Texas Sues Netflix While New Hampshire Moves to Protect Children’s Data

Want to receive these privacy recaps in your inbox each week? Subscribe here.

The Texas Attorney General has sued Netflix for allegedly misrepresenting its data collection and advertising practices to subscribers, relying on consumer protection law rather than the state’s dedicated privacy statute. Meanwhile, New Hampshire is on the verge of banning the sale of children’s location and sensitive data entirely with no knowledge requirement, setting a stricter standard for treatment of users under 13 than federal law and most states currently demand.

Keep reading to learn more and discover my takeaways.

United states

Texas AG Sues Netflix for Deceptive Personal Data Collection

Texas Attorney General Paxton filed a lawsuit against Netflix alleging violations of the Texas Deceptive Trade Practices Act (DTPA) based on Netflix’s misrepresentations to consumers regarding its data collection practices. 

Specifically, the complaint alleges that Netflix misrepresented to paid subscribers that they would not be subject to data-driven advertising, misrepresented that children would not be subject to behavioral data collection, and misrepresented how it shares the user data it collects (by making disclosures with evasive generalities, rather than disclosing “who its identity partners are, how matching and enrichment works, what clean-room collaboration entails, which DSPs transact Netflix inventory, or why its reach metric is household-based”). The lawsuit seeks a jury trial, up to $10,000 per violation and injunctive relief.

TAKEAWAY

It’s important to note that the core theory of liability in this case is affirmative misrepresentation, not non-compliance with specific affirmative obligations. Although Texas has a comprehensive privacy law (the Texas Data Privacy and Security Act, or TDPSA), this action doesn’t include any claims under the TDPSA and instead relies solely on the DTPA. This may be partially due to the higher potential penalties permitted under the DTPA (the TDPSA only allows for fines up to $7,500 per violation) and the lack of a mandatory cure period under the DTPA (versus the 30-day period required under the TDPSA). However, the more notable takeaway is that, at least in this case, deception may be an easier, cleaner narrative than the uphill battle of fitting the case within the defined parameters of “sensitive data”, “sale” and “dark patterns” under the TDPSA. 

The Texas AG has brought enforcement actions under the TDPSA (for example, against Allstate/Arity, concerning the sale of precise geolocation data), but this case against Netflix isn’t the first time the Texas AG chose the DTPA over the TDPSA. When Texas sued General Motors for privacy violations, it similarly used the older DTPA, not the new TDPSA. California, on the other hand, used its comprehensive privacy law, the California Consumer Privacy Act (CCPA), to take action against GM regarding the same activity, enforcing the CCPA’s principles of purpose limitation and data minimization. The TDPSA doesn’t contain the same robust purpose-limitation framework though, so the Texas AG used the DTPA to fill in the gaps.The takeaway for businesses: compliance with state comprehensive privacy laws is not an airtight shield against liability. 

A company can have a technically compliant privacy notice, offer opt-out mechanisms, and satisfy every checkbox of comprehensive privacy laws, yet still face liability (potentially even higher liability, with no cure period) from regulators if its public representations about data practices do not match reality. To curb this risk, companies should run two parallel assessments: one mapping data practices against specific statutory obligations, and a second asking whether the totality of their consumer-facing representations (including privacy policies, marketing claims, product descriptions, and executive statements) accurately reflects what the company actually does with data. Although we often focus on the nuances of state comprehensive privacy laws, the latter is perhaps the more important assessment.     

NH Passes Bill Banning Sale of Certain Children’s Data, Regardless of Knowledge

New Hampshire sent HB 1460 to the governor for signature. If signed, this bill will amend New Hampshire’s existing data privacy law to explicitly prohibit the sale of “location and other sensitive data regarding children,” effective January 1, 2027.

TAKEAWAY

This is a one-line bill, but interpreting its application requires some careful reading. Under the existing law, a “child” has the same meaning as provided under the Children’s Online Privacy Protection Act (COPPA), which currently applies to children under age 13. The existing law defines “sensitive data” as [coloring added] “personal data that includes data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation or citizenship or immigration status; the processing of genetic or biometric data for the purpose of uniquely identifying an individual; personal data collected from a known child; or, precise geolocation data.” 

The bill lacks a knowledge qualifier outside of the “known child” language in the definition of “sensitive data” and does not define “location” as a standalone term separate from the definition of “precise geolocation data”. Therefore, putting this together, the bill appears to prohibit the sale of: (a) the sensitive data categories in red above, regardless of knowledge; (b) children’s “location” (undefined), regardless of knowledge; and (c) personal data collected from a known child. The fiscal notes attached to the bill state, “By prohibiting the sale of children’s location and other sensitive data regardless of knowledge or consent, the bill may change investigative patterns for the Consumer Protection and Antitrust Bureau.” This confirms the intent not to apply a knowledge qualifier to (a) and (b) but does not necessarily confirm how the amendment applies to (c) or clarify how “location” should be interpreted. 

At the very least, businesses may need to decide whether to cease selling sensitive data in red categories altogether (in addition to personal data collected from known children) or implement measures, such as age verification, to ensure that no data in a given sale belongs to a child under 13. Although the law adopts COPPA’s definition of a “child,” this new amendment creates a stricter regime than COPPA, which only applies to services directed to children under age 13 and allows for parental consent. If “location” in the new amendment is interpreted more broadly than “precise geolocation data,” that could meaningfully expand the prohibition beyond what the existing sensitive data definition covers. Businesses that currently sell non-precise location data (for example, city-level or IP-inferred location) may therefore face uncertainty about whether that data falls within the new prohibition.   

A LITTLE MORE PRIVACY, IF YOU PLEASE

• Colorado Passes Bill to Repeal and Replace Colorado AI Act
• Louisiana Legislature Passes Age Assurance Bill
• Texas AG Secures Settlement with LG Over ACR Data Collection
• Oklahoma AG Sues Temu Over Data Collection Without Consent
• Didomi releases a complimentary Forrester Report on privacy regulation and its impact on marketing
  

A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.