Following enforcement cases and compliance with the Texas Data Broker Law, the Texas Data Privacy and Security Act, Texas Deceptive Trade Practices Act (DTPA), and applicable federal standards.
Popular Topics
What Happened
On January 13, 2025, the State of Texas filed a lawsuit against Allstate and its subsidiaries, including Arity, LLC (collectively, the “Allstate Defendants”), alleging violations of the Texas Data Privacy and Security Act (“TDPSA”), the Texas Data Broker Law, and the Texas Insurance Code. According to the lawsuit, the Allstate Defendants collected, used, and sold Texans’ geolocation data through various mobile applications without proper notice or consent.
The allegations claim that the Allstate Defendants paid app developers to embed technology within seemingly unrelated apps, such as Life360®, enabling the Allstate Defendants to collect precise geolocation data. This data was allegedly used to compile a comprehensive database of drivers’ habits, which the Allstate Defendants utilized internally and sold to other insurance companies for adjusting insurance rates. Notably, users of these apps were not informed that their data was being collected by the Allstate Defendants, violating the TDPSA's notice and consent requirements.
Additionally, the lawsuit asserts that the Allstate Defendants’ privacy notice failed to adequately disclose the sale of sensitive consumer data and did not provide users with clear mechanisms to opt out of data sales or targeted advertising. The Allstate Defendants also failed to register as data brokers, as required under the Texas Data Broker Law. These practices are further alleged to constitute unfair or deceptive acts under the Texas Insurance Code.
This lawsuit marks the first enforcement action under the TDPSA and, according to the Texas Attorney General, the first lawsuit by any State Attorney General to enforce a state’s general privacy law.
Key Takeaways
This case highlights the risks associated with data collection and sharing practices, especially when transparency with consumers is lacking. While it is not inherently illegal to engage third-party entities to collect, use, or sell data through a first-party application, it is critical to:
- Understand precisely what data is being collected, used, shared, or sold.
- Ensure clear, accurate, and comprehensive disclosures are made to end users.
The Texas Attorney General’s lawsuit emphasizes the importance of transparency in explaining what data is collected and how it is ultimately used by third parties.
Under TDPSA Section 541.154, the Texas Attorney General must provide written notice at least 30 days before initiating a lawsuit, specifying the provisions allegedly violated. In this case, the Allstate Defendants were notified on November 29, 2024, and the lawsuit was filed on January 13, 2025. This swift action underscores the Attorney General’s commitment to aggressively enforcing the TDPSA and positioning Texas as a leader in data privacy enforcement.
Final Thoughts
The TDPSA has only been in effect for six months, and its legal boundaries remain largely untested in the courts. Businesses that collect consumer data must proactively ensure their practices comply with this evolving legal framework.
Having legal counsel experienced in data collection technologies, the TDPSA, and enforcement trends is crucial to mitigating risk and avoiding litigation. If your business collects consumer data, contact us to schedule a review of your data handling practices and ensure compliance with applicable privacy laws.
Find the original petition here.