Texas Says Netflix Built a 'Surveillance Machinery.' The Numbers Back It Up.

Netflix collects 5 petabytes of behavioral data every day. Texas says that makes it a surveillance company pretending to be a streaming service.

TL;DR: On May 11, Texas Attorney General Ken Paxton sued Netflix under the Texas Deceptive Trade Practices Act, alleging the company operates a "surveillance machinery" that collects 5 petabytes of behavioral data every single day. The lawsuit says Netflix shares that data with brokers Experian and Acxiom and ad platforms including Google Display & Video 360 and The Trade Desk. It also accuses Netflix of tracking children's profiles — marketed as a "safe area" — with the same granular logging used across the rest of the platform. Netflix calls the suit "lacking merit." But the complaint quotes a Netflix engineer from 2016 describing the company as "a logging company that occasionally streams movies." That quote aged like milk.

5 Petabytes a Day. Every Day.

To understand what Netflix knows about you, start with the scale.

According to the Texas complaint, Netflix collects roughly 5 petabytes of user-behavior logs every day [1]. That's 5 million gigabytes. Every 24 hours. The system processes more than 10 million events per second across 40,000+ internal "microservices" [2].

What's in those logs? Everything. Every play, pause, rewind, fast-forward, and skip. Every search query. How long you hover over a thumbnail before clicking. How long you watch before quitting. What time of day you watch. What device you're on. Your IP-derived location. Your household network configuration [1][3].

Netflix doesn't just know what you watched. It knows how you watched it. It knows you hesitated on that true crime documentary at 11 PM on a Tuesday, watched 14 minutes, backed out, browsed for six minutes, then came back to it. It knows your kid replayed the same scene four times. It knows which trailer made you click and which one made you scroll past.

A Netflix engineer said the quiet part out loud at a 2016 conference: Netflix is "a logging company that occasionally streams movies" [1][3]. Six years before that conference, CEO Reed Hastings told investors "we don't collect anything" [1]. One of those statements was a lie. The other was a confession.

Where Your Data Actually Goes

Here's the part Netflix definitely doesn't mention during the "Are you still watching?" prompt.

The Texas complaint alleges Netflix shares user data with commercial data brokers Experian and Acxiom, and with ad-tech platforms including Google Display & Video 360 and The Trade Desk [1][2]. These aren't small players. Experian maintains consumer profiles on 235 million Americans. Acxiom claims data on 2.5 billion consumers worldwide.

When Netflix hands your viewing data to Experian, that data gets merged with everything else Experian already knows about you — your credit score, your purchase history, your address history, your income bracket. When it goes to Acxiom, it gets combined with data from thousands of other sources. When it hits Google DV360, it feeds the ad exchange that follows you across the internet [1].

Netflix sold itself as the anti-surveillance streaming service. Pay your monthly fee, skip the ads, avoid the tracking. That was the deal. Texas AG Ken Paxton put it plainly: "Netflix sold subscriptions as an escape from Big Tech surveillance: pay monthly, avoid tracking. Texans trusted that bargain. Netflix broke it" [2].

Then Netflix launched its ad-supported tier in November 2022. The data pipeline was already built. The brokers were already connected. All Netflix had to do was flip the switch.

The Kids Aren't Safe Either

Netflix markets its children's profiles as a "safe area" for kids 12 and under. No mature content. No targeted ads. Safe.

According to the Texas complaint, that "safe area" runs on the same telemetry and logging infrastructure as the rest of the platform [1][3]. Netflix tracks what children click, how long they watch, what they replay, what they skip, and how they navigate. The same granular behavioral logging that feeds the adult recommendation engine runs underneath the cartoon thumbnails.

The lawsuit alleges Netflix uses autoplay features designed to keep children watching — "a continuous stream of content intended to keep users, including children, watching for extended periods of time" [2]. Texas is seeking a court order to ban autoplay as the default setting on children's profiles [1].

Netflix's defense? They "take our members' privacy seriously" and have "industry-leading parental controls" [2]. But parental controls manage what kids watch. They don't control what Netflix records while kids are watching. That's the distinction Netflix would rather you not think about.

