Google was fined nearly $400 million because it kept tracking people's locations even after they turned location tracking off. The same location system powers your Chromecast. Even now, Google admits it can still figure out where you are through your internet connection even with location turned off.
Google was fined $170 million for illegally tracking children on YouTube and using their data to sell ads. The Chromecast uses the same Google account system. Children watching content on Google TV can still have their viewing habits, voice commands, and app usage collected, with only Family Link as a control — the same type of tracking approach that got Google fined on YouTube.
What they claim: Google's privacy policy states it collects data to "provide, maintain, and improve" services and to provide "personalized content." The company's commitment to privacy states: "We are committed to keeping your data private and safe."
What we found: The FTC fined Google $170M (2019) for violating COPPA on YouTube by collecting children's data (persistent identifiers, cookies, IP addresses) without parental consent and using it for behavioral advertising, earning ~$50M from the practice. Chromecast with Google TV uses the same Google Account system. Google can collect location, voice, activity data, and app usage from children under 13 via Family Link. No age-gating or children's profile protections exist on the Google TV platform beyond Family Link.
What they claim: Chromecast firmware includes a voice remote with a built-in microphone for Google Assistant. Google states: "Google Assistant is designed to wait in standby mode until it detects an activation, like when it hears 'Hey Google.'"
What we found: Three critical CVEs (CVE-2023-48424, CVE-2023-48425, CVE-2023-6181, all CVSS 9.8) allow persistent bootloader-level code execution while the device reports itself as secure. Security researchers noted that with device control, an attacker could remotely activate the voice remote's Bluetooth microphone. The exploit chain requires only brief physical access, enabling supply-chain attacks on used/refurbished devices. The device falsely reports secure status after compromise.
What they claim: Chromecast is marketed and sold as a streaming dongle — a device for watching TV. Google's product page describes it as a way to "stream entertainment to your TV."
What we found: The Google Home companion app requests CAMERA, RECORD_AUDIO, CALL_PHONE, GET_ACCOUNTS, and MANAGE_ACCOUNTS permissions. A streaming dongle has no camera, and the CALL_PHONE permission allows the app to make phone calls without user interaction. QUERY_ALL_PACKAGES lets the app see every app installed on your phone. These 35 permissions far exceed what is needed to set up and control a TV streaming device.
What they claim: Google's Chromecast privacy page states that the device sends performance information, usage stats, and crash reports — framing data collection as diagnostic and performance-focused.
What we found: Firmware analysis reveals 10 hardcoded Google endpoints including firebaselogging-pa.googleapis.com (analytics), play.googleapis.com, and accounts.google.com. The device runs a full Android TV OS with Google Play Store, not just a casting receiver. Google collects "apps and domains you cast," watchlist, watch activity, streaming services, app interactions, and all apps installed on the device. This is comprehensive behavioral surveillance, not just diagnostics.
What they claim: Google's privacy policy states it may "use publicly available information to help train Google's AI models." The policy describes data use for improving services.
What we found: Mozilla's Privacy Not Included review flagged that Google's updated policy allows using data to train AI models like Bard/Gemini. Combined with Google TV's collection of viewing habits, voice queries, and app usage from 150+ million Google TV devices globally, this creates a massive training dataset derived from living room behavior. Users consented to a streaming device, not to contributing their viewing and voice data to AI training.
What they claim: Google describes Chromecast data sharing with third parties as limited to "a unique identifier for your Chromecast device" sent to app operators "for purposes of digital rights management."
What we found: Mozilla's review found Google allows "specific partners to collect information from your browser or device for advertising purposes using their own cookies." The Google Home app includes the Google Firebase Analytics tracker. Google's own disclosure admits collecting data for "Advertising or marketing for TV devices only" and sharing with third-party partners. This goes far beyond the DRM identifier described in the casting-specific privacy page.
What they claim: The Google Home app requests the QUERY_ALL_PACKAGES permission, which allows the app to enumerate every application installed on the user's phone.
What we found: The Chromecast firmware connects to firebaselogging-pa.googleapis.com for analytics and Google collects "app interactions" and "apps installed on your device" from the TV side. Combined with the companion app's ability to see all phone apps, Google gains visibility into application usage across both the user's phone and their TV — two different devices providing a comprehensive view of the user's digital life.
What they claim: Google states that OTA firmware updates maintain device security. The December 2023 security bulletin patched three critical vulnerabilities with anti-rollback protection.
What we found: OTA firmware updates are delivered by Google with no user opt-out — update checks themselves include device telemetry sent to update.googleapis.com. Users cannot choose when or whether to update. While the December 2023 patch fixed critical CVEs, the mandatory update mechanism means Google maintains persistent remote control over the device's software, and every update check is also a data collection event.
What they claim: Google's privacy policy states: "You can control Google's collection of crash reports and usage data through a device setting." Google also states location tracking can be turned off in settings.
What we found: The FTC/state AG $391.5M settlement (2022) found that Google continued tracking users' locations even after they disabled location tracking. Google used dark patterns to pressure users into re-enabling tracking. Google's own support page admits: "When Google TV's Location setting is off and the internet is connected, Google or third parties may still get your general location through your Internet Protocol (IP) address."
What they claim: Google's privacy policy states that crash reports and diagnostics collection is optional and controlled through a device setting. The policy says: "Crash reports and diagnostics data collection is optional."
What we found: The Google Home app (required for Chromecast setup) requests RECORD_AUDIO, CAMERA, ACCESS_FINE_LOCATION, and CALL_PHONE permissions — none of which are needed for a streaming dongle. The diagnostics setting is enabled by default, meaning users must actively opt out rather than opt in, contradicting the spirit of "optional" collection.
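The permission findings above (CAMERA, RECORD_AUDIO, CALL_PHONE, account access, QUERY_ALL_PACKAGES, ACCESS_FINE_LOCATION) can be checked against any companion app by auditing its decoded manifest. The following is an added example, not code from this review or from Google: the manifest is constructed sample input with a hypothetical package name, the capability grouping and the `justified` allowlist are this example's assumptions, and it expects a text-form AndroidManifest.xml such as one decoded with apktool.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions named in this review, grouped by capability (grouping is an assumption).
SENSITIVE = {
    "android.permission.CAMERA": "camera",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.CALL_PHONE": "telephony",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.GET_ACCOUNTS": "accounts",
    "android.permission.MANAGE_ACCOUNTS": "accounts",
    "android.permission.QUERY_ALL_PACKAGES": "app inventory",
}

# Constructed sample: a decoded manifest for a hypothetical companion app.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.companion">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.MANAGE_ACCOUNTS"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <uses-permission-sdk-23 android:name="android.permission.ACCESS_FINE_LOCATION"/>
</manifest>
"""

def requested_permissions(manifest_xml):
    """Collect every permission name declared in the manifest."""
    root = ET.fromstring(manifest_xml.strip())
    names = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for node in root.iter(tag):
            name = node.get(ANDROID_NS + "name")
            if name:
                names.add(name)
    return names

def audit(manifest_xml, justified=frozenset()):
    """Map capability -> sensitive permissions the reviewer has not justified."""
    findings = {}
    for perm in sorted(requested_permissions(manifest_xml)):
        capability = SENSITIVE.get(perm)
        if capability and capability not in justified:
            findings.setdefault(capability, []).append(perm)
    return findings

if __name__ == "__main__":
    for capability, perms in audit(SAMPLE_MANIFEST).items():
        print(f"{capability}: {', '.join(perms)}")
```

Pass the capabilities you accept for the app's stated purpose in `justified`; whatever remains is what the app requests beyond that purpose.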