Texas AG Sues Allstate Insurance for Privacy Law Violations

Texas Attorney General Ken Paxton is suing insurance giant Allstate and its subsidiary data analytics company Arity. The lawsuit alleges Allstate Insurance violated the Texas Data Privacy and Security Act (TDPSA) by unlawfully collecting, using, and selling data about the location and movement of Texans’ cell phones through secretly embedded software in mobile apps. Paxton claims Allstate collected trillions of miles worth of location data from over 45 million consumers and used the data to create the “world’s largest driving behavior database.” The insurance company is also accused of using that data to increase insurance rates.

Allegations in the Texas Allstate Insurance Lawsuit

The lawsuit alleges the defendants developed a software development kit (SDK) that could be integrated into phone apps to collect the phone’s location and movement data. An SDK called the Arity Driving Engine was designed to collect location data including a phone’s geolocation, data related to speeding and distracted driving, and trip attributes (distance, duration, start and end locations, etc.).

Allstate is accused of paying app developers millions of dollars to integrate the Arity SDK into their apps. To avoid being detected by consumers, the defendants only attempted to partner with apps that already relied on location information to function. Life360, GasBuddy, and Fuel Rewards are some of the apps that integrated the Arity SDK.

Allstate used the data from the SDK to develop and sell driver behavior data products. The lawsuit points out that the data was collected from mobile phone movement, so the data collected on a consumer may not have come from when they were driving but from when they were a passenger in a car, bus, etc.

Allstate, along with the apps that integrated the SDK, is accused of failing to notify consumers about the data collection via the SDK. They also didn’t inform consumers how the data would be collected, used, and monetized. The defendants failed to gain consumer consent before performing these actions and collecting this type of information.

Allstate did not provide consumers with any sort of notice of their data and privacy practices through the apps. The privacy notice on Allstate’s website did not accurately represent the company’s practices. Allstate stated that they “do not sell personal information for monetary value,” but they are accused of selling the data in the driver data packages.

TDPSA Violations

The lawsuit alleges the defendants committed five Texas Data Privacy and Security Act violations.

  1. Failing to provide consumers with a reasonably accessible and clear privacy notice.
  2. Processing sensitive data without obtaining the consumer’s consent.
  3. Failing to notify consumers that their sensitive personal data may be sold (GPS data from a consumer’s phone is considered sensitive data).
  4. Not providing consumers with a process to opt out of the sale of their data for targeted advertising.
  5. Failing to provide consumers with a reasonably accessible and clear privacy notice that includes information on how consumers may exercise their rights.

The TDPSA includes a 30-day right to cure. Lawsuit documents state the defendants were notified about the violations but failed to cure them within 30 days.

Texas is seeking more than $1,000,000 in penalties, including up to $7,500 for each TDPSA violation and up to $10,000 for each Texas Data Broker Law violation.

Other Lawsuits from the Texas AG

In August 2024, Ken Paxton sued General Motors, claiming the automaker illegally collected and sold the data of Texas drivers to insurance companies without their knowledge or consent. That lawsuit alleged that GM installed technology in its vehicles that was promoted as a tool for improving safety, but it was also used to collect, record, analyze, and transmit “Driving Data,” which includes speed, seatbelt status, driving distances, and times. GM is accused of using that data to create a “Driving Score” that insurance companies could purchase.

CompliancePoint has a team of privacy experts who can help your business comply with all applicable regulations, including the GDPR, CCPA, and other state privacy laws. Contact us at connect@compliancepoint.com to learn more about our services.
