The Attorney General of Texas, Ken Paxton, has filed lawsuits against five leading smart TV manufacturers — Sony, Samsung, LG, Hisense and TCL — alleging that their televisions used Automated Content Recognition (ACR) to collect detailed viewing data from users without clear, informed consent. The cases highlight growing concerns around smart TV privacy, covert tracking and the cybersecurity implications of large-scale behavioral data collection in the home.
Allegations Against Smart TV Vendors: Continuous Tracking of Viewing Habits
According to the complaints filed in Texas courts, smart TVs from the named vendors allegedly captured miniature “screenshots” of the display as frequently as every 500 milliseconds. These snapshots were processed by ACR technology, enabling near real-time identification of what content was being watched and transmitting those insights back to the manufacturers’ servers.
The lawsuits claim that this granular viewing data was then monetized by being shared or sold to advertising and analytics partners for precise targeted advertising. Regulators argue that users were not given a meaningful choice, and that consent dialogs were either misleading, buried in complex menus, or bundled with unrelated features, which can conflict with modern privacy and consumer-protection standards.
Special Focus on Chinese Manufacturers and Cross-Border Data Risks
The complaints pay particular attention to Chinese manufacturers Hisense and TCL. The Texas Attorney General’s office points to China’s national security laws, which can, in principle, compel companies under Chinese jurisdiction to provide access to data upon government request. In the context of smart TV privacy, this raises concerns about cross-border transfer of sensitive viewing data and the potential for state access to the media consumption habits of U.S. residents.
How Automated Content Recognition Works on Smart TVs
Automated Content Recognition (ACR) can be described as a “Shazam for video.” The smart TV periodically creates tiny image thumbnails or extracts short audio fingerprints from whatever is on the screen. These are converted into unique digital signatures and compared against a large reference database of TV channels, movies, streaming content, advertisements and games.
Importantly, ACR does not only monitor broadcast and cable TV. It can also track content from external sources connected via HDMI, including streaming sticks, Blu-ray/DVD players, game consoles and laptops. A 2024 academic study by researchers from University College London, the University of California at Davis and Universidad Carlos III de Madrid showed that certain smart TV models — including sets from Samsung and LG — continued to collect ACR data even when the device was used purely as an external monitor.
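The signature-and-lookup step described above, as an added example that is not code from any TV vendor or from the court filings: a difference hash (dHash) stands in for the proprietary fingerprinting, and the frames, titles and distance threshold are constructed for illustration. It shows why a brightness change or an on-screen logo does not defeat the match, and that the source of the pixels is irrelevant to the fingerprint.

```python
# Added illustration: dHash stands in for a vendor's proprietary fingerprint.
def make_frame(pattern, rows=64, cols=72):
    """Constructed grayscale frame: every 8x8 pixel block takes pattern(block_row, block_col)."""
    return [[pattern(y // 8, x // 8) for x in range(cols)] for y in range(rows)]

def downscale(frame, w=9, h=8):
    """Average-pool the frame down to h rows by w columns."""
    H, W = len(frame), len(frame[0])
    small = []
    for r in range(h):
        ys = range(r * H // h, (r + 1) * H // h)
        row = []
        for c in range(w):
            xs = range(c * W // w, (c + 1) * W // w)
            row.append(sum(frame[y][x] for y in ys for x in xs) / (len(ys) * len(xs)))
        small.append(row)
    return small

def dhash(frame):
    """64-bit signature: one bit per pair of horizontally adjacent cells (left brighter = 1)."""
    bits = 0
    for row in downscale(frame):
        for left, right in zip(row, row[1:]):
            bits = (bits << 1) | int(left > right)
    return bits

def hamming(a, b):
    """Number of differing bits between two signatures."""
    return bin(a ^ b).count("1")

def identify(frame, reference_db, max_distance=10):
    """Return the closest reference title, or None if nothing is within max_distance bits."""
    sig = dhash(frame)
    title = min(reference_db, key=lambda t: hamming(sig, reference_db[t]))
    return title if hamming(sig, reference_db[title]) <= max_distance else None

# Constructed reference content (titles and patterns are made up for the example).
show_a = make_frame(lambda r, c: 20 * c if r % 2 == 0 else 20 * (8 - c))
show_b = make_frame(lambda r, c: 20 * (8 - c) if r < 4 else 20 * c)
REFERENCE_DB = {"Show A": dhash(show_a), "Show B": dhash(show_b)}

# The same Show A frame as seen on screen: brighter, with a dark logo block top-right.
on_screen = [[0 if (y < 8 and x >= 64) else v + 10 for x, v in enumerate(row)]
             for y, row in enumerate(show_a)]
# Unrelated content arriving over HDMI (e.g. a laptop desktop), absent from the database.
laptop = make_frame(lambda r, c: 100 if c % 2 == 0 else 50)

if __name__ == "__main__":
    print(identify(on_screen, REFERENCE_DB), identify(laptop, REFERENCE_DB))
```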
Regulatory Precedent: The Vizio Smart TV Tracking Case
This is not the first time smart TV data collection has drawn regulatory scrutiny in the United States. In 2017, Vizio agreed to pay $2.2 million to settle charges brought by the U.S. Federal Trade Commission (FTC) and the New Jersey Attorney General. Regulators found that, starting in 2014, Vizio had enabled a feature called “Smart Interactivity” on more than 11 million TVs without adequately informing consumers.
The feature silently recorded what people watched — including over-the-air broadcasts, cable channels, DVDs and popular streaming services — and paired this information with demographic data such as gender, age, income level and education. The resulting profiles were used for highly targeted advertising, illustrating how a household television can become a powerful behavioral analytics platform.
Cybersecurity and Privacy Risks of ACR Tracking
On the surface, ACR may appear to be just another advertising tool. From a cybersecurity and privacy perspective, however, it represents systematic collection of highly sensitive behavioral data. Viewing patterns can reveal political affiliation, religious beliefs, health conditions, children’s interests and broader family dynamics — all categories considered sensitive under many data protection frameworks.
If these datasets are insufficiently protected, transmitted without robust encryption, or shared with poorly vetted partners, they can increase the risk of phishing, fraud and targeted social engineering. In jurisdictions where state access to corporate data is more expansive, there is an added risk that such information could be leveraged for surveillance or influence operations.
Practical Steps to Protect Smart TV Privacy
Most modern smart TVs include at least basic privacy controls. Security professionals commonly recommend that users:
1. Disable ACR and ad personalization where possible. During initial setup, carefully read on-screen prompts and opt out of ACR, ad personalization, “viewing information services,” and “improved recommendations” whenever available.
2. Regularly review privacy and marketing settings. Periodically check the Privacy, Advertising or Marketing sections of your TV’s settings menu, as firmware updates can introduce new options or re-enable tracking by default.
3. Segment network access. Where feasible, connect smart TVs to a separate guest Wi‑Fi network or restrict outbound connections using your router’s firewall features. Some users prefer using external streaming devices and limiting the TV’s own internet access.
4. Keep firmware updated — but review terms. Install security updates to reduce vulnerability risks, while carefully reviewing any revised terms of service or privacy policies that accompany major firmware upgrades.
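One way to check that an opt-out held after a firmware update is to review where the TV still connects from its own network segment. The script below is an added example, not part of the original article; the log format, IP addresses and hostnames are constructed, and it assumes telemetry uploads recur at a roughly fixed interval while viewer-driven traffic is bursty.

```python
import statistics
from collections import defaultdict

TV_IP = "192.168.50.20"  # constructed address for the TV on its own segment

def build_sample_log():
    """Constructed flow log, one line per outbound connection: '<epoch> <src_ip> <dst_host> <bytes>'."""
    t0 = 1_700_000_000
    events = [(t0 + s, TV_IP, "acr-ingest.tv-vendor.example", 1800)
              for s in (0, 15, 30, 45, 61, 75, 90, 105)]            # steady cadence, slight jitter
    events += [(t0 + s, TV_IP, "cdn.streaming-service.example", 90_000)
               for s in (3, 4, 40, 41, 44, 100, 101)]               # bursty, viewer-driven
    events += [(t0 + s, TV_IP, "firmware.tv-vendor.example", 500) for s in (10, 95)]
    events += [(t0 + s, "192.168.50.31", "acr-ingest.tv-vendor.example", 1800)
               for s in range(0, 120, 15)]                          # a different device
    return "\n".join(f"{t} {src} {dst} {n}" for t, src, dst, n in sorted(events))

def periodic_destinations(log_text, device_ip, min_events=6, max_cv=0.2):
    """Map each host the device contacts on a regular cadence to its median interval in seconds.

    Cadence is judged by the coefficient of variation (stdev / mean) of the gaps
    between consecutive connections; malformed lines are skipped.
    """
    times = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[0].isdigit():
            continue
        epoch, src, dst, _bytes = parts
        if src == device_ip:
            times[dst].append(int(epoch))
    flagged = {}
    for dst, stamps in times.items():
        if len(stamps) < max(min_events, 2):
            continue  # too few connections to judge a cadence
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean_gap = statistics.mean(gaps)
        if mean_gap > 0 and statistics.pstdev(gaps) / mean_gap <= max_cv:
            flagged[dst] = statistics.median(gaps)
    return flagged

if __name__ == "__main__":
    for host, gap in periodic_destinations(build_sample_log(), TV_IP).items():
        print(f"{host}: every ~{gap}s")
```

A destination that keeps a steady cadence while the TV is only displaying an HDMI input is a candidate for blocking at the router.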
Ongoing investigations such as the Texas lawsuits underscore that smart TVs are no longer passive displays but active nodes in the global data economy. Understanding how Automated Content Recognition works, reviewing default settings and making deliberate privacy choices significantly strengthens the overall cybersecurity posture of the home. Users who treat their TV like any other connected device — to be hardened, monitored and configured — will be better positioned to maintain control over their data in an increasingly surveilled digital environment.