Your Smart Home Is Running a Business You Didn’t Sign Up For

A few months ago I was setting up a new TV and actually read the setup screens instead of tapping through them. Not the full terms of service — nobody does that — just the summary descriptions on each permission prompt.

One of them, buried in a screen labeled something like “Personalized Viewing Experience,” described a feature that captured a fingerprint of whatever was on my screen every few seconds, identified the content, matched it to my IP address, and used it to serve targeted advertising. It was on by default. The button to continue was larger and more prominent than the button to decline.

I turned it off. Then I went through every other device in the house and spent about an hour on settings I’d never looked at. What I found was not reassuring.

The average American home now contains 17 connected devices according to Parks Associates research. Each one arrived with default settings optimized not for your privacy but for the data collection model that makes the hardware economically viable for the company that sold it. Smart TVs are sold near cost because the data operation running inside your living room is the actual product. Smart speakers exist to establish a microphone in your home as a purchase-intent signal. The convenience is real. The trade you made to get it was probably never explained to you.

None of this requires legislation to address. Most of it takes under an hour to fix. Here’s what’s actually happening, device by device, and what to do about it.


The TV Situation Is Worse Than You Think

Every major smart TV brand — Samsung, LG, Vizio, Roku, and most Google TV devices — ships with a technology called Automatic Content Recognition, or ACR. Every few seconds, it captures a fingerprint of the pixels on your screen. It doesn’t care what the source is: cable, streaming, a game console, a DVD. It identifies exactly what you’re watching, pairs that information with your IP address, and sells it.

I’ve been tracking the downstream uses of this data for a while now, and the list is longer than most people expect. Advertisers and data brokers buy it, obviously. But it also flows to insurance underwriters running behavioral models, to political campaigns doing household-level targeting, and to credit analytics companies. Your viewing habits are an accurate proxy for things you haven’t disclosed to anyone — medical concerns, political ideology, financial anxiety, household composition. The FTC’s guidance on connected device data acknowledges this secondary use happens routinely, with no additional notice beyond the original terms of service.

The settings to disable ACR are different on every brand, and every brand names the feature something that obscures what it does. On Samsung it’s called “Viewing Information Services.” LG calls it “Live Plus.” Vizio uses “Viewing Data.” None of those names communicate that you’re authorizing your TV to monitor and sell your viewing behavior.

On Samsung: Settings → Support → Terms & Policy → Viewing Information Services → Off.
On LG: Settings → General → Live Plus → Off.
On Vizio: Settings → System → Reset & Admin → Viewing Data → Off.
On Roku: Settings → Privacy → Smart TV Experience → Use Info from TV Inputs → Off.

While you’re in those menus, disable the advertising ID and opt out of any targeted advertising settings. Turn off microphone access if you’re not using voice commands. These changes take five minutes and cost you nothing in functionality.


Smart Speakers and the Recordings You Don’t Know Exist

The debate about smart speakers has been stuck on the wrong question. Everyone asks whether Alexa is always listening. The more useful question is what happens to the recordings that occur when it shouldn’t be listening at all.

Researchers at Northeastern University’s Mon(IoT)r Lab tested multiple smart speakers and documented a wide range of everyday phrases and sounds that falsely trigger recording mode — no wake word required. Some devices misactivated nearly once per hour during normal TV viewing. Roughly 10% of those false activations lasted ten seconds or longer. Each one sends an audio clip to Amazon’s or Google’s servers, stored indefinitely unless you’ve configured automatic deletion.

Those clips don’t just sit idle. Bloomberg reported in 2019 that Amazon employed contractors worldwide who listened to Alexa recordings — including clips of clearly private household conversations — to improve AI accuracy. Users weren’t notified. Google ran an identical program, exposed the same year by a Belgian broadcaster. Both companies now offer opt-outs. Almost nobody uses them because almost nobody knows they exist.

There’s a second concern I’ve been thinking about more since writing about AI voice cloning scams. Every audio clip stored on Amazon’s or Google’s servers is a potential training sample for voice synthesis. Researchers have demonstrated that three seconds of audio is sufficient to produce a convincing voice clone. Data breaches at major tech companies are not hypothetical. A voice, unlike a password, cannot be changed after it’s compromised.

The fixes:

In the Alexa app, go to Settings → Alexa Privacy → Manage Your Alexa Data → set recordings to auto-delete or “Don’t Save” → turn off “Help Improve Alexa.”

Also disable Amazon Sidewalk — it’s a default-on feature that shares a portion of your home internet bandwidth with nearby Amazon devices owned by strangers.

Find it under Settings → Account Settings → Amazon Sidewalk → Disabled. Most users have no idea this exists.

For Google: Settings → Privacy → Your Data in the Assistant → Audio Recordings → uncheck “Include voice and audio activity.” Set auto-delete to three months.

The physical mute button on any smart speaker is a hardware switch. When it shows red, the microphone circuit is physically broken — no software can override it. Use it during sensitive conversations.


Your Robot Vacuum Is Mapping Your Home for Someone Else

The privacy concern with robot vacuums isn’t audio. It’s spatial.

LIDAR-equipped vacuums build a precise floor plan over their first few runs — room dimensions, furniture placement, doorway locations, and in models with cameras, visual documentation of the interior. That map gets uploaded to the manufacturer’s cloud. In iRobot’s case, which Amazon acquired in 2023, it now sits on Amazon’s infrastructure — held by one of the world’s largest advertising companies.

A detailed home floor plan reveals things that aren’t obvious at first. Room sizes and furniture signal wealth. A nursery signals a young child. Daily cleaning patterns reveal occupancy schedules. MIT Technology Review documented in 2022 that images from iRobot development-model vacuums had been shared with Scale AI contractors and subsequently leaked to Facebook groups — including photos of people in private situations inside their homes. The images were being processed by gig workers overseas. The homeowners had no idea.

Check your vacuum’s companion app for a local storage option. Several Roborock and Ecovacs models now support fully local operation — the map stays on the device, the app communicates over your local network only, nothing uploads to the cloud. Review the companion app’s permissions and deny anything unrelated to cleaning: a vacuum app has no legitimate need for microphone or contacts access.


The $12 Bulb That Can Unlock Your Entire Network

This is the smart home privacy risk that gets underexplained in most coverage, so I want to be direct about it: it doesn’t matter how strong your banking password is if a discount smart bulb on your Wi-Fi network hasn’t received a firmware update since 2022.

Bitdefender’s threat intelligence team documented in late 2025 that smart plugs, smart TVs, and consumer electronics were among the most frequently targeted device categories in global attacks on home networks. A compromised smart bulb isn’t an end in itself — it’s a door into everything else sharing your network. Your laptop. Your phone. Every financial account you’re logged into on those devices.

The defense is a Guest Network, and it takes about ten minutes to set up on any router made in the last five years.

Log into your router’s admin panel — usually 192.168.1.1 or 192.168.0.1 in a browser. Find Guest Network settings. Create a separate network with its own password. Then apply one rule without exceptions: every IoT device goes on the Guest Network. Smart TVs, speakers, vacuums, cameras, bulbs, thermostats, plugs — all of it. Your phones and computers stay on your primary network.

If any IoT device is compromised, the attacker is contained in the Guest Network. They cannot reach your primary network, your laptop, or anything sensitive on it. This is what NIST’s Cybersecurity Framework calls network segmentation, and it’s one of the most effective single changes you can make to your home security posture.
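One way to check the rule above against what is actually connected, as an added example that is not part of the original article: the script reads a DHCP lease table in dnsmasq format and flags IoT-looking devices still on the primary network. The two subnets, the hostname hints and the lease lines are constructed assumptions; substitute your router's own values.

```python
import ipaddress

# Assumed addressing plan (hypothetical): replace with your router's subnets.
PRIMARY_NET = ipaddress.ip_network("192.168.1.0/24")
GUEST_NET = ipaddress.ip_network("192.168.50.0/24")

# Hostname fragments treated as IoT. A heuristic chosen for this example.
IOT_HINTS = ("tv", "roku", "echo", "vacuum", "bulb", "plug", "cam", "thermostat")

# Constructed sample in dnsmasq lease format: expiry mac ip hostname client-id
SAMPLE_LEASES = """\
1767225600 02:00:00:00:00:01 192.168.1.10 alice-laptop *
1767225600 02:00:00:00:00:02 192.168.1.23 livingroom-tv *
1767225600 02:00:00:00:00:03 192.168.50.11 kitchen-echo *
1767225600 02:00:00:00:00:04 192.168.50.12 hall-bulb-2 *
1767225600 02:00:00:00:00:05 192.168.1.31 * *
1767225600 02:00:00:00:00:06 192.168.50.40 bob-phone *
"""

def parse_leases(text):
    """Return (mac, ip_address, hostname) tuples, skipping malformed lines."""
    leases = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        try:
            leases.append((fields[1], ipaddress.ip_address(fields[2]), fields[3]))
        except ValueError:
            continue  # third field is not a valid IP address
    return leases

def audit(leases):
    """Apply the article's rule: IoT on guest, phones and computers on primary."""
    findings = []
    for mac, addr, host in leases:
        looks_iot = any(hint in host.lower() for hint in IOT_HINTS)
        if addr in PRIMARY_NET and looks_iot:
            findings.append(("MOVE_TO_GUEST", host, str(addr)))
        elif addr in PRIMARY_NET and host == "*":
            # No hostname announced: identify the device by MAC before trusting it.
            findings.append(("UNIDENTIFIED_ON_PRIMARY", mac, str(addr)))
        elif addr in GUEST_NET and not looks_iot:
            findings.append(("REVIEW_ON_GUEST", host, str(addr)))
        elif addr not in PRIMARY_NET and addr not in GUEST_NET:
            findings.append(("UNKNOWN_SUBNET", host, str(addr)))
    return findings

if __name__ == "__main__":
    for finding in audit(parse_leases(SAMPLE_LEASES)):
        print(*finding)
```

It checks addressing only, so confirm separately that the router blocks traffic from the guest network to the primary one.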

While you’re in the router settings: change the admin password — separate from your Wi-Fi password — enable WPA3 encryption if your router supports it, and turn on automatic firmware updates. The router is the most important device on your home network and receives the least attention. A password manager will generate and store unique credentials for every device and account, which matters here because most camera and router breaches involve factory-default credentials that were never changed.


The One Regulatory Change Worth Knowing About

The regulatory picture is improving, slowly.

The FCC’s Cyber Trust Mark program, rolling out through 2026, puts a shield logo with a scannable QR code on smart devices meeting baseline security standards. Scan it before you buy and you can see what data the device collects, whether it sells that data, and how long it will receive security updates — disclosed at the point of purchase rather than buried in terms of service.

The EU’s Cyber Resilience Act goes further, requiring manufacturers to certify device security before selling in European markets. Because manufacturers generally prefer building one product rather than two, EU standards tend to become global standards. US enforcement still lags years behind the threat, but the direction is right.

Until these have genuine teeth, no agency is actively monitoring what your smart TV’s ACR system does with your viewing data at 11pm. The steps above are what your own oversight looks like in practice.


The Part That Connects to Everything Else

The data your smart home generates doesn’t stay in your home. It feeds the same broker ecosystem that holds your name, address, browsing history, and financial behavior in databases that anyone can search or purchase. The same companies buying your viewing data from your TV are often buying transaction data from your bank’s ad network, location data from your phone, and demographic inferences from your social media behavior.

I think about this as a system rather than a set of isolated settings changes. The subscription audit, the biometric security risks from passkeys, the home network configuration, the voice recordings — they’re all entry points into the same profile. Addressing one while ignoring the others is locking the front door and leaving the back window open.

The good news is that the highest-impact changes are genuinely quick. ACR off: five minutes. Voice recording auto-delete: five minutes. Guest Network setup: ten minutes. Camera default password changed: two minutes. In under an hour, the data your home generates about you drops significantly — without losing any functionality you actually use.

Your home is supposed to be the one place that’s still yours. These settings are how you keep it that way.

Syed

Hi, I’m Syed. I’ve spent twenty years inside global tech companies—including leadership roles at Amazon and Uber—building teams and watching the old playbooks fall apart in the AI era. The Global Frame is my attempt to write a new one.

I don’t chase trends—I look for the overlooked angles where careers and markets quietly shift. Sometimes that means betting on “boring” infrastructure, other times it means rethinking how we work entirely.

I’m not on social media. I’m offline by choice. I’d rather share stories and frameworks with readers who care enough to dig deeper. If you’re here, you’re one of them.
