, disclosed publicly that Netflix collects 160,000 unique data points every 30 seconds as content plays.

The data, according to the petition, trains proprietary AI and builds what Netflix describes internally as profiles "far more detailed than the personas created through conventional marketing." Netflix scrolling behavior alone - the direction and speed of navigation - is treated as "valuable information," according to its own engineering documentation cited in the filing.

Children's profiles and what the state calls a deception by omission

A substantial part of the lawsuit concerns children. Netflix has long marketed its kids profiles as "a safe area" for users aged 12 and under. During account setup, the platform steers parents toward creating kids profiles, describing itself as "Great for kids." From at least 2022 onward, Netflix has stated in its Help Center that "no behavioral advertising" occurs on kids profiles - and, the petition notes, uses that claim to withhold the behavioral-ads opt-out option from those profiles entirely.

The state argues this framing is a deception by omission. Netflix may not show targeted ads to children, but according to the petition, it collects the same behavioral telemetry from children's viewing activity that it collects from adults - play, pause, rewind, search queries, device signals, location data, abandonment timestamps. Parents are never told this. The company's assurance that it does not engage in "behavioral advertising" on kids profiles does not address behavioral data collection, and parents reading those disclosures would not understand the distinction.

"Netflix's child surveillance is hidden behind a smokescreen about interest-based advertising," the petition states. The company, according to the filing, "insists in its Help Center that 'no behavioral advertising' occurs on kids profiles and, using that claim, simply withholds the behavioral-ads opt-out entirely. But Netflix's disclosure is misleading because behavioral ads don't happen without behavioral data - and collecting that data is exactly what parents are concerned about."

According to the petition, Netflix VP Max Schmeiser has described the company's telemetry and logging systems as designed for "generating rich insights" - systems the filing says apply equally to children's accounts.

Autoplay features on kids profiles compound the concern. The petition describes autoplay as a dark pattern - a design feature engineered to eliminate natural stopping cues and maximize continuous viewing. Netflix's autoplay has been enabled by default on all profiles, including kids profiles, and the option to disable preview autoplay was not even available until 2020. Researchers cited in the petition link autoplay to increased viewing time and reduced user autonomy, with particular effects on minors whose prefrontal cortex - the region responsible for impulse control - is still developing.

The pivot to advertising and what followed

The financial context is significant. According to the petition, Netflix's annual revenue climbed from roughly $15 billion in 2018 to over $50 billion by 2026, while paid memberships nearly tripled from approximately 130 million to over 300 million. In 2022, Netflix launched an ad-supported subscription tier - completing the pivot its executives had publicly dismissed for years.

What followed that pivot is detailed in the petition's most technically specific section. Netflix partnered with LiveRampto allow advertisers to match their first-party customer lists against Netflix's audience data. It opened third-party data access to Experian and Acxiom - commercial data brokers with no inherent connection to streaming entertainment. Netflix also built a clean-room infrastructure, enabling advertisers and the platform to collaborate on data matching, audience planning, and measurement in what Netflix describes as a "private, secure environment."

The programmatic pipes opened up further. In May 2024, Netflix expanded programmatic buying through Google's Display & Video 360 and The Trade DeskYahoo DSP was added as the fourth global programmatic partner in June 2025By September 2025, Netflix added Amazon DSP, giving buyers direct programmatic access to Netflix inventory. Netflix's Q3 2025 results showed advertising revenue reaching $11.5 billion, with the company recording its strongest advertising quarter to date.

The petition is direct about what these partnerships mean. Programmatic DSPs are not simple ad delivery tools - they are identity and measurement hubs that link audiences across connected TV, apps, and the web. Netflix, the state argues, does not just show ads. It routes subscribers' viewing-based identity signals into the central infrastructure of digital advertising. "This architecture is built to join data from all corners of the internet," the petition states. "It allows Netflix and its partners to compare notes on you - to join and enrich their data to better target you with ads."

For advertisers, Netflix now offers targeting across more than 100 interests in over 17 categories, including life stages and what the company describes as "viewing behaviors tied to consumer brand perceptions." Netflix also changed its audience measurement methodology to Monthly Active Viewers, a household-level metric derived from first-party research - a detail it discloses to advertisers but does not explain in its consumer-facing privacy policy, according to the petition.

