New England Patriots just got sued for allegedly spying on its fans.

You Thought You Were Watching the Patriots. They Were Watching You.

Anthony Serra of Uxbridge, Massachusetts downloaded the New England Patriots app in 2019 to watch team videos. He never created an account. He never signed any terms. He never consented to anything. What he did not know is that the moment he pressed play, the Patriots app began transmitting a detailed profile of his behavior to corporate third parties — including his exact location on Earth, the specific video he was watching, and a persistent advertising ID that functions as a digital fingerprint across every app on his phone.

The complaint, filed on February 1, 2024, lays out a system that is strikingly deliberate. The Patriots did not accidentally leak data through a bug or a security breach. The team actively integrated two third-party data systems into its app: Google’s Anvato platform and Rover Labs’ API, a sports-industry analytics tool whose entire business model is helping sports franchises “engage and monetize” their fanbases using harvested behavioral data.

This is the surveillance economy in a jersey. The Patriots marketed the app as a way for fans to stay close to the team. The app served that purpose while simultaneously running a parallel operation: converting fan loyalty into location data, watch histories, and behavioral profiles worth real money on the digital advertising market.

The Federal Law They Allegedly Broke

The Video Privacy Protection Act (VPPA), 18 U.S.C. § 2710, was passed in 1988 after a reporter obtained and published the video rental history of a Supreme Court nominee. Congress decided, with bipartisan agreement, that what you watch is private. The law prohibits any video service provider from knowingly disclosing “personally identifiable information” about what a consumer watches to any third party without their consent.

The Patriots’ app delivers prerecorded and live video content to consumers. Under the VPPA, that makes the franchise a “video tape service provider” subject to the law’s protections. The statute imposes statutory damages of $2,500 per violation. With over one million affected users alleged in the complaint, the potential liability before settlement was staggering.

Two Corporations Got Your Data. Here Is Exactly How.

Google’s Anvato: Your Location, Auctioned in Real Time

Google acquired Anvato in 2016 to build out its cloud video services. The Patriots embedded Anvato’s API directly into the app. Every time a fan opened a video, the app transmitted the specific video link to Google through Anvato, allowing Google to log exactly what content that user consumed. Simultaneously, the app sent the user’s geolocation — not a general area, but precise GPS coordinates with more than three decimal places of accuracy, meaning the system could place you within forty feet of your actual location.

Anvato’s “Dynamic Server-Side Ad Insertion” feature then used that data in real time. When a commercial break arrived in your video, Anvato transmitted your location and advertising ID to an ad server, which immediately ran an auction. Advertisers bid against each other for the right to show you a specific ad, informed by exactly where you were standing. This is categorically different from the way television advertising has worked for decades, where a single ad is purchased for a broad region and every viewer in that region sees the same thing.

The complaint references a former Anvato executive describing the system’s precision directly: advertisers can target a viewer “even down to the user,” including when “someone is within a couple hundred yards or meters of a coffee shop.” The Patriots fan watching a highlight reel in his living room in Uxbridge had no idea his couch’s GPS coordinates were being sold to the highest bidder while the video buffered.

Your Android ID: A Permanent Cross-App Tracking Number

For users on Android devices, the app also transmitted an Android Advertising ID (AAID). This is not a temporary session cookie that clears when you close the app. An AAID is a persistent identifier that follows a user across every app on their phone, allowing data brokers and advertisers to build a unified profile of everything that person does across their entire mobile life. The complaint cites experts who describe the AAID as a mechanism that enables third parties to generate inferences about a person’s “political or religious affiliations, sexuality, and media preferences.”

Combined with precise geolocation, a watch history, and the video content titles, the data package the Patriots transmitted to Google constituted a detailed, trackable portrait of real human beings — people who just wanted to watch football.

Rover Labs: The Sports Industry’s Data Broker

Rover Labs Inc. builds data analytics and digital marketing tools specifically for sports franchises. Its client list includes NFL teams, National Hockey League teams, and national Olympic teams. The company’s entire sales pitch is helping franchises “engage and monetize” their fanbases using behavioral data. The Patriots embedded Rover’s API, Rover.io, into the app alongside Anvato.

