
Your Privacy, Your Devices, and You


If you own or are looking to buy a new TV, Blu-ray player, or media streamer, you should keep in mind that the device is almost certainly tracking what you watch and reporting that and other information back to the company, which might then share or sell the data to advertisers or other interested parties.

Some companies allow you to disable this “feature” (which, they claim, helps them show you the programming you want). Others don’t. In some cases you can choose to never connect the product to the Internet, though this option isn’t always practical (media streamers, for example, won’t function without being online). Such offline use also has its own issues, which we’ll discuss below. In practice, opting out in that fashion generally means that you’ll merely miss out on extra features like personalized recommendations or overlay displays of cast and crew info for movies and TV shows, but in some cases we found that streaming services and apps were not available at all.

Recently, Vizio got mainstream media attention for its tracking policies, which include such sketchy practices as enabling the tracking by default and bundling your IP address with your viewing habits so that advertisers can send ads to any other device on your network (like your phone or tablet). Two class-action lawsuits have been filed against Vizio, alleging that the company’s data-sharing practices allow users to be personally identified and violate the Video Privacy Protection Act, among other offenses.

While such tracking is morally dubious, during our research into the practice we found that Vizio isn’t alone. In fact, some companies are arguably worse.

We don’t like this trend any more than you do, but frustratingly, there's no way around it right now. So instead, we’re going to explain what each company does so that you can make your own decision about its policies. We’ve simplified the language as best we can, but in most cases the language of such policies is intentionally vague or unclear.

You have two ways to read this guide. If you’re interested in a product from a specific company, you can go directly to that product maker’s section using the table of contents below. Or if you’re interested in a product category (media streamers, say), you can scroll down to read all of the policies for that category.

An important note: This overview is accurate as of the date stamp you see above. We’ve included screen captures of the various websites to show what we saw when we wrote this article, because companies have a history of changing their policies and then crying foul and claiming that any criticism is unfounded. We’ve included the links, too, so you can double-check the current policy. Generally a company will state the date on which its policy takes effect. In some cases we reached out to companies whose policy language was unclear; we’ve included responses from those we heard from, and we will add to this guide as we hear from those that haven’t responded yet.

Also, these are just the policies of the manufacturers. Any content you stream, any websites you access, any apps you download, or any games you play may have their own ways of collecting—and possibly distributing—information about you and what you do.

Short list of terms

The exact language may vary slightly, but each company policy uses similar terms to describe what kinds of data it captures. Here are a few key terms to understand before you read on.

Viewing data: What you watch, and usually also when you watch it and whether the show is live, on DVR, or streaming.

Personal data: Your name, address, credit card info, and the like.

Non-personal data: A dubious term, but usually it refers to your IP address (the location of your Web-connected devices on the Internet), your device ID (a unique identifier for your TV, tablet, phone, or computer), your general location, and other such data. Often “non-personal data” refers to everything except your name and physical address.

Opt-in: By default, data collection and tracking are off. You have to choose to enable those functions, or “opt in” to be a part of the program.

Opt-out: By default, data collection and tracking are on. If you don’t want to be tracked, you have to find the option in the menu and disable it (when you can).

Cross-device tracking: This is a relatively new type of tracking that links data about your behavior across multiple Internet-connected devices and platforms, such as websites, smartphones, tablets, and TVs. Say that you watch an episode of House of Cards on your TV; after that, an ad for a different Netflix series appears on a website that you’re viewing on your phone.

Hash: This is an algorithm that converts a piece of text to another, random-seeming string of characters of a fixed length, say, “WIRECUTTER” to “NJ3IL0XP.” Hashing is, ideally, a one-way process, or at least the algorithms are designed to make the strings very difficult to reverse to derive the original text. When you create a password on a website, the company stores only the hashed version. That way, if hackers breach the servers, they won’t be able to access a database of actual passwords. Some companies say they hash your IP address when sharing it with third parties.
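
Why a hashed IP address can still act as a tracking identifier, shown as an added example (not from the original article or any company's code). The sample records, the 203.0.113.0/24 documentation addresses, the function names, and the choice of SHA-256 are all assumptions, since the policies name no algorithm.

```python
import hashlib
import hmac
import ipaddress
import secrets


def plain_hash(ip):
    """Unkeyed hash: anyone who sees the IP can compute the same token."""
    return hashlib.sha256(ip.encode()).hexdigest()


def keyed_hash(ip, key):
    """HMAC with a secret key: only the key holder can compute the token."""
    return hmac.new(key, ip.encode(), hashlib.sha256).hexdigest()


def with_key(key):
    """Bind a key so keyed_hash can be passed wherever plain_hash is."""
    return lambda ip: keyed_hash(ip, key)


# Constructed sample data, using the RFC 5737 documentation range.
TV_VIEWING = [("203.0.113.7", "House of Cards S01E01"),
              ("203.0.113.52", "Evening News")]
AD_REQUESTS = [("203.0.113.7", "phone browser"),
               ("203.0.113.99", "tablet app")]

# Hypothetical secret held only by the party that owns the raw addresses.
VENDOR_KEY = secrets.token_bytes(32)


def share(records, pseudonymize):
    """Replace the IP in each record with its token before sharing."""
    return [(pseudonymize(ip), payload) for ip, payload in records]


def link(shared_a, shared_b):
    """Join two data sets on the token, as a data recipient could."""
    index = {}
    for token, payload in shared_a:
        index.setdefault(token, []).append(payload)
    return [(a, b) for token, b in shared_b for a in index.get(token, [])]


def find_in_range(token, cidr, pseudonymize):
    """Return the address in cidr whose token matches, or None.

    Illustrates the small input space: a /24 has only 256 candidates,
    so an unkeyed hash of an address hides very little.
    """
    for addr in ipaddress.ip_network(cidr):
        if pseudonymize(str(addr)) == token:
            return str(addr)
    return None


if __name__ == "__main__":
    # Unkeyed: the recipient hashes the IPs it sees itself and joins them
    # against the shared viewing data.
    print(link(share(TV_VIEWING, plain_hash), share(AD_REQUESTS, plain_hash)))
    # Keyed: the recipient cannot reproduce the token, so the join is empty.
    print(link(share(TV_VIEWING, with_key(VENDOR_KEY)),
               share(AD_REQUESTS, plain_hash)))
    print(find_in_range(plain_hash("203.0.113.7"), "203.0.113.0/24", plain_hash))
```

A keyed token only helps while the key stays with the party that holds the raw addresses; a recipient who is given the key can do everything shown for the unkeyed hash.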

Binding arbitration: Several companies’ terms-of-use agreements contain binding-arbitration clauses. Binding arbitration is a way of resolving disputes outside of the court system, with a neutral third party acting as arbitrator, reviewing the law and evidence and issuing a decision that the parties typically can’t appeal.

Agreeing to binding arbitration means, basically, that all parties give up their right to sue, and that they agree to resolve any disputes with an arbitrator, not in court. That means, in practice, that consumers can’t bring an individual lawsuit against a company and can’t launch or join a class-action lawsuit.

The New York Times recently ran a series of articles about the growing use of such clauses in the terms-of-use agreements attached to products that large companies sell. (They often appear in credit-card agreements too, so that’s the focus of the article.) The Times found that with the increasing use of binding-arbitration clauses, the number of successful class-action lawsuits has dropped dramatically. Some people argue that this means companies face fewer frivolous lawsuits, but others say that this means consumers have become more disempowered against large corporations, and that unfair or questionable business practices can remain unchallenged, since without being able to join as a class and thus share resources, individuals can’t easily confront large companies in court.

We’ve noted which companies require you to agree to binding arbitration when you use their services. Some companies do allow you to opt out of the agreement, so make sure to read the fine print.

TVs and Blu-ray players

Vizio, LG, Samsung, Sony, and Sharp all collect viewing data, IP addresses, and other device data. All say they share this non-personally identifiable viewing and device data with third parties to some extent. What varies is whether the program is opt-in versus opt-out, what the companies and the third parties use the data for, and whether the data collection is limited to your TV or could include your other devices.

Vizio

Privacy policy date: October 31, 2015

What it collects: Vizio collects information about what you watch and your IP address, among other information.

How it uses the data: Vizio says it combines your viewing data with your IP address and other information received from third parties in order to analyze usage and inform third-party ad selection.

How it shares the data: Vizio shares your viewing information and IP address with third-party companies, such as advertisers. It says that “in most cases” it hashes your IP address when sharing. Vizio says that third-party advertisers can use your IP address and viewing information to serve ads to other, non-Vizio devices that share your IP address.

Your choices: The collecting and sharing of your viewing data and IP address is enabled by default, but you can turn it off.

Wirecutter’s review: We don’t like how Vizio’s tracking is on by default, nor that the company also links your viewing data to your IP address, nor that this practice allows ads using the information to be served on any device in your home that shares the IP address (essentially, anything on your home Wi-Fi network).

Read the full text here.


LG

Privacy policy date: July 28, 2014

What it collects: LG collects information about what you watch and your TV’s IP address, among other information.

How it uses the data: LG says it uses your viewing information and IP address to deliver personalized advertising.

How it shares the data: LG says it shares your viewing information, IP address, and other information with third parties (which can in turn share that data with other third parties).

Your choices: When you set up your TV, you opt in to allow LG to collect, use, and share your viewing information, as well as to permit LG and third parties to serve you personalized advertising. But be careful: When you access the on-screen terms of service during initial setup, the boxes related to your viewing data and personalized advertising are marked “Agree” by default, and you must uncheck them.

Wirecutter’s review: We like that LG’s service is sort of opt-in, though most people won’t notice it since it’s part of the initial setup menus. If you do choose to opt out (or more accurately, if you don’t choose to opt in), you can still use the streaming features, which is good.

You can read the full text here.


Samsung

Privacy policy date: February 10, 2015

What it collects: Samsung collects information about what you watch and your TV’s IP address, among other information.

How it uses the data: Samsung says it uses your viewing information and IP address to serve personalized advertising and recommend content, among other things.

How it shares the data: Samsung says it shares viewing information and your IP address with third parties, which then deliver personalized advertising and other content to your TV and other devices. (This feature is called SyncPlus.) It’s not clear whether “other devices” includes any device that shares your IP address, regardless of whether it’s connected to your Samsung TV.

Your choices: You can opt in to have Samsung collect your viewing history when you set up your TV, and to receive personalized advertising and other content from third parties, through SyncPlus. But be careful: The first option, before you even have a chance to read the respective policies, is “agree to all.”

Wirecutter’s review: Samsung’s policy isn’t too far removed from Vizio’s, but like LG’s it is technically opt-in, though you can easily miss the option. If you don’t choose to opt in, you can still use the streaming features. However, in our testing, some extra features—such as overlay displays providing information about the cast of the show we were watching—didn’t work, and on a Samsung Blu-ray player one of our staffers was unable to use streaming services after opting out following a full system reset.

You can read the full text here.


Sony

Privacy policy date: The policy appears as on-screen text when you set up your TV, and doesn’t indicate a date.

What it collects: Sony’s on-screen privacy policy says that the company collects data on what you watch and search for, including through applications. It says it collects “device IDs,” but doesn’t state that it associates viewing data with your IP address. For Sony televisions with Android TV, Google’s privacy policies apply as well.

How it uses the data: Sony says it uses the data it collects to provide personalized recommendations and content, to serve advertising, and for “product improvement.”

How it shares the data: Sony says it will share viewing data and other information with Gracenote, a company that uses audio recognition to provide TV listings, recommendations, and other content. Gracenote’s privacy policy says it receives your IP address but doesn’t use that information for direct marketing.

Your choices: You must opt in during setup to have Sony collect and use your viewing data.

Wirecutter’s review: Sony’s policies, though somewhat vague, are on the better side of average among the TV companies. We’ve sent emails to Sony for clarification on some points, and we’ll update this post when we hear back.

You can read Google’s privacy policy here (the Sony policy is on-screen only).


Sharp

Privacy policy date: April 20, 2015

What it collects: Sharp says it collects your IP address and “usage patterns, cache data, and other actions” when you use its smart TVs.

How it uses the data: Sharp says it uses this information for “personalization” and to “deliver content,” but doesn’t specify whether it uses the data for personalized advertising or other tracking.

How it shares the data: Sharp doesn’t specify whether it shares personal or non-personal information with third parties for advertising or tracking purposes.

Your choices: Sharp’s policy says that the only way to stop the collection of personal and non-personally identifying information is to stop using its smart TV service.

Wirecutter’s review: Sharp’s policy is more troubling than others because it’s so vague. The fact that the only way to opt out is to stop using its smart TV features is also unfortunate.

You can read the full text here.


Media streamers

All media streamers, be they from Roku, Apple, Amazon, Google, Microsoft, or Sony, collect user data, though to what degree varies. Most of them don’t allow you to opt out in any way, and any app, channel, or other online content you stream through your media player may also collect data about you, so you’ll need to review their privacy policies as well.

Roku

Privacy policy date: September 30, 2015

What it collects: Roku collects information about what you watch and search for, plus the IP address of your Roku device or app, your Wi-Fi network name, and “other connected devices.” Roku also assigns your device a unique identifier (RIDA) for serving advertising.

How it uses the data: Roku says it uses the information it collects to personalize content, serve advertising, and track usage, among other things.

How it shares the data: Whether Roku itself shares viewing information, device IDs, or IP addresses with third parties is unclear. The privacy policy does state that third parties such as advertisers and channel providers can collect information about your device and usage. (You should read the privacy policies for the specific channels you watch on Roku to learn about their data collection.)

Your choices: Roku’s privacy policy does not say whether you can opt out entirely from data collection or sharing when you use its services. You can limit ad tracking, which will stop Roku from serving personalized advertising to you, but Roku says third parties that serve personalized advertising will not necessarily honor your choice. Additionally, you can reset your RIDA; this process will assign a new ID to your device for advertising purposes, wiping out past tracking data.

Wirecutter’s review: Roku engages in some of the most extensive data collection of any company; it’s a lot, even by the unsavory standards of the other companies here. Unfortunately, Roku also offers no way to totally opt out, and it doesn’t clearly state whether it shares any of the information it collects with third parties. It does state that it collects information about “other connected devices,” but whether that category is limited to devices running Roku is unclear. Roku also requires you to consent to a binding-arbitration agreement when you use its services, which means you can’t launch or join a class-action suit if you have a dispute with the company. (You can opt out of this agreement by sending the company a written notice within 30 days of purchasing a Roku device.)

You can read the full text here.


Apple TV

Privacy policy date: February 3, 2015

What it collects: Apple’s general privacy policy says the company may collect some usage data, including search data, which it doesn’t associate with your IP address. The supplementary privacy policy for Apple TV says that the company collects only log data, not what you watch or search for.

How it uses the data: Apple’s general privacy policy says that it uses the information it collects to improve its services, including advertising. The Apple TV supplement says it uses log data to diagnose and record problems with your device.

How it shares the data: Apple’s privacy policy does not state whether the company shares usage information with third parties, for advertising or other purposes.

Your choices: Apple says it collects log data from your Apple TV only if you opt in.

Wirecutter’s review: This policy stands in stark contrast to all the others here. Apple collects next to nothing and anonymizes all of it.

You can read the main privacy policy here and the Apple TV supplement here.


Chromecast (Google)

Privacy policy date: August 19, 2015

What it collects: Google says it collects information about how you use your Chromecast, including the sites and apps you cast. Google also collects device identifiers and IP addresses, as well as other information about how you use its sites and services, including the content you view. Whether Google associates your Chromecast data with other information it collects across its sites and services is not clear.

How it uses the data: Google does not specify how it uses the information it collects when you use your Chromecast. The general privacy policy states that it uses the information it collects to serve personalized advertising and customized content, among other uses.

How it shares the data: Google doesn’t state that it shares any of your Chromecast usage data with third parties. It does say that it sends a unique device identifier to third parties whose content you cast. Those third parties may collect their own data on your usage of their apps and media through your Chromecast.

Your choices: You can opt out of Google’s collection of usage data on your Chromecast through the device settings. You can also control your privacy across assorted Google sites and services here.

Wirecutter’s review: If you use any Google products or services, it should come as no surprise that the company tracks you.

You can read the main privacy policy here and the Chromecast addition here.


Xbox One and Kinect (Microsoft)

Privacy policy date: October 2015

What it collects: Microsoft says it collects information on the games you play on the Xbox One. It doesn’t mention collecting your IP address, but your Xbox One does have a unique identifier. If you use the Xbox TV app, Microsoft will collect data about what you watch.

How it uses the data: Microsoft’s policy doesn’t specify how the company uses the information it collects when you use your Xbox One. It does say the company will not use the information it collects when you use the Kinect for marketing purposes.

How it shares the data: Microsoft’s policy says that third parties may receive information collected when people use the Kinect or Xbox One, but that they can’t use it for marketing or personalized advertising.

Your choices: Microsoft’s policy doesn’t specify whether you can disable or opt out of having your game and viewing data collected.

Wirecutter’s review: A fairly average amount of collection here. Microsoft’s general terms-of-service agreement includes a binding-arbitration clause, which means you can’t launch or join a class-action suit if you have a dispute with the company.

Read the full text here and the FAQ page about Xbox One and Kinect privacy here.


Amazon Fire TV and Fire TV Stick

Privacy policy date: March 3, 2014

What it collects: Amazon says it collects viewing information and other data about your use of the Fire TV and Fire TV Stick.

How it uses the data: Amazon’s privacy policy doesn’t state how the company uses the viewing and usage information collected from your Fire TV. The general privacy policy specifies that it uses non-personal information such as your IP address and your browsing and search data to serve personalized advertising, measure usage, and customize content. After we inquired about this point, Amazon representatives responded: “Some customer actions on the device are logged in order to provide the service, improve the customer experience and monitor the health of the network.”

How it shares the data: Amazon’s privacy policy doesn’t specify whether it shares viewing data from your Fire TV, but when we asked the company, representatives responded: “We do not share data with third parties regarding what customers are watching.”

Your choices: The policy isn’t clear as to whether you can disable or opt out of Amazon’s collection of viewing and usage data from your Fire TV.

Wirecutter’s review: Amazon, like Google, tracks you whenever you use any of its services. Amazon also requires you to consent to a binding-arbitration agreement when you use its services, which means you can’t launch or join a class-action suit if you have a dispute with the company.

You can read the main privacy policy text here, and the Fire TV/Fire TV Stick terms of service here.


Sony PlayStation 4

Privacy policy date: September 28, 2015

What it collects: The on-screen privacy policy for the PlayStation 4 states that Sony collects device data, including your IP address, and gameplay information. If you make a PlayStation Network account, Sony also collects information about your Web browsing, content downloads, and other interactions.

How it uses the data: The PS4 on-screen privacy policy doesn’t specify whether Sony uses gameplay information and your IP address for anything other than delivering the service. The PlayStation Network policy says Sony can use the non-personally identifiable information it collects about you without reservation.

How it shares the data: The PS4 policy doesn’t state that the company shares any information it collects with third parties. The PlayStation Network privacy policy says it may share non-personally identifiable information with third parties that deliver advertising.

Your choices: Neither privacy policy states that you can opt out from having your usage information collected or shared.

Wirecutter’s review: Not much different from Microsoft’s policy. Sony’s terms of use for the PlayStation 4 include a binding-arbitration agreement, which means you can’t launch or join a class-action lawsuit if you have a dispute with the company.

You can read the PlayStation Network privacy policy here. (You can access the PS4 privacy terms by going to “Settings,” then “PSN Account Management” and “Privacy Settings.”)


Why not stay offline?

Since streaming-media boxes (and the streaming services themselves) track you as well, you can’t gain much by keeping your TV or Blu-ray player offline—unless you want to skip streaming video altogether. For some people, that might be something to consider, but we’re assuming that for most people, it isn’t.

Further, leaving your TV and Blu-ray player unconnected has some drawbacks. For instance, companies regularly release firmware updates that fix bugs, improve performance, and add features. In the case of TVs, this is rarely a huge deal. In the case of Blu-ray players, however, ever-changing encryption means that Blu-ray discs newer than your player might not play.

For some devices, you can manually update the TV or player by downloading the update onto a thumb drive on your PC and then transferring that file to the TV or player. But you can’t use that tactic with Vizio TVs, for example, and for other models the process is a hassle.

And that leads us to the final question...

How big of a deal is this?

We’ll say it again: We don’t like this situation any more than you do. But it has become a fact of life. We hate to be the bearer of bad news, but if you surf the Web, use any online shopping sites, use certain apps on your phone or tablet (Facebook, Twitter, and many more), or use store loyalty cards and club cards, you’re already being tracked.

Always remember that if you’re using a product or service for free, you are the product. This latest trend of having the products you purchased track you is certainly tactless but sadly not much different from what’s been going on for some time.

And although it is technically true that no company is tying your name to your data, at this point that’s practically just semantics. Many companies are getting pretty much everything else there is to know about you, except your name. And studies have shown that it takes only a few steps to use this “anonymous” data to identify you.

What are they using this data for? Well, mostly to serve you ads that are more in tune with your interests, so you’re more likely to buy what the advertiser is selling. But potentially it could also help them vary the prices of online products based on what they think you're willing to pay, or to make inferences about your political views or financial situation, or to serve you "customized" content (so you see certain search results or media based on what they think you want). Also, many companies are simply just collecting the data until they can figure out how to monetize it. And what if some other group gets the data? If the modern world has taught us anything, it’s that anything can be hacked.

We’ll leave the judgment up to you as to how serious all of this is.
