Texas Sues Netflix: What the Data Sharing Lawsuit Means for CCPA Compliance and US Privacy Law
In a landmark case that underscores the growing teeth of US state privacy laws, Texas Attorney General Ken Paxton has filed a lawsuit against Netflix, accusing the streaming giant of operating a 'surveillance machinery' that collects and shares user data—including viewing habits, location, and device information—with advertisers and data brokers without proper consent. The lawsuit, which seeks fines, an injunction, and a ban on autoplay for children's profiles, is a wake-up call for every digital platform handling consumer data. This article explores the legal basis under the Texas Data Privacy and Security Act (TDPSA), compares it with California's CCPA/CPRA, and offers a practical compliance roadmap for companies navigating the patchwork of US privacy law.
What the Texas Lawsuit Alleges
According to the complaint, Netflix collected vast amounts of user data—viewing history, location, device identifiers, and even data from children's profiles—and shared it with third-party advertisers and data brokers such as Experian, Acxiom, and Google Display & Video 360 for hyper-targeted advertising. The lawsuit claims Netflix's leadership made misleading statements about data collection, including CEO Reed Hastings' 2020 comment that 'we don't collect anything,' while internal engineers described Netflix as a 'logging company.' Texas is seeking civil penalties, an injunction against these practices, and a ban on autoplay for kids' profiles. Netflix denies the allegations, stating it complies with privacy laws and has transparent practices.
CCPA Compliance vs Texas Data Privacy and Security Act: Key Differences
Both the California Consumer Privacy Act (CCPA), as amended by the CPRA, and the Texas Data Privacy and Security Act (TDPSA) grant consumers rights over their personal data, but they differ in scope and enforcement. Understanding these differences is critical for any company operating across state lines.
Scope and Applicability
CCPA/CPRA applies to for-profit businesses that collect California residents' data and meet one of the following: have annual gross revenue over $25 million; buy, receive, or sell the personal information of 100,000+ consumers or households; or derive 50%+ of annual revenue from selling or sharing personal information. TDPSA applies to entities that conduct business in Texas or produce products/services consumed by Texas residents, process or engage in the sale of personal data, and are not a small business as defined by the US Small Business Administration. Notably, TDPSA has a lower revenue threshold and no 100,000-consumer alternative, potentially capturing more mid-sized companies.
Consumer Rights
Both laws grant rights to access, correct, delete, and obtain a copy of personal data. However, CCPA/CPRA provides a private right of action for data breaches (for certain categories of unencrypted information), while TDPSA does not—enforcement is solely by the Texas Attorney General. TDPSA also explicitly includes 'sensitive data' (e.g., precise geolocation, racial/ethnic origin, health data) with stricter consent requirements, similar to CPRA's 'sensitive personal information' category.
Consent and Opt-Out
Under CCPA/CPRA, consumers have the right to opt out of the 'sale' or 'sharing' of their personal information for cross-context behavioral advertising. Businesses must provide a clear 'Do Not Sell or Share My Personal Information' link. TDPSA requires controllers to obtain consumer consent before processing sensitive data and to provide a clear opt-out for the 'sale' of personal data or processing for targeted advertising. Both require businesses to honor a 'global opt-out' mechanism (e.g., the Global Privacy Control (GPC) signal).
Data Minimization and Purpose Limitation
TDPSA explicitly requires data minimization—collecting only what is 'adequate, relevant, and reasonably necessary' for the disclosed purpose. CCPA/CPRA implies minimization through purpose limitation and the requirement to notify consumers at or before collection. The Netflix lawsuit highlights alleged failures in both: Texas claims Netflix collected more data than needed and used it for undisclosed advertising purposes, in violation of data minimization and purpose limitation principles.
Implications for Streaming Services and Digital Platforms
The Netflix case is a bellwether for the streaming industry and all digital platforms that rely on behavioral advertising. Key implications include:
- Heightened Enforcement Risk: State AGs are increasingly active. Texas alone has filed multiple privacy lawsuits, and other states (California, Connecticut, Oregon) are building enforcement teams.
- Children's Data Scrutiny: The lawsuit specifically calls out Netflix's tracking of children's profiles. Companies offering content for minors must implement robust consent mechanisms and limit data collection.
- Third-Party Data Sharing: Sharing data with advertisers and data brokers (such as Experian and Acxiom) without proper notice and opt-out is a direct target. Contracts must include data processing agreements and restrictions on re-identification.
- Transparency and Public Statements: Misleading statements by executives can be used as evidence of intent. Companies must ensure public claims match actual data practices.
Compliance Checklist to Avoid a Similar Lawsuit
To mitigate risk under TDPSA, CCPA/CPRA, and other US privacy laws, organizations should implement the following steps:
- Conduct a Comprehensive Data Mapping Exercise: Identify all personal data collected, its sources, purposes, and third-party recipients. This is foundational for compliance and should be updated regularly.
- Implement Robust Consent and Opt-Out Mechanisms: Provide clear, conspicuous notices at or before data collection. Honor global opt-out signals (e.g., GPC) and maintain an accessible 'Do Not Sell or Share' link.
- Perform Vendor Due Diligence: Review contracts with all data recipients (advertisers, analytics providers, data brokers). Ensure they have appropriate data processing agreements and are contractually prohibited from re-identifying or selling data.
- Enforce Data Minimization: Collect only data necessary for the stated purpose. If you use data for advertising, ensure the collection is proportionate and disclosed.
- Implement Age-Based Protections: For services likely accessed by children under 13 (or under 16 in some states), obtain verifiable parental consent and limit data collection per COPPA and state laws.
- Establish a Privacy Governance Framework: Assign a privacy officer, conduct regular privacy impact assessments, and maintain records of processing activities.
- Monitor Regulatory Changes: US privacy law is evolving rapidly. Multi-state compliance requires tracking new laws (e.g., Colorado CPA, Connecticut CTDPA, Oregon OCPA) and amendments to existing ones.
How AIGovHub Helps with Multi-State Privacy Compliance
Managing compliance across 15+ state privacy laws (and growing) is a daunting task. Platforms like AIGovHub provide a centralized solution for tracking regulatory requirements, conducting vendor risk assessments, and automating compliance workflows. Our interactive tools—like the Privacy Impact Assessment and Policy Mapper—help organizations map data flows, identify gaps, and generate reports for auditors and regulators. With AIGovHub, you can stay ahead of enforcement actions and build a defensible privacy program.
Key Takeaways
- The Texas AG lawsuit against Netflix alleges unauthorized data collection and sharing with advertisers, violating TDPSA's data minimization, consent, and transparency requirements.
- While TDPSA and CCPA/CPRA share many similarities, differences in applicability, enforcement, and specific obligations require companies to comply with the strictest standard across states.
- Streaming services and digital platforms must prioritize data mapping, vendor due diligence, and opt-out mechanisms to avoid similar litigation.
- Proactive compliance, including using multi-state privacy tools, reduces enforcement risk and builds consumer trust.
This content is for informational purposes only and does not constitute legal advice.