Root exposed 72,852 people's driver's license numbers in plaintext. Bots scraped them automatically. The stolen numbers were used to file fake unemployment claims during COVID, stealing pandemic relief from real people. New York fined Root $975,000. Root does not even sell insurance in New York. They just left the door open for New Yorkers to be robbed.
Root turns your phone into a driving surveillance device. Accelerometer tracks braking. GPS tracks routes. Gyroscope tracks cornering. Drive at night? Higher rates. Drive through a poor neighbourhood? Higher rates. The "fair pricing" algorithm penalises shift workers and people who can't afford to live in suburbs. Your phone watches you drive, and the algorithm decides what you're worth.
What they claim: Root Insurance promotes fair pricing based on how you actually drive.
What we found: Root uses phone sensors — accelerometer, GPS, and gyroscope — to monitor driving behaviour during a test period, then sets insurance rates based on the data. Privacy researchers noted the app effectively turns your phone into a surveillance device that monitors speed, braking, cornering, phone usage while driving, time of day, and route patterns. Poor neighbourhoods and night-shift workers get penalised by algorithms that correlate driving times with risk.
What they claim: Root Insurance markets itself as transparent and fair, pricing based only on how you actually drive.
What we found: Root CTO Dan Manges confirmed the persistent monitoring is necessary and the app monitors you at all times and cannot be switched off without disrupting the trial period. The app uses accelerometer, gyroscope, GPS, GLONASS, and compass data continuously. It tracks trips even when you are a passenger in someone else's car or on a plane. Users must complete the test drive surveillance period to get a quote at all.
What they claim: Root says it addresses privacy concerns through clear data collection practices and transparent opt-in consent.
What we found: As an insurer, Root is explicitly exempt from most state privacy laws that provide specific rights regarding personal information. In most states, customers have no right to access, correct, or delete data Root collects. Only California and Minnesota provide limited protections for non-insurance data. Root collects accelerometer, gyroscope, GPS, location history, and driving behaviour data with fewer legal constraints than a social media app.
What they claim: Root markets the "Test Drive" as a limited evaluation period after which monitoring ends.
What we found: The Root app continues to track driving even after the test drive period ends and uses gathered data to set new rates at renewal. While Root says an untouched app only refines their algorithm rather than re-rating individual premiums, the data collection never stops unless users manually disable tracking features. The default is perpetual surveillance.
What they claim: Root Insurance offers lower premiums to customers who prove safe driving through telematics monitoring.
What we found: As telematics becomes standard, customers who refuse surveillance face increasingly high premiums. The UK insurance market found a 2,000 pound pricing penalty forcing young drivers into surveillance programs. Consumer groups warn this creates a two-tier system where privacy becomes a luxury only wealthy drivers can afford. Those who cannot afford the surveillance premium or who lack compatible phones are priced out.
What they claim: Root says it uses telematics to measure YOUR driving habits and price YOUR risk fairly.
What we found: The app records trips when you are a passenger in someone else's car, when riding public transport, and even on planes. Users report being marked for phone use when they were passengers. While Root says you can correct mislabeled trips in-app, the data is collected regardless and the burden falls on the user to constantly audit and dispute false records.
What they claim: Root positions itself as a modern, fair, technology-driven alternative to traditional insurance companies.
What we found: ToS Watchdog scored Root Insurance 40 out of 100 for fairness, Grade D, the lowest among all insurtech companies reviewed. Root's extensive surveillance requirements, constant location tracking, phone monitoring, and opaque algorithm create what reviewers describe as significant privacy trade-offs that most consumers do not fully understand when they sign up attracted by the promise of cheaper rates.
What they claim: Root Insurance collects personal data with promises to protect it through robust security measures.
What we found: New York AG Letitia James fined Root $975,000 after their online quoting tool exposed full plaintext driver's license numbers in generated PDFs. 72,852 people were impacted. Automated bots exploited the vulnerability to harvest 44,449 New Yorkers' license numbers. The stolen data was used to file fraudulent unemployment claims during COVID-19. Root failed to perform risk assessments, did not identify plaintext exposure, and lacked controls against automated attacks.
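An added example, not Root's code and not part of the original findings: a pre-release check that masks a driver's license number appearing verbatim in rendered quote text, plus a per-client count of distinct applicants to surface automated harvesting. The field names, sample record, client addresses and threshold are constructed assumptions.

```python
import re

# Constructed sample data; field names and the threshold are assumptions.
SENSITIVE_FIELDS = ("drivers_license",)
RECORD = {"name": "Pat Example", "drivers_license": "X123456789"}
RENDERED = "Quote for Pat Example\nDriver license: X123-456-789\n"
EVENTS = [("203.0.113.7", f"applicant-{i}") for i in range(5)] + [
    ("198.51.100.20", "applicant-0")]


def mask(value, keep=4):
    """Hide all but the last `keep` characters; hide everything if too short."""
    if len(value) <= keep:
        return "*" * len(value)
    return "*" * (len(value) - keep) + value[-keep:]


def scrub_document(text, record):
    """Mask sensitive record values found verbatim in rendered text.

    Returns (clean_text, leaked_fields); a non-empty list means the template
    would have released the value in plaintext."""
    leaked = []
    for field in SENSITIVE_FIELDS:
        value = record.get(field)
        if not value:
            continue
        # Tolerate a space or dash inserted between characters by formatting.
        pattern = r"[\s-]?".join(re.escape(ch) for ch in value)
        masked = mask(value)
        text, hits = re.subn(pattern, lambda m: masked, text, flags=re.IGNORECASE)
        if hits:
            leaked.append(field)
    return text, leaked


def flag_automation(events, max_identities=3):
    """events: (client, applicant) pairs for quote requests in one time window.

    Returns clients that requested quotes for more distinct people than allowed."""
    seen = {}
    for client, applicant in events:
        seen.setdefault(client, set()).add(applicant)
    return sorted(c for c, people in seen.items() if len(people) > max_identities)


if __name__ == "__main__":
    print(scrub_document(RENDERED, RECORD))
    print(flag_automation(EVENTS))
```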
What they claim: Root Insurance claims fair, behaviour-based pricing that rewards good drivers.
What we found: Consumer advocacy groups and researchers have raised concerns that telematics-based insurance systematically disadvantages low-income drivers, night-shift workers, and residents of high-crime neighbourhoods. Driving at night (shift workers), through certain zip codes (low-income areas), or on poorly maintained roads (rural/disadvantaged areas) all trigger higher risk scores. The algorithm converts socioeconomic disadvantage into higher premiums.