Full Report
Samsung and the State of Texas have reached a settlement agreement over the alleged unlawful collection of content-viewing information through its smart TVs [...]
Analysis Summary
# Regulation/Compliance: Texas DTPA Settlement (Samsung ACR Data Privacy)
## Overview
This compliance requirement stems from a settlement agreement between the State of Texas and Samsung Electronics America. It addresses the unlawful collection of consumer viewing data via Automated Content Recognition (ACR) technology. The mandate focuses on eliminating "dark patterns," ensuring express informed consent, and providing transparent privacy disclosures regarding how smart TVs capture and process content-viewing information for targeted advertising.
## Key Details
- **Issuing Authority:** Texas Attorney General (OAG)
- **Effective Date:** Pending immediate implementation as per March 1, 2026, announcement.
- **Jurisdiction:** State of Texas (Consumers and devices located within the state).
- **Status:** Final Settlement (Legally Binding Agreement).
## Requirements
### Mandatory Requirements
1. **Cessation of Unauthorized Collection:** Immediately halt any collection or processing of ACR viewing data from Texas consumers without express informed consent.
2. **Clear and Conspicuous Disclosures:** Implement updated privacy disclosures that are "clear and conspicuous" (i.e., not buried in sub-menus).
3. **Opt-In Consent Screens:** Provide specific consent screens prior to data collection, ensuring users can make an informed decision.
4. **Elimination of Dark Patterns:** Move away from complex navigation (previously cited as 200+ clicks/4+ menus) to obtain privacy information.
5. **Technical Updates:** Promptly push software updates to smart TVs in the Texas market to reflect these new privacy controls.
### Recommended Practices
1. **Granular Privacy Controls:** Allow consumers to change privacy settings at any time with ease.
2. **Proactive Review:** Regularly audit privacy notices to ensure they align with "forefront" privacy standards rather than just minimum regulatory requirements.
## Affected Organizations
- **Industries:** Consumer Electronics, Smart Appliance Manufacturers, Advertisers using ACR data.
- **Organization Size:** All manufacturers regardless of size if operating in the Texas market.
- **Geographic Scope:** Texas, USA (though often becomes a de facto national standard for logistics/software consistency).
## Compliance Timeline
- **December 2025:** Lawsuit filed by Texas AG Ken Paxton.
- **January 2026:** Temporary Restraining Order (TRO) briefly issued/vacated.
- **March 1, 2026:** Settlement reached; immediate implementation of "enhancements" and updates required.
- **Current Status:** Samsung TVs expected to push updates "promptly" to comply.
## Implementation Guidance
### Assessment Phase
- **Data Inventory:** Map what ACR data is being collected (e.g., screenshots, metadata, viewing habits).
- **UI/UX Audit:** Evaluate the user journey to find "dark patterns" or excessive "clicks" required to reach privacy settings.
### Implementation Phase
- **Consent Mechanism:** Deploy an "Accept/Decline" prompt for ACR during the initial setup and within the settings menu.
- **Notice Simplification:** Rewrite privacy policies into plain language and display them in high-visibility areas of the interface.
### Validation Phase
- **Privacy UX Testing:** Verify that a standard user can reach and opt-out of tracking within a reasonable number of steps.
- **Software Verification:** Ensure the ACR "capture" function is technically disabled until the opt-in flag is set to true.
## Technical Requirements
- **ACR Disabling:** Backend systems must stop ingesting data packets from devices where consent is not recorded.
- **Firmware Update System:** Ability to push mandatory UI changes to legacy and new devices in a specific geographic region (Texas).
- **State Management:** Securely store the user’s consent status locally and on the server to prevent "re-prompting" fatigue or accidental data leaks.
## Penalties & Enforcement
- **Fines:** Violations of the Texas Deceptive Trade Practices Act (DTPA) can result in civil penalties of up to $10,000 per violation.
- **Other Consequences:** Specific Performance (court-ordered software changes), reputational damage, and monitoring by the Texas OAG.
- **Enforcement:** Ongoing oversight by the Texas Attorney General’s office.
## Related Standards
- **NIST Privacy Framework:** Aligns with "Control" and "Inform" functions.
- **ISO/IEC 27701:** PII Processor/Controller privacy management alignment.
- **Texas Data Privacy and Security Act (TDPSA):** The broader state law governing consumer data rights.
## Resources
- **Official Documentation:** [texasattorneygeneral[.]gov/news/releases/attorney-general-paxton-secures-major-agreement-samsung]
- **Guidance Documents:** Texas Deceptive Trade Practices-Consumer Protection Act (DTPA)
- **Tools:** Privacy Impact Assessments (PIAs) for Consumer IoT.
## Practical Recommendations
- **Audit UI/UX Immediately:** If your product requires more than three clicks to opt-out of tracking, it may be classified as a "dark pattern" under current Texas enforcement trends.
- **Regional Compliance:** If you cannot segment your software by state, consider adopting the highest common denominator (Texas/California standards) across the entire US fleet.
- **Collaborate with Legal:** Ensure that "Viewing Information Services" (VIS) or similar naming conventions are clearly defined as "Advertising Tracking" in public-facing notices.