The Dutch DPA finding and the privacy disclosure record

The Texas lawsuit is not the first regulatory proceeding to find shortcomings in Netflix's privacy disclosures. In December 2024, the Dutch Data Protection Authority imposed a 4.75 million euro fine on Netflix for failing to adequately inform customers about how their personal data was processed during the 2018-2020 period. The Dutch DPA determined that Netflix's responses to user data access requests often directed users to general privacy policies rather than providing specific information.

The Texas petition incorporates that finding directly. The state argues that the transparency failures identified in the Netherlands reflect the same pattern Texans experienced across the full timeline of Netflix's data practices - selective candor with engineers and advertisers, systematic vagueness with subscribers.

The petition traces the evolution of Netflix's privacy disclosures year by year. Through approximately January 2020, privacy policies used vague categories such as "information you provide," "information we collect automatically," and "information from partners" without specifics. Netflix did not disclose until 2020 that it collects data from other devices on a user's home Wi-Fi network.

A 2022 privacy update acknowledged the ad-supported tier and introduced high-level advertising terms, but according to the petition, omitted the scope of first-party behavioral logging and the identity of third parties receiving that data. It was not until April 2024 - following the Dutch investigation - that Netflix's privacy policy named specific event types such as "playback events (play, pause)," "app clicks," "text input," and "time and duration." Even then, the petition argues, the disclosures failed to explain who receives the data, how identity matching works, what happens in clean rooms, or how household-level projections are used.

By April 2025, Netflix's privacy statement decoupled ad-related data processing from the ad-supported subscription tier, a change the petition describes as implying - without stating openly - that behavioral data from all subscribers, not only ad-tier subscribers, feeds the company's advertising systems.

The action is brought under Section 17.47 of the Texas Deceptive Trade Practices-Consumer Protection Act. Netflix is incorporated in Delaware with its principal place of business in Los Gatos, California, but is registered to conduct business in Texas as a foreign for-profit corporation. The petition notes Netflix maintains a physical presence in Texas through Netflix House Dallas, a 107,000-square-foot entertainment venue at Galleria Dallas, which employs approximately 300 people. Netflix also maintains physical server hardware in Texas through its "Open Connect" content delivery network, placing servers directly with internet service providers in Texas facilities.

The petition estimates Netflix earns approximately $1.5 billion or more in annual revenue from Texas, based on Texas's proportionate share of U.S. subscribers and Netflix's reported $39 billion in global revenue for 2024.

The state seeks five categories of relief: civil penalties of up to $10,000 per violation; disgorgement of assets; a requirement to purge all data deceptively collected from Texas consumers; an injunction barring Netflix from collecting or sharing user data without clear disclosure and express consent; an order disabling autoplay by default on kids profiles; and a prohibition on clean-room data collaboration involving Texas consumers without adequate disclosure. The state also demands that Netflix not use consumer data for targeted advertising directed at Texans without obtaining users' express, informed consent in advance.

The case is filed in Collin County, Texas, where the petition states all or a substantial part of the events giving rise to the claims occurred. A jury trial is demanded.

Why this matters for the marketing community

For the marketing and advertising technology industry, the Texas lawsuit arrives at a moment when the infrastructure it describes is commercially central. Netflix's Q1 2026 results showed revenue of $12.25 billion, with the advertising business on course to reach approximately $3 billion annually. The platform now has over 4,000 active advertisers. Programmatic buyers access Netflix inventory through The Trade Desk, Google DV360, Yahoo DSP, Amazon DSP, Magnite, and Microsoft.

The petition specifically names Google Display & Video 360 and The Trade Desk as platforms through which Netflix has opened programmatic access to its inventory - platforms that are central to the media buying operations of most large advertisers. Google's integration of affinity audiences for Netflix campaigns via DV360 is among the specific integrations now potentially touched by the legal proceedings.

The lawsuit also raises questions about first-party data matching practices that have become standard across the CTV industry. The Texas petition's description of LiveRamp-based identity matching and clean-room data collaboration is not specific to Netflix - these are industry-wide mechanisms. A finding that such practices violate state consumer protection law when not adequately disclosed to subscribers could carry implications beyond this single case.

