A California woman is suing a popular smart TV maker, Vizio, for secretly collecting information about what she watches and sharing it with advertisers and data brokers without her consent. The claim, which seeks at least $5 million on behalf of other TV owners, raises questions over privacy and how to regulate a new generation of Internet-enabled TVs that can capture broad swaths of data from consumers’ living rooms.
In the lawsuit, filed last week in San Francisco, Palma Reed claims she bought two Vizio smart TVs—from Sam’s Club and Costco—and connected them to her home wireless network. Only later, Reed claims, did she discover that the TVs are configured to suck up data on which shows or video games are being displayed, as well as personal data related to mobile devices and Wi-Fi networks.
The lawsuit also alleges that Vizio collects this information via software provided by its subsidiary, Cognitive Networks, and then works with third-party data brokers in order to match it to specific households or individuals. In practice, this implies that Vizio may have detailed records about the TV and Internet habits of numerous Americans.
Here is a more technical description, as set out in the lawsuit (reporter’s emphasis):
Defendants may know from the Tracking Software that an individual watched Scandal on a Thursday at 8:00 pm pacific time with an IP address of 188.8.131.52 and a Wifi router MAC address of 04:bd:88:7a:1c:c1, but they want to know the individual’s name, address, and other demographic information.
By contracting with a data broker, Defendant Vizio obtains that data. Vizio sends the information it has to the broker. The broker then matches and links that information to consumers in its database by linking across, for instance, IP address or Wifi router MAC address. The broker may have in its table that Jane Doe, with a home address of 123 Main Street, is linked to a Wifi router with the same MAC address as provided (04:bd:88:71:1c:c1). The broker then appends that information to the data it received and sends the enhanced data back to Vizio.
While Consumer Reports and other news outlets have reported that Vizio, Samsung, and other smart TV makers now have the technology to collect such information, the lawsuit sheds light on how it may actually be deployed.
The other key issue in the case is the alleged lack of consent on the part of consumers when it comes to the TVs collecting their data. According to the lawsuit, Vizio fails to inform its customers about the process, and instead relies on an “opt-in” policy under which they agree to turn over the data by default. And while consumers can turn off the data collection, Reed alleges that the option comes in tiny print and is buried deep within an obscure corner of the TV’s settings interface.
Vizio, which announced plans for an IPO earlier this year, did not immediately reply to a request for comment about the case.
If the lawsuit gains traction, it could force the company and others using the technology to compensate millions of consumers who have bought smart TVs in recent years. According to the complaint, Vizio should pay for violating the Video Privacy Protection Act, which restricts companies from sharing customers’ private viewing histories, as well as for breaching a variety of California consumer protection laws.
More broadly, the Vizio situation shows how the TV and telecom industries are turning to increasingly invasive techniques to capture the treasure trove of marketing data that can be obtained when devices can be connected to the Internet. AT&T, for instance, is demanding that consumers agree to turn over data about what websites they visit as a condition of receiving its new high-speed Internet service. Verizon, meanwhile, is attracting attention from the FCC over its use of undeletable “super cookies,” which the carrier placed on users’ mobile devices to capture marketing data.
While such techniques can result in more efficient ad targeting, they also raise questions about privacy and consent, and about the security of the data that the companies are collecting. Companies like Vizio appear to be aware of such concerns and regard them as a potential business threat. In a note to the SEC cited in the lawsuit, Vizio wrote: “If the wider public perceives data privacy or security concerns with respect to our Smart TVs, this could negatively impact the growth potential for the net sales of our Smart TVs and our Inscape data services.”
Vizio had reported net sales of $1.34 billion in the first half of 2015, and claims to have about 35% of the U.S. smart TV market.