Texas is suing Allstate for collecting driver data to raise premiums

Texas has sued one of the nation’s largest auto insurers, alleging it violated state privacy laws by secretly collecting detailed location data on millions of drivers and using the information to justify raising insurance premiums.

State Attorney General Ken Paxton said: lawsuit against Allstate and its subsidiary Arity is the first-ever enforcement action brought by an attorney general to enforce data privacy laws. This also follows a lawsuit he filed alleging deceptive business practices v. General Motors accusing the car manufacturer of misleading customers by collecting and selling driver data.

“Our investigation found that Allstate and Arity paid mobile apps millions of dollars to install Allstate tracking software,” Paxton said in a statement. “The personal information of millions of Americans was sold to insurance companies without their knowledge or consent, which is a violation of the law. Texans deserve better and we will hold all these companies accountable.”

In 2015, Allstate developed the Arity Driving Engine Software Kit (SDK), a package of code that the company allegedly paid mobile app developers to install on its products to collect a variety of sensitive data from consumers’ phones. According to the lawsuit, the SDK collected phone geolocation data, accelerometer and gyroscopic data, details about where phone owners started and ended their trips, and information about “driving behavior,” such as .

Apps that have installed the SDK include GasBuddy, Fuel Rewards, and Life360According to the lawsuit, it is a popular family monitoring app.

Paxton’s complaint alleged that Allstate and Arity used data collected by its SDK to develop and sell products to other insurers, such as Drivesight, an algorithmic model that assigns individuals a driving risk score, and ArityIQ, which allowed other insurers “(a) access to actual driver behavior collected from mobile phones and connected vehicles, which can be used at the time of pricing to more accurately price almost any driver.”

Allstate and Arity advertised these products as providing data on “driving behavior,” but because the information was collected via cellphones, the lawsuit says, the companies had no way of determining whether the owner was actually driving. “For example, if a person was a passenger in a bus, taxi or a friend’s car and the driver of that vehicle accelerated, braked hard or made a sharp turn, defendants would conclude that it was the passenger, not the actual driver, who was involved in the ‘bad’ behavior while driving,” the lawsuit states.

The lawsuit says neither Allstate, Arity nor the app developers informed customers in their privacy policies about what data the SDK collected and how it would be used.

The Texas Data Protection and Security Act is one of dozens of state privacy laws passed in recent years. While other states have accused and settled companies of violating their privacy laws, the Texas complaint against Allstate is significant because the company allegedly passed up an opportunity to change its practices and avoid a lawsuit.

Like many other state laws, Texas’ DPSA includes a so-called right-to-remedy provision, which states that companies that are notified of law violations have a specified period (30 days in Texas’ case) to cure the alleged violations and avoid enforcement action . The lawsuit says Allstate and Arity failed to do so.

In its complaint filed in federal court, Texas asked for Allstate to be ordered to pay penalties of $7,500 for violating the state’s data privacy law and $10,000 for violating the state’s insurance code, which would likely amount to millions of dollars given the number of consumers allegedly affected.

The lawsuit also asks the court to order Allstate to delete all data obtained through activities that allegedly violate privacy laws and to make full restitution to customers harmed by the companies’ actions.