Roku sells you a cheap streaming stick, but the real product is you. The device watches everything you watch — every show, every ad, every DVD — second by second, and sells that information to advertisers. This is Roku's primary business model, generating over $1.4 billion in advertising revenue, but the marketing focuses entirely on entertainment features. Roku has built a sophisticated system to track your viewing habits and link all your devices for advertising purposes, but an independent security review found they don't even have basic security measures in place. They can track what you watch second by second, but they couldn't prevent hackers from accessing over half a million accounts.
What they claim: Roku's advertising page describes ACR as helping marketers "optimize campaigns" and providing "granular measurement." Roku markets the Streaming Stick 4K as a device to "stream what you love" with emphasis on entertainment features like 4K, Dolby Vision, and HDR10+.
What we found: Roku's own ACR documentation states it can "understand on a second-by-second basis what content viewers watched on linear TV, what ads they saw, and how much of an ad they viewed." The privacy policy confirms ACR tracks viewing across ALL inputs — streaming, cable, broadcast, and even DVDs. Roku won an Emmy for developing this surveillance technology at scale. Platform revenue (primarily advertising) exceeded $1.4 billion in 2022, dwarfing hardware revenue — the device is sold at or below cost to maximize the ad-targeting installed base.
What they claim: The Roku app (com.roku.remote) is marketed as a remote control companion app for Roku streaming devices, allowing users to control their TV and browse content.
What we found: The app requests ACCESS_ADSERVICES_AD_ID, ACCESS_ADSERVICES_ATTRIBUTION, ACCESS_ADSERVICES_TOPICS, AD_ID, and AD_SERVICES_CONFIG — five separate advertising identifier permissions. It also requests DETECT_SCREEN_RECORDING (to detect whether the user is recording their screen) and RECORD_AUDIO (microphone access). The app embeds Google AdMob (an ad network), Google Firebase Analytics, and Google Crashlytics. A remote control app should not need five ad-tracking permissions, screen recording detection, or an embedded ad network.
What they claim: Roku's privacy policy describes its data collection practices as applying to all users of "Roku Services" including Roku players, TV models, and apps. The policy does not include specific protections for children's data or describe a mechanism for obtaining verifiable parental consent.
What we found: The Michigan Attorney General filed a COPPA lawsuit (April 2025) alleging Roku collects children's names, device IDs, locations, voice recordings, IP addresses, and browsing histories without parental consent, then shares this data with third-party advertisers. Florida filed the first-ever enforcement action under its Digital Bill of Rights (October 2025), with penalties of up to $150,000 per violation involving known children. Two state attorneys general independently concluded that Roku violates children's privacy.
What they claim: Roku markets the Streaming Stick 4K as an entertainment device: "Stream what you love" with 4K, Dolby Vision, and HDR10+. The product page focuses entirely on streaming quality and content access.
What we found: The device firmware contains hardcoded endpoints including analytics.roku.com, advertising.roku.com, scribe.roku.com (event logging), cooper.roku.com (ad serving), and logs.roku.com. Of nine known endpoints, at least four are dedicated to advertising, analytics, and data collection — not content delivery. The privacy policy confirms data is shared with "ad networks, advertising partners and our advertisers." The device's architecture builds surveillance infrastructure in alongside content delivery.
What they claim: The Roku Streaming Stick 4K is a media streaming device. The companion app includes voice search functionality for finding content.
What we found: The companion app requests RECORD_AUDIO permission for microphone access. Roku's privacy policy lists "voice recordings" among collected data categories. The Michigan AG COPPA lawsuit specifically alleges Roku collects voice recordings from children without parental consent. Mozilla's review identified voice recordings as a concern and recommends users "turn off microphone access." While voice search is a legitimate feature, the policy's broad language about voice recording collection, combined with the lack of specific retention limits, means voice data may be used beyond immediate search queries.
What they claim: The Roku Streaming Stick 4K is sold as a standalone streaming device that plugs into a single TV. Users expect it to operate as a media player for that specific television.
What we found: Roku's privacy policy states it "associates the browsers and devices used by the same individual or household for purposes of advertising." The companion app requests ACCESS_COARSE_LOCATION, BLUETOOTH, BLUETOOTH_CONNECT, and ACCESS_WIFI_STATE — permissions that enable mapping the user's device ecosystem and physical location. Combined with ACR data from the streaming device, Roku builds a comprehensive profile linking the user's TV viewing, phone usage, location, and household composition.
What they claim: Roku's privacy policy states personal information "may be retained for as long as needed to fulfill legitimate business purposes...or for a time period specifically required or allowed by applicable regulations or laws." No specific retention period is disclosed.
What we found: The CCPA filing confirms Roku collects device identifiers, MAC addresses, viewing habits (second-by-second via ACR), voice recordings, search queries, app usage, location data, and inferred interests. Under CCPA, Roku's data sharing with advertisers may constitute a "sale" of personal information. The policy's vague retention language — "as long as needed" — effectively means indefinite retention of highly granular personal data including second-by-second viewing records and voice recordings, with no mechanism for users to verify what is actually retained.
What they claim: Roku's ACR advertising page states that ACR data collection requires users to have "opted-in." The privacy policy mentions users can disable ACR in Settings > Privacy > Smart TV Experience.
What we found: The privacy policy also states: "Roku still receives information about your interactions and streaming activities on your devices through other methods" even after ACR is disabled. The device firmware contains hardcoded endpoints for analytics.roku.com, advertising.roku.com, scribe.roku.com, and logs.roku.com that operate independently of the ACR opt-in setting. Consumer Reports found it takes 11 to 24 clicks to disable ACR. The opt-in framing creates an illusion of control while the underlying data collection architecture continues operating.
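One way to check the finding that collection continues after ACR is switched off is to watch what the stick resolves at the router. The following added example (not from the report) classifies dnsmasq query-log lines for the device's IP against the endpoints named above; the log lines, the device address 192.168.1.40 and the host content-cdn.example.net are constructed.

```python
"""Bucket a device's DNS queries by the roku.com endpoint roles the report lists.
Added example, not from the report: parses dnsmasq-style query log lines
(constructed sample below) for one device IP after ACR was disabled."""
import re
from collections import Counter

# Roles as described in the report; any other host is counted as "other".
TRACKING_ENDPOINTS = {
    "analytics.roku.com": "analytics",
    "advertising.roku.com": "advertising",
    "scribe.roku.com": "event logging",
    "cooper.roku.com": "ad serving",
    "logs.roku.com": "logging",
}
# dnsmasq log-queries format: "<ts> <host> dnsmasq[<pid>]: query[A] <name> from <src>"
LINE_RE = re.compile(
    r"^\w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \S+ dnsmasq\[\d+\]: "
    r"query\[(?:A|AAAA)\] (?P<name>\S+) from (?P<src>\S+)$"
)
# Constructed sample; content-cdn.example.net stands in for an unnamed content host.
SAMPLE_LOG = """\
Jan 14 21:03:07 router dnsmasq[812]: query[A] scribe.roku.com from 192.168.1.40
Jan 14 21:03:07 router dnsmasq[812]: query[A] content-cdn.example.net from 192.168.1.40
Jan 14 21:03:09 router dnsmasq[812]: query[A] logs.roku.com from 192.168.1.40
Jan 14 21:03:12 router dnsmasq[812]: query[AAAA] advertising.roku.com from 192.168.1.40
Jan 14 21:03:15 router dnsmasq[812]: query[A] analytics.roku.com from 192.168.1.40
Jan 14 21:03:20 router dnsmasq[812]: query[A] scribe.roku.com from 192.168.1.40
Jan 14 21:03:21 router dnsmasq[812]: query[A] example.com from 192.168.1.12
"""

def parse_queries(log_text, device_ip):
    """Hostnames queried by device_ip, in log order; non-query lines are skipped."""
    names = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("src") == device_ip:
            names.append(m.group("name").lower().rstrip("."))
    return names

def classify(names):
    """Per-host query counts split into listed tracking endpoints and everything else."""
    tracking, other = Counter(), Counter()
    for name in names:
        (tracking if name in TRACKING_ENDPOINTS else other)[name] += 1
    return tracking, other

def tracking_share(log_text, device_ip):
    """Fraction of the device's queries that went to advertising/analytics/logging hosts."""
    tracking, other = classify(parse_queries(log_text, device_ip))
    total = sum(tracking.values()) + sum(other.values())
    return sum(tracking.values()) / total if total else 0.0
```

The same host set can be fed to a router-level DNS blocklist; the report does not establish which device features that would affect.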
What they claim: Roku's privacy policy states it "associates the browsers and devices used by the same individual or household for purposes of advertising" and discloses data to "ad networks, advertising partners and our advertisers." The policy describes sophisticated cross-device tracking capabilities.
What we found: Mozilla's independent cybersecurity review found Roku lacks a vulnerability management system and has no dedicated security contact or bug bounty program, failing Mozilla's minimum security standards. Meanwhile, CVE-2018-11314 (CVSS 9.6) showed the External Control API had zero authentication — any website could remotely control the device via DNS rebinding. The 2024 credential-stuffing breaches compromised 591,000+ accounts, and Roku only enabled 2FA after the second breach. Roku invests in sophisticated ad-tracking infrastructure while leaving basic security unaddressed.
What they claim: Roku stores payment methods for user accounts to enable purchases of streaming subscriptions and hardware directly through the platform.
What we found: Mozilla's security review found Roku lacks a vulnerability management system and has no bug bounty program. CVE-2018-11314 demonstrated the External Control API had zero authentication (CVSS 9.6). In 2024, two credential-stuffing attacks compromised 591,363 accounts total, with attackers making unauthorized purchases using stored payment methods in ~400 cases. Roku only enabled 2FA for its 80 million accounts after the second breach. The absence of basic security infrastructure for a platform handling payment data for 80 million users is a significant security gap.
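Both of the last two findings cite CVE-2018-11314 as the page describes it: a control API with no authentication, reachable from any website through DNS rebinding. As an added defensive example that is not Roku's code, the block below shows the Host-header check that refuses a rebound request, which works because the victim's browser keeps sending the attacker's domain as Host. The device addresses, the handler and port 8080 are constructed.

```python
"""Host-header check for a LAN device control API, as a DNS-rebinding mitigation.
Added example, not Roku's code. A browser misled by DNS rebinding still sends
the attacker's domain in the Host header, so a request whose Host is not one
of the device's own addresses or names can be refused before anything runs."""
import ipaddress
from http.server import BaseHTTPRequestHandler, HTTPServer

def host_is_self(host_header, allowed):
    """True only if the Host header names this device itself.

    allowed: lowercase set of the device's own IPs and hostnames. Empty or
    absent headers, foreign names and foreign IP literals are all rejected;
    a port suffix is ignored and IPv6 literals are canonicalised."""
    if not host_header:
        return False
    h = host_header.strip().lower()
    if h.startswith("["):                      # bracketed IPv6, e.g. [::1]:8080
        end = h.find("]")
        if end < 0:
            return False
        h = h[1:end]
    elif h.count(":") == 1:                    # host:port
        h = h.split(":", 1)[0]
    try:
        h = str(ipaddress.ip_address(h))       # canonical text, e.g. 0:0:0:0:0:0:0:1 -> ::1
    except ValueError:
        pass                                   # a hostname: compare as written
    return h in allowed

class ControlHandler(BaseHTTPRequestHandler):
    """Stand-in for an unauthenticated control endpoint, with the check in front."""
    allowed = {"192.168.1.40", "127.0.0.1", "::1"}   # constructed: this device's addresses

    def do_POST(self):
        if not host_is_self(self.headers.get("Host"), self.allowed):
            self.send_error(403, "Host header does not name this device")
            return
        self.send_response(204)                # the control command would be dispatched here
        self.end_headers()

if __name__ == "__main__":
    # Port 8080 is a placeholder, not the device's real control port.
    HTTPServer(("0.0.0.0", 8080), ControlHandler).serve_forever()
```

This closes only the rebinding path; the page's core finding is the missing authentication, and the Host check is a layer in front of authenticating the caller, not a substitute for it.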