Researchers at Trinity College Dublin bought a Samsung phone, went through setup, and unchecked every single data sharing option. Then they watched what the phone actually sent. It sent telemetry anyway: your phone's unique ID, your list of installed apps, analytics data. The researchers' conclusion was blunt: "there is no opt-out." Samsung's opt-out toggle is a placebo. 600 million Galaxy owners have a button that does nothing.
Samsung calls it "Customisation Service" like it's doing you a favour. In reality, it reads your text messages, scans your contacts, logs your call history, checks where your photos were taken, records what music you listen to, and tracks every website you visit in Samsung Internet. It's enabled the moment you create a Samsung account.
Even if you find the buried toggle to turn it off, Samsung keeps everything it already collected. You have to separately beg them to delete it through their privacy website. And they don't let you opt out of Health data or calendar collection at all.
What they claim: Samsung advertises Knox as "defense-grade security" that protects user data on Galaxy devices.
What we found: Three data breaches in two years: Lapsus$ stole 190GB of source code including TrustZone biometric security components (March 2022); US customer breach potentially affecting over half of all US Samsung consumers with PII exposed including names, dates of birth, demographics (August 2022); UK online store breach went undetected for over three years, leaking customer data from July 2019 to June 2020 (discovered November 2023).
What they claim: Samsung says it is "clear about how it collects, uses, discloses, transfers, and stores information" across its ecosystem.
What we found: The Texas Attorney General sued Samsung (December 2025) for collecting Automated Content Recognition data from Smart TV users without informed consent, calling it a "mass surveillance program." Samsung settled in March 2026, agreeing to rewrite privacy prompts and implement opt-in consent. Samsung had been burying ACR consent in lengthy Terms of Service. Cross-device Samsung Account links TV viewing data with phone telemetry data.
What they claim: Samsung's Gallery app provides convenient photo management features for Galaxy users.
What we found: Nearly 50,000 Samsung Galaxy users filed Illinois BIPA claims alleging Samsung collected facial biometric data through the Gallery app without informed consent. Samsung pushed for individual arbitration for all claimants, then refused to pay its share of arbitration costs. A federal judge had to order Samsung to engage in the arbitration proceedings it had demanded.
What they claim: Samsung Knox provides "defense-grade" containerization protecting sensitive enterprise and personal data from unauthorized access.
What we found: Multiple published CVEs demonstrate Knox vulnerabilities: remote code execution via smdm:// protocol handler allowing malicious APK installation with arbitrary permissions (Galaxy S4/S5/Note 3/Ace 4); CVE-2016-1919/1920/3996 allowing attackers to access Knox-protected data or intercept all traffic inside and outside the Knox container; clipboard data leaks between Knox and personal containers; Knox Guard bypass via system time manipulation (pre-Dec 2023); Knox AI privilege escalation (pre-Sep 2023).
What they claim: Samsung claims to be transparent about cross-device data practices and gives users meaningful control over their Samsung Account data.
What we found: Samsung Account links data across phones, tablets, watches, TVs, and appliances. Smart TV ACR data (everything displayed on screen) flows through the same account as phone telemetry. The Customisation Service builds profiles from all connected devices. Users who own multiple Samsung products face compounding data collection with no unified dashboard showing what data is collected from which device or how it is combined.
What they claim: Samsung's Customisation Service "provides an enhanced user experience" with user control, and users can "opt out at any time."
What we found: The Customisation Service builds advertising profiles from contacts, call logs, text messages, photo metadata (location/time), browsing history, music habits, precise GPS location, and installed app lists. Samsung does not allow opt-out from collection of Health data, calendar events, app usage, or photo metadata. Disabling the service does not delete already-collected data — users must separately request erasure through Samsung's privacy website.
What they claim: Samsung claims users can control their data and choose what to share on their Galaxy devices.
What we found: Samsung Galaxy devices ship with 127-132 pre-installed apps (documented on Galaxy Note 10+ and S20) that cannot be uninstalled, including Facebook, Facebook App Installer, Facebook App Manager, and Facebook Services installed via revenue-sharing agreements. Each app operates under its own data collection policies. Carrier software updates can re-enable previously disabled bloatware without user consent.
What they claim: Samsung says it protects user data and follows privacy best practices across its Galaxy device ecosystem.
What we found: Trinity College Dublin researchers found Samsung phones collect and transmit long-lived hardware identifiers (IMEI, hardware serial numbers) that persist across factory resets and cannot be changed by users. All Samsung phones also transmit the complete list of installed apps to Samsung servers — an app list that can profile medical needs, political leanings, religion, and sexual orientation.
What they claim: Bixby Voice Privacy Notice states Samsung will "only collect voice information if you activate Bixby" and gives users control over their voice data.
What we found: Bixby transmits voice recordings and device identifiers to third-party service providers for speech-to-text processing. Samsung's privacy policy permits combining Bixby data with data from other Samsung services and third-party sources for user profiling. Common Sense Media rated Bixby's privacy as "Warning" — citing data sharing with third-party ad networks, unclear encryption practices, and no clear data retention or deletion policies.
What they claim: Samsung requires a Samsung Account for "a better experience" and claims users control their data.
What we found: The CCPA lawsuit (Seirafi et al v. Samsung) alleged Samsung "should never have collected the information in the first place" by requiring account registration for basic device features (Galaxy Store, Find My Mobile, themes). Creating an account triggers Customisation Service enrollment and links all device data to a single identity. Two data breaches in 2022 then exposed this unnecessarily collected personal information.
What they claim: Samsung states it collects diagnostic data "with the user's consent" and users can opt out of data sharing at any time.
What we found: Trinity College Dublin researchers conducted a peer-reviewed study proving Samsung phones send telemetry (IMEI, serial numbers, installed app lists, analytics) even when users explicitly opt out of all diagnostic data sharing during setup. The researchers concluded: "there is no opt-out" and "this data collection occurs even though privacy settings are enabled."
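A way to check your own device's traffic for the data named in this finding and in the earlier hardware-identifier finding, as an added example that is not code from the study or from Samsung: given decrypted request records, it flags requests carrying the IMEI, serial number or installed-app list, including Base64 and hashed forms (a generalization beyond what the text states). The record layout, host names, identifier values, package names and `app_threshold` are constructed assumptions.

```python
import base64
import hashlib
from urllib.parse import unquote

HASHES = ("md5", "sha1", "sha256")


def encoded_forms(value):
    """Return the forms an identifier commonly takes on the wire."""
    raw = value.encode()
    forms = {"plain": value, "base64": base64.b64encode(raw).decode()}
    for algo in HASHES:
        forms[algo] = hashlib.new(algo, raw).hexdigest()
    return forms


def audit(requests, identifiers, installed_apps, app_threshold=3):
    """Return (host, what, form) for each request that carries device data."""
    findings = []
    for req in requests:
        text = unquote(req["url"] + " " + req["body"])
        lowered = text.lower()  # hex digests may be sent upper-case
        for name, value in identifiers.items():
            for form, needle in encoded_forms(value).items():
                haystack = lowered if form in HASHES else text
                if needle in haystack:
                    findings.append((req["host"], name, form))
        # Several installed package names in one request suggests an app list.
        seen = sum(1 for pkg in installed_apps if pkg in text)
        if seen >= app_threshold:
            findings.append((req["host"], "app-list", f"{seen} packages"))
    return findings


# Constructed sample data (hypothetical hosts, identifiers and packages).
IDS = {"imei": "490154203237518", "serial": "R58M00CONSTR"}
APPS = ["com.example.health", "com.example.bank", "com.example.chat"]
SAMPLE = [
    {"host": "collector.example.invalid",
     "url": "/v1/register?did=490154203237518", "body": "{}"},
    {"host": "analytics.example.invalid", "url": "/log",
     "body": '{"dev":"' + hashlib.sha256(b"R58M00CONSTR").hexdigest().upper()
             + '","apps":["' + '","'.join(APPS) + '"]}'},
    {"host": "cdn.example.invalid", "url": "/theme.png", "body": ""},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE, IDS, APPS):
        print(finding)
```

Matching on hashed and Base64 forms matters because a search for the plain identifier alone would miss the second sample request entirely.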
What they claim: Samsung promotes Galaxy Store as a curated, safe app marketplace that gives users choice.
What we found: Galaxy Store ships pre-installed and cannot be removed. It duplicates Google Play Store functionality under Samsung's separate data collection policies. Samsung uses Galaxy Store download data as part of its analytics pipeline. Users have two irremovable app stores collecting data about usage, preferences, and download history — doubling the tracking surface with no option to remove either.