Rotten Tomatoes Is Selling Your Identity: How Fandango Built a Secret Surveillance Machine Inside a Movie Review Site
Every time 37 million monthly visitors check a Tomatometer score, Fandango quietly hands their digital identities to a network of data brokers, ad-tech companies, and surveillance platforms, all without asking permission.
Fandango Media, the NBCUniversal and Warner Bros. Discovery-owned ticketing and entertainment giant, embedded hidden tracking software on RottenTomatoes.com that captures the IP addresses and device data of every visitor, then sells that information to a web of data brokers without user consent. A class action lawsuit filed January 6, 2026, alleges this conduct violates California’s most stringent privacy law and exposes millions of Californians to identity profiling, targeted surveillance, and undisclosed data commercialization.
Read on to understand exactly how the machine works, who profits from it, and what it means for everyone who has ever checked a movie score online.
You Went to Check a Movie Review. They Sold You to Advertisers.
The premise is simple and the betrayal is total. A person opens RottenTomatoes.com, one of the most visited entertainment websites in America, drawing nearly 38 million visits per month from U.S. users alone. They want to know whether a film is worth watching. Within milliseconds of that page loading, Fandango’s servers quietly install at least three surveillance trackers on the visitor’s browser. Those trackers immediately begin harvesting the visitor’s IP address, device type, browser fingerprint, and a persistent unique identifier. That data travels to Microsoft, OpenX, and PubMatic. Those companies pass it along to Magnite, ID5, Tapad, Experian, and Sovrn. Each entity adds whatever it already knows about the visitor from its own databases. The assembled profile, stripped of any anonymity, goes up for auction in a real-time bidding marketplace where companies like Nissan and UNICEF compete to reach the person who just wanted to find out if a sequel was any good.
This is the core allegation in a class action lawsuit filed January 6, 2026, in the United States District Court for the Northern District of California. Plaintiff Daniel Yee, a California resident, brings the case against Fandango Media, LLC on behalf of himself and potentially millions of fellow Californians who visited RottenTomatoes.com. The complaint runs 70 pages, includes screenshots of browser traffic showing exactly which data was captured and where it went, and grounds every allegation in the California Invasion of Privacy Act, a state law that carries $5,000 in statutory damages per violation.
The lawsuit arrives at a moment when the stakes around personal data have never been higher. 🏛️ Court documents show that Fandango has faced federal regulators before over its privacy practices. The pattern documented here is not accidental. It is a carefully constructed, highly profitable system designed to convert human attention into commercial inventory, one browser visit at a time.
Inside the Allegations: How the Tracking Machine Actually Works
When a visitor’s browser loads RottenTomatoes.com, Fandango’s server does more than deliver HTML and images. It delivers instructions to install three surveillance tools, called “trackers,” directly onto the visitor’s browser. The lawsuit identifies these as the ADNXS Tracker (operated by Microsoft), the OpenX Tracker (operated by OpenX Technologies, a registered California data broker), and the PubMatic Tracker (operated by PubMatic Inc., also a registered California data broker).
Each tracker immediately transmits the visitor’s IP address and device metadata back to its parent company. The complaint presents browser-traffic screenshots as evidence, showing, in technical detail, how Plaintiff Yee’s IP address traveled from his phone to Microsoft’s servers the moment he visited the site.
Why an IP Address Is Not “Anonymous”
The lawsuit spends considerable space explaining what an IP address actually reveals. A public IP address identifies the geographic location of a user with city- and zip-code level precision. It allows advertisers to target specific households, specific businesses, and, with help from data brokers, specific individuals. IP targeting services advertise accuracy rates above 95 percent, the complaint notes, making the collection of IP addresses one of the most potent forms of personal identification available in digital advertising.
California’s Consumer Privacy Act already classifies IP addresses as personal information, as does Europe’s GDPR. The Federal Trade Commission has explicitly stated that hashing or encoding an IP address does not make it anonymous. The complaint includes FTC documentation on this exact point, noting that “hashes aren’t ‘anonymous’ and can still be used to identify users.”
“A data broker may receive information about a user, including their IP address. The data broker can use the IP address of the home network to identify the user’s home, and append this to the unique profile it is compiling about the user.”
NATO Strategic Communications Centre of Excellence, “Data Brokers and Security” (2020)
Cookie Syncing: The Web of Shared Surveillance
Each tracker also installs a persistent cookie, a small file that lives on the visitor’s browser and carries a unique identifier. These identifiers serve one critical function: they allow otherwise siloed companies to compare notes. When Microsoft’s ADNXS tracker syncs its UUID2 identifier with PubMatic’s KADUSERCOOKIE, both companies now know they are looking at the same human being. PubMatic then syncs with ID5 Technology, Tapad (owned by Experian), and Sovrn/Lijit. Each company contributes whatever personal data it has already compiled. The result is a single, unified, comprehensive profile of the visitor, assembled from dozens of sources, attached to a real name or household, and offered to advertisers through a live auction.
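The syncing pattern described above can be spotted in a browser traffic capture by looking for an identifier that one site keeps in its own cookie and that then appears in the URL of a request to a different site. The following is an added example, not taken from the complaint or from any tracker's code; the `.example` hosts, parameter names and identifier values are constructed, and only the cookie names `uuid2` and `KADUSERCOOKIE` come from the text.

```python
"""Flag cookie syncing in captured browser traffic (all sample data is constructed)."""
from urllib.parse import unquote, urlsplit

MIN_ID_LEN = 12  # shorter cookie values would match URLs by coincidence


def site_of(url):
    """Crude site key: last two host labels (assumption; real tools use the Public Suffix List)."""
    host = urlsplit(url).hostname or ""
    return ".".join(host.split(".")[-2:])


def find_cookie_syncs(requests):
    """Return sorted (owner_site, cookie_name, receiver_site) tuples.

    A sync is reported when an identifier that one site stores in its own
    cookie appears anywhere in the URL of a request sent to another site.
    """
    # Pass 1: record which site each long cookie value belongs to.
    owners = {}
    for req in requests:
        for name, value in req.get("cookies", {}).items():
            if len(value) >= MIN_ID_LEN:
                owners.setdefault(value, (site_of(req["url"]), name))

    # Pass 2: search every URL (percent-decoded, so nested redirect
    # targets are covered) for identifiers owned by a different site.
    syncs = set()
    for req in requests:
        receiver = site_of(req["url"])
        decoded = unquote(req["url"])
        for value, (owner_site, cookie_name) in owners.items():
            if owner_site != receiver and value in decoded:
                syncs.add((owner_site, cookie_name, receiver))
    return sorted(syncs)


# Constructed capture: a page load, then tracker A redirecting to tracker B
# with A's ID in the URL, then B handing its own ID to tracker C.
SAMPLE_REQUESTS = [
    {"url": "https://www.publisher.example/m/some_movie",
     "cookies": {"session": "abc123"}},
    {"url": "https://ib.tracker-a.example/getuid?redir="
            "https%3A%2F%2Fsync.tracker-b.example%2Fmatch%3Fuid%3D%24UID",
     "cookies": {"uuid2": "4815162342108642097"}},
    {"url": "https://sync.tracker-b.example/match?uid=4815162342108642097",
     "cookies": {"KADUSERCOOKIE": "B7E2C0DE-1111-4222-8333-444455556666"}},
    {"url": "https://id.tracker-c.example/px?partner=b"
            "&puid=B7E2C0DE-1111-4222-8333-444455556666",
     "cookies": {}},
]

if __name__ == "__main__":
    for owner, cookie, receiver in find_cookie_syncs(SAMPLE_REQUESTS):
        print(f"{owner} cookie {cookie} was sent to {receiver}")
```

Each reported tuple is one edge in the sync graph: the receiving site can now map its own identifier to the owner's.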
The complaint includes a screenshot showing that Sovrn even captured a hashed version of Plaintiff Yee’s email address, running it through the MD5, SHA1, and SHA256 hash functions and sharing all three versions with its syncing partners. Fandango’s role in this chain is the originating link: it invited all of these entities onto its website, gave them access to every visitor, and pocketed the revenue the arrangement generates.
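A hashed email works as an identifier because the digest is a deterministic function of the address: anyone who holds the address can recompute it and match it. The following added example (not from the complaint or any vendor's code) runs that check over your own captured request URLs; the hosts, parameter names and email address are constructed, and trimming and lowercasing the address before hashing is an assumed normalization.

```python
"""Check captured request URLs for hashes of your own email (sample data is constructed)."""
import hashlib
import re
from urllib.parse import unquote, urlsplit

ALGORITHMS = ("md5", "sha1", "sha256")   # the three digests named in the text
HEX_RUN = re.compile(r"[0-9a-f]{32,64}")  # long hex runs: candidate digests


def email_digests(email):
    """Hex digests of the normalized address (trim + lowercase is an assumption)."""
    norm = email.strip().lower().encode("utf-8")
    return {alg: hashlib.new(alg, norm).hexdigest() for alg in ALGORITHMS}


def find_email_hashes(email, urls):
    """Return (host, algorithm) for every URL that carries a digest of `email`."""
    lookup = {digest: alg for alg, digest in email_digests(email).items()}
    hits = []
    for url in urls:
        host = urlsplit(url).hostname
        # Decode and lowercase so upper-case or percent-encoded digests still match.
        for token in HEX_RUN.findall(unquote(url).lower()):
            if token in lookup:
                hits.append((host, lookup[token]))
    return hits


def build_sample_urls():
    """Constructed capture: two sync calls carrying digests, two unrelated requests."""
    d = email_digests("MovieFan@Example.com")
    return [
        "https://www.publisher.example/m/some_movie",
        f"https://sync.tracker-c.example/usersync?hem_md5={d['md5']}&hem_sha1={d['sha1']}",
        f"https://id.tracker-d.example/match?eid={d['sha256'].upper()}",
        # A 32-hex asset fingerprint that is not an email digest: must not be flagged.
        "https://cdn.publisher.example/app.0123456789abcdef0123456789abcdef.js",
    ]


SAMPLE_URLS = build_sample_urls()

if __name__ == "__main__":
    for host, alg in find_email_hashes("moviefan@example.com", SAMPLE_URLS):
        print(f"{host} received the {alg} digest of this address")
```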
The Legal Argument: Digital Wiretapping Without a Court Order
The complaint’s legal theory rests on the California Invasion of Privacy Act, a law enacted to prevent surveillance technologies from operating without authorization. CIPA Section 638.51(a) prohibits any person from installing or using a “pen register” without first obtaining a court order. Historically, pen registers were physical devices that law enforcement used to record the numbers dialed from a specific telephone line. Courts have consistently expanded this definition as technology evolved.
The lawsuit argues that each of Fandango’s three trackers qualifies as a pen register under California law because each captures “routing, addressing, or signaling information” from visitors’ browsers, specifically IP addresses, device metadata, and unique user IDs. Multiple federal district court decisions cited in the complaint, including cases involving Fandom, the Los Angeles Times, and CNN, have applied this same logic to find that web trackers are pen registers under CIPA.
The key requirement CIPA imposes is prior consent or a court order. Fandango obtained neither. The complaint is explicit: tracking begins the instant the page loads, before any consent mechanism could even appear. “Their initial visit to the Website is automatically tracked and linked to Defendant’s dossier of Plaintiff’s and the Class Members’ browsing activity and personal information before any consent is even possible.”
Regulatory Capture and Loopholes: Why This Was Allowed to Happen
This is not the first time Fandango has faced accountability for privacy failures. In August 2014, the Federal Trade Commission sued Fandango for disabling SSL certificate verification on its mobile apps, a security protocol designed to protect sensitive personal data. The FTC alleged that Fandango’s decision left consumer credit card numbers and Social Security numbers exposed to interception by third parties.
Fandango settled that case, agreeing to implement comprehensive security programs and to refrain from misrepresenting its privacy and security practices. That settlement explicitly defined “covered information” to include IP addresses, persistent identifiers, geolocation data, and authentication credentials. More than a decade later, the company stands accused of monetizing several of those exact data types, apparently concluding that the FTC settlement’s requirements did not extend to its web-based advertising infrastructure.
The ad-tech industry grew rapidly in a regulatory vacuum. Federal privacy law in the United States remains far weaker than European equivalents. In that vacuum, practices that would require explicit user authorization under GDPR became standard features of American commercial websites. Companies like Fandango adopted the architecture not because regulators permitted it, but because no regulator effectively prohibited it, and the revenue incentive was overwhelming.
Profit-Maximization at All Costs: The Business Logic of Selling Your Identity
Why would a movie ticketing company and entertainment platform build this kind of surveillance infrastructure? The answer is straightforward: money. Fandango earns advertising revenue proportional to how precisely advertisers can target its users. The more a user can be identified and profiled, the more an advertiser will pay to reach them. Installing data broker trackers on every visitor’s browser is, from this perspective, simply a revenue optimization strategy.
The real-time bidding system makes the economics tangible. The complaint includes a screenshot showing that when Plaintiff Yee visited RottenTomatoes.com in November 2025, OpenX received competing bids from UNICEF and Nissan to display an advertisement to him based on his profile. The winning price was approximately $1.83 per thousand impressions. Multiply that across 37.9 million monthly visitors, each generating multiple auction events per visit, and the advertising revenue that flows back to Fandango becomes substantial.
Every additional data broker in the network amplifies this dynamic. When Microsoft’s ADNXS tracker syncs with PubMatic, and PubMatic syncs with Experian’s Tapad identity graph, the profile attached to each Fandango visitor grows richer. Experian’s identity graph, per the complaint, encompasses more than 250 million individuals, 126 million households, one trillion device signals, and 490 million mobile ad identifiers. A visitor who arrived only to read a movie review leaves with their browsing history, household demographics, offline purchase behaviors, device fingerprint, and hashed email address all attached to an advertiser-facing profile. Fandango profits from every dimension of that enrichment.
“Defendant’s scheme is to tie users’ browsing activity on the Website with personal information disclosed on other sites, captured by the Trackers, to sell this collated information to advertisers.”
Yee v. Fandango Media, LLC, Class Action Complaint, January 6, 2026
The Information Economy: How Data Brokers Turned Attention Into a Commodity
The complaint describes in detail what data brokers actually do with the information they receive. They do not simply record it. They aggregate it, model it, infer from it, and sell it in pre-packaged audience segments. PubMatic, for instance, sells what it calls a “Ramadan Auction Package” that targets consumers identified through browsing behavior, location data near places of worship, and demographic information suggesting observance of the holiday. The complaint offers this as a concrete illustration of how granular, sensitive, and intimate the profiling actually becomes.
ID5 Technology, another entity that syncs with Fandango’s installed trackers, recently acquired TrueData, a company whose identity graph connects individuals to their digital devices by incorporating retail transaction data, connected TV identifiers, hashed emails, mobile IDs, and other probabilistic identifiers. After the acquisition, ID5 claims the ability to recognize approximately 1.5 billion users across 665 million households. This is the company receiving data from every person who visits RottenTomatoes.com.
A NATO analysis of data broker practices, cited in the complaint, identifies the concrete harms these practices enable: unwanted and manipulative advertising, spam and phishing attacks, and the deprivation of users’ right to control who acquires their personal information. A Duke University Cyber Policy Program report documented that data brokers openly advertise data packages covering political preferences, religious affiliations, sexual orientation, immigration status, and real-time GPS location. Federal agencies including the FBI and Immigration and Customs Enforcement purchase data from these brokers without warrants or meaningful oversight.
This Is the System Working as Intended
The ad-tech ecosystem described in this complaint did not develop through corruption or criminality. It developed through rational responses to financial incentives. Publishers like Fandango receive more revenue when users are more identifiable. Data brokers become more valuable when they hold more data. Advertising platforms win more bids when they know more about each user. Every actor in the chain behaves exactly as economic incentives predict. The result is a surveillance infrastructure of extraordinary scale and intimacy, built without any individual user’s knowledge, consent, or meaningful ability to opt out. 🔍
When clearing cookies fails as a defense because trackers immediately respawn and sync to reconstruct the same profile, when “anonymous” hashed emails remain traceable to specific individuals, and when bidding systems distribute personal data to dozens of companies simultaneously even when they lose the auction, the ordinary person has no practical recourse within the current commercial internet.
The complaint highlights the FTC’s own warning that real-time bidding sends consumer data to dozens of bidders simultaneously, with “few (if any) technical controls” ensuring losing bidders do not retain that data for future use. The agency that settled with Fandango in 2014 has publicly identified the real-time bidding system as a structural privacy threat, yet the system continues to operate at billions of transactions per day.
The Real-World Danger of Comprehensive Profiling
The lawsuit does not treat privacy violations as abstract legal injuries. It points to what comprehensive profiling makes possible when that data leaves the commercial advertising context. In June 2025, court documents suggested that the gunman who assassinated a Minnesota state representative may have obtained the official’s home address from online data broker services. In the same period, California activists and lawmakers raised concerns that the Trump administration could leverage commercially assembled location data to identify and track immigration protesters.
Data that Fandango hands to its advertising partners today may reach law enforcement agencies, political operatives, hostile foreign governments, or violent individuals through the same commercial data broker ecosystem the complaint describes. The connections between the commercial data economy and these downstream harms are not speculative. They appear in court records and government documents cited in the complaint itself.
Machine learning algorithms that make “predictive” inferences from this data also raise discrimination concerns. The complaint notes findings from the Duke research showing that data-driven targeting tools risk driving up costs for insurance, housing, and essential goods for minority groups by feeding discriminatory patterns into algorithmic decision-making systems.
Legal Minimalism: Compliance as Branding
Fandango’s 2014 settlement with the FTC required the company to establish comprehensive security programs and to refrain from misrepresenting its privacy protections. The company agreed to those terms and apparently treated them as a defined boundary around specific practices rather than as an expression of a genuine commitment to user privacy. The surveillance infrastructure operating on RottenTomatoes.com today sits, in Fandango’s apparent legal interpretation, outside those settled requirements.
This is a recognizable pattern in corporate accountability. Companies comply with the specific terms of consent decrees while continuing to develop new methods of extracting value from consumer data that fall outside the decree’s explicit language. Regulators write rules that address the abuses visible at the time of enforcement. Companies adapt. The cycle of violation, settlement, and renewed violation continues, with each iteration more technically sophisticated than the last.
The ad-tech industry has also developed its own vocabulary for sanitizing these practices. Data brokers prefer to call themselves “identity graph providers.” Surveillance tools present themselves as “identity resolution services” and “supply-side platforms.” Real-time auctions of consumer data are marketed as “programmatic advertising.” This language launders the underlying reality: companies are profiting from the systematic dismantling of consumer anonymity without permission.
Corporate Accountability Fails the Public: The $5,000 Question
CIPA provides $5,000 in statutory damages per violation. If the class is certified and Fandango is found liable, the aggregate damages across millions of California visitors could reach into the billions of dollars. That figure sounds like accountability. In practice, corporate privacy settlements frequently reduce headline figures dramatically, apply them to future compliance obligations rather than compensating actual victims, and produce injunctive relief that companies treat as permission to continue monetizing data through slightly modified technical arrangements.
Fandango’s 2014 FTC settlement did not come with monetary penalties. It produced promises of better security practices. Those promises did not prevent Fandango from building one of the more comprehensive user-surveillance systems documented in recent California litigation. The class action mechanism, with its potential for massive aggregate liability, represents the most credible financial deterrent available to consumers under current law. Whether courts apply it with sufficient force to change corporate behavior remains the central question this case raises.
Global Parallels: America Is the Exception, Not the Standard
The practices Fandango stands accused of would face substantially stricter legal constraints in other jurisdictions. Under Europe’s General Data Protection Regulation, IP addresses are classified as personal data, and collecting or processing them requires a specific lawful basis, which typically means explicit user consent. European regulators have levied substantial fines against companies for GDPR violations involving programmatic advertising and real-time bidding systems structurally identical to the one described in this complaint.
California, with CIPA and the California Consumer Privacy Act, represents the strongest American counterpart to European privacy law. The rest of the United States currently has no federal equivalent. American commercial websites routinely operate surveillance infrastructure that would be illegal in France, Germany, or Canada. The domestic ad-tech industry has spent years lobbying against federal privacy legislation that would impose national standards comparable to California’s.
Pathways for Reform: What Would Actually Protect People
The litigation points toward several structural changes that would genuinely alter the incentives driving this behavior. Federal privacy legislation establishing a strong national baseline, comparable to GDPR, would eliminate the regulatory arbitrage that currently allows companies to build surveillance systems targeting American users that they could not legally deploy in European markets. Meaningful limits on real-time bidding data distribution, addressing the FTC’s own finding that losing bidders receive and retain user data with minimal technical controls, would reduce the surveillance radius of each commercial transaction. Prohibition on selling data broker profiles to government agencies without warrants would close one of the most consequential pathways from commercial surveillance to state power.
At the individual level, browser-level tools that block third-party trackers, including privacy-focused browsers and extensions, currently provide the most effective practical defense. The complaint’s evidence demonstrates that clearing cookies provides only temporary relief, as trackers respawn on the next page load. Persistent tracker-blocking, combined with DNS-level filtering of known data broker domains, represents the most robust consumer-available countermeasure against the specific practices described here.
The case also illustrates why data broker registration requirements, currently existing in California and a small number of other states, need enforcement mechanisms with real teeth. OpenX, PubMatic, Magnite, ID5, Tapad, Experian, and Sovrn are all registered California data brokers. Registration acknowledged their status without preventing the conduct alleged here. Registration without consequential enforcement is paperwork, not protection.
Conclusion: The Human Cost of Treating People as Inventory
Daniel Yee opened RottenTomatoes.com to check a Tomatometer score. He left as a packaged commodity, his identity stitched together from browser fingerprints, IP geolocation, hashed email addresses, and inferred demographics, then auctioned to the highest bidder before the page finished loading. He did not consent. He was not informed. He had no practical ability to prevent it. And he was one of 37.9 million monthly visitors to that single website.
The lawsuit he filed is not simply a demand for $5,000 per violation. It is an argument that privacy remains a right rather than a luxury, that the ordinary act of reading a movie review should not constitute entry into a surveillance marketplace, and that companies which have already settled with the FTC over privacy violations and then continued developing new forms of the same conduct should face consequences proportionate to the scale of the harm they cause.
Fandango is owned by NBCUniversal and Warner Bros. Discovery, two of the most powerful media conglomerates in the world. Its partners in this advertising ecosystem include Microsoft, Experian, and companies that claim the ability to recognize 1.5 billion individuals globally. The resources required to maintain and defend this system vastly exceed anything available to the individuals whose identities it commodifies. That asymmetry is what makes enforcement through litigation, however imperfect, worth pursuing. The alternative is a commercial internet in which attention is universally treated as permission and anonymity becomes something only the powerful can afford. 🔒
Frivolous or Serious? A Direct Assessment of This Lawsuit’s Merits
This lawsuit is serious. The factual record, as presented in the complaint, is unusually strong. The plaintiff’s legal team presents browser traffic screenshots showing, in technical detail, the specific data transmitted from the plaintiff’s device to Microsoft, OpenX, and PubMatic. They document cookie-syncing activity connecting those trackers to Magnite, ID5, Tapad, Experian, and Sovrn. They confirm the capture of the plaintiff’s hashed email address by cross-referencing a SHA256 hash against the plaintiff’s actual address. This is not speculation; it is logged network traffic.
The legal theory rests on a California statute with clear text, a pen register prohibition applying to internet trackers, and a body of recent case law from the same federal district that has already found similar trackers to qualify as pen registers. Courts in the Northern District of California decided cases involving Fandom, Inc., the Los Angeles Times, and CNN using the same statutory framework, reaching the same conclusion about tracker classification.
Fandango’s most likely defenses, that the conduct falls outside CIPA’s scope, that consent was somehow implied by visitors’ use of the website, or that the trackers do not qualify as pen registers under California law, face substantial precedential headwinds. The company’s prior FTC settlement, which explicitly addressed IP addresses and persistent identifiers as “covered information,” strengthens the plaintiffs’ position by documenting corporate awareness of privacy obligations in this precise domain.
The class certification question represents a meaningful legal hurdle, as it does in all mass privacy litigation. But the common factual core, the same trackers operated by the same companies on the same website affecting all California visitors identically, presents a strong case for certification. This lawsuit warrants serious attention from Fandango, its corporate parents, and from other commercial websites operating equivalent advertising infrastructure.
Fandango installed hidden tracking software on RottenTomatoes.com that automatically harvested the IP address, device information, and a unique persistent identifier from every visitor. That data was sent to a network of data broker companies, which used it to build comprehensive profiles of each visitor and then auctioned those profiles to advertisers. Fandango never asked for user permission and never obtained a court order, both of which California law requires for this type of tracking.
An IP address reveals your approximate physical location, identifies your household or workplace, and, when combined with device metadata, makes it possible to distinguish you from others sharing the same network. Data brokers attach IP addresses to comprehensive profiles containing your demographics, purchase history, political preferences, and inferred characteristics. IP targeting technology advertises accuracy rates above 95 percent for reaching specific households with advertising. California and European law both classify IP addresses as personal information for exactly these reasons.
Only temporarily. The complaint explains that each time a user clears cookies and returns to RottenTomatoes.com, the tracking process restarts immediately: new trackers install, new cookies are set, and cookie-syncing reconnects the new identifiers to the user’s pre-existing data broker profiles via IP address matching and device fingerprinting. Clearing cookies does not eliminate the tracking; it only briefly disrupts one mechanism before the others rebuild the profile.
The complaint alleges civil violations of the California Invasion of Privacy Act, not criminal conduct. CIPA is both a civil and criminal statute, but this lawsuit seeks civil remedies: $5,000 per violation, injunctive relief, and restitution. The FTC settlement from 2014 was also civil in nature. Whether criminal enforcement is ever pursued depends on prosecutorial decisions outside the scope of this case.
Install a privacy-focused browser extension such as uBlock Origin or Privacy Badger, which blocks known third-party tracking scripts including those operated by Microsoft Advertising, OpenX, and PubMatic. Consider using a browser like Firefox or Brave with enhanced tracking protection enabled by default. DNS-level blocking through services like NextDNS or Pi-hole can prevent tracker connections at the network level. Contact your state and federal representatives to support comprehensive privacy legislation that requires explicit opt-in consent for this type of data collection. If you are a California resident who visited RottenTomatoes.com, you may be a member of the putative class in this lawsuit; legal information about the case is publicly available through the court filing record at Case 4:26-cv-00141 in the Northern District of California.
Microsoft (ADNXS Tracker), OpenX Technologies, PubMatic, Magnite, ID5 Technology, Tapad (owned by Experian), and Sovrn/Lijit are all named as recipients of Fandango user data. All seven are registered data brokers in California, and their trackers appear not just on RottenTomatoes.com but across thousands of commercial websites. The specific conduct alleged here, cookie-syncing across a network of data brokers to build de-anonymized user profiles for real-time ad auctions, is a standard feature of commercial internet advertising. Fandango is among thousands of publishers that deploy this architecture.