Sorbis / Shutterstock / The Atlantic

In 2017, the FTC and the state of New Jersey fined Vizio $2.2 million, alleging that the smart-TV manufacturer’s products tracked consumers in minute detail, without their knowledge or consent. “On a second-by-second basis, Vizio collected a selection of pixels on the screen that it matched to a database of TV, movie, and commercial content,” the FTC alleged. “What’s more, Vizio identified viewing data from cable or broadband service providers, set-top boxes, streaming devices, DVD players, and over-the-air broadcasts. Add it all up and Vizio captured as many as 100 billion data points each day from millions of TVs.” According to the complaint, Vizio also pushed updates to older TV sets that enabled them to collect data on users, and sold the compiled data to third parties who wanted insight into people’s viewing habits. (Vizio did not respond to two requests for comment from The Atlantic.)

Two years later, we’re still being watched. Three-quarters of American households have at least one internet-connected TV: a smart TV like the ones Vizio makes, or a plug-in player such as Roku or Amazon Fire TV. The FTC settlement doesn’t outlaw collecting our data; it simply says that viewers must opt into it. But in effect, that just means a streamlined series of menus that are easy to click through blindly. If you have a smart TV or connected device, chances are good it has collected data on your viewing habits, location, and device serial numbers.

“When you watch video on any one of these things, imagine that there is someone sitting next to you with a notepad,” Scott Tranter, the CEO and co-founder of the political-data consultancy Øptimus, told me.

This information is, of course, highly valuable to advertisers—so valuable, in fact, that Vizio’s CTO told The Verge that manufacturers would have to charge a premium on “dumb” TVs to make up for what they lose without the ability to show viewers targeted ads. Advertising is most effective when it works like a heat-seeking missile. All these data about user habits allow companies to place them in easy-to-target audience categories: parents, Spanish speakers, gamers, and so on.

But it isn’t just traditional advertisers who are interested: In the run-up to 2020, political campaigns hungry to connect with younger voters—cord-cutters and “cord nevers”—are using smart-TV data, combined with voter information, to target people precisely.

Imagine that a campaign wanted to reach active voters who care strongly about a political issue—the environment, for example. One way to reach them might be to find out what they’re watching—Our Planet, say—and advertise on those shows. This isn’t all that different from the way advertising has worked forever: A car manufacturer might advertise on Top Gear, or a meal-kit start-up on Top Chef. But now campaigns can combine the sophisticated, segmented data sets they already have with the ones smart-TV manufacturers have gathered to target small groups of voters with greater precision.

Since 2002, companies such as Aristotle, eMerges, and NationBuilder have made a lucrative business of compiling databases of segmented voter information—names, addresses, gender, race, party affiliation, voting history, donation history, and so on—and selling them to political campaigns, which then use them to target canvassing efforts. (For example, a presidential campaign might send a fundraising announcement only to Republicans in wealthy zip codes who have a history of high-value donations, or target get-out-the-vote door-knocking campaigns toward registered Democrats who’ve voted in the past two elections.)

Campaigns, or third parties working on their behalf, now work with providers such as Vizio, Roku, Dish Network, and DirecTV to match their lists—of voters and customers, respectively—against each other. (Dish Network and DirecTV confirmed their use of such tactics to The Atlantic. Representatives for Roku did not respond to requests for comment, though the company has posted a listing for a political-ad-sales account manager.)

As explained by the Interactive Advertising Bureau, a data broker matches anonymous voter identities to anonymous smart-TV households. A connected-TV ad server then sends the ad to said household’s device. Let’s say your TV knows your household watches a lot of children’s programming, and a campaign knows you’re a registered Democrat living at a specific address in suburban Sacramento, California. By combining this information, the two together might be able to assume you’re a parent—and thus might be able to specifically target you with ads for a local school-board candidate, or for a national candidate with a universal-child-care platform.

Targeting households using audience analysis that combines different data sets is called “addressable advertising,”and it is just one small part of the billions spent on political advertising. Retailers use addressable advertising on connected-TV platforms as well. But most states outlaw using voter rolls for product marketing. Retailers instead target people based on online-shopping behavior (for example, by assuming households that have recently bought dog food have pets).

As David Seawright, chief revenue officer at Deep Root Analytics, an analytics company working with advertisers and political campaigns, explained, “The classic example of addressable advertising is the idea that four houses in the same cul-de-sac could be watching the same program at the same time, but see four different ads.”

The data brokers—such as Experian and Acxiom—that do the matching anonymize data to avoid one-to-one identifications. A campaign (or analytics company working on its behalf) will use voter data to generate a list of right-leaning Millennial women to target. As described in an Experian white paper, the campaign provides that list to data brokers who will compare the list with viewership data provided by a company such as Roku or Vizio.

Instead of identifying who matched, the data broker will report that, say, 15 percent of people in their original list matched in aggregate. Those people are sent targeted campaign ads. TV providers won’t know how you voted, and political campaigns won’t know the viewership history of every voter. “We don’t know, for example, which individuals we care about have been matched in,” Seawright explained. “But we know that every ad that fires will go to someone that we care about.”

Rather than directly selling third-party access to data, the cause of the 2017 penalty against Vizio, TV providers put its users into segments, explained Tal Chalozin, the CTO and co-founder of Innovid. A user who downloaded children’s games or the Nickelodeon smart-TV app may be identified as having young kids, for example; users might also be segmented based on how many hours of TV they watch in a day. “It’s not that the operating-system company would sell [advertisers] the specific data,” he explained. “They would allow you to target just those people.”

Connected-TV data can be surprisingly robust. Privacy policies are notoriously vague regarding data collection, and cybersecurity researchers from Princeton University and the University of Chicago found that smart TVs communicate a wealth of information.

“There’s not a lot of [Internet of Things, or IoT] devices that have [made clear to consumers] security and privacy problems,” explained Danny Huang, the Princeton computer-science professor who helped lead the research project. “There aren’t any good tools for an average consumer to find out.”

Huang’s team found evidence that, in addition to viewing habits, Amazon and Roku devices transmit Wi-Fi network names, location data, device serial numbers, and sometimes even semi-anonymized email addresses. Countermeasures meant to limit ad tracking had only a minor effect on the data being transferred.

Huang explained that his research team showed only that data are being collected and transmitted to servers, but not precisely what they’re being used for. It’s possible the data collected could be combined with other data sources to identify users by matching known devices (the smart TV that already has your email address) to websites or other IoT devices that use the same Wi-Fi. This could create a more complete picture of what users watch and browse, the websites they visit, some offline behavior, and other devices they use.

Matching user databases between IoT devices, phones, laptops, and offline behavior such as voting patterns gives campaigns working with big data significant insight into our lives. That’s likely to continue into 2020 and beyond.

Tranter argues that the future of political advertising targeted to smart-TV users could expand enormously as the ad-supported streaming-services market grows. Vizio, Disney, AT&T, Comcast, and others in March announced joint plans for addressable standards.

“They’re honestly trying to build a footprint where I could take my list [and compare] it against … an AT&T cable subscriber [or] a Disney+ subscriber [list],” Tranter said. “In the past, I’d take my list to a cable company; they match 10 percent. Now they’re matching 40 percent. The addressable footprint gets enough where it’s like, okay, this is a significant part of my audience that I’m trying to get at.”

We want to hear what you think about this article. Submit a letter to the editor or write to letters@theatlantic.com.