The Texas Attorney General (AG), Ken Paxton, filed a complaint in the District Court of Montgomery County against Allstate Corporation (Allstate), alleging that the company violated the Texas Data Privacy and Security Act (TDPSA) by illegally obtaining sensitive driving data from third-party apps on consumer cell phones. Allstate is accused of using the data to create a database that it sold to underwriters, which resulted in consumer harm because the data was used to justify increased premiums, or to deny or drop auto insurance coverage altogether. This marks the first enforcement action brought by the Texas AG under the state’s data privacy and security law.

Alleged Collection and Sale of Consumer Data

According to the complaint, Allstate collected data from consumer mobile devices—such as geolocation, accelerometer, magnetometer, and gyroscopic information—to create what it marketed as the “world’s largest driving behavior database.” The complaint states that Allstate developed and integrated software into third-party apps, and more than 45 million Americans who downloaded these apps unknowingly also downloaded Allstate’s software. Allstate allegedly failed to disclose the data collection to consumers or obtain their opt-in consent before selling the data to third-party insurance carriers. The Texas AG further claims the carriers used this data to set higher premiums, and, in some cases, to deny or cancel auto coverage. Additionally, Allstate is alleged to have purchased data from multiple car manufacturers—including Toyota, Lexus, Mazda, Chrysler, Dodge, Fiat, Jeep, Maserati, and Ram—to confirm a user was actually driving based on the phone’s movements.

Violations of the Texas Data Privacy and Security Act (TDPSA)

The AG asserts that Allstate violated several TDPSA provisions, which require a data controller to:

  • Provide a clear privacy notice outlining any sensitive information processed.
  • Obtain opt-in consent before processing sensitive consumer data.
  • Disclose the potential sale of personal data by posting, “Notice: We may sell your personal data” in the same manner as the privacy notice.
  • Explain how consumers can opt out of targeted advertising if data is sold for that purpose.
  • Offer a means for consumers to exercise these data rights.

Violations of the Texas Data Broker Law (TDBL)

The complaint also alleges that Allstate breached the Texas Data Broker Law (TDBL), which applies when processing or transferring data of more than 50,000 individuals, if the data was not collected directly from those individuals. Allstate is accused of acquiring personal data from third-party app providers and then selling it to insurers without registering with the Texas Secretary of State’s Office, as required by TDBL.

Alleged Texas Insurance Code Violations

The AG also contends that Allstate violated the Texas Insurance Code by engaging in practices classified as unfair methods of competition or unfair or deceptive acts in connection with its insurance business.

Lack of Compliance After Cure Letter

On November 29, 2024, the Texas AG issued a cure letter to Allstate, giving the company 30 days to remedy its alleged noncompliance. Specifically, the AG requested that Allstate correct its TDPSA violations, notify affected consumers of the privacy breaches, revise its internal policies, and register as a data broker under Texas law. As of January 13, 2025, Allstate had neither addressed the TDPSA violations nor registered as a data broker. Consequently, the Texas AG proceeded with filing its complaint.

Potential Fines

Allstate faces fines of $7,500 for each violation of the TDPSA and $10,000 per violation of the Texas Insurance Code. The Texas AG also asked the court to impose a civil penalty of $100 for each day Allstate was not registered as a data broker, until a maximum fine of $10,000 is reached, and to require that Allstate pay unpaid state licensing fees for all of the years it was not licensed as a data broker.

Implications for Businesses

Businesses collecting or sharing consumer data from Texas residents – particularly sensitive information – should consider taking the following steps:

  1. Provide Clear Privacy Notices: Businesses are encouraged to disclose exactly what data is collected, how it is used, and with whom it is shared, and to specifically disclose the sensitive categories of data they collect (such as location or driving behavior) in a prominent and understandable way.
  2. Obtain Opt-In Consent for Sensitive Data: Businesses must ensure consumers explicitly agree (e.g., via checkboxes or clear digital consent forms) before processing or selling sensitive information.
  3. Additional Disclosures: If selling personal data, a business must include a clear “Notice: We may sell your personal data” statement in the same manner as its main privacy notice and outline how consumers can opt out of such sales if required by law.
  4. Provide Consumer Rights Mechanisms: Businesses must clearly communicate a simple, accessible process for consumers to exercise privacy rights—such as opting out of data sales, requesting deletion of information, or reviewing the data held about them.
  5. Register as a Data Broker When Required: Businesses that process or sell data for over 50,000 individuals that was not directly collected from them should ensure they are licensed with the Texas Secretary of State as a data broker. In addition, businesses must maintain up-to-date registrations and comply with all relevant data broker obligations.
  6. Promptly Address Cure Letters and Enforcement Notices: If notified by a regulator about potential violations, businesses should take immediate steps to remedy issues within the allotted timeframe and keep thorough records of communications, policy changes, and consumer notifications as proof of compliance efforts.

By prioritizing transparent privacy notices, proper consent frameworks, and any necessary registrations, businesses can significantly reduce the risk of enforcement actions and maintain trust with consumers.

NAVIGATE STATE PRIVACY LAWS WITH The CommLaw Group!

We are subject matter experts in data privacy, consumer protection, and regulatory compliance (telemarketing and more) and help organizations successfully navigate the ever-changing privacy law landscapes.  We closely follow regulatory and case law developments to guide businesses, developers, and investors on privacy-related legal compliance and legal risk mitigation. 

CONTACT US NOW, WE ARE STANDING BY TO GUIDE YOUR COMPANY’S COMPLIANCE EFFORTS

Susan Duarte – Tel: 703-714-1318 / E-mail: sfd@commlawgroup.com

Diana James – Tel: 703-663-6757 / Email: daj@CommLawGroup.com
