LG says you can choose whether your TV watches what you watch. But to use your smart TV's features at all, you must agree to everything — there's no real choice. Meanwhile, the companion app comes loaded with 14 advertising trackers and requests access to your contacts, camera, microphone, and location, far beyond what a TV remote app needs. LG says they carefully ask permission before collecting your viewing data. But Texas's Attorney General is suing them, saying they capture screenshots of your TV every half-second and sell that data to advertisers — without properly telling you or getting real consent.
What they claim: LG privacy policy states ACR data collection requires user opt-in via Live Plus settings, with claims of a "double opt-in" process before data collection begins.
What we found: LG ThinQ companion app (com.lgeha.nuts) requests 39 permissions including ACCESS_BACKGROUND_LOCATION, ACCESS_FINE_LOCATION, CAMERA, RECORD_AUDIO, READ_CONTACTS, WRITE_CONTACTS, READ_PHONE_STATE, and GET_ACCOUNTS. The app embeds 14 third-party trackers including Google AdMob, Facebook Analytics, Salesforce Marketing Cloud, and Treasure Data — all advertising and data monetization platforms. LG requires acceptance of ALL user agreements (viewing information, voice assistant, cross-device advertising) to use any smart TV features, making opt-in effectively mandatory.
What they claim: LG's privacy policy describes viewing data collection as limited to ACR technology on the TV itself.
What we found: The LG ThinQ companion app requests ACCESS_BACKGROUND_LOCATION and ACCESS_FINE_LOCATION permissions, enabling persistent location tracking even when the app is not in use. Combined with RECORD_AUDIO (microphone access), CAMERA access, and READ_PHONE_STATE (device identifiers), the app creates a surveillance capability on the user's phone separate from the TV. The 14 trackers — particularly mParticle, Treasure Data, and Adobe Experience Cloud — are cross-device data platforms designed to link user identity across devices.
What they claim: webOS firmware includes hardcoded connections to us.lgtvsdp.com, lgsmartad.com, alphonso.tv and other LG advertising and data infrastructure endpoints.
What we found: Texas AG lawsuit confirms ACR technology captures screen content as frequently as every 500ms and transmits to LG servers. The firmware's hardcoded advertising endpoints (lgsmartad.com, alphonso.tv) show this data pipeline is built into the TV's operating system — not an optional add-on. LG invested USD 0 million for a controlling stake in Alphonso, rebranding it as LG Ad Solutions, creating a vertically integrated surveillance-to-advertising pipeline from TV hardware to ad marketplace.
What they claim: LG C3 OLED TV includes microphone support for voice control via ThinQ AI, Alexa, and Google Assistant integration.
What we found: The ThinQ companion app requests RECORD_AUDIO permission for voice control, but this is combined with ACCESS_BACKGROUND_LOCATION, ACCESS_FINE_LOCATION, CAMERA, and 14 embedded trackers. Voice data combined with location tracking, camera access, and advertising trackers creates a comprehensive behavioral profile. The Braze tracker (marketing automation) and mParticle (customer data platform) are designed to unify user data across touchpoints — linking what you say to your TV with your location and phone activity.
What they claim: LG markets the C3 OLED as a premium entertainment device with AI-powered picture and sound processing.
What we found: The Alpha 9 Gen 6 AI processor handles not only picture and sound optimization but also runs the webOS platform that includes ACR surveillance. The same processor that enhances your viewing experience also captures and identifies what you're watching. Hardcoded endpoints show data flows to aic-ngfts.lge.com (analytics), lgsmartad.com (advertising), and alphonso.tv (ACR data processing). The AI marketing focuses on entertainment benefits while omitting that the same AI infrastructure enables content surveillance.
What they claim: LG Ad Solutions claims to use a "double opt-in" process and give consumers "enhanced notice" before ACR data collection, with an "easy-to-use opt-out choice."
What we found: Texas Attorney General lawsuit (filed December 15, 2025) alleges LG Smart TVs capture screenshots of the display as frequently as every 500 milliseconds using ACR technology, transmitting viewing data to LG servers and LG Ad Solutions for sale to advertisers and data brokers without meaningful consumer consent. Texas alleges LG failed to adequately disclose these data collection capabilities. LG is one of five TV manufacturers sued under the Texas Deceptive Trade Practices Act.
What they claim: LG ThinQ app is positioned as a smart home control hub for managing LG devices remotely.
What we found: The app requests READ_CONTACTS and WRITE_CONTACTS permissions, allowing it to read and modify the user's phone contacts. It also requests GET_ACCOUNTS and AUTHENTICATE_ACCOUNTS to access device accounts. These permissions are not necessary for TV remote control or smart home management. Combined with 14 embedded trackers (including Facebook Analytics, Salesforce Marketing Cloud, and Treasure Data), this creates a comprehensive data collection profile that extends far beyond device management. The firmware reveals hardcoded endpoints to lgsmartad.com and alphonso.tv — LG's advertising infrastructure.
What they claim: LG ThinQ app is categorized as a smart home management application on Google Play Store.
What we found: Common Sense Media gave the LG ThinQ app a "Warning" privacy rating, finding that data may be sold and used for targeted advertising. The app's 14 trackers include Google AdMob (advertising), Facebook Analytics (cross-platform tracking), Salesforce Marketing Cloud (marketing automation), and Treasure Data (customer data platform). The app requests AD_ID and ACCESS_ADSERVICES_ATTRIBUTION permissions — explicitly advertising-related capabilities that have no smart home management purpose. AltBeacon tracker enables physical proximity tracking via Bluetooth beacons.
What they claim: LG markets webOS as a secure, premium smart TV platform with regular security updates and AI-powered features for an enhanced viewing experience.
What we found: Bitdefender researchers discovered four critical CVEs (CVE-2023-6317, CVE-2023-6318, CVE-2023-6319, CVE-2023-6320) allowing complete device takeover: authentication bypass to create privileged accounts without PIN or user interaction, privilege escalation to root, OS command injection, and authenticated command injection. Over 91,000 LG Smart TVs were found exposed to the internet and vulnerable. The vulnerability chain affects webOS 4.9.7 through 7.3.1-43, meaning years of TVs shipped with these flaws.
What they claim: LG Smart TV firmware enables Wi-Fi and Bluetooth connectivity for streaming and peripheral connections.
What we found: The FCC-certified Wi-Fi module (BEJWN8522D1) provides the network connectivity that enables ACR data exfiltration. CVE-2023-6317 through CVE-2023-6320 demonstrate that the network stack is insufficiently secured — authentication bypass and command injection vulnerabilities allowed root access on 91,000+ exposed TVs. Security research shows the vulnerabilities existed across 4 webOS generations (4.9.7 through 7.3.1-43), indicating systemic security neglect. LG took from November 2023 to March 2024 to patch after disclosure.