On January 13, 2025, the Texas Attorney General (AG) announced a lawsuit against insurance company Allstate and its subsidiary, Arity, for allegedly collecting, using, and selling the geolocation and movement data of Texan drivers. This action was brought under Texas’ Data Privacy and Security Act (“TDPSA”) and marks the first lawsuit to be filed by a State Attorney General to enforce a comprehensive data privacy law.
While the lawsuit is the first of its kind, the complaint touches on familiar privacy allegations, including the failure to obtain proper consent, provide a privacy notice, and offer an opt-out method. Additionally, the focus on driver data is not unique to Texas. The California Privacy Protection Agency (CPPA) announced its own focus on connected vehicles in 2023, and the Federal Trade Commission recently announced its own enforcement action against a car manufacturer for allegedly illegally sharing driver data without consent.
In this post, we summarize the Allstate complaint and provide some key takeaways. We are happy to answer any questions you might have about your company’s data compliance programs. To keep up to date on the latest state comprehensive privacy laws, be sure to subscribe to the WilmerHale Cybersecurity and Privacy Law Blog.
Summary of the Complaint
According to the Texas AG’s Office, Allstate collected drivers’ geolocation and movement data from mobile devices, in-car devices, and vehicles. The insurance company allegedly designed a software development kit (“SDK”) that could be integrated into third-party mobile apps so that consumers would unknowingly download Allstate’s software whenever downloading the third-party’s app on their phone. Furthermore, Allstate, through its subsidiary data analytics company, Arity, allegedly paid app developers millions of dollars to integrate Allstate’s SDK into their apps. According to the Texas AG’s Office, Allstate and Arity specifically sought out apps that already contained location-based features to avoid alerting consumers of Allstate’s data collection, including apps like Routely, Life360, and Fuel Rewards.
As a result, Allstate could allegedly track consumers’ geolocation, movement, and speed in real time and ultimately “capture[d] [data] every 15 seconds or less” from “40 [million] active connections.” Altogether, the data amassed by Allstate was used to build “the world’s largest driving behavior database,” which consisted of over 45 million Americans’ driving data. According to the Texas AG’s Office, this driving behavior data was then used to justify raising Texans’ car insurance premiums.
Based on Allstate and Arity’s collection, processing, and sale of consumers’ geolocation data, the Texas AG’s Office alleged that the defendants violated the TDPSA, along with Texas’ Data Broker Law and Insurance Code. More specifically, the Allstate complaint asserts the following to be violations of the TDPSA and Texas’ Data Broker Law.
Failure to Provide a Reasonably Clear and Accessible Privacy Notice
The TDPSA requires a controller, or an entity that “determines the purpose and means of processing personal data,” to “provide consumers with a reasonably accessible and clear privacy notice that includes…any sensitive data processed by the controller.” Under the TDPSA, “personal data” is defined as “any information, including sensitive data, that is linked or reasonably linkable to an identified or identifiable individual,” which includes “pseudonymous data when the data is used by a controller or processor in conjunction with additional information that reasonably links the data to an identified or identifiable individual.” By integrating the SDK into third-party mobile apps, analyzing the driving data for certain behaviors, and repurposing the data for its sale to third-party customers, Arity acted as a controller on behalf of Allstate. However, Arity allegedly failed to provide consumers with a privacy notice, with many consumers remaining unaware that Arity was even processing their sensitive data.
Additionally, the TDPSA requires privacy notices to include how consumers may exercise their rights. Under the TDPSA, consumer rights include the right to opt out of the processing of their personal data for purposes like targeted advertising and the sale of personal consumer data. Given that Arity allegedly failed to provide consumers with a privacy notice, Arity also failed to provide consumers with notice of how they can exercise their rights under Texas’ data privacy law. Furthermore, Arity allegedly told consumers that it does not sell personal data and that consumers could “[l]earn how to opt out of targeted advertising” by visiting another link. However, according to the Texas AG’s Office, the link provided by Arity only led to a page that listed third-party websites like Apple Support Center and did not detail how a consumer could submit an opt-out request to Arity specifically.
