A Texas state court has issued a temporary restraining order (“TRO”) blocking Hisense, a major Chinese smart TV manufacturer, from collecting data on the content viewers watch via Automatic Content Recognition (“ACR”) technology.
Background
The TRO follows lawsuits that Texas Attorney General (“AG”) Ken Paxton filed on December 15, 2025, against Hisense and four other smart TV manufacturers. The complaints allege unlawful business practices related to the collection and use of sensitive ACR data without adequate disclosure to consumers, and through obtaining consent from consumers in a deceptive or misleading manner. The AG alleges that these practices violate the Texas Deceptive Trade Practices Act (“DTPA”).
What Is ACR And Why Does It Matter?
ACR is a technology that identifies content played on a media device or presented within a media file. Devices with ACR can collect content consumption information automatically at the screen or speaker level, without any user-based input or search efforts. In the Hisense case, the Texas AG alleges that “Hisense uses ACR technology to capture every sound and image playing on its TVs every 500 milliseconds.” This information is often used for personalized advertising and content recommendations and monetized through other mechanisms including licensing to third parties.
Allegations in the Lawsuits
The lawsuits allege that the defendants use ACR to monitor what consumers watch across streaming apps, cable services, and external devices such as gaming consoles and Blu-ray players and build detailed consumer profiles for targeting and behavioral tracking, without adequate consumer notice or informed consent.
Specifically, the AG alleges that the manufacturers, among other things:
- Fail to provide clear and conspicuous disclosures regarding the collection and commercial use of viewing data;
- Obtain purported consent through misleading design choices and default settings;
- Use “unlawful dark patterns,” making it easy to opt-in but extremely difficult to opt-out;
- Collect and process more data than necessary for basic device functionality;
- Monetize consumer data through advertising and profiling without informed consent; and
- Engage in false, misleading, and deceptive acts or practices in violation of §§17.46(a) and (b) of the DTPA.
The AG further stated in the complaints that the complaints also serve as notice of noncompliance to the defendants under the Texas Data Privacy and Security Act (“TDPSA”), triggering its 30-day cure period[1]. According to the complaints, the defendants violate the TDPSA because consent from consumers is not informed, privacy choices are not meaningful, users cannot reasonably understand the surveillance model, and the system defaults towards maximal data extraction. The AG intends to amend the complaints to add TDPSA claims if manufacturers fail to cure the violations within a 30-day period under the TDPSA.
Notably, lawsuits against Hisense and another Chinese manufacturer include additional allegations that Chinese law may require these companies to turn over consumer data to the Chinese government. The complaints assert that the ACR data collection program fails to disclose this potential access by the Chinese Communist Party to consumers, raising significant privacy concerns.
The AG seeks permanent injunctive relief, civil penalties of up to $10,000 per violation of the DTPA, restitution, and recovery of legal costs.
The TRO
Two days following the filing of these lawsuits, the court found good cause to believe that Hisense’s collection and use of ACR data was false, deceptive, or misleading—citing the alleged use of dark patterns that prevented consumers from unenrolling, lack of informed consent, inadequate privacy choices, and disclosures that failed to clearly explain the data practices. Based on these findings, the judge issued a TRO against Hisense, prohibiting the manufacturer from collecting, using, sharing, disclosing, selling, or transferring ACR data.
What to Expect
Texas and other states continue to signal aggressive enforcement of consumer privacy standards. Texas’s action in this instance helps further punctuate the importance for businesses to understand, at a technical level of detail, how their products and solutions collect, process, and share personal data, and to ensure clear, transparent disclosures to consumers and consumer choice.
[1] TDPSA, effective July 1, 2024, is a comprehensive privacy law that applies to businesses in Texas or those serving Texans that process significant amounts of data. It requires controllers to provide privacy notices, obtain consent for sensitive data, and honor consumer rights such as access, deletion, and opt-outs from targeted advertising.
