Introduction
In an era where consumer privacy has become a paramount concern, corporations have a legal and ethical responsibility to respect individuals’ data rights. The State of Texas, through its complaint against the Allstate Corporation and its subsidiaries, alleges a blatant disregard for such responsibilities. The complaint outlines a sophisticated scheme to covertly collect and monetize sensitive consumer data, including precise geolocation and driving behavior information, without the awareness or consent of end-users. By embedding the Arity SDK into third-party mobile applications, the Defendants harvested extensive data, which was subsequently monetized through a variety of products and services, including databases sold to insurers. These practices not only violated the Texas Data Privacy and Security Act (TDPSA) but also compromised the privacy and financial well-being of millions of Texans. This legal challenge serves to hold the Defendants accountable for their alleged unlawful actions and aims to reinforce the importance of transparency, consent, and fairness in data practices.
You can read more about the complaint below.
Background
Secret Collection and Sale of Driving Data
Defendants, a group of companies owned by The Allstate Corporation, engaged in a scheme to secretly collect and sell vast amounts of consumers' driving behavior data without their knowledge or consent. This data was gathered from mobile devices, in-car devices, and vehicles, allowing the creation of a database claimed to be the "world’s largest driving behavior database," encompassing the driving patterns of over 45 million Americans. The database served two primary purposes: supporting Allstate’s car insurance business and generating a profit by selling the data to third parties, including other car insurance providers. Millions of consumers, including Texans, were unaware of and did not consent to the ongoing collection and sale of their sensitive data.
Covert Data Collection Methods
The data collection was carried out covertly by embedding software into third-party apps. When consumers downloaded these apps, they unknowingly installed Defendants’ software, which enabled real-time monitoring of their location and movement. The software extracted detailed information, such as geolocation, accelerometer, magnetometer, and gyroscopic data, capturing specifics like altitude, longitude, latitude, bearing, GPS time, speed, and accuracy. To incentivize developers to include their software, Defendants paid millions of dollars and offered bonuses tied to the size of the dataset generated. This strategy allowed Defendants to maintain active connections with approximately 40 million mobile devices, capturing data at intervals as frequent as every 15 seconds.
Monetization of Consumer Data
Once collected, the data was monetized in multiple ways. Defendants sold access to their driving behavior database to other insurance providers, who used the data for underwriting, pricing premiums, and making coverage decisions, often resulting in increased premiums or denial of coverage for consumers. Allstate also utilized the data for its own insurance operations. Despite marketing the data as reflective of consumers’ driving habits, much of it was derived from phone-based monitoring rather than actual vehicle operation. To address this limitation, Defendants began purchasing data directly from car manufacturers, such as Toyota, Mazda, and Chrysler, to enhance their database’s accuracy for underwriting purposes.
Lack of Consumer Consent and Transparency
Consumers were neither informed about nor provided consent for this extensive data collection and sale. While Defendants had varying degrees of influence over the privacy disclosures and consent terms presented by app developers, they never explicitly informed consumers about the data collection or its intended use. Additionally, consumers were not made aware of how their data would be analyzed, utilized, or monetized.
Violations of Law and Legal Action
Defendants’ actions violated several laws, including the Texas Data Privacy and Security Act (TDPSA), the Data Broker Law, and the Texas Insurance Code’s provisions against unfair and deceptive practices in the insurance industry. The State of Texas, acting in the public interest, has initiated legal proceedings to address and penalize these privacy violations and the financial harm caused by Defendants’ conduct.
Facts of the Case
The following facts have been alleged in the complaint against the Defendants:
1. Defendants Developed Software to Covertly Collect Consumers’ Location Data
In 2015, Allstate Defendants developed a software development kit (SDK) named the Arity Driving Engine SDK ("Arity SDK") to covertly collect location and movement data from mobile devices. While SDKs typically assist app developers by providing tools for app functionality, Defendants’ Arity SDK was primarily designed to scrape user data under the guise of providing necessary app functions. Once integrated into a third-party app, the Arity SDK operated in the background, continuously harvesting a wide range of detailed data points from consumers’ mobile phones without their knowledge or consent.
The data collected by the Arity SDK included geolocation data, accelerometer data, magnetometer data, and gyroscopic data. Additionally, it extracted "trip attributes," such as start and end locations, distances, durations, and reasons for trip termination. The SDK also gathered granular GPS data, including position, longitude, latitude, heading, speed, and altitude, along with "derived events," such as acceleration patterns, distracted driving behavior, crash detection, and speed changes. Furthermore, metadata such as advertising identifiers, device type, operating system details, and app version was collected to support Defendants’ data profiling efforts.
Because the SDK operated invisibly in the background, users were entirely unaware of its existence or the scope of data collection. Defendants never informed or notified consumers that their data was being directly collected via the SDK or the third-party apps in which it was embedded. This lack of transparency ensured that users remained unaware of the extensive and continuous data harvesting occurring on their devices.
