Irish researchers from Trinity College Dublin have discovered that Google begins tracking Android devices the moment they are powered on. This occurs through the storage of unique identifiers, cookies, and other data—even if the user has never opened any pre-installed applications. The report asserts that no consent is sought for this data retention, nor is there any means to disable the mechanism.
These findings stand in stark contrast to Google’s recent push for greater transparency. For instance, while Chrome is set to phase out cookies entirely, Android device owners remain under surveillance. Researchers have specifically highlighted the role of Google Play and Play Services, which serve as critical components of this data collection system.
This revelation is particularly significant in light of the recent controversy surrounding SafetyCore—a module installed on millions of Android smartphones without users’ knowledge. Despite widespread public outrage, Google has not provided any option to disable this functionality. Similarly, in the case of these new findings, it appears that users have no means to prevent such tracking.
The Trinity College report details how Google monitors advertising clicks and ad impressions using the Android ID, a persistent identifier that can be linked to both the user and their device. Even performing a factory reset does not eliminate this tracking, as the data collection simply resumes from scratch.
Furthermore, Google has recently re-enabled developers to use “device fingerprinting” as a method of user identification—a technique previously banned due to its inability to be cleared or manually disabled. Researchers argue that Google’s actions contradict its own 2019 statements, in which the company asserted that such methods undermine users’ right to privacy.
The key question now is whether these practices comply with data protection laws such as the European e-Privacy directive and GDPR. Given that the research was conducted in Ireland—where strict regulations govern the collection and processing of personal data—this could lead to further legal scrutiny. Notably, the e-Privacy directive mandates that any data storage on a user’s device requires explicit consent unless it is essential for providing a requested service.
Google has responded to the findings, stating that the company fully complies with all applicable data protection laws and that the report’s conclusions are based on inaccurate legal interpretations. However, the company has no immediate plans to introduce changes to Play Services or the Play Store.
This is not the first time Trinity College has criticized Google for its data collection practices. In 2022, researchers found that Google Messages and Google Phone apps were transmitting call and SMS data—including call timestamps and phone numbers—back to the corporation. A year earlier, they reported that Android devices send 20 times more telemetry data to Google than iOS devices send to Apple.
Amid these revelations, researchers are urging regulators to intensify oversight of Google and other platforms, ensuring that users have genuine control over their personal data. For now, Android users appear to have little choice but to accept these conditions or seek alternative operating systems.
