Intellectual Property & Technology

On May 11, 2026, the Office of the Texas Attorney General (AG) filed a 59-page petition in Collin County District Court against Netflix, Inc., alleging that the company spent years assuring consumers it was an ad-free, privacy-respecting alternative to Big Tech while quietly constructing one of the most sophisticated behavioral surveillance systems in the world. Netflix’s CEO told investors in 2019 they could “be confident” the company would never move into advertising. By 2022, Netflix had launched an ad-supported tier powered by the very data it swore it wasn’t collecting. Netflix generated approximately $39 billion in global revenue in 2024. Texas is seeking injunctive relief, civil penalties, and consumer redress.

The facts in the petition read like a textbook privacy case: mass collection of behavioral data, deceptive privacy disclosures, undisclosed surveillance of children, data sharing with brokers like Experian and Acxiom, and a product design philosophy explicitly aimed at keeping users glued to screens so Netflix could harvest more of their information. Netflix internally described itself as “a logging company that occasionally streams movies.” It was collecting 5 petabytes of user-behavior data per day.

Not a single privacy law was cited. The entire case rests on the Texas Deceptive Trade Practices Act (DTPA), a statute designed to police false and misleading commercial representations. Texas’s theory is simple: Netflix told consumers one thing and did another, and that gap is a deceptive trade practice. The legal framework has less to do with data rights and more to do with whether a company’s public statements were true.

This matters more than it might seem.

Over the past several years, the Consumer Protection Division of the Texas AG has evolved into something far closer to a mini-FTC than a traditional state enforcement group. It has pursued aggressive, high-profile actions against major technology companies using consumer protection theory rather than sector-specific regulation. That approach gives the office substantial flexibility. The DTPA does not require the AG to notify a company of its investigation before filing suit. There is no cure period. There is no pre-suit demand letter requirement. Texas files, and you respond.

Other state AG offices tend to announce investigations, issue civil investigative demands, and give companies an extended opportunity to negotiate before litigation begins. The Texas AG is increasingly comfortable skipping those steps entirely. The Netflix petition reflects that posture.

The window between “you are under investigation” and “you are being sued” has effectively closed in Texas. Companies operating under the assumption that an AG inquiry gives them time to remediate, update disclosures, and negotiate a settlement are operating under an outdated model. In Texas, the complaint doesn’t wait.

This makes proactive compliance the only viable strategy. If your consumer-facing representations about data practices diverge from what you actually do, that gap is already a DTPA problem. Waiting for a demand letter to fix it is not a workable plan.

Texas has already pursued major enforcement actions against many of the biggest companies in the world. The large-cap targets are running out. The enforcement logic that worked against Big Tech will work just as well against a mid-size SaaS company, a regional retailer, or any business that collects behavioral data and makes public representations about how it uses that data. The Netflix action is a signal, not a ceiling. The AG’s office will move down market. We recommend treating today’s compliance posture as if that day has already arrived.