The Texas attorney general’s office moved quickly. Temporary restraining orders were obtained against Hisense and Samsung, forcing the companies to halt certain ACR-related data collection practices in Texas. Those orders signal a willingness by state regulators to intervene directly at the technical level when embedded tracking mechanisms are deemed unlawful.
Embedded tracking meets state-level enforcement muscle
Paxton’s lawsuits assert that data collected through ACR was monetized by being sold to data brokers and used for advertising purposes. Beyond consumer privacy concerns, the complaints frame the practice as a cybersecurity and national security issue — particularly where manufacturers have ties to China. Hisense and TCL, both named in the actions, are owned by Chinese companies.
In announcing the lawsuits, Paxton took aim at the idea that smart TVs should function as silent data collectors inside private homes.
“Companies, especially those connected to the Chinese Communist Party, have no business illegally recording Americans’ devices inside their own homes.”
He described the alleged ACR practices as “invasive, deceptive, and unlawful,” while emphasizing that “owning a television does not mean surrendering your personal information to Big Tech or foreign adversaries.” The language underscores how Texas is framing these cases not merely as consumer protection disputes, but as matters tied to sovereignty, security, and domestic autonomy.
Why automated content recognition is different
Automated content recognition works by identifying what appears on a television screen using audio or visual “fingerprints,” which are then compared against large reference databases. Unlike traditional app-based tracking, ACR can identify content regardless of its source — streaming platforms, broadcast television, DVDs, or devices connected through HDMI inputs.
This capability is precisely what makes ACR so attractive to advertisers — and so problematic from a privacy perspective. It collapses the boundary between individual services that consumers knowingly subscribe to and the television hardware itself, which consumers often perceive as passive.
As Frankfurt Kurnit Klein and Selz Associate Andrew Folks explained, the technology challenges long-standing assumptions about user awareness and consent.
“Like so much in privacy, it boils down to a consumer’s reasonable expectation of privacy.”
Folks noted that consumers may reasonably expect streaming platforms to track viewing behavior within their own apps. However, that expectation does not necessarily extend to television manufacturers monitoring everything displayed on the screen — including content played through external devices.
“They might not expect manufacturers to collect information about what they are watching through their DVD player or HDMI port, as ACR enables.”
Consent problems begin at device setup
The Texas complaints argue that smart TV manufacturers failed to provide meaningful notice about the true scope of ACR monitoring. Instead, disclosures were allegedly buried in onboarding flows during initial device setup — a moment when consumers are primarily focused on getting their television to work.
Folks pointed out that this problem is hardly new. Connected devices have long relied on bundled consent screens that combine essential functionality with optional data collection.
Grouping consent during device setup “has been an issue since the early days.”
According to Folks, ACR opt-ins may be packaged together with features necessary to operate the television, raising serious questions about whether consent is truly voluntary or informed. When declining data collection risks impairing core functionality, regulators are increasingly skeptical that meaningful choice exists at all.
Texas’ legal toolkit: deceptive practices over privacy statutes
Rather than relying solely on comprehensive privacy laws, Paxton’s office alleges that the ACR practices violate the Texas Deceptive Trade Practices Act. The DTPA has emerged as one of Texas’ most powerful enforcement tools in privacy-related cases, offering broader remedies and fewer procedural hurdles than newer privacy frameworks.
The approach is consistent with Texas’ recent enforcement history. The DTPA played a central role in the state’s $1.4 billion settlement with Meta in 2024 and its $1.375 billion settlement with Google the following year.
“What Texas has demonstrated is that states have a deep bench of statutes they can leverage to address ACR practices.”
Folks emphasized that deceptive practices laws often provide clearer enforcement pathways than comprehensive privacy statutes, particularly when regulators want to move quickly or seek injunctive relief rather than narrowly defined statutory penalties.
Technical realities and enforcement feasibility
While the lawsuits raise sweeping concerns, experts caution that ACR technology does not provide unlimited access to consumers’ devices or raw video feeds. The systems operate within defined parameters, identifying content rather than continuously surveilling households.
Alva Strategy Center Principal founder Aaron Alva explained that the temporary restraining orders obtained by Texas are technically realistic to implement.
“Typically, they can take the IP address, which is also another data element that might be a part of what’s being collected, and take the IP addresses that are generally in the geographic area of Texas, and then decide to turn off that data collection remotely from their servers.”
Alva, who previously spent a decade as a technologist and advisor at the U.S. Federal Trade Commission, noted that this type of technical intervention could extend beyond smart TVs.
“Imagine a state attorney general recognizes that there’s someone collecting real-time location data and using it for purposes that they deem to be both unfair and creating harm to consumers.”
He added that imposing temporary restraints on data collection could become a logical enforcement step in future cases involving sensitive data types.
“The attorney general taking that sort of temporary restraint or action seems like a logical step.”
National security fears versus technical limits
The Texas complaints also argue that data collected by Hisense and TCL could be subject to China’s National Security Law, which can compel companies to provide data to the government. While nonconsensual data sharing is itself a privacy issue, the possibility of access by a foreign adversary elevates the concern in the eyes of state officials.
Alva cautioned, however, that the national security risk should be understood in light of what ACR actually collects.
“Whenever you have sensitive data being sent to unknown actors, whether they be foreign or domestic, then that creates sensitivities when it comes to those entities.”
He emphasized that the core risk is not cinematic surveillance, but the aggregation of behavioral data that can be used to profile, influence, or target individuals in harmful ways.
“Being able to know more about a particular consumer and target them in ways that might cause harm can create national security issues.”
What this moment signals for privacy enforcement
Texas’ ACR lawsuits illustrate a broader shift in U.S. privacy enforcement. Regulators are increasingly willing to challenge tracking technologies embedded at the hardware level, especially when they operate outside consumers’ expectations and inside private spaces like the home.
The cases also reinforce a trend toward using general consumer protection and deceptive practices statutes as privacy enforcement vehicles. For companies, that means compliance risk is no longer limited to explicit privacy laws; it extends to any practice that regulators can plausibly characterize as misleading, unfair, or inconsistent with how consumers reasonably understand a product to function.
As smart devices become more ambient, more interconnected, and less visibly “online,” the Texas actions suggest that enforcement scrutiny will follow the technology — from screens and microphones to sensors, location data, and beyond.
