37 Million People Trusted Rotten Tomatoes. They Were All Sold Off.
Every time you checked a movie score on Rotten Tomatoes, at least three invisible trackers captured your IP address, your device fingerprint, and your browsing identity — then sold that package to data brokers who added it to files containing your home location, email address, purchase history, and political beliefs. The parent company, Fandango Media, did this to at least 37.88 million monthly U.S. visitors. No consent was asked. No court order was obtained.
What Was Actually Stolen From You
The lawsuit calls it “routing, addressing, and signaling information.” Legal language for something much simpler: the record of who you are, where you live, and what you do online.
Picture a Tuesday night. You’re on the couch trying to decide whether a movie is worth watching. You open RottenTomatoes.com. You don’t log in. You don’t create an account. You don’t type your name anywhere. You are, as far as you can tell, completely anonymous. You’re just checking a score.
In the time it takes the page to load, Fandango’s server has already instructed your browser to silently contact Microsoft’s ad network, OpenX’s data brokerage, and PubMatic’s supply-side platform. None of this is visible. There is no notification. There is no consent pop-up that explains what is actually happening. Each of these three services immediately captures your IP address — which maps, with over 95% accuracy, to your physical household. They capture your device type, your browser version, your operating system. They install persistent tracking cookies that will follow you across the entire internet, not just this site.
Then the syncing begins. PubMatic passes your identifier to ID5 Technology, which claims it can “recognize roughly 1.5 billion users across 665 million households.” ID5 hands your data to TrueData, which holds retail transaction records, connected TV identifiers, and mobile IDs. PubMatic also syncs with Tapad, owned by Experian — the credit bureau that already knows your financial history, your address history, and likely your Social Security number. Tapad “crunches 150 billion data points” to link you to every device you own. Sovrn captures a hash of your email address and shares it onward. Microsoft syncs its UUID2 cookie with Magnite, which facilitates billions of advertising transactions monthly and claims reach to one billion internet users globally.
Your anonymous Tuesday night movie check is now a line item in at least eight commercial databases. You have been matched to your home. You have been matched to your devices. You have been matched to your email. You have been matched to your purchase history, your political beliefs, your income bracket, and anything else these companies have inferred or bought from other sources. The composite file built on you in those seconds will be auctioned to advertisers in real time. The winning bidder will pay Fandango more because of how complete your profile is.
You paid nothing for this. But something was taken from you: the right to decide who knows who you are. The ability to browse without being watched. The knowledge that what you read and what you search and what you watch is your own business. That is the ledger this lawsuit cannot fully price. The $5,000 statutory damage per violation is a floor, not a ceiling. What was lost goes deeper than any settlement will recover.
And understand who is most at risk when these profiles exist. The complaint documents that data broker profiles are used by federal agencies including ICE and the FBI — without warrants — to locate individuals. A gunman in Minnesota used data broker services to find the home addresses of a state representative and her husband, both of whom were killed. Following the 2025 Los Angeles protests, activists and legal experts warned that ICE could use location data harvested by exactly these kinds of tracking systems to identify and target demonstrators. The data Fandango helped collect on you is not sitting inert in a server. It is circulating. It is being sold. It is being used.
What The Documents Prove
These are direct quotes from the filed complaint and from the companies’ own published policies. Nothing here is paraphrased.
On What The Trackers Collect
“Through their respective Trackers, the Third Parties collect the Website’s users’ internet protocol (‘IP’) addresses and other device identifier information such as device type, browser type, and unique and persistent identifiers (‘Device Metadata’). The Third Parties’ Trackers also set a cookie that includes a unique user identifier, which the Trackers collect on subsequent visits, and which is used by the Third Parties to identify and deanonymize the user.”
— Class Action Complaint, ¶ 3
- This establishes that tracking is persistent across visits. It is not a one-time capture on the first visit. Every return trip to the site reactivates the tracking chain.
- The phrase “deanonymize the user” is the companies’ own operational goal, stated plainly in the complaint. The purpose of collecting this data is to remove the user’s anonymity.
On PubMatic’s Own Cookie Policy
“[KADUSERCOOKIE is] used to ‘uniquely identify each browser or device from which an individual user visits our partners’ websites.’”
— PubMatic Platform Cookie Policy, cited in Complaint ¶ 114
- PubMatic’s own published policy confirms the cookie’s purpose is individual identification, not aggregate analytics. The word “uniquely” is doing significant work here.
- The KADUSERCOOKIE is the specific identifier that then gets passed to ID5, Tapad/Experian, and Sovrn — meaning every downstream data broker is receiving an identifier that PubMatic itself describes as unique to you, personally.
On Sovrn Capturing Plaintiff’s Actual Email Address
“[T]he below screenshot shows that Sovrn has a unique identifier corresponding to Plaintiff’s e-mail address in various ‘hashed’ formats (md5, sha1, sha256), which [it] shares with each of the trackers it syncs with like PubMatic.”
— Class Action Complaint, ¶ 142
- The complaint includes a screenshot showing the SHA-256 hash captured by Sovrn, and then a second screenshot showing that entering the plaintiff’s actual email address into a SHA-256 encoder produces the exact same hash value. This is direct forensic proof that Sovrn captured and stored his email identity.
- The FTC has stated explicitly that “hashing isn’t ‘anonymous’ and can still be used to identify users.” Sovrn’s hashed-email-matching product is marketed as an additional revenue stream for publishers — meaning Fandango’s users’ emails are being monetized.
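The comparison described above (hash your own address, then compare it with the value seen in tracker traffic) can be repeated on request URLs you capture from your own browser. This is an added example, not code from the complaint or from any company named in it; the sample address, hosts and parameter names are constructed, and trimming and lowercasing the address before hashing is an assumption.

```python
import hashlib
from urllib.parse import urlsplit, parse_qsl

ALGORITHMS = ("md5", "sha1", "sha256")  # the three formats named in the complaint


def email_hashes(email):
    """Return {algorithm: hex digest} for an email address.

    Trimming and lowercasing before hashing is an assumption (a common
    hashed-email convention), not something the complaint specifies.
    """
    normalized = email.strip().lower().encode("utf-8")
    return {alg: hashlib.new(alg, normalized).hexdigest() for alg in ALGORITHMS}


def find_email_hashes(urls, email):
    """Report every query parameter whose value is a hash of `email`.

    Returns a list of (host, parameter, algorithm) tuples in request order.
    """
    lookup = {digest: alg for alg, digest in email_hashes(email).items()}
    hits = []
    for url in urls:
        parts = urlsplit(url)
        for name, value in parse_qsl(parts.query):
            alg = lookup.get(value.strip().lower())
            if alg:
                hits.append((parts.hostname, name, alg))
    return hits


# Constructed sample data: the address, hosts and parameter names are made up.
SAMPLE_EMAIL = "viewer@example.com"
_h = email_hashes(SAMPLE_EMAIL)
SAMPLE_URLS = [
    "https://cdn.site.example/poster.jpg?w=300",
    "https://sync.tracker-a.example/pixel?hem=" + _h["sha256"] + "&gdpr=0",
    "https://match.tracker-b.example/id?m=" + _h["md5"].upper() + "&s=" + _h["sha1"],
]

if __name__ == "__main__":
    for host, param, alg in find_email_hashes(SAMPLE_URLS, SAMPLE_EMAIL):
        print(f"{host}: parameter {param!r} carries the {alg} of your address")
```

Because the hash is deterministic, anyone who already holds the address can compute the same value, which is why a hashed email still works as a persistent identifier.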
On Fandango’s Prior FTC Settlement (2014) and What It Promised
Defendant agreed to “not misrepresent in any manner, expressly or by implication, the extent to which respondent or its products or services maintain and protect the privacy, security, confidentiality, or integrity of any covered information.” ‘Covered information’ includes ‘a persistent identifier, such as a customer number held in a cookie, a static Internet Protocol (IP) address, a mobile device ID, or processor serial number.’
— FTC Settlement Order, In the Matter of Fandango, LLC, No. C 4481 (Aug. 13, 2014)
- Fandango’s 2014 FTC settlement explicitly names IP addresses, cookies, and persistent device identifiers as “covered information” the company was legally obligated to protect. The current lawsuit alleges that Fandango is doing the precise opposite: actively routing those identifiers to data brokers.
- This prior settlement is not just background context. It establishes that Fandango has been told, by federal regulators, that these specific data types require protection. The pattern of behavior — violate, settle, repeat — is now documented across more than a decade.
On Tapad and Experian’s Identity Resolution Scope
“Identity resolution matches fragmented identifiers to a single profile. This creates a unified, cross-channel view of a consumer that helps marketers understand a customer’s demographics, lifestyle, interests, and where and how they engage with your brand.”
— Experian Identity Resolution Solutions page, cited in Complaint ¶ 129
- Experian is describing, in its own marketing language, the complete erasure of anonymity. A “unified, cross-channel view” means every website you visit, every device you use, and every purchase you make is compiled into a single file under your name.
- Tapad achieves this by “crunching 150 billion data points” including cookies, cellphone IDs, Wi-Fi connections, website registrations, and browsing history. Fandango installed Tapad’s tracker on Rotten Tomatoes without telling anyone.
The Surveillance Network Behind A Movie Score
When you load Rotten Tomatoes, you are not contacting one company. You are contacting at least nine. Here is how the data flows from your browser to the auction floor.
The legal term for this entire architecture is a “pen register” network under CIPA. The plain-English term is a surveillance dragnet hidden inside a website you used to decide whether to watch a film.
The Three Core Trackers and What Each One Does
- The ADNXS Tracker (Microsoft/Xandr): Microsoft acquired this system when it purchased AT&T’s Xandr ad-tech business. It is simultaneously a demand-side and supply-side platform, meaning it manages both who bids for your data and who gets to buy it. It stores a UUID2 cookie in your browser and transmits your IP address to Microsoft every time the page loads. It then syncs that UUID2 with PubMatic and Magnite, passing your identifier downstream.
- The OpenX Tracker: OpenX is a registered California data broker operating a service called “OpenAudience.” It matches your visit data against its existing profile graph, segments you into audience categories, and makes you available to marketers. It stores a cookie labeled “i” in your browser and receives your IP address and Device Metadata on every visit to the site.
- The PubMatic Tracker: PubMatic is a registered California data broker and supply-side platform. Its KADUSERCOOKIE uniquely identifies you across every site in PubMatic’s network. It then acts as the hub for syncing your identity with ID5, Tapad/Experian, and Sovrn/Lijit, each of which adds another layer of profile data before your information goes to auction.
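The syncing described in this list leaves a visible trace in browser traffic: an identifier that one company stores in its cookie appears as a parameter in a request to a different company. The following added example (not code from the complaint or from any tracker) detects that pattern in a captured request list; the hosts, parameter names and identifier values are constructed, and only the cookie names KADUSERCOOKIE and UUID2 come from the article.

```python
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

MIN_ID_LENGTH = 8  # skip short values ("1", "en") that would match by chance


def site(url):
    """Last two host labels; a real audit should use the Public Suffix List."""
    return ".".join(urlsplit(url).hostname.split(".")[-2:])


def find_cookie_syncs(requests):
    """Find cookie identifiers that show up in requests to a different site.

    `requests` is a list of {"url": str, "cookies": {name: value}} dicts.
    Returns sorted (owner_site, cookie_name, receiver_site) tuples.
    """
    owners = defaultdict(set)  # identifier value -> {(site, cookie name)}
    for req in requests:
        for name, value in req["cookies"].items():
            if len(value) >= MIN_ID_LENGTH:
                owners[value].add((site(req["url"]), name))

    syncs = set()
    for req in requests:
        receiver = site(req["url"])
        for _, value in parse_qsl(urlsplit(req["url"]).query):
            for owner, cookie_name in owners.get(value, ()):
                if owner != receiver:
                    syncs.add((owner, cookie_name, receiver))
    return sorted(syncs)


# Constructed capture: hosts, parameter names and identifier values are made up;
# only the cookie names KADUSERCOOKIE and UUID2 come from the article.
SAMPLE_REQUESTS = [
    {"url": "https://ads.ssp-one.example/bid?page=movie",
     "cookies": {"KADUSERCOOKIE": "CONSTRUCTED-ID-0001"}},
    {"url": "https://sync.idgraph.example/match?partner=ssp-one&puid=CONSTRUCTED-ID-0001",
     "cookies": {}},
    {"url": "https://ib.exchange-two.example/getuid?ref=home",
     "cookies": {"UUID2": "CONSTRUCTED-ID-0002"}},
    {"url": "https://pixel.ssp-one.example/usersync?xuid=CONSTRUCTED-ID-0002",
     "cookies": {"KADUSERCOOKIE": "CONSTRUCTED-ID-0001"}},
]

if __name__ == "__main__":
    for owner, cookie, receiver in find_cookie_syncs(SAMPLE_REQUESTS):
        print(f"{cookie} set by {owner} was sent to {receiver}")
```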
Who Gets Hurt Beyond The Plaintiff
Public Health and Safety
The data pipeline Fandango feeds is not a neutral advertising tool. The complaint documents specific harms caused by the exact kind of data broker network it participates in.
- A gunman who assassinated a Minnesota state representative and her husband in 2025 “may have gotten their addresses or other personal details from online data broker services, according to court documents.” The complaint names this case directly. The same IP address-to-household matching used to target you with movie ads can be used to find where someone sleeps.
- Following the 2025 Los Angeles protests against ICE raids, California lawmakers and activists documented that ICE has access to location data sold by data brokers — the same category of companies Fandango installed on Rotten Tomatoes. Demonstrators’ movements and identities are a product that can be purchased from this market.
- Federal agencies including the FBI and ICE purchase data broker records without warrants, public disclosures, or robust oversight, using them for criminal investigations and deportations. Every visit to Rotten Tomatoes feeds a data ecosystem that these agencies can tap into commercially.
- The complaint cites a NATO Strategic Communications Centre of Excellence report documenting that data broker networks enable spam campaigns, phishing attacks, and manipulation of viewpoints — all downstream consequences of the same profiling infrastructure Fandango uses to monetize its users.
Economic Inequality
The data harvested from Rotten Tomatoes users does not stay in the advertising silo. Once your profile exists, it moves through a market with no rules about what it can be used for.
- The Duke Sanford Cyber Policy Program found that data brokers openly sell data categorizing individuals by race, ethnicity, income level, political beliefs, sexual orientation, and immigration status. This is the same data ecosystem Fandango feeds. A user who checks Rotten Tomatoes from a low-income zip code is generating data that can be used against them in insurance pricing, lending decisions, and hiring.
- The complaint directly quotes research showing that discriminatory algorithms trained on data broker profiles can be used to “exclude certain groups, such as those who are identified as people with disabilities or those who are identified as Black or Latino, from seeing advertisements.” Fandango’s tracker network builds the input data for these systems.
- Machine learning prediction tools built on these profiles carry documented bias risks that disproportionately increase the cost of goods and services — including insurance, housing, and credit — for minority groups. Feeding user data into this system at scale amplifies these harms.
- Tapad (owned by Experian) integrates “offline consumer data” including purchase behaviors and lifestyle information with the online identifiers captured by Fandango’s trackers. Experian’s identity graph spans over 250 million individuals and 126 million households. A visit to check a movie score contributes to a financial surveillance infrastructure that affects loan rates, credit approvals, and insurance premiums.
- ID5 Technology acquired TrueData specifically to combine online tracking data with “retail transaction information, IP addresses, connected TV identifiers, hashed emails, mobile IDs and other probabilistic IDs.” The goal, stated explicitly, is to “recognize roughly 1.5 billion users across 665 million households.” Fandango’s 37.88 million monthly visitors are inputs to this system.
The Dollar Equation Behind Your Privacy
CIPA § 637.2 sets the statutory penalty at $5,000 per violation. Every single visit to RottenTomatoes.com by every California user is a potential violation. The math is straightforward and staggering.
Who To Watch. What To Do.
This lawsuit was filed January 6, 2026. It is in its earliest stages. The entities responsible for this network are known. The regulatory bodies with authority over them are active. Here is the accountability landscape.
Defendant and Parent Companies
- Fandango Media, LLC: Virginia LLC, headquartered in Universal City, California. Named defendant. This is who your lawsuit money comes from.
- NBCUniversal: Co-owner of Fandango. Parent company with the legal and financial resources to have stopped this at any point. It chose not to.
- Warner Bros. Discovery: Co-owner of Fandango. Same analysis applies.
Regulatory Watchlist
- Federal Trade Commission (FTC): Already settled with Fandango once in 2014. Has explicit authority over data broker abuses and has published guidance stating that hashed data is not anonymous. The repeat violation pattern documented here is exactly the kind of case the FTC’s consumer protection division was built for.
- California Attorney General (OAG): Maintains the data broker registry that OpenX, PubMatic, Magnite, ID5, Tapad, Experian, and Sovrn are all registered with. Has enforcement authority under the California Consumer Privacy Act and the California Invasion of Privacy Act. This investigation sits entirely within its jurisdiction.
- California Privacy Protection Agency (CPPA): The dedicated state agency created under the California Privacy Rights Act. Has authority to audit and penalize companies that violate CCPA. IP addresses are personal information under California law. The conduct described in this complaint is directly within scope.
- U.S. Department of Justice (DOJ): The complaint documents that government agencies including the FBI have purchased data from broker networks without warrants. There is a live civil liberties question about whether federal law enforcement’s use of commercially purchased surveillance data requires constitutional scrutiny.
- Congress / Senate Commerce Committee: The absence of a federal data broker regulation law is what makes this complaint necessary. Comprehensive federal privacy legislation with private right of action would change the calculus for every company running this playbook.
What You Can Do Right Now
- Opt out of California data brokers directly: OpenX, PubMatic, Magnite, ID5, Tapad, Experian, and Sovrn are all registered with the California Attorney General’s data broker registry at oag.ca.gov/data-broker. California residents have the right under CCPA to request deletion of their data from each of these entities individually. It is tedious. Do it anyway.
- Use a browser with tracker blocking enabled: Firefox with uBlock Origin or Brave browser blocks most of the cookie syncing infrastructure described in this complaint. The trackers only work if your browser lets them load. Don’t let them load.
- File a complaint with the FTC: reportfraud.ftc.gov. Cite Fandango’s 2014 settlement, Case No. C 4481, and the conduct described in Case 4:26-cv-00141. Volume of complaints influences enforcement priority.
- File a complaint with the California Attorney General: oag.ca.gov/contact/consumer-complaint-against-business-or-individual. California residents who visited RottenTomatoes.com are the direct victims described in this complaint. Your complaint is evidence.
- Support digital rights organizations doing this work: The Electronic Frontier Foundation (EFF), Electronic Privacy Information Center (EPIC), and the Center for Democracy and Technology (CDT) are actively litigating and legislating against data broker surveillance. Financial support and public membership in these organizations funds the infrastructure that fights these cases.
- Talk to your neighbors about what this means in practice: The Minnesota assassination. The ICE threat to LA protesters. The insurance and lending discrimination risks. These are not abstract. They affect the people around you. The surveillance economy profits from your silence and your isolation. Breaking both of those is free.
The source document for this investigation is attached below.


