A new study from Trinity College Dublin has raised fresh concerns about data privacy on Android phones, revealing that Google apps quietly download and store advertising cookies, tracking identifiers, and other user data — even if the apps have never been opened by the user.

The research, led by Professor Doug Leith from Trinity’s School of Computer Science and Statistics, highlights how Google Play Services, the Google Play store, and other pre-installed Google apps automatically communicate with Google’s servers. These apps receive and save a variety of tracking cookies and device identifiers on the phone, all without any user interaction or consent.

“We’re all familiar with websites needing to ask for our consent before placing advertising and tracking cookies on our devices — it’s a core part of the EU’s e-Privacy Directive,” said Professor Leith.
“But these same rules apply to mobile apps too, and yet cookies used by apps have received far less attention. They are much harder to detect, and this study makes it clear that they deserve much closer scrutiny.”

Since Google Play Services and the Google Play store come pre-installed on nearly every Android device, they begin gathering and storing tracking data immediately — whether users open them or not. According to Professor Leith, Google neither requests user consent nor offers any way to block these cookies.

“This is a clear call to action for the Irish Data Protection Commissioner to enforce EU data protection laws and step up to protect Irish and EU Android users,” said Leith.

Key Findings from the Study

The study uncovered several troubling practices:

  1. Advertising and analytics cookies — used to track ad clicks and views — are automatically downloaded and stored on the device.

  2. Tracking cookies are saved by the Google Play store app and then sent back to Google servers along with data about user activity within the Play store (searches, page views, etc.).

  3. The Google Android ID, a persistent identifier tied to the device and its user, is stored on the phone by Google Play Services. This ID is sent to Google in multiple transmissions and can only be changed by performing a factory reset.

  4. Analytics cookies for A/B testing of Google app updates are also downloaded and stored on the device by Google Play Services. These are later transmitted back to Google alongside app performance data.

  5. Beyond these, several other cookies and identifiers capable of uniquely identifying the device or user are quietly downloaded and saved on the phone.

The study’s findings suggest that, despite growing awareness of data privacy on the web, the way mobile apps handle cookies remains largely unregulated and overlooked. With millions of Android phones pre-loaded with these apps, the scale of the issue is significant — affecting virtually every Android user in the EU and beyond.