Network traffic analysis of the Patriots app revealed that Rover received the unique device ID and the specific title of every video a user watched — for example, “Bill Belichick 1/2: ‘It’s A One Game Season For Us.'” Until some point in late September or early October of 2023, Rover also received each user’s precise geolocation with more than six digits of accuracy for latitude and seven digits for longitude — sufficient to identify a person’s exact GPS position. That level of precision can distinguish which room of a building you are in.

The Non-Financial Ledger: What You Lost That No Settlement Can Return

Anthony Serra never signed up for anything. He downloaded a free app to watch football content, chose the “MAYBE LATER” option when asked to create an account, and was never shown a privacy policy. The complaint confirms that users who selected that option were not presented with the app’s Terms of Use or Privacy Policy at all. The Patriots built a two-tier system: users who created accounts were still never shown a disclosure about third-party video sharing, and users who skipped sign-up were shown nothing whatsoever. Either way, you were tracked. The choice about how much the team surveilled you was never yours to make.

The location tracking enabled by Rover was not an accident or a default setting that nobody turned off. Rover’s own developer documentation makes explicit that geolocation tracking is not active by default and must be “purposefully enabled” through specific, affirmative steps during app development. A developer must install a dedicated Location module, configure location authorization prompts, and set up when the application transmits location data. The Patriots’ development team made each of those choices. They chose to install the module. They chose to configure the prompts. They chose to flip the switch that sent your GPS coordinates — with altitude included — to a sports data broker. This was engineering work. It required decisions. Those decisions were made without your knowledge.

Consider what the data package actually contains. A unique device ID that permanently identifies your phone. The precise video title you watched — not “sports content” but the specific clip, down to the episode label. Your exact GPS coordinates, accurate enough to identify which floor of a building you were on. And your Android Advertising ID, which a university professor cited in the complaint describes as the key to cross-correlating your “online persona with your offline persona.” All of it assembled, transmitted, and auctioned in the time it takes a pre-roll ad to load. The Patriots were not just your team. They were one of your data suppliers.

The privacy violation here carries a particular kind of sting because of who is doing it. Sports fandom is one of the last genuinely communal experiences in modern life. People invest real emotion, real identity, and real time into their teams. The Patriots app was positioned as a tool for deepening that connection — a way to watch more, know more, feel more engaged. Instead, every act of engagement became a data harvest. The fan scrolling through highlight clips at midnight, the kid watching press conferences before a playoff game, the retiree catching up on an interview — all of them were being profiled and monetized without consent, by the very franchise they trusted enough to install on their phones.

Legal Receipts: What the Complaint Actually Says

“Unbeknownst to Plaintiff and Class members, Defendant intentionally and knowingly discloses their data — including which videos they watch, their precise geolocation, and advertising IDs — to third parties, thereby violating the VPPA by disseminating the personally identifiable information of consumers who use the App.” — Class Action Complaint, Paragraph 6, Serra v. New England Patriots LLC

“Really precise, longitudinal geolocation information is absolutely impossible to anonymize. D.N.A. is probably the only thing that’s harder to anonymize than precise geolocation information.” — Law professor and privacy researcher, Georgetown University Law Center, as cited in the complaint, Paragraph 34

“Geolocation tracking is not active by default and therefore must be purposefully enabled.” Further: a developer “must set up location authorization prompts and set up when the application transmits the user’s location so that it integrates with Rover’s Campaigns and Proximity functions.” — Rover Developer Documentation, as cited in the complaint, Paragraphs 56–58

“Our platform tracks who watched your videos, and how they have engaged with them. We statistically cluster the audience viewing habits and recommend how they need to be retargeted.” — Anvato’s OnTarget Monetization marketing materials, as cited in the complaint, Paragraph 46

“An AAID is the passport for aggregating all of the data about a user in one place.” Additionally: companies can use AAID data to “generate inferences about an individual’s identity, preferences, and affiliations, such as their political or religious affiliations, sexuality, and media preferences.” — Industry sources cited in the complaint, Paragraphs 39–40

Societal Impact Mapping: Who Else Gets Hurt When This Goes Unchecked

The Rich Get Richer. The Fan Gets Profiled.

