Samsung says it watches what you view on your TV to give you better recommendations. In reality, the TV takes a screenshot every half second of everything on screen — including content from your gaming console, laptop, or DVD player connected via HDMI — and sends this data to Samsung's advertising servers. Samsung was sued by Texas and paid $46 million in a class action because this data was being sold for advertising, not just used for recommendations. Samsung told customers their voice data was encrypted when sent from the TV. Security researchers proved this was a lie — voice recordings were sent without encryption, meaning anyone on the same network could listen to what you said near your TV. A privacy watchdog filed a formal complaint with the FTC over this.
What they claim: Samsung describes Smart TV viewing data collection as being for personalisation.
What we found: The Texas Attorney General settled with Samsung over its Automated Content Recognition (ACR) system, which captured screenshots of whatever was on screen every 500 milliseconds — twice per second. Samsung must now obtain express consent before collecting viewing data. Texas also sued Sony, LG, Hisense, and TCL for identical ACR surveillance, with Hisense receiving the first-ever temporary restraining order against a TV maker.
What they claim: Samsung's SmartTV privacy supplement describes ACR as collecting information about "channels and networks you watch" and "programs you view" — implying it only tracks broadcast/streaming content on the TV's native apps.
What we found: UCL/UC Davis research (2024) confirmed that Samsung's ACR fingerprints content displayed on ALL inputs, including HDMI. This means content from external devices (gaming consoles, laptops, Blu-ray players) connected via HDMI is also captured and fingerprinted. The $46M class action specifically noted ACR records "content displayed when the TV is used as a computer monitor." The policy language about "channels" and "programs" obscures the true scope of surveillance.
What they claim: The Samsung Smart TV is a television — a display device for watching content. It does not make phone calls, track physical activity, or function as a surveillance camera.
What we found: The SmartThings companion app requests 46 permissions including: CALL_PHONE, RECORD_AUDIO, CAMERA, ACCESS_FINE_LOCATION, ACCESS_BACKGROUND_LOCATION, ACTIVITY_RECOGNITION, HIGH_SAMPLING_RATE_SENSORS, READ_CONTACTS, READ_PHONE_NUMBERS, READ_PHONE_STATE, MODIFY_PHONE_STATE, QUERY_ALL_PACKAGES, WRITE_SECURE_SETTINGS, and WRITE_SETTINGS. Many of these permissions have no reasonable connection to controlling a television.
What they claim: CVE-2022-44636 (Samsung-classified as critical, SVE-2022-50125): Samsung TV smart remote control allows Bluetooth spoofing to enable microphone access. Samsung markets its TVs as not having built-in microphones — the mic is on the remote — framing this as a privacy advantage.
What we found: The remote control's microphone can be hijacked via Bluetooth spoofing (CVE-2022-44636). An attacker within Bluetooth range can spoof the remote pairing process when a user presses a button, gaining unauthorized microphone access. This means the "privacy advantage" of not having a built-in TV mic is undermined — the remote's mic is equally exploitable. Samsung's own security bulletin classified this as critical severity, yet the marketing materials continue to emphasize the absence of a built-in TV microphone.
What they claim: Samsung Tizen TVs include a built-in web browser based on Chromium/V8, marketed as a feature for internet browsing on the big screen.
What we found: Multiple high-severity vulnerabilities in the TV's browser engine: SVE-2022-50146 through SVE-2022-50152 (V8 JIT compiler bugs enabling remote code execution on 2020-2022 models) and SVE-2023-50069 (XML validation bypass in Chromium). Visiting a malicious website on the TV's browser could allow an attacker to execute arbitrary code on the TV — a device that has ACR access to everything displayed on screen, network access, and (via CVE-2022-44636) potential microphone access through the remote.
What they claim: Samsung's privacy policy claims data is processed securely and mentions Samsung Knox security for device protection.
What we found: EPIC's 2015 FTC complaint established that Samsung transmitted voice recordings unencrypted to Nuance Communications. The $46M class action found ACR data collected without proper consent. The Texas AG found privacy prompts were misleading. CVE-2022-44636 shows the remote's mic can be hijacked via Bluetooth. V8 JIT bugs (SVE-2022-50146) enable remote code execution via the browser. The pattern across a decade (2015-2026) shows Samsung repeatedly failing to meet its own stated security commitments.
What they claim: Samsung markets its Crystal UHD TVs as entertainment devices with "PurColor" and "Crystal Processor 4K" for an enhanced viewing experience.
What we found: The TV's firmware contacts 9+ dedicated endpoints including ACR tracking servers (acr-us-prd.samsungcloud.tv, log-config.samsungacr.com), advertising infrastructure (osb-apps.samsungqbe.com), and Samsung cloud services. The device functions as an advertising platform that also displays content — not the other way around. The ACR system captures screen fingerprints every 500ms across ALL inputs, making the TV fundamentally a surveillance device wrapped in entertainment marketing.
What they claim: Samsung's SmartTV Supplement states that viewing information is collected "to enhance video content" and provide "customised TV, movie, and other content recommendations." This frames ACR as a helpful recommendation feature.
What we found: The firmware-level ACR system captures screen fingerprints every 500ms and transmits them to dedicated ACR servers (acr-us-prd.samsungcloud.tv, acr0.samsungcloudsolution.com, log-config.samsungacr.com). UC Davis/UCL research (IMC 2024) confirmed Samsung transmits up to 2x more ACR data than LG. The $46M class action settlement and Texas AG lawsuit (December 2025) established that this data is monetized for advertising — not merely used for recommendations. Samsung settled with Texas on February 26, 2026, agreeing to halt ACR collection without express consent.
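As an added example (not Samsung's or the researchers' code), the Python below checks a home resolver's query log for the ACR hostnames named above and reports which of them a device still looks up after the Viewing Information Services opt-out was applied. The dnsmasq log format, the client and resolver addresses, the sample lines and the default year are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# ACR hostnames exactly as named on this page.
ACR_HOSTS = {
    "acr-us-prd.samsungcloud.tv",
    "acr0.samsungcloudsolution.com",
    "log-config.samsungacr.com",
}

# dnsmasq log-queries line: "<ts> dnsmasq[pid]: query[A] <name> from <client>"
QUERY_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s+dnsmasq\[\d+\]:\s+"
    r"query\[[A-Z0-9]+\]\s+(?P<name>\S+)\s+from\s+(?P<client>\S+)$"
)

def parse_ts(ts, year=2026):
    # Syslog timestamps omit the year; the default here is an assumption.
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def acr_queries(log_text):
    """Return {client_ip: [(datetime, hostname), ...]} for ACR lookups."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = QUERY_RE.match(line.strip())
        if not m:
            continue  # reply/forward lines and anything malformed
        name = m.group("name").rstrip(".").lower()
        if name in ACR_HOSTS:
            hits[m.group("client")].append((parse_ts(m.group("ts")), name))
    return dict(hits)

def lookups_after(hits, client, optout_ts):
    """ACR hostnames a client still resolved after the opt-out time."""
    cutoff = parse_ts(optout_ts)
    return sorted({host for when, host in hits.get(client, []) if when > cutoff})

# Constructed sample log (not captured traffic); 192.168.1.50 stands in for the TV.
SAMPLE_LOG = """\
Mar  1 20:15:01 dnsmasq[512]: query[A] acr-us-prd.samsungcloud.tv from 192.168.1.50
Mar  1 20:15:01 dnsmasq[512]: forwarded acr-us-prd.samsungcloud.tv to 192.0.2.53
Mar  1 20:15:02 dnsmasq[512]: query[A] example.org from 192.168.1.23
Mar  1 20:16:40 dnsmasq[512]: query[AAAA] LOG-CONFIG.samsungacr.com. from 192.168.1.50
Mar  1 20:45:12 dnsmasq[512]: query[A] acr0.samsungcloudsolution.com from 192.168.1.50
"""
if __name__ == "__main__":
    hits = acr_queries(SAMPLE_LOG)
    print(lookups_after(hits, "192.168.1.50", "Mar  1 20:30:00"))
```

A query log only shows lookups sent to the logged resolver, so a device configured to use a different resolver will not appear in it.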
What they claim: Samsung's privacy policy mentions sharing data with "service providers" and "analytics companies" but does not name specific third parties receiving SmartThings app data.
What we found: The SmartThings app (v1.8.21.28) embeds two Microsoft trackers: Microsoft Visual Studio App Center Analytics and Microsoft Visual Studio App Center Crashes (identified via Exodus Privacy report). These trackers send app usage data, crash reports, and device information to Microsoft's servers. Samsung's privacy policy does not specifically name Microsoft as a data recipient, despite the SmartThings app being the primary way users interact with Samsung smart home devices including TVs.
What they claim: Samsung's privacy policy states it uses encryption to secure consumers' personal information and protect data in transit.
What we found: EPIC's 2015 FTC complaint documented that Samsung transmitted voice recordings from SmartTV voice recognition to Nuance Communications without encryption. Security researchers independently confirmed they could decode the voice audio in transit, enabling eavesdropping on conversations in users' homes. Samsung's privacy policy explicitly claimed encryption was used, which was demonstrably false.
What they claim: Samsung's privacy policy states users can control data collection through settings and make informed decisions about their data.
What we found: Texas AG Paxton's December 2025 lawsuit specifically alleged that Samsung's privacy prompts and consent dialogs were NOT clear or conspicuous, preventing consumers from making informed decisions. The February 2026 settlement required Samsung to "rewrite its on-screen privacy prompts and consent screens" to be clear and conspicuous. The $46M class action similarly alleged Samsung collected data "without proper consent." The ACR opt-out is buried under Settings > Support > Terms & Privacy > Privacy Choices > Viewing Information Services — five menu levels deep.