How a License Plate Becomes a Person

Introduction

A license plate is, by itself, an anonymous string of seven or eight characters. The privacy implications of the surveillance economy documented in Parts 1 and 2 of this series depend entirely on the ability of commercial actors to convert that string into a named individual — with an address, a phone number, a driving history and, increasingly, a real-time behavioral profile.

Industry literature consistently describes ALPR data as “anonymous.” The California Bureau of Automotive Repair’s official ALPR policy, for example, states that a license plate photograph is not personally identifiable information because it does not contain a first name or driver’s license number. The same policy adds, in the next sentence, that ALPR data “can be linked to an identifiable person” when cross-referenced with DMV registration data.

That cross-reference is the entire game. This piece documents how it works.

The Five-Step Pipeline

Across every major use case — insurance underwriting, repossession, targeted advertising, employment screening, federal immigration enforcement — the path from a captured plate to an actionable decision moves through the same general sequence.

Step	Input	Operator	Output
1. Capture	Photograph of plate in public space	DRN / Flock / billboard camera / connected vehicle	Plate string + GPS + timestamp + photo
2. Aggregation	Plate string	DRN database / Flock network / data broker	Historical sightings, vehicle attributes
3. Resolution	Plate + VIN	LexisNexis Risk Solutions (via DMV records + LexID linking)	Registered owner name, address, phone, demographics
4. Enrichment	Owner identity	C.L.U.E. database; credit headers; telematics feeds	Driving history, claims history, behavior data
5. Delivery	Composite profile	Insurance carriers, lenders, repo agents, advertisers, employers	Underwriting decision, repo order, targeted ad, denial

Step 3, resolution, is the linchpin. The remainder of this article explains how that step actually happens — and why the legal frameworks examined in Parts 1 and 2 fail to constrain it.

Mechanism 1: The LexisNexis Identity Graph

LexisNexis Risk Solutions, a division of the London-listed information conglomerate RELX, operates the central commercial identity-resolution infrastructure that the rest of the driver-data economy depends on. The company’s published self-description includes the following facts: 99% of U.S. personal auto and home insurance carriers and the top 25 U.S. life and commercial auto carriers use its products, and 88% of new U.S. auto insurance policies in 2024 “benefited from” its solutions.

The technical foundation is a proprietary identifier called LexID, which links data points across hundreds of source feeds into a single consolidated profile per individual. The inputs include:

State motor vehicle records purchased directly under the Driver’s Privacy Protection Act’s permissible-use exceptions (the subject of Part 1).
Credit header data sourced from the three credit bureaus.
Public records, including property deeds, voter registration, court filings, professional licenses and bankruptcies.
The C.L.U.E. (Comprehensive Loss Underwriting Exchange) database, which aggregates auto and home insurance claims history.
Telematics feeds from connected vehicles supplied directly by automakers.
Marketing data acquired from commercial data brokers.

LexisNexis markets a specific product, Owner Check, that converts a Vehicle Identification Number into a current registered-owner profile by combining DMV data with what the company describes as “billions of public records.”

In plain terms: when an insurance carrier, repo agent or private investigator obtains an ALPR scan from DRN, Flock or any other camera network, they typically already hold a LexisNexis subscription that converts the plate into a name. The ALPR vendor does not need to buy DMV data because the buyer of the ALPR data already has.

Mechanism 2: The DPPA Permissible-Use Back Door

The Driver’s Privacy Protection Act prohibits the disclosure of personal information from motor vehicle records, but the statute lists 14 categories of permissible use that authorize disclosure to qualifying recipients. The categories most relevant to the camera economy include:

Use by an insurer or insurance support organization in connection with claims, anti-fraud activities, rating and underwriting.
Use in connection with motor vehicle or driver safety, theft, emissions, product alterations, recalls and advisories.
Use by a licensed private investigative agency for a purpose otherwise permitted under the statute.
Use in connection with civil, criminal, administrative or arbitral proceedings.

The cumulative effect is that the largest commercial buyers of ALPR data — insurers, repossession contractors, private investigators, towing operators, fraud-investigation units — all qualify for direct DMV record access under at least one DPPA exception.

