Texas's Netflix Suit Lists LiveRamp, DV360, and Amazon DSP by Name
Texas Attorney General Ken Paxton filed a 59-page petition against Netflix on May 11, 2026, naming LiveRamp, Google DV360, The Trade Desk, Magnite, Yahoo DSP, and Amazon DSP as the programmatic partners Netflix allegedly fed unconsented behavioral data into. The state is seeking $10,000 per violation under the Texas Deceptive Trade Practices Act, plus a court order disabling autoplay by default on children's profiles. Any CTV buyer activating audiences through those platforms is now sitting on top of named exhibits.
Most of the press coverage led with the autoplay-as-dark-pattern angle, because it makes a cleaner headline and the press release from Paxton's office teed it up that way. That's fine if you're a parent. If you're someone buying CTV inventory, the more interesting read is the second half of the petition, where the state lists exactly which adtech vendors Netflix activated, in what order, and starting when.
The petition names every pipe, not just the platform
The filing walks through Netflix's programmatic stack like a timeline. DV360, Trade Desk, and Magnite opened up in May 2024. Yahoo DSP joined in June 2025. Amazon DSP came online in September 2025. LiveRamp is named as the first-party customer list matcher across the whole thing. The petition also references over 4,000 active advertisers on Netflix's ad tier and "targeting across more than 100 interests in over 17 categories."
You don't usually see a state AG bother to list every DSP and identity vendor in a petition unless it's setting up something downstream. This reads less like a single-defendant suit and more like a discovery roadmap. Any buyer who shipped a LiveRamp audience to Netflix, or built a DV360 deal on Netflix inventory targeting Texas households, just had the configuration of that activation become potentially responsive to a state subpoena.
I think most CTV buyers are still treating this as a Netflix problem. From what I've seen, the petitions that name vendor names rarely stay narrow for long. Netflix's ad business is on pace for $3B annually, and the petition cites that number directly. The state is not pretending this is a small case.
$10,000 per violation is the boring number
The DTPA caps civil penalties at $10,000 per violation, and the press coverage keeps quoting that figure. It's the wrong number to anchor on. The bigger one is in the same filing: Netflix collects, per a venture capitalist quoted in the petition who was apparently briefed by Netflix as a client, 160,000 unique data points every 30 seconds as content plays. Netflix's daily processing volume is described as roughly 5 petabytes of user-behavior logs.
You can do the arithmetic on what "per violation" looks like if even a sliver of those events is counted as a separate deceptive act. Texas does not have to win on that math. They just have to make it the bar Netflix is settling against. The state's prior privacy work is the relevant precedent here: in October 2025, Texas settled a privacy and biometric case with Google for $1.375 billion, the largest state-AG privacy recovery against Google to date. The template is set and the state has shown what it considers a fair number.
The COPPA-shaped overhang under the DTPA frame
Texas filed under the DTPA, not under COPPA, and a lot of the legal commentary I've read treated that as a weakness. I'd read it the other way. The DTPA gets the state into Collin County district court with a friendly venue and a five-count complaint. The COPPA-style facts (behavioral profiles built from kids' profiles, autoplay engineered to extend sessions, data shared with brokers like Experian and Acxiom) sit underneath as the press hook and the political cover.
The risk that travels back to advertisers is the same either way. If a CTV audience you activated through DV360 was modeled on segments that included data from kids' profiles, the buyer-side exposure does not turn on whether Texas wins a federal COPPA argument. It turns on whether the audience activation itself was a deceptive act under state consumer protection law. That's a much harder fact pattern to win on a motion to dismiss than a pure COPPA fight, which is probably why the state framed it this way.
Anyway. The Dutch DPA already fined Netflix 4.75 million euros in 2024 on related disclosure facts, which means the state didn't have to invent the underlying story. They just have to be Texas in 2026, with a $1.375B Google check on the wall.
What CTV buyers should pull this week
Three concrete things, all doable in an afternoon if your data team is responsive.
First, pull a list of every LiveRamp distribution you sent to Netflix in the last twelve months. The DTPA's lookback runs longer than that, but twelve months is the practical window most of these audiences were refreshed in. For each one, find the consent capture mechanism on the source list. If the consent flow doesn't explicitly cover CTV activation through a Netflix-linked DSP, flag that audience. Some of them will be fine. Some will not.
Second, audit your DV360 and Amazon DSP deal IDs that include Netflix inventory and check the targeting layers. If any of them include household-graph or device-graph segments that could intersect a children's profile (and most household graphs implicitly do, because they don't distinguish profiles within a household), make a decision about whether to keep them on. A reasonable defensive move is to add a profile-exclusion layer or shift to contextual-only on Netflix inventory until the case clears its first procedural hurdle.
Third, document the decision. Not for the agency, for the brand-side legal team that will eventually ask. The thing that turns a state AG inquiry from a procurement nuisance into a real problem is the absence of any contemporaneous record showing the buyer thought about the issue. A one-page memo with what you audited, what you found, and what you changed is roughly the minimum bar.
None of this is a heavy lift. The lift is getting it onto someone's quarter when nobody is reading the petition.
The state AG layer is the new ad-tech regulator
This is at least the second state-level privacy action this month with adtech vendors at the center of the fact pattern. The earlier complaint, over third-party pixel data transfers on a major AI platform, followed a similar template: a company publicly promising privacy, quietly running third-party adtech tags, then getting it back as a deception count. The Texas Netflix complaint follows the same template, with a tighter list of named vendors and a longer rap sheet of public statements to use as deception evidence. The pattern lines up with what European DPAs were doing two years ago, and US state AGs are now catching up on the playbook. Recent Netflix-specific moves like the May 18 Amazon DSP integration on Netflix UK shopper data make the named-vendor structure of the petition feel less like a fishing expedition and more like a map.
I think we're at the point where state AGs have noticed something the FTC never quite committed to: adtech vendor names are leverage. Naming LiveRamp, DV360, Trade Desk, Magnite, Yahoo DSP, and Amazon DSP by name in a petition does two things that a generic "third-party advertising partners" reference does not. It gives the press a list to call for comment, and it gives every other state AG a ready-made list of subpoena targets. Both of those compound.
If you're a CMO setting a 2026 privacy posture, the operating assumption should not be "the FTC will eventually publish rules." It should be "at least one of my five biggest media partners is going to get named in a state-AG petition this year, and my brand will be one or two layers down in the discovery." That changes how you write the contracts, how you build audience activation flows, and how much you care about consent capture on inputs. Not radically. Just enough.
Personally, I wouldn't wait for a second Texas suit to figure out which audit your CTV media plan can survive.