2. Defendants Paid to Integrate the Arity SDK into Mobile Apps
Since 2017, Defendants have been licensing their Arity SDK by paying millions of dollars to app developers to integrate the software into their mobile apps. To avoid drawing attention to their data collection practices, Defendants strategically partnered with apps that already relied on location-based features, such as Routely, Life360, GasBuddy, and Fuel Rewards. These apps routinely obtained user permission to access location data for their features, but once the Arity SDK was integrated, granting such permission also enabled Defendants to collect extensive data through the SDK without users’ knowledge.
Defendants’ agreements with app developers included provisions allowing Defendants to collect and own all data harvested through the Arity SDK. While the developers retained a license to use certain subsets of this data for specific app features, such as trip summaries or fuel efficiency metrics, Defendants were free to use the collected data for their own purposes. This arrangement enabled Defendants to build a comprehensive data repository while maintaining control over the data’s primary use.
Initially, the data collected through the Arity SDK could not reliably be linked to individual users. However, Defendants addressed this limitation by obtaining personal data from the app developers themselves. This personal data, typically including names, phone numbers, addresses, zip codes, mobile ad IDs, and device IDs, was licensed to Defendants by the app publishers. By combining this personal data with the granular information collected via the Arity SDK, Defendants were able to reliably identify individual users and monitor their movements and activities with precision.
3. Defendants’ Products and Services Monetized Consumers’ Data
Defendants utilized the data collected through the Arity SDK and additional personal data to develop, market, and sell various products and services to third parties, including insurers. These offerings included Drivesight, which assigned driving risk scores based on a proprietary scoring model; ArityIQ, which allowed insurers to access driving behavior data for precise pricing; and Arity Audiences, which targeted advertisements to specific driver demographics. They also provided real-time driving insights to business customers and marketed their Routely app to consumers as a tool for driver insights while simultaneously promoting it to insurers as a solution for identifying and pricing riskier drivers.
Despite marketing the Arity SDK data as "driving behavior" data, the collected information primarily reflected the movements of a person’s mobile phone. Defendants lacked a reliable method to determine whether the phone owner was the driver or merely a passenger. Consequently, erroneous conclusions were drawn about individuals' driving behavior, such as assigning "bad driving" scores to passengers in vehicles driven by others. This data was then sold or shared with third parties, influencing decisions about individuals' insurability without proper acknowledgment of these inaccuracies in Defendants’ public-facing marketing.
To address the limitations of the Arity SDK data, Defendants supplemented it with driving-related data obtained directly from car manufacturers, including major brands like Toyota, Lexus, and Chrysler. However, consumers were neither informed of nor consented to the sale of their data by these manufacturers, raising further concerns about privacy violations and transparency in Defendants’ data collection practices.
4. Lack of Privacy Disclosures and Inadequate Transparency
Defendants, along with their partnered app developers, failed to disclose to consumers that the Arity SDK was collecting their data. Agreements between Defendants and app developers granted varying levels of control over privacy disclosures, yet neither Defendants nor the apps informed users about the data collection or its monetization. For instance, Life360 informed users about location sharing for in-app features but omitted any mention of Defendants’ data collection or existence. As a result, consumers were unaware their data was being harvested and used to develop and sell products and services, including those marketed to insurers.
5. Misleading and Contradictory Privacy Disclosures
Even if consumers sought out Defendants’ privacy disclosures on their website, the information provided was misleading and inconsistent with their actual practices. Defendants falsely claimed not to sell personal information for monetary value, despite selling data-driven products linking users to their driving behaviors. Additionally, Defendants obscured the extent of their profiling practices, describing them as merely developing predictive driving models and creating a “Driving Score” for analytics purposes. In reality, Defendants used data to create and sell detailed driving profiles for over 45 million Americans.
6. Limited Consumer Control and Confusing Opt-Out Mechanisms
Consumers were given no means to stop Defendants from collecting their data or generating Driving Scores. Instructions for opting out of targeted advertising redirected users to third-party websites, such as the Apple Support Center, which only offered general guidance on managing targeted advertising. These links did not provide a way to submit opt-out requests to Defendants directly, leaving consumers unable to prevent their data from being used for profiling or targeted advertising.
Details of Violations and Causes of Action
Violation of Section 541.102(a)(1): Failure to Provide a Clear Privacy Notice
Section 541.102(a)(1) of the Texas Data Privacy and Security Act (TDPSA) mandates that controllers provide consumers with an accessible and clear privacy notice, including details on any sensitive data being processed. As a controller, Arity Defendants collected, analyzed, and repurposed sensitive consumer data without notifying consumers or providing a privacy notice. Mobile apps with integrated Arity SDKs failed to inform users about the processing of their sensitive data. This lack of transparency and failure to disclose sensitive data processing violated Section 541.102(a)(1) of the TDPSA.
Violation of Section 541.101(b)(4): Processing Sensitive Data Without Consent
Section 541.101(b)(4) of the TDPSA prohibits the processing of sensitive data without obtaining the consumer’s clear and informed consent. Arity Defendants processed sensitive consumer data—such as location information—without informing users or obtaining valid consent. Consumers were unaware that their data was being owned, analyzed, and sold by Arity Defendants. This processing occurred without the clear affirmative consent required under the TDPSA, constituting a violation of Section 541.101(b)(4).