The state enforcement record in Texas has precedent. Texas secured a $1.375 billion settlement from Google in October 2025 for allegations of unlawful location tracking and biometric data collection - the highest recovery obtained by any state attorney general for privacy law enforcement against Google. The scale of potential civil penalties in a per-violation DTPA action against Netflix, depending on how violations are counted, could be significant given the number of Texas subscribers involved.

The proceedings are at the petition stage. Netflix has not yet responded publicly to the lawsuit.

Timeline

  • April 1, 2016 - Netflix VP of Product Development Todd Yellin, speaking at a Big Think event, describes the company's data approach and contrasts it with advertising-driven platforms like Google and Facebook, framing dual service of consumer and advertiser as a "conflict."
  • 2016 - Netflix engineer Peter Bakas presents at AWS re:Invent, describing the company internally as "a logging company that occasionally streams movies," and disclosing that Netflix handles data streams of up to 8 million events per second.
  • July 2019 - Netflix CEO Reed Hastings, in a shareholder letter, assures investors and the public that any suggestion Netflix might move into selling advertising "is false."
  • January 2020 - On a Q4 2019 earnings call, Hastings states: "We don't collect anything. We're really focused on just making our members happy, and we're not tied up with all that controversy around advertising."
  • January 2019 - Privacy advocacy group noyb files complaints about Netflix data practices with Austrian and Dutch data protection authorities. (Source: Dutch DPA investigation, cited in Netflix fine coverage)
  • November 2022 - Netflix launches its ad-supported subscription tier, beginning its formal entry into digital advertising.
  • May 2024 - Netflix opens ad inventory to The Trade Desk, Google DV360, and Magnite as programmatic partners.
  • December 18, 2024 - The Dutch Data Protection Authority imposes a 4.75 million euro fine on Netflix for failing to properly inform customers about data processing during 2018-2020. (PPC Land coverage)
  • June 16, 2025 - Netflix adds Yahoo DSP as its fourth global programmatic advertising partner.
  • September 10, 2025 - Netflix announces programmatic buying partnership with Amazon DSP.
  • October 2025 - Netflix reports Q3 2025 revenue of $11.51 billion, with advertising recording its strongest quarterly performance to date.
  • October 31, 2025 - Texas AG Ken Paxton secures $1.375 billion settlement from Google for privacy violations - the largest such recovery by a single state attorney general.
  • April 16, 2026 - Netflix reports Q1 2026 revenue of $12.25 billion; advertising revenue on track to roughly double year over year to approximately $3 billion.
  • May 11, 2026 - Texas Attorney General Ken Paxton files suit against Netflix in Collin County district court, alleging violations of the Texas Deceptive Trade Practices Act related to undisclosed behavioral data collection, data sharing with ad tech companies, misleading representations about children's profiles, and addictive platform design.

Summary

Who: Texas Attorney General Ken Paxton, on behalf of the State of Texas, filed suit against Netflix, Inc. (a Delaware corporation headquartered in Los Gatos, California).

What: The lawsuit alleges that Netflix violated the Texas Deceptive Trade Practices Act by secretly building a large-scale behavioral surveillance infrastructure while publicly promising it would not collect or share user data for advertising purposes. Specific allegations include: misrepresenting that paid subscriptions shield users from data-driven advertising; collecting behavioral data from children on kids profiles while claiming such profiles are safe from tracking; sharing user data with data brokers (Experian, Acxiom) and ad tech platforms (Google DV360, The Trade Desk, LiveRamp) without adequate disclosure; and using dark patterns including autoplay to addict users to the platform and extend viewing sessions to maximize data collection.

When: The petition was filed on May 11, 2026. The underlying conduct spans from approximately 2015 - when Netflix executives began making explicit anti-advertising statements - through 2026.

Where: The case was filed in Collin County, Texas, where Netflix conducts business and where the state alleges the relevant consumer transactions occurred. Netflix maintains physical infrastructure in Texas including Netflix House Dallas, a 107,000-square-foot venue in Galleria Dallas, and content delivery servers placed with Texas internet service providers.

Why: The state argues that Netflix built subscriber trust and a subscriber base of millions of Texans by positioning itself as an advertising-free alternative to data-driven platforms, then systematically constructed the very surveillance and advertising infrastructure it had publicly condemned. The Texas DTPA authorizes civil penalties of up to $10,000 per violation and injunctive relief. The state argues proceedings are in the public interest given the number of Texas consumers affected, including children.

Share this article
The link has been copied!