Fitbit is a good example. I'm willing to bet a good amount of money that they sell a lot of the BLE beacon data they snarf up alongside their heart rate monitor data.
Fitbit is a good example of an app that requires permanent Bluetooth access, but a terrible example of a company likely to sell user data. Fitbit's users are its customers, and are the source of $1.5 billion per year in revenue. Any money gained from selling that data would be miniscule in comparison, and would put the main revenue stream at risk by alienating customers.
It's not Fitbit that necessarily is collecting this data, though. Fitbit might simply be using an SDK for Bluetooth detection, for example, that's provided by a company that does sell user data. The number of paid platforms and frameworks that are out there and used by all kinds of companies is crazy and it's not too big of a stretch to realize that some kind of tracking framework runs on the business of aggregating and selling that data while only providing the company in question using the framework with some of it.
It's not even too big of a stretch to realize how many free WordPress frameworks out there collect and sell aggregated site visitor data. I mean... if you're using a free Google Analytics service, do you honestly think they're not doing something with all that access to your site info?
That doesn't change the fact that they could be using another framework or library that has code to access Bluetooth. As long as the app has been granted access, the framework would have access too.