Violation of Section 541.102(b): Failure to Provide Required Sale Notice
Section 541.102(b) of the TDPSA requires controllers engaging in the sale of sensitive personal data to include a clear notice: “NOTICE: We may sell your sensitive personal data.” Despite selling sensitive consumer data, including GPS and driving behavior details, to insurers and third parties, Arity Defendants did not provide the required notice in their privacy policies. This omission violated Section 541.102(b) of the TDPSA.
Violation of Section 541.103: Failure to Disclose Data Sales and Targeted Advertising
Section 541.103 of the TDPSA obliges controllers to disclose data sales, targeted advertising practices, and a method for consumers to opt out. Arity Defendants sold personal data and used it for targeted advertising without providing any notice or opt-out mechanism. Consumers received no information about these activities or how to exercise their rights, resulting in a violation of Section 541.103.
Section 541.102(a)(3) of the TDPSA requires controllers to inform consumers of their rights, including opting out of data sales, targeted advertising, and profiling, as outlined in Section 541.051(b)(5). Arity Defendants failed to provide consumers with a privacy notice explaining these rights or a clear method to exercise them. Even when directed to external resources, consumers were not given any actionable way to opt out of data processing or targeted advertising. This failure to inform consumers of their rights and provide accessible mechanisms to exercise them violated Sections 541.102(a)(3) and 541.051(b)(5) of the TDPSA.
Violations of the Texas Data Broker Law
The Arity Defendants violated the Texas Data Broker Law (Tex. Bus. & Com. Code §§ 509.001 et seq.) by failing to register with the Texas Secretary of State by the required deadline of March 1, 2024, as mandated under Section 509.005. The company processed and transferred the personal data of over 45 million individuals, including names, phone numbers, zip codes, device IDs, and mobile ad-IDs, without directly collecting the data from these individuals. This data was obtained from app developers and subsequently combined with other datasets before being sold to third parties, such as insurers. Despite conducting these activities in Texas, the Arity Defendants have yet to comply with the registration requirement, constituting a clear violation of the law.
Unfair Methods of Competition and Unfair or Deceptive Acts or Practices in the Business of Insurance
The Defendants violated Section 541.003 of the Texas Insurance Code, which prohibits unfair and deceptive acts or practices in the business of insurance. Specifically, the Defendants failed to verify consumer consent before purchasing driving-related data from vehicle manufacturers, disregarded the likelihood that consumers did not consent to the collection and sale of their sensitive or non-anonymized data, and used the unlawfully obtained data for their own car insurance underwriting processes. Additionally, they marketed and advertised this data to insurers as "driving behavior" data. These actions constitute unfair trade practices under the Texas Insurance Code, which is designed to regulate and prevent deceptive practices in the insurance industry. Under Tex. Ins. Code § 541.204, such violations may result in civil penalties of up to $10,000 per violation.
Prayer for Relief
Civil Penalty Under the Texas Data Privacy and Security Act (TDPSA)
The State of Texas requests the Court to impose a civil penalty of up to $7,500 per violation, pursuant to Section 541.155 of the TDPSA.
Civil Penalty Under the Data Broker Law
The State of Texas requests the Court to impose a civil penalty of up to $10,000, including:
- Not less than $100 for each day Defendants violated Section 509.004 or 509.005, and
- The amount of unpaid registration fees for each year the entity failed to register, pursuant to Tex. Bus. & Com. Code § 509.008(b)(1).
Civil Penalty Under the Texas Insurance Code
The State of Texas requests the Court to impose a civil penalty of up to $10,000 per violation, pursuant to Section 541.204 of the Texas Insurance Code.
Declaratory and Injunctive Relief
The State of Texas requests the Court to:
- Declare Defendants' conduct in violation of the TDPSA, the Data Broker Law, and the Texas Insurance Code.
- Direct Defendants to delete or destroy all data obtained prior to the judgment, including data in possession of third parties.
- Require Defendants to provide restitution to consumers who suffered losses due to the violations, under Section 541.205 of the Texas Insurance Code.
- Permanently enjoin Defendants and related parties from further violations of the TDPSA, the Data Broker Law, and the Texas Insurance Code.
Attorney’s Fees and Court Costs
The State of Texas requests the Court to award attorney’s fees and court costs to the Texas Attorney General’s Office, as recoverable under the TDPSA, the Data Broker Law, and the Texas Insurance Code.
General Relief
The State of Texas requests any additional equitable or further relief the Court deems just and proper.
Conclusion
The State of Texas v. The Allstate Corporation & Others underscores the critical need for corporate accountability in data collection and monetization practices. The alleged violations—ranging from covertly harvesting sensitive consumer data to selling it without informed consent—represent a serious breach of privacy laws, including the TDPSA. By prioritizing profit over transparency and consumer trust, the Defendants’ actions have exposed millions of individuals to privacy risks and potential financial harm. This case serves as a pivotal moment in the ongoing fight to protect consumer data rights and reinforces the imperative for businesses to adopt ethical and lawful data practices. The resolution of this case will not only seek to remedy the harms caused but also set a precedent to deter future violations in an increasingly data-driven world.