The Privacy Policy They Wrote to Hide All This

In December 2024, the Dutch Data Protection Authority fined Netflix €4.75 million for violating GDPR — specifically for failing to properly inform customers about its data collection practices [4]. The regulator found Netflix's privacy policy didn't adequately disclose the purposes and legal basis for processing personal data, or the safeguards for transferring data to third countries.

Netflix updated its privacy policy afterward. Texas says the update is still "vague, deceptive and incomplete" [1].

The complaint calls Netflix's privacy policy "feeble" — a document designed to create the appearance of transparency while obscuring the actual scope of collection [1]. Before the 2024 update, Netflix didn't even disclose that it collected playback events, app clicks, and text input as behavioral data [2]. Those are things it had been collecting for years.

This is how it works in practice: Netflix tells you it collects data to "improve your experience." It doesn't tell you it collects 5 petabytes a day, shares it with Experian and Acxiom, and pipes it into Google's ad exchange. The privacy policy is technically there. The truth is functionally hidden.

Netflix Isn't Alone — But the Scale Is

Texas is using the Deceptive Trade Practices Act, the same legal framework state AGs are deploying against tech companies nationwide. The strategy: you told consumers one thing, you did another, that's deception [1].

It fits the pattern. Disney got hit with the largest CCPA fine for fake opt-out mechanisms. California's been investigating surveillance pricing. Colorado banned surveillance pricing outright. Connecticut's SB-4 targets data brokers.

But Netflix's scale is something else. Five petabytes daily. 10 million events per second. 40,000 microservices. This isn't a company that happens to collect some data. This is a data collection company that happens to stream video. The 2016 engineer wasn't joking. He was describing the actual business model.

Texas is seeking civil penalties of up to $10,000 per violation, a court order to destroy illegally obtained data, and a ban on the collection and sharing practices described in the complaint [1][3]. Given the scale of the data collection, the per-violation math gets very large very fast.

What You Can Do Right Now

  • Review your Netflix privacy settings. Go to Account > Privacy and Data Settings. Turn off everything you can. Netflix buries these settings, but they exist
  • Disable autoplay. Account > Profile & Parental Controls > select profile > Playback Settings > uncheck "Autoplay next episode." Do this for every profile, especially children's profiles
  • Download your data. Account > Privacy and Data Settings > Download Your Personal Information. See what Netflix actually has on you. The file size alone will tell you something
  • Consider your kids' profiles. Netflix's "safe area" isn't safe from Netflix's own logging. If your children use Netflix, understand that every click, replay, and skip is being tracked and stored
  • Use a VPN. It won't stop Netflix from tracking your viewing behavior, but it prevents IP-based location logging — one less data point in the profile
  • File a complaint. If you're in Texas, you can file a consumer complaint with the Texas AG's office. Other states may follow — your complaint establishes a record

The Bottom Line

Netflix built one of the most sophisticated behavioral surveillance systems on the planet. It collects 5 petabytes of data on you every day. It shares that data with brokers who merge it with everything else they know about you. It does this to children. And it told you it was just trying to recommend better movies.

Texas called it a "surveillance machinery." The Netflix engineer called it a "logging company." Netflix calls it "lacking merit." Your viewing data is already at Experian.

References

  1. The Record — "Texas sues Netflix over alleged data practices that create 'surveillance machinery' without user consent" (May 2026)
  2. Variety — "Netflix Sued by Texas Attorney General, Who Alleges Service Is 'Spying' on Users" (May 2026)
  3. CBS Texas — "Texas AG Ken Paxton sues Netflix, claims streaming giant spied on children and illegally collected data" (May 2026)
  4. Data Privacy Manager — "Netflix Fined €4.75 Million for Data Privacy Violations by Dutch DPA" (December 2024)
  5. The Hill — "Texas AG Ken Paxton sues Netflix over alleged user data sales" (May 2026)
  6. Security Boulevard — "Texas Sues Netflix Over Alleged Unauthorized Data Collection and Sharing" (May 2026)

Published: May 14, 2026