Failure to Provide the TDPSA’s Required Notice for Controllers Selling Sensitive Data
The TDPSA also requires controllers that sell sensitive data to provide the following notice to consumers: “NOTICE: we may sell your sensitive data.” Furthermore, the TDPSA requires controllers to post this notice in the same manner and location as the privacy notice. According to the Texas AG’s Office, Arity sold the sensitive driving behavior it collected from third-party mobile apps, including “the start and end location of a trip, the start and end time of a trip, distance traveled, duration of travel, hard braking events, and whether a consumer picked up or opened their phone while traveling at certain speeds.” Arity allegedly used this sensitive data to create products like ArityIQ, which provides third-party insurance companies with consumers’ driving behavior data to more accurately price any driver. However, Arity allegedly failed to provide consumers with the notice required under the TDPSA despite its sale of consumers’ sensitive data.
Failure to Obtain Affirmative Consent Before Processing Consumers’ Sensitive Data
Additionally, the TDPSA prohibits controllers from processing consumers’ sensitive data without first obtaining consumers’ consent. Under the TDPSA, consent is defined as “a clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement to process personal data relating to the consumer.” According to the Texas AG’s Office, consumers unwittingly downloaded mobile apps with Arity’s SDK and were wholly unaware that permitting the mobile app to access their “location” meant that Arity was permitted to collect, use, and sell their sensitive data. Furthermore, neither Arity nor the third-party mobile apps took any steps to inform consumers about Arity’s data processing or obtain consumers’ affirmative consent to such practices.
Failure to Disclose Targeted Advertising Practices and Provide Opt-Out Methods
Finally, the TDPSA requires controllers that sell sensitive data or process data for targeted advertising to “clearly and conspicuously” disclose their data practices and the ways in which consumers can opt out. According to the Texas AG’s Office, Arity’s sale of consumers’ sensitive data through its products and services meant that third-party businesses were able to target consumers based on their geolocation, vehicle information, and locations visited throughout the day. However, Arity allegedly failed to provide any notice to consumers whatsoever – falling short of its duty to provide a “clear and conspicuous” disclosure of its sale of personal data and targeted advertising.
Failure to Register as a Data Broker with Texas’ Secretary of State
In addition to the TDPSA, the Texas AG’s Office alleged that Arity violated the State’s Data Broker law when it failed to register with the Texas Secretary of State’s Office. Under Texas law, any company that derived revenue from processing or transferring data from more than 50,000 individuals, without collecting that data from the individuals directly, was required to register with the Texas Secretary of State by March 1, 2024. According to the Texas AG’s Office, Arity was covered by the law because it derived revenue by processing and transferring the personal data of over 45 million third-party app users. At the time the lawsuit was filed, Arity still was not registered with the Texas Secretary of State’s Office.
Key Takeaways
- Texas continues to be one of the top enforcers of state privacy laws. While the Allstate case is Texas’ first enforcement action under its state comprehensive privacy law, the action itself is just one of many recent enforcement actions coming from the Texas AG’s Office. Last year, the Texas AG launched a data and privacy initiative focused on protecting consumers’ sensitive data. This was quickly followed by an enforcement action against a car manufacturer for allegedly selling driving data to insurance companies without consumers’ knowledge or consent, in violation of Texas’ Consumer Protection Act. Additionally, the Texas AG reached a settlement with Pieces Technologies regarding the healthcare AI firm’s alleged false, misleading or deceptive claims about the accuracy of its AI products. The Allstate action serves as a reminder that when it comes to data privacy, don’t mess with Texas.
- There is likely to be more enforcement at the state level going forward. Over the past few years, State AGs have increasingly stepped into the role of data privacy regulators. In early 2024, Connecticut’s AG published a report highlighting sensitive data – including geolocation data – as a top enforcement focus. The Connecticut AG’s report also emphasized the importance of privacy policies and disclosures that accurately and adequately inform consumers of their data privacy rights and how to exercise those rights. Similarly, the California AG emphasized the importance of clear and comprehensive privacy policies in its settlement with DoorDash. As a whole, companies should expect more enforcement actions like this one coming from State AGs’ offices.
- Be careful with nuances among state privacy laws. To date, nineteen states have comprehensive privacy laws on the books. However, each state’s law can vary in its compliance obligations. One of Allstate’s alleged violations was the failure to provide a Texas-specific notice that reads “NOTICE: we may sell your sensitive data.” Thus, companies should ensure that they are evaluating each state’s unique provisions as part of their compliance program.