Your Fleet Tracking Company Is Selling Your Location Data to Insurance Companies

The FTC caught GM/OnStar selling vehicle location data to insurance companies and data brokers. Fleet tracking companies collect the same data. Here's what they do with it and how to protect your fleet.

In January 2025, the Federal Trade Commission took action against General Motors and its OnStar subsidiary for collecting and selling precise vehicle location data from 9 million customers to data brokers, who then resold it to insurance companies. The data included latitude and longitude coordinates recorded every three seconds. Insurance companies used this information to raise premiums on individual drivers.

The FTC called it "surveillance pricing." GM enrolled customers in OnStar's Smart Driver program through confusing dark patterns during the vehicle purchase process. The drivers thought they were getting driving tips. Instead, they were feeding a data pipeline that ended at LexisNexis Risk Solutions and Verisk, two of the largest consumer data brokers in the insurance industry.

This is not hypothetical. This is not a privacy thought experiment. This is an FTC enforcement action with a proposed order banning GM and OnStar from sharing geolocation and driver behavior data with consumer reporting agencies for five years.

If GM did this to millions of individual car owners, what is your fleet tracking company doing with your data?

The Data Broker Pipeline

The GM/OnStar case exposed a supply chain most people didn't know existed. It works like this:

  1. Vehicle tracking company collects location, speed, braking, acceleration, idle time, and route data
  2. Data is packaged as driving behavior profiles, sometimes labeled "anonymized" or "aggregate"
  3. Data brokers (LexisNexis Risk Solutions, Verisk, IntelliDrive) purchase this data and enrich it with other consumer records
  4. Insurance companies use the enriched profiles for underwriting, premium adjustments, and risk scoring

LexisNexis Risk Solutions operates a product called LexisNexis Telematics Exchange, which aggregates driving data from connected vehicles and telematics providers. Verisk runs a similar platform through its Verisk Data Exchange. Both sell to property and casualty insurers.

The FTC found that OnStar shared driving data with these brokers even when consumers believed they had opted out. The "consent" was buried in a multi-step enrollment flow during the already-overwhelming process of buying a new car.

For fleet operators, the implication is direct. Your fleet tracking provider collects the same categories of data OnStar collected: GPS coordinates, speed, hard braking events, rapid acceleration, cornering forces, idle time, stop durations, route histories. If consumer vehicle manufacturers sell this data, fleet tracking companies have the same economic incentive and far less regulatory scrutiny.

What Fleet Tracking Companies Actually Collect

The average fleet tracking platform records more data than fleet managers realize. A typical installation collects:

Location data: GPS coordinates at intervals ranging from every few seconds to every minute. Over a year, a single vehicle generates millions of location records. Across a 50-truck fleet, that's tens of millions of data points.

Driving behavior: Hard braking events, rapid acceleration, speeding incidents, harsh cornering, seatbelt status, phone usage. These are precisely the signals insurance underwriters use to assess driver risk.

Operational data: Engine hours, idle time, fuel consumption, odometer readings, diagnostic trouble codes, maintenance intervals. This data reveals equipment value, usage intensity, and maintenance discipline.

Route patterns: Origin-destination pairs, stop durations, time-of-day patterns, geographic concentration. This data reveals what neighborhoods your drivers frequent, what customers you serve, and how your operations flow.

Driver scores: Many platforms compute composite driver safety scores. These scores are, by design, actuarial data in a different format.

Insurance underwriters would pay real money for any one of these data categories. Combined, they represent a complete risk profile more detailed than anything an insurer could collect through traditional methods.

Read the Fine Print

Fleet tracking companies don't advertise data sales. But privacy policies tell the real story, if you read them carefully.

Look for these phrases in your provider's terms:

"Anonymized or aggregated data." This is the most common loophole. A company can claim they don't sell "your" data while selling data derived from your fleet's activity. Aggregated driving behavior from your zip code, your industry vertical, or your fleet size bracket is still your data with the serial number filed off. And research repeatedly shows that "anonymized" location data can be re-identified with surprisingly little effort. A 2013 MIT study found that just four spatiotemporal points were enough to uniquely identify 95% of individuals in a dataset of 1.5 million people.

"Trusted partners" or "service providers." This language gives companies permission to share data with an undefined list of third parties. Who are these partners? How many of them are data brokers? The privacy policy doesn't say, and the company isn't required to tell you.

"Improve our services and develop new products." This catch-all justifies nearly any internal use of your data, including training models that are then sold as insights products to other companies, including insurers.

"As required by law or to protect our rights." Standard, but worth noting: this means your data can be disclosed in legal proceedings, regulatory inquiries, and subpoenas without your explicit consent.

"We may share information with affiliates." If your fleet tracking company has been acquired by or is affiliated with a larger conglomerate, your data may flow to entities you've never heard of.

Several major fleet tracking providers also operate "data insights" or "benchmarking" business lines. These divisions sell access to aggregated fleet performance data. The product descriptions use careful language about anonymization, but the underlying data comes from paying customers who signed up for fleet tracking, not data licensing.
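
The "anonymized or aggregated data" point above can be measured on any export a vendor calls anonymized. The following is an added example, not code from any provider or from the cited study: it counts how often k known stops fit exactly one pseudonymous trace. The vehicle IDs, grid cells and hours are constructed sample data.

```javascript
// Constructed sample: four pseudonymous vehicle traces, already coarsened
// to "gridCell@hour" points. No names, plates or exact coordinates.
const TRACES = {
  'veh-7f3a': ['D@06', 'A@08', 'B@10', 'D@17'],
  'veh-02c9': ['D@06', 'A@08', 'C@10', 'D@17'],
  'veh-b41e': ['D@06', 'E@08', 'B@10', 'D@17'],
  'veh-9d60': ['D@06', 'E@08', 'C@10', 'D@18'],
};

// Yield every k-element subset of arr.
function* subsets(arr, k, start = 0, picked = []) {
  if (picked.length === k) { yield picked; return; }
  for (let i = start; i < arr.length; i++) {
    yield* subsets(arr, k, i + 1, [...picked, arr[i]]);
  }
}

// Number of traces in the dataset that contain all of the known points.
function matches(traces, known) {
  return Object.values(traces)
    .filter((t) => known.every((p) => t.includes(p))).length;
}

// Unicity: share of (vehicle, k known points) samples that fit exactly one trace.
function unicity(traces, k) {
  let unique = 0, total = 0;
  for (const trace of Object.values(traces)) {
    for (const known of subsets(trace, k)) {
      total++;
      if (matches(traces, known) === 1) unique++;
    }
  }
  return { unique, total, fraction: unique / total };
}

for (const k of [1, 2, 3, 4]) {
  const u = unicity(TRACES, k);
  console.log(`k=${k}: ${u.unique}/${u.total} samples single out one vehicle`);
}
```

Even though all four vehicles share a depot and overlap on customer stops, two known points single out a vehicle in 9 of 24 cases here, and four points always do.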

The Economics of Data Sales

Fleet tracking is a competitive, margin-pressured business. The average fleet tracking subscription runs $20-$40 per vehicle per month. For a provider with 100,000 vehicles on its platform, that's $24-48 million in annual recurring revenue.

The same provider sits on billions of location records, millions of driver behavior events, and detailed operational profiles across industries. This data has value to insurance companies, real estate firms, retail analytics companies, advertising networks, and government agencies.

Data monetization offers near-100% gross margin revenue. There's no hardware cost, no support cost, no infrastructure beyond the data warehouse you already operate. For a fleet tracking company facing pricing pressure from competitors, data sales are the most attractive revenue line on the income statement.

You don't need to assume bad intent. You just need to follow the economics. If you were running a fleet tracking company with access to this data and under pressure to grow revenue, the rational business decision is to monetize it.

Real Consequences: Insurance Premiums You Can't Explain

Fleet insurance is already expensive and getting worse. Commercial auto insurance rates have increased consistently over the past several years, with double-digit annual increases common across the industry.

Fleet managers are reporting premium increases they can't explain through claims history alone. The insurance company cites "risk factors" and "industry data" without disclosing the source. If that source is telematics data purchased from your own fleet tracking provider, you're paying twice: once for the tracking subscription, and again through higher insurance premiums driven by data you generated.

The GM/OnStar case documented exactly this pattern at the consumer level. Drivers with clean records saw their insurance premiums increase. When they called their insurers, they were told the increase was based on "driving data" in their consumer file. The data came from OnStar, routed through LexisNexis, and used by the insurer without the driver ever being told.

For fleets, the stakes are higher. A 50-vehicle fleet paying $3,000-$5,000 per vehicle annually for commercial auto insurance is spending $150,000-$250,000 per year. A 10% premium increase driven by third-party telematics data costs $15,000-$25,000. That's more than many fleet managers spend on tracking itself.

The Spireon Data Breach: What Happens When It All Leaks

Data sales are one risk. Data breaches are another.

In January 2023, security researcher Sam Curry disclosed a vulnerability in Spireon's fleet tracking platform that exposed the real-time location data of approximately 15 million vehicles. The vulnerability allowed unauthorized access to vehicle locations, trip histories, and device commands across Spireon's entire customer base, including vehicles tracked through Spireon's GoldStar, LoJack, and FleetLocate products.

The exposed data included GPS coordinates, VINs, and in some cases the ability to remotely unlock vehicles and disable starters. Spireon's customers include rental car companies, fleet operators, and auto dealerships.

This is the problem with centralized fleet tracking architectures. Every vehicle's location data flows to a single server-side database. That database becomes a high-value target. When it's breached, every customer's fleet positions, routes, and patterns are exposed simultaneously.

The Spireon breach wasn't the only one. Researchers have found similar vulnerabilities in platforms from multiple fleet tracking vendors. The common thread is architecture: a central server that stores precise location histories for millions of vehicles in a format that's accessible through a single API.

How Apple Find My Is Architecturally Different

The Find My network processes over a billion location events daily across hundreds of millions of devices. Yet Apple cannot read any of them.

This is not a privacy policy promise. It's a cryptographic architecture. The difference matters.

An AirTag (or any Find My accessory) does not broadcast its location. It broadcasts a rotating public key derived from a key pair generated on the owner's device. A nearby iPhone picks up the broadcast, encrypts its own location with the tag's public key, and uploads the encrypted report to Apple's servers. Apple stores the encrypted blob but cannot decrypt it. Only the owner's device, which holds the corresponding private key, can decrypt the location.

For fleet tracking, this means:

No centralized location database. Apple's servers store encrypted data they cannot read. There is no database of fleet positions to sell, share, or breach.

No data broker pipeline. Because Apple cannot access the location data, they cannot sell it to LexisNexis, Verisk, or anyone else. The data literally doesn't exist in a form that could be monetized.

No single point of breach. If Apple's Find My servers were compromised, the attacker would get encrypted blobs that are cryptographically useless without the individual owner's private keys. There is no Spireon-style scenario where one breach exposes millions of vehicles.

No driving behavior scoring. The Find My network reports location, not speed, braking, or acceleration. Insurance underwriters can't build risk scores from position-only data with the update frequency of Find My.

This is end-to-end encryption applied to fleet tracking. The same principle that protects your iMessages protects your fleet locations.
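
The flow described above, as an added sketch that is not Apple's or AirPinpoint's code: a finder encrypts its position to the broadcast public key, the server stores only the blob, and a copy of the database without the owner's private key yields nothing. It assumes P-256 ECDH, HKDF and AES-256-GCM from Node's built-in crypto module as stand-ins and covers a single key period without rotation; all function names and the sample coordinates are constructed.

```javascript
const { createECDH, createHash, createCipheriv, createDecipheriv,
        hkdfSync, randomBytes } = require('node:crypto');

const CURVE = 'prime256v1'; // stand-in curve chosen for this sketch
const indexOf = (pub) => createHash('sha256').update(pub).digest('hex');

// AES key both ends can compute: ECDH secret, salted with the ephemeral public key.
function deriveKey(ecdh, peerPub, ephPub) {
  const secret = ecdh.computeSecret(peerPub);
  return Buffer.from(hkdfSync('sha256', secret, ephPub, 'location-report', 32));
}

// Finder phone: sees only the broadcast public key and encrypts its own position to it.
function finderReport(tagPub, location) {
  const eph = createECDH(CURVE);
  const ephPub = eph.generateKeys();
  const iv = randomBytes(12);
  const c = createCipheriv('aes-256-gcm', deriveKey(eph, tagPub, ephPub), iv);
  const ct = Buffer.concat([c.update(JSON.stringify(location)), c.final()]);
  return { index: indexOf(tagPub), ephPub, iv, ct, tag: c.getAuthTag() };
}

// Try to open a stored report with a private key; null means the key does not fit.
function openReport(keyHolder, r) {
  try {
    const key = deriveKey(keyHolder, r.ephPub, r.ephPub);
    const d = createDecipheriv('aes-256-gcm', key, r.iv);
    d.setAuthTag(r.tag);
    return JSON.parse(Buffer.concat([d.update(r.ct), d.final()]).toString());
  } catch {
    return null;
  }
}

// Constructed scenario: one tag, one sighting, and a copy of the server's database.
function demo() {
  const owner = createECDH(CURVE);
  const tagPub = owner.generateKeys();      // the only thing the tag broadcasts
  const server = new Map();                 // everything the operator stores
  const report = finderReport(tagPub, { lat: 41.8781, lon: -87.6298, ts: 1700000000 });
  server.set(report.index, report);
  const stored = server.get(indexOf(tagPub));
  const intruder = createECDH(CURVE);       // has the database, not the owner's key
  intruder.generateKeys();
  return { owner: openReport(owner, stored), intruder: openReport(intruder, stored),
           serverFields: Object.keys(stored) };
}

console.log(demo());
```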

What Fleet Managers Should Do

The FTC's GM enforcement action established a precedent. Vehicle location data is sensitive. Companies that collect and sell it without meaningful consent face regulatory consequences. But enforcement moves slowly, and the fleet tracking industry hasn't received the same scrutiny as consumer vehicles.

Until it does, fleet managers need to protect themselves.

1. Read your tracking provider's full privacy policy and terms of service. Not the summary. The full document. Search for "aggregate," "anonymize," "partner," "third party," "share," "disclose," and "insurance." If any of these terms appear in the context of data sharing, you need to understand exactly what's being shared and with whom.

2. Ask your provider directly: "Do you sell, license, or share any fleet data with insurance companies, data brokers, or data aggregators?" Get the answer in writing. A verbal "no" has no legal weight.

3. Request a Data Processing Agreement (DPA). A DPA contractually limits what your provider can do with your data. If they won't sign one, that tells you something.

4. Check whether your provider operates a "data insights," "benchmarking," or "analytics" product. If they sell aggregate fleet data as a separate business line, your fleet's data is likely contributing to that product.

5. Ask your insurance broker whether your insurer uses third-party telematics data for underwriting. If yes, ask them to identify the source. If the source is your own fleet tracking provider, you have a problem and a negotiating position.

6. Evaluate providers with end-to-end encrypted architectures. The Find My network's encryption model makes data monetization architecturally impossible. Your tracking provider literally cannot sell what they cannot access.

The Competitive Advantage of Privacy

Data privacy is becoming a business requirement, not just a compliance checkbox.

Government contracts increasingly include data sovereignty clauses. Enterprise customers ask vendors about data handling before signing contracts. The EU's GDPR and state-level privacy laws in California, Virginia, Colorado, and others create legal liability for companies that can't demonstrate data protection.

If you're a fleet operator bidding on contracts, your tracking provider's privacy architecture is part of your bid. A customer asking "who has access to our delivery fleet's location data?" deserves a better answer than "our vendor's privacy policy says they might share anonymized data with trusted partners."

The answer fleet customers want to hear is: "Our tracking uses end-to-end encryption. Nobody, including the tracking provider and including us, can access your fleet location data except through our secured dashboard."

That answer is only possible with a privacy-by-design architecture like Find My.

The FTC Set the Precedent. The Fleet Industry Hasn't Caught Up.

The GM/OnStar enforcement action drew a line. Collecting vehicle location data and selling it to insurance companies without clear, informed consent is a deceptive trade practice. The FTC's proposed order bans GM and OnStar from sharing geolocation and driver behavior data with consumer reporting agencies for five years and requires them to allow consumers to delete their data.

This logic applies directly to fleet tracking. The data is the same. The collection methods are the same. The broker pipeline is the same. The only difference is that fleet tracking companies haven't faced their FTC moment yet.

When they do, the fleet managers who chose encrypted, privacy-first tracking architectures will be on the right side of the line. The ones who signed up for the cheapest per-vehicle rate without reading the privacy policy may find that the real cost was measured in insurance premiums, data exposure, and customer trust.

Your fleet data is valuable. That's why you track it. Make sure you're the only one who profits from it.


AirPinpoint provides fleet and asset tracking built on Apple's Find My network with end-to-end encryption. Your location data is encrypted on-device and never stored in a centralized database that could be sold or breached. See pricing or start a free trial.