Mechanism 3: Connected Vehicles Sending Identity Directly

The connected-vehicle pipeline closes the correlation loop without any need for plate photography at all. In March 2024, New York Times reporter Kashmir Hill published an investigation documenting that General Motors, through its OnStar Smart Driver program, was transmitting trip-level driving behavior data — including individual instances of hard braking, hard acceleration, speeds over 80 miles per hour, late-night driving and trip distances — to LexisNexis Risk Solutions and Verisk.

The data was tied to the named primary registered owner of the vehicle. One driver Hill profiled had received a 21% insurance rate increase after a LexisNexis consumer disclosure report documented 640 of his trips and showed that eight different insurance carriers had pulled his profile in the preceding month.

On January 16, 2025, the Federal Trade Commission announced a proposed consent order banning GM and OnStar from sharing geolocation and driving behavior data with consumer reporting agencies for five years. The FTC action covers GM only. Comparable practices at Honda, Hyundai, Kia, Toyota and others remain the subject of pending state attorney general investigations and private civil litigation. Kia America publicly announced in February 2024 that it had joined the “LexisNexis Telematics Exchange.”

Mechanism 4: Flock’s Explicit Pivot to Identity Resolution

Through 2024, Flock Safety publicly maintained that its license plate readers did not collect personally identifiable information because, the company argued, plates were not identities. In October 2025, the American Civil Liberties Union reported that Flock had announced plans to integrate its national camera network with commercial data brokers offering “people lookup” services. The ACLU quoted Flock’s own marketing language describing the new product as enabling police to “jump from LPR to person.”

Mechanism 5: VIN Scanning and Vehicle Fingerprinting

Modern ALPR systems capture more than the plate. Flock’s product literature describes a proprietary “Vehicle Fingerprint” capability that records make, model, color, body style and aftermarket modifications. Where the front windshield is visible to a roadside camera, the federally mandated VIN plate at the base of the windshield is also potentially readable. The VIN, unlike the plate, is a globally unique identifier that ties directly to the National Motor Vehicle Title Information System.

Mechanism 6: Mobile Advertising IDs and GPS Triangulation

For the out-of-home advertising industry, the correlation step does not require resolving the plate to the registered owner. It requires only matching the vehicle’s location and time to a smartphone present at the same coordinates. Major mobile advertising data brokers — including X-Mode, Veraset, Cuebiq and SafeGraph — aggregate location pings from partner applications. The data is keyed to a Mobile Advertising ID (MAID) assigned by the device’s operating system.

Why the Legal Framework Misses the Correlation Layer

Each of the six mechanisms above is, in isolation, legal under current federal law. DPPA permissible-use exceptions authorize the DMV-to-LexisNexis link. The Fair Credit Reporting Act regulates how LexisNexis discloses consumer reports to insurers but does not restrict the underlying aggregation. The Fourth Amendment does not apply to private data flows.

In simple terms: there is no single law you can point to that prohibits the pipeline. There is also no single regulator with end-to-end visibility into it.

Analysis

The plate-to-person correlation infrastructure is, at present, the most consequential and least examined component of the U.S. driver-data economy. It depends on a small number of master aggregators (LexisNexis, Verisk, Experian, Thomson Reuters) that hold near-universal coverage of U.S. drivers, plus a federal statute whose exception structure functions as a sorting mechanism delivering state data to those aggregators.

Conclusion

Camera networks did not need to buy DMV data because someone else already did. The correlation between a license plate and a person now runs through a small, concentrated commercial infrastructure that operates legally under the permissive structure of the 1994 Driver’s Privacy Protection Act and the absence of a comprehensive federal privacy statute.

