

The State of Texas filed suit against Netflix, Inc. on May 11, 2026, alleging that the streaming platform promised users a private, ad-free experience while secretly building a behavioral surveillance infrastructure that fed data to advertising intermediaries and data brokers.
The Texas Attorney General alleges that Netflix marketed itself for years as a safe alternative to the data-hungry advertising model of other tech platforms.
CEO Reed Hastings and other executives repeatedly told the public and investors that the company did not collect behavioral data and had no interest in advertising.
According to the complaint, the opposite was happening internally. Netflix was logging enormous volumes of viewing behavior and sharing it with advertising partners.
When Netflix launched its ad-supported tier in 2022, it assured users that children's profiles would remain segregated from interest-based advertising. Texas alleges that was also false: children were subject to the same telemetry and behavioral logging as adult users.
Netflix allegedly opened its user data to data brokers for "enrichment" and connected with demand-side platforms for programmatic ad buying.
Advertisers could match their own customer lists against Netflix's audience using hashed identifiers through services like LiveRamp. This enabled cross-device and cross-household identity stitching, linking a viewer's Netflix behavior to their broader online profile.
The complaint also alleges Netflix used "clean rooms" to merge user identities with advertiser data, targeting ads based on intimate behavioral categories such as "life stages" and personal interests. None of these deep integrations was adequately disclosed in privacy policies.
Texas dedicates two of its five counts to children's data and addictive design.
Netflix allegedly pushed parents to create "kids profiles" by marketing them as safe spaces, while subjecting those profiles to the same data collection pipeline used for adults.
The complaint also targets the autoplay feature, which was enabled by default on all accounts, including children's profiles.
Texas characterizes autoplay as a dark pattern engineered to bypass conscious decision-making and maximize the time users spend on the platform, thereby increasing the volume of monetizable behavioral data collected.
Texas seeks civil penalties of up to $10,000 per violation of the DTPA, with an additional $250,000 per violation where the affected consumer is 65 or older. The state also seeks disgorgement of assets and injunctive relief.
The core compliance questions here are related to data lineage and consent: If your platform collects behavioral signals, where do they go? And is that data only shared with proper consent?
Netflix's alleged problem was that its disclosed promises about how data was used did not match what the system actually did.
Teams should be able to trace every data element from collection through to every downstream recipient, including enrichment partners, DSPs, and clean room integrations. If the documented data flows do not match the architecture, that gap is a liability.
Privado AI's agentic privacy platform maps data flows end-to-end, helping teams verify that what their systems actually do matches what their privacy policies and public commitments say.