The economic structure of this surveillance is not neutral. Rover’s entire product offering is built on turning fan loyalty into a commercial asset that teams can monetize. The complaint describes Rover’s pitch to franchises as the ability to “engage and monetize” fanbases through personalized targeting based on “geographic location, device type, seat section.” The people being monetized — the fans — receive none of that revenue. They receive ads.

Google’s Anvato operates on a real-time auction model for advertising. The Patriots fan’s location and behavioral data are submitted to an ad server, where advertisers compete against each other for access to that specific individual. The winning bid goes to Google and, through the revenue-sharing model, back to the Patriots. The fan, whose physical location and media consumption habits generated the entire value of that transaction, receives nothing except a targeted advertisement they did not ask for and cannot opt out of.

The class action covers over one million people. These are predominantly working-class and middle-class sports fans who paid for their phones, paid for their data plans, and downloaded a free app expecting entertainment. They had no way to know the app was running a parallel commercial operation using their bodies’ GPS coordinates as inventory. The settlement of $2.16 million ($2.16 million, roughly equivalent to what the Patriots’ starting quarterback earns in about four days of work) divided across a million-plus class members produces a recovery so small per person it rounds to nothing. The team, meanwhile, generated advertising revenue and behavioral analytics data throughout the entire period of the alleged violations.

When Your Location Is Someone Else’s Product, Everyone Is Exposed

The complaint cites expert analysis making clear that precise geolocation data cannot be anonymized. Georgetown Law professor Julie Cohen’s research, quoted in the complaint, establishes that GPS-accurate location histories are among the hardest categories of data to de-identify — harder than almost any other personal data except DNA. This means the information the Patriots transmitted to Google and Rover about over a million fans does not become safe once it leaves the app. It remains permanently linkable to real individuals.

Location data at the precision transmitted here — accurate to within forty feet via Anvato, and to centimeter-scale resolution via Rover’s six-to-seven decimal GPS coordinates — can reveal where a person sleeps, what medical facilities they visit, what religious institutions they attend, who they spend time with, and what their daily movement patterns look like. The complaint explicitly raises the risk that AAID data cross-correlated with location histories enables third parties to infer “political or religious affiliations, sexuality, and media preferences.” These are not abstract concerns. For many people, exposure of this information creates real-world safety risks, including from employers, governments, stalkers, and bad actors who purchase data on secondary markets.

The fans who used the Patriots app never assessed these risks, because they were never told the risks existed. The app’s onboarding flow — as described in the complaint — gave users who skipped sign-in no privacy disclosure at all. Users who did create accounts were never shown a disclosure “that Defendant will share users’ video-viewing histories with third parties.” The exposure was total and undisclosed.

The “Cost of a Life” Metric

What Now? The Watchlist and the Way Forward

Corporate Roles to Watch

• New England Patriots LLC — the franchise that embedded the surveillance systems and made every technical decision to enable location tracking
• Kraft Sports Productions LLC — listed as the app’s seller in the Apple App Store; the corporate entity with direct distribution responsibility
• Google (Anvato) — the data recipient that collected location, device IDs, and video histories and ran real-time ad auctions against users
• Rover Labs Inc. — the sports-industry data broker that received precise GPS coordinates and watch histories from the app

Regulatory Bodies With Authority Here

• Federal Trade Commission (FTC) — primary regulator of unfair or deceptive commercial data practices; has jurisdiction over undisclosed data sharing
• Department of Justice (DOJ) — federal law enforcement with VPPA enforcement authority
• State Attorneys General — several states have passed their own consumer privacy statutes; Massachusetts AG has direct jurisdiction over a Foxborough-based franchise
• Congress — the VPPA was passed in 1988; the law has not been significantly updated to address mobile app surveillance; legislative reform is overdue

You do not have to wait for a regulator to fix this. Delete apps you do not actively need. On Android, reset your Advertising ID in Settings under Privacy. On iPhone, enable “Limit Ad Tracking” and deny location access to all apps that do not require it for core functionality. Find your local digital rights organization — groups like the Electronic Frontier Foundation, Fight for the Future, and your state-level ACLU chapter actively push for stronger app privacy laws and need public pressure to make them happen. The settlement closed this case but left the surveillance infrastructure intact. The systems that tracked Patriots fans are still running in apps across every industry. Organized pressure on legislatures and regulators is the only force that has historically forced those systems to change.