Key Takeaways

ALPR data is technically anonymous but is consistently re-identified through cross-reference with DMV records held by commercial data aggregators.
LexisNexis Risk Solutions, used by 99% of U.S. personal auto carriers, operates the master identity graph (LexID) that links plates, VINs, owners, claims history and telematics data.
The DPPA’s 14 permissible-use exceptions channel DMV records to insurers, repo agents and private investigators.
Through March 2024, GM’s OnStar transmitted trip-level driver behavior data with named owner identifiers to LexisNexis and Verisk; the FTC banned the practice for GM in January 2025.
Kia, Honda, Hyundai and other automakers have operated similar programs; Kia publicly joined the LexisNexis Telematics Exchange in February 2024.
Flock Safety announced in October 2025 a product designed to “jump from LPR to person.”
No single federal law prohibits the end-to-end pipeline; each individual step is legal under current authorities.

Frequently Asked Questions

How does a license plate get connected to a person’s identity?

A captured license plate is matched against commercial identity-resolution databases — most prominently LexisNexis Risk Solutions, which holds DMV records purchased under DPPA permissible-use exceptions. The plate is cross-referenced to the registered owner via LexisNexis’s proprietary LexID identifier.

What is LexisNexis Risk Solutions?

LexisNexis Risk Solutions is a division of the London-listed information conglomerate RELX. It operates the central commercial identity-resolution infrastructure for the U.S. driver-data economy. 99% of U.S. personal auto insurance carriers use its products.

How is ALPR data linked to vehicle owners?

ALPR data is technically anonymous but is consistently re-identified through cross-reference with DMV records held by commercial data aggregators. Cross-referencing produces make, model year and registered owner information.

What is the C.L.U.E. database?

C.L.U.E. (Comprehensive Loss Underwriting Exchange) is a LexisNexis-administered claims information exchange that collects up to seven years of auto and home insurance claims data, used by insurers for pricing and underwriting decisions.

Did GM really sell driving data to insurance companies?

Yes. Through March 2024, GM’s OnStar Smart Driver program transmitted trip-level driving behavior data to LexisNexis and Verisk. GM terminated those relationships on March 20, 2024, and agreed to an FTC consent order in January 2025 prohibiting the practice for five years.

What is LexisNexis Owner Check?

Owner Check is a LexisNexis product that converts a Vehicle Identification Number into a current registered-owner profile by combining DMV data with billions of public records.

Related Coverage from NexfinityNews

State DMVs Collected at Least $282 Million From Driver-Data Sales — Part 1 — the regulated DMV side of the driver-data economy.
Beyond the DMV: The Private Camera Networks Tracking American Drivers — Part 2 — how private ALPR networks bypass the DPPA.
Flock Safety Surveillance Expansion: How Local Cameras Built a National Police Network — Investigation into how Flock’s 76,000+ ALPR cameras became a de facto federal surveillance system.
Chatrie v. United States: The SCOTUS Case That Could Reshape Digital Surveillance — Inside the Supreme Court geofence warrant case and what it means for location data privacy.
Can You Opt Out? A Driver’s Guide to the Limited Tools That Work in 2026 — Part 4 — practical opt-out tools with direct resource links.
Are Automakers Now Data Companies? The Recurring Revenue Math — Part 5 — the financial logic behind the surveillance economy.

Sources

Driver’s Privacy Protection Act of 1994, 18 U.S.C. § 2721 et seq.
California Bureau of Automotive Repair, Automated License Plate Reader Privacy and Usage Policy.
LexisNexis Risk Solutions, “About Us — Insurance,” corporate disclosures, 2024–2026.
LexisNexis Risk Solutions, “Owner Check” product announcement, June 28, 2021.
Kashmir Hill, The New York Times, GM/OnStar telematics investigation series, March–April 2024.
Federal Trade Commission, proposed consent order against General Motors LLC and OnStar LLC, January 16, 2025.
LexisNexis Risk Solutions and Kia America joint announcement on the LexisNexis Telematics Exchange, February 8, 2024.
American Civil Liberties Union, “Flock’s Aggressive Expansions Go Far Beyond Simple Driver Surveillance,” October 17, 2025.
Electronic Frontier Foundation, Street Level Surveillance: Automated License Plate Readers.
Mozilla Foundation, *Privacy Not Included: Connected Vehicles review, 2023.