On January 13, 2025, Texas Attorney General Ken Paxton announced a lawsuit against the Allstate Corporation, Allstate Insurance Company, Allstate Vehicle and Property Insurance Company, Arity LLC, Arity 875, LLC, and Arity Services, LLC (together, “Allstate”) for the collection, receipt and use of driving data. The suit alleges that Allstate and several subsidiaries unlawfully collected, received, used, and sold sensitive data about Texas resident’s cell phone location and movements through its Arity Driving Engine SDK. 

Context: 

This action by the Texas AG reflects a trend of heightened scrutiny on data brokers and the sharing of sensitive user data. Late last year, AG Paxton issued warning letters to several companies regarding the sharing of sensitive user data, including location data, without proper notice and consent. The apps are also alleged to share driving data with Arity. The AG subsequently also sent a warning letter to Arity, accusing the company of processing sensitive data without obtaining consent. Specifically, the letter alleged that Arity used SDKs to collect sensitive data from various mobile applications, including precise geolocation information, and sold the sensitive data to car insurance companies. AG Paxton has historically placed a significant focus on sensitive data, also suing General Motors and conducting investigations into car manufacturers for the sale of driving data.      

Causes of Action:

The lawsuit raises several causes of action against the defendants: 

• Violations of the Texas Data Privacy and Security Act (“TDPSA”): AG Paxton alleges that Allstate and its related subsidiaries designed an SDK which harvests broad categories of personal data including geolocation, accelerometer, magnetometer, and gyroscopic data; trip attributes such as movement and start and end times; GPD points; “derived events” defined as acceleration, speeding, distracted driving, crash detection, and other similar data categories; and metadata. This SDK was then integrated into other widely-used apps. When a user allowed an app to access their location for in-app features, they also “unwittingly” enabled the collection of Arity SDK data. Though the Arity SDK data could not be linked to a specific individual, the lawsuit alleges that app publishers licensed the personal data they collected from their users to Allstate, including personal data such as name, phone number, address, zip code, mobile ad-ID, device ID, and ad-ID. The combination of these data points would then allow Allstate to identify specific people. The Arity SDK data and the personal data is then alleged to have been sold to third parties, including insurers. 
  
  The suit alleges that the Arity Defendants: (i) failed to provide a clear and accessible privacy notice indicating the sensitive data processed, (ii) processed sensitive data without consumer consent, (iii) failed to post a disclosure regarding the sale of sensitive data as required by the TDPSA, (iv) did not provide a disclosure regarding the sale of personal data, targeted advertising practices, or a consumer’s opt-out rights, and (v) failed to provide a method for consumers to exercise their data subject rights, including their rights to opt out. 
  
  Notably, the TDPSA contains an exception for entities subject to the Gramm-Leach-Bliley Act. As an insurer, Allstate would typically be exempt from the TDPSA. However, the violations of the TDPSA are alleged to have stemmed from the actions of Arity, an Allstate subsidiary that operates as a mobility data and analytics company. 
   
• Data Broker Law: AG Paxton also brings a cause of action under the Texas Data Broker Law, due to Arity’s failure to register as a data broker. 
   
• Unfair Methods of Competition and Unfair or Deceptive Acts or Practices in the Business of Insurance: The lawsuit alleges violations of the Insurance Code due to the defendant’s failure to verify “consumer’s consent before purchasing driving-related data from vehicle manufacturers,” “turning a blind eye to the strong possibility that consumers did not consent to [the] collection and sale of sensitive and/or anonymized data to insurers, using the unlawfully obtained data for [d]efendant’s own car insurance underwriting processes, and marketing and advertising the data to insurers as ‘driving behavior’ data.”

Takeaways: 

It is important to stay up to date on addressing obligations under comprehensive state privacy laws. Though the AG’s lawsuit focused heavily on the sale of sensitive data, it also alleged violations of state law due to missing disclosures in the defendant’s privacy policies, and importantly, violations of laws outside of the TDPSA based on activities that would otherwise be covered by the TDPSA. Companies should regularly review their practices and policies as new laws go into effect throughout 2025. And, this review should take a holistic view of a company’s, and its subsidiaries’, practices. Though a company may be exempt under some comprehensive state privacy laws, its activities across the business may nevertheless be subject to enforcement. 

Additionally, the regulation of data brokers will be an area of significant scrutiny going into 2025. Companies should review their practices and confirm whether their business meets the definition of a “data broker,” particularly given the broadened definition under state laws such as California’s CPPA. For further guidance on data broker regulations, refer to our overview on significant developments in the data broker space: https://www.law360.com/articles/2277029/a-guide-to-significant-2024-data-broker-legal-developments.