Roku lets you turn off the feature that watches what is on your screen, but even after you turn it off, the TV still sends information about which apps you use, how long you watch, and other data to Roku servers. The off switch does not actually stop all tracking. Roku says it would get parental permission before collecting children's data, but two state attorneys general found Roku was secretly collecting children's location, viewing habits, and voice recordings and selling this data to advertisers — all without telling parents or getting their consent.
What they claim: Roku privacy policy states: "In the unlikely event that Roku has actual knowledge that a user is under the age of 13, it will either follow the same policy...or obtain verifiable parental consent."
What we found: Michigan AG (April 2025) and Florida AG (October 2025) both sued Roku alleging the company secretly collected children's personal information — including precise location data, IP addresses, viewing histories, voice recordings — and shared it with advertisers and data brokers without COPPA-required parental consent. Florida's suit is the first under the Florida Digital Bill of Rights. Roku failed to implement age verification or obtain any parental consent.
What they claim: Roku privacy policy does not disclose that ACR technology captures content from HDMI inputs (external devices like game consoles, cable boxes, DVD players) — not just Roku streaming content.
What we found: Roku OS ACR technology captures screenshots of ALL on-screen content including from HDMI inputs. When a user connects a PlayStation, cable box, or DVD player via HDMI, Roku captures and fingerprints what is displayed. This cross-device surveillance means Roku tracks viewing habits of devices that have no relationship with Roku. Consumer Reports and Mozilla both documented this behavior. The privacy policy refers to "what you watch or access" but does not clearly state this includes content from other manufacturers' devices connected via HDMI.
What they claim: Roku privacy policy describes collection of "information about your interactions with the Roku Services" and viewing activities. The policy does not prominently disclose that the companion app requests CAMERA, RECORD_AUDIO, and ACCESS_COARSE_LOCATION permissions.
What we found: The Roku companion app (com.roku.remote v13.5.0) requests 28 permissions including CAMERA, RECORD_AUDIO, ACCESS_COARSE_LOCATION, WRITE_SETTINGS, and WRITE_EXTERNAL_STORAGE. It contains three trackers: Google AdMob (advertising), Google Firebase Analytics, and Google Crashlytics. The app also requests ACCESS_ADSERVICES_AD_ID, ACCESS_ADSERVICES_ATTRIBUTION, and ACCESS_ADSERVICES_TOPICS — a comprehensive advertising surveillance toolkit built into a TV remote app.
What they claim: The Roku companion app requests DETECT_SCREEN_RECORDING permission, suggesting concern about user privacy from third-party screen capture.
What we found: While the companion app requests DETECT_SCREEN_RECORDING (ostensibly to protect against unauthorized recording), the Roku TV firmware itself performs continuous screen capture via ACR on all inputs including HDMI. Roku protects itself from being recorded while simultaneously recording everything the user watches across all connected devices.
What they claim: Roku advertises its platform as a content streaming service focused on entertainment.
What we found: The Roku companion app contains ACCESS_ADSERVICES_AD_ID, ACCESS_ADSERVICES_ATTRIBUTION, and ACCESS_ADSERVICES_TOPICS permissions — a full Google Ad Services integration. Combined with Google AdMob tracker, the app functions as an advertising data collection platform that also happens to control a TV. Roku's own advertising privacy page acknowledges data sharing "may be considered a sale of personal information under relevant law."
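The permission findings above (the CAMERA, RECORD_AUDIO, location and ACCESS_ADSERVICES_* entries) are the kind of thing a reader can check against a privacy policy mechanically. The script below is an added example for this write-up, not Roku's code: it parses an AndroidManifest.xml, lists every declared uses-permission, and reports the privacy-sensitive ones that a supplied disclosure list does not mention. The manifest fragment and package name are constructed; only the permission strings quoted in the write-up are real Android permission names.

```python
"""Audit declared Android permissions against what a privacy policy discloses.

Added example; not Roku's code. SAMPLE_MANIFEST is a constructed fragment
modelled on the permissions the write-up lists. Extract a real manifest with
`apktool d app.apk` or compare against `aapt dump permissions app.apk`.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed manifest fragment (package name is a placeholder).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.remote">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
  <uses-permission android:name="android.permission.WRITE_SETTINGS"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.DETECT_SCREEN_RECORDING"/>
  <uses-permission android:name="android.permission.ACCESS_ADSERVICES_AD_ID"/>
  <uses-permission android:name="android.permission.ACCESS_ADSERVICES_ATTRIBUTION"/>
  <uses-permission android:name="android.permission.ACCESS_ADSERVICES_TOPICS"/>
</manifest>
"""

# Permissions a privacy policy should name explicitly, with what each one exposes.
SENSITIVE = {
    "android.permission.CAMERA": "camera",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_ADSERVICES_AD_ID": "advertising",
    "android.permission.ACCESS_ADSERVICES_ATTRIBUTION": "advertising",
    "android.permission.ACCESS_ADSERVICES_TOPICS": "advertising",
    "android.permission.WRITE_EXTERNAL_STORAGE": "storage",
    "android.permission.WRITE_SETTINGS": "system settings",
}


def declared_permissions(manifest_xml):
    """Return the sorted list of android:name values on <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    return sorted(
        el.get(f"{{{ANDROID_NS}}}name")
        for el in root.iter("uses-permission")
        if el.get(f"{{{ANDROID_NS}}}name")
    )


def undisclosed_sensitive(manifest_xml, disclosed):
    """Map each sensitive permission the policy does not mention to its category."""
    disclosed = set(disclosed)
    return {
        p: SENSITIVE[p]
        for p in declared_permissions(manifest_xml)
        if p in SENSITIVE and p not in disclosed
    }


if __name__ == "__main__":
    # Suppose the policy only ever mentions the camera (used for pairing, say).
    gaps = undisclosed_sensitive(SAMPLE_MANIFEST, ["android.permission.CAMERA"])
    for perm, category in gaps.items():
        print(f"undisclosed {category:15s} {perm}")
```

Feeding the real manifest and the list of data categories the policy actually names produces the gap list directly; the three ACCESS_ADSERVICES_* entries surface as an "advertising" cluster even when the policy speaks only of "interactions with the Roku Services".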
What they claim: Roku privacy policy states users can limit data collection through privacy settings and offers a Do Not Share/Sell opt-out.
What we found: Roku's advertising privacy page (advertising.roku.com/info/ccpa) confirms that opting out only means "ads will be less relevant to you" — data collection continues. The opt-out applies only to the specific browser, not across the Roku ecosystem. Firmware shows 6 hardcoded logging endpoints that receive device telemetry regardless of user privacy choices. Even after opting out of ACR, Roku continues to collect channel usage data. The privacy controls create an illusion of choice while core data collection remains unchanged.
What they claim: Roku privacy policy states it collects data from "data providers (such as advertising companies, data brokers, and social media platforms)" to combine with directly collected data.
What we found: Roku not only collects viewing data directly but actively purchases additional personal data from third-party data brokers and social media platforms to build more comprehensive user profiles. This combined dataset is then shared with Roku's advertising partners through the OneView ad platform. The Michigan and Florida AG lawsuits allege this data includes children's information shared without COPPA consent. Roku's advertising business — which generated the majority of its revenue — depends on this data aggregation pipeline.
What they claim: Roku privacy policy states it employs "industry-standard methods of securing electronic databases of personal information."
What we found: CVE-2018-11314: Roku OS before 8.1 had an External Control API vulnerability allowing unauthorized access via DNS Rebind attacks — any website could remotely control a Roku device and exfiltrate information. Mozilla's Privacy Not Included review noted Roku "appears to lack a dedicated contact for disclosing security vulnerabilities" and has a "lack of an established vulnerability management system." The claim of "industry-standard" security is contradicted by the absence of basic security infrastructure like a vulnerability disclosure program.
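The DNS rebinding weakness in CVE-2018-11314 comes down to a LAN device API that answers any HTTP request reaching its address, whatever name the browser thinks it is talking to. The standard fix is to validate the Host header against the device's own addresses and names before serving a request. The code below is an added example for this write-up, not Roku's firmware: the device addresses, hostname and port are constructed, and the handler is a minimal stand-in for a local control API.

```python
"""Host-header validation that blocks DNS-rebinding access to a LAN device API.

Added example; not Roku's code. In a rebinding attack the browser resolves an
attacker-controlled name to the device's LAN address, so the request arrives
with Host: <attacker name>. A server that only answers when Host names itself
returns 403 to such requests. Addresses and names below are constructed.
"""
from http import HTTPStatus

DEVICE_ADDRESSES = {"192.168.1.42", "[fd00::42]"}   # constructed: the device's own addresses
DEVICE_HOSTNAMES = {"tv.local"}                      # constructed: names the device answers to


def _strip_port(host):
    """'192.168.1.42:8060' -> '192.168.1.42'; '[fd00::42]:8060' -> '[fd00::42]'."""
    if host.startswith("["):
        end = host.find("]")
        return host[: end + 1] if end != -1 else host
    return host.rsplit(":", 1)[0] if ":" in host else host


def host_header_allowed(host_header, addresses=DEVICE_ADDRESSES, hostnames=DEVICE_HOSTNAMES):
    """True only if Host names this device by address or configured hostname."""
    if not host_header:
        return False
    host = _strip_port(host_header.strip()).lower()
    return host in addresses or host in {h.lower() for h in hostnames}


def handle_request(headers, path):
    """Stand-in for a local control API: (status, body). Host is checked first."""
    host = headers.get("Host") or headers.get("host")
    if not host_header_allowed(host):
        return HTTPStatus.FORBIDDEN, "Host header does not name this device"
    if path == "/query/device-info":
        return HTTPStatus.OK, "<device-info>constructed sample</device-info>"
    return HTTPStatus.NOT_FOUND, ""


if __name__ == "__main__":
    # Legitimate LAN request from the user's own browser or remote app.
    print(handle_request({"Host": "192.168.1.42:8060"}, "/query/device-info"))
    # Request arriving via a rebound attacker domain: same socket, wrong Host.
    print(handle_request({"Host": "rebound.attacker.invalid"}, "/query/device-info"))
```

The same check belongs in front of every endpoint, not only the sensitive ones, because the browser's same-origin policy offers no protection once the attacker's name resolves to the device. On the network side, dnsmasq's stop-dns-rebind option refuses upstream answers that point public names at private addresses, which blocks the technique for every device behind that resolver.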
What they claim: Roku privacy policy states ACR (Smart TV Experience) can be disabled by unchecking "Use Info from TV Inputs" in Settings > Privacy > Smart TV Experience.
What we found: Firmware analysis shows Roku OS sends telemetry to multiple hardcoded logging endpoints (cooper.logs.roku.com, giga.logs.roku.com, scribe.logs.roku.com) regardless of ACR opt-out. Disabling ACR only stops content fingerprinting but channel usage data, app usage patterns, and device telemetry continue to be transmitted. The ACR opt-out gives users a false sense of privacy control.
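The claim in the two findings above, that the hardcoded logging endpoints keep receiving telemetry after the ACR opt-out, is one a reader can test on their own network by watching DNS lookups from the TV before and after flipping the switch. The script below is an added example for this write-up, not Roku's code: it parses resolver log lines in a dnsmasq-like "query[A] host from ip" shape, counts lookups of the telemetry hosts by the TV's address on either side of the opt-out time, and reports whether any continued. The three *.logs.roku.com hostnames are the ones named above; the log lines, timestamps and LAN addresses are constructed.

```python
"""Does the TV keep contacting its telemetry hosts after the ACR opt-out?

Added example; not Roku's code. SAMPLE_LOG is constructed in a dnsmasq-like
shape; the *.logs.roku.com names come from the write-up, everything else is
made up. On a real network, point the TV at a resolver with query logging
(dnsmasq log-queries, Pi-hole) and feed that log in instead.
"""
import re
from datetime import datetime

TELEMETRY_HOSTS = {"cooper.logs.roku.com", "giga.logs.roku.com", "scribe.logs.roku.com"}
TV_IP = "192.168.1.42"                            # constructed: the TV's LAN address
OPT_OUT_AT = datetime(2025, 11, 12, 20, 10, 0)    # constructed: when ACR was switched off

# Constructed resolver log. Lines from 192.168.1.10 belong to another device.
SAMPLE_LOG = """\
2025-11-12 20:01:03 query[A] cooper.logs.roku.com from 192.168.1.42
2025-11-12 20:02:17 query[A] giga.logs.roku.com from 192.168.1.42
2025-11-12 20:05:40 query[A] scribe.logs.roku.com from 192.168.1.42
2025-11-12 20:06:02 query[A] example-cdn.invalid from 192.168.1.42
2025-11-12 20:08:55 query[A] www.example.org from 192.168.1.10
2025-11-12 20:12:31 query[A] cooper.logs.roku.com from 192.168.1.42
2025-11-12 20:14:09 query[A] scribe.logs.roku.com from 192.168.1.42
2025-11-12 20:20:45 query[A] giga.logs.roku.com from 192.168.1.42
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) query\[A\] (?P<host>\S+) from (?P<ip>\S+)$"
)


def parse_queries(log_text):
    """Yield (timestamp, hostname, client_ip) for every well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["host"], m["ip"]


def telemetry_contacts(log_text, device_ip, opt_out_at, telemetry_hosts=TELEMETRY_HOSTS):
    """Per-host lookup counts by the device, split into before/after opt-out."""
    before, after = {}, {}
    for ts, host, ip in parse_queries(log_text):
        if ip != device_ip or host not in telemetry_hosts:
            continue
        bucket = before if ts < opt_out_at else after
        bucket[host] = bucket.get(host, 0) + 1
    return before, after


def opt_out_respected(log_text, device_ip, opt_out_at):
    """True if no telemetry host was looked up by the device after opt-out."""
    _, after = telemetry_contacts(log_text, device_ip, opt_out_at)
    return sum(after.values()) == 0


if __name__ == "__main__":
    before, after = telemetry_contacts(SAMPLE_LOG, TV_IP, OPT_OUT_AT)
    print("before opt-out:", before)
    print("after opt-out: ", after)
    print("opt-out stops telemetry lookups:", opt_out_respected(SAMPLE_LOG, TV_IP, OPT_OUT_AT))
```

DNS lookups are a lower bound on contact: a device that caches a resolution or pins an address can send telemetry without a fresh query, so pairing this with per-destination flow counts from the router gives a firmer answer. The hostnames the script watches are also the natural entries for a resolver blocklist on networks where the owner decides to sinkhole them.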
What they claim: Roku's dispute resolution terms (updated March 2024) require mandatory arbitration for all disputes.
What we found: In March 2024, Roku pushed a terms-of-service update that locked TVs and streaming devices behind a prompt until users agreed to new mandatory arbitration terms. Users who declined could not use their purchased hardware. The only opt-out was mailing a physical letter within 30 days to Roku's San Jose office. Consumer Reports documented that the TV menu was completely inaccessible without clicking "agree." This is unprecedented — a company bricking consumer hardware to force acceptance of legal terms that strip the right to sue.