Allstate Data Privacy Lawsuit: Texas AG Enforcement Action

The Texas Attorney General sued Allstate and its subsidiaries for secretly collecting and selling the driving data of millions of Americans, which violated the Texas Data Privacy and Security Act (TDPSA), the Texas Data Broker Law, and the Texas Insurance Code. This is the first lawsuit to enforce a state comprehensive data privacy law.

Description

The Texas Attorney General's Office filed a lawsuit against Allstate and its subsidiary Arity for allegedly developing a software development kit (SDK) and paying third-party mobile app developers to integrate it into their apps. This SDK allowed Allstate to surreptitiously collect the geolocation, movement, and driving behavior data from approximately 45 million Americans, including Texas residents. Allstate allegedly used this data to create risk profiles for insurance purposes, potentially increasing premiums, denying coverage, or not renewing policies for some drivers. The data, which was collected as often as every 15 seconds, was also allegedly sold to third parties. The suit alleges that this data collection was done without providing users with clear and accessible privacy notices, or obtaining their informed consent, which are violations of the TDPSA. Allstate is also alleged to have violated Texas's Data Broker Law by failing to register with the Texas Secretary of State, and to have engaged in unfair or deceptive business practices in violation of the Texas Insurance Code. The collection of this data without user's knowledge and consent constitutes ^surveillance, and the aggregation of this data into a large database is an example of ^aggregation. The fact that the data was used to determine insurance rates is an example of ^{secondary use}, which was facilitated by a lack of transparency and breach of confidentiality. The surreptitious nature of the data collection was also an ^intrusion into the privacy of users and ^{decisional interference} because users could not make informed decisions about their insurance and driving habits. The penalties for violations of the TDPSA can be up to $7,500 per violation, while the Texas Broker Law has a $10,000 criminal penalty per violation in a 12-month period, and the Texas Insurance Code has a civil penalty of up to $10,000.

Laws and Regulations

Texas Data Privacy and Security Act

Sources

[https://www.oag.state.tx.us/news/releases/attorney-general-ken-paxton-sues-allstate-and-arity-unlawfully-collecting-using-and-selling-over-45%0Ahttps://www.oag.state.tx.us/sites/default/files/images/press/Allstate_and_Arity_Petition_Filed.pdf%0Ahttps://www.wilmerhale.com/en/insights/blogs/wilmerhale-privacy-and-cybersecurity-law/20250121-texas-ag-brings-first-ever-lawsuit-under-a-state-comprehensive-privacy-law https://www.oag.state.tx.us/news/releases/attorney-general-ken-paxton-sues-allstate-and-arity-unlawfully-collecting-using-and-selling-over-45 https://www.oag.state.tx.us/sites/default/files/images/press/Allstate%20and%20Arity%20Petition%20Filed.pdf https://www.wilmerhale.com/en/insights/blogs/wilmerhale-privacy-and-cybersecurity-law/20250121-texas-ag-brings-first-ever-lawsuit-under-a-state-comprehensive-privacy-law]