Texas Sues Allstate for Collecting Driver Data to Raise Premiums

Texas has sued one of the nation’s largest car insurance providers alleging that it violated the state’s privacy laws by surreptitiously collecting detailed location data on millions of drivers and using that information to justify raising insurance premiums.

The state’s attorney general, Ken Paxton, said the lawsuit against Allstate and its subsidiary Arity is the first enforcement action ever filed by a state attorney general to enforce a data privacy law. It also follows a deceptive business practice lawsuit he filed against General Motors accusing the car manufacturer of misleading customers by collecting and selling driver data.

“Our investigation revealed that Allstate and Arity paid mobile apps millions of dollars to install Allstate’s tracking software,” Paxton said in a statement. “The personal data of millions of Americans was sold to insurance companies without their knowledge or consent in violation of the law. Texans deserve better and we will hold all these companies accountable.”

In 2015, Allstate developed the Arity Driving Engine software development kit (SDK), a package of code that the company allegedly paid mobile app developers to install in their products in order to collect a variety of sensitive data from consumers’ phones. The SDK gathered phone geolocation data, accelerometer, and gyroscopic data, details about where phone owners started and ended their trips, and information about “driving behavior,” such as whether phone owners appeared to be speeding or driving while distracted, according to the lawsuit.

The apps that installed the SDK included GasBuddy, Fuel Rewards, and Life360, a popular family monitoring app, according to the lawsuit.

Paxton’s complaint said that Allstate and Arity used the data collected by its SDK to develop and sell products to other insurers like Drivesight, an algorithmic model that assigned a driving risk score to individuals, and ArityIQ, which allowed other insurers to “[a]ccess actual driving behavior collected from mobile phones and connected vehicles to use at time of quote to more precisely price nearly any driver.”

Allstate and Arity marketed the products as providing “driver behavior” data but because the information was collected via mobile phones the companies had no way of determining whether the owner was actually driving, according to the lawsuit. “For example, if a person was a passenger in a bus, a taxi, or in a friend’s car, and that vehicle’s driver sped, hard braked, or made a sharp turn, Defendants would conclude that the passenger, not the actual driver, engaged in ‘bad’ driving behavior,” the suit states.

Neither Allstate and Arity nor the app developers properly informed customers in their privacy policies about what data the SDK was collecting or how it would be used, according to the lawsuit.

Texas’s Data Privacy and Security Act is one of dozens of state privacy laws enacted in recent years. While other states have accused and reached settlements with companies for violating their privacy laws, the Texas complaint against Allstate is significant because the company allegedly passed up the opportunity to change its practices and avoid a lawsuit.

Like many other state laws, the Texas DPSA has what is known as a right-to-cure provision, which says that companies who are notified that they’re violating the law have a certain amount of time (30 days, in Texas’s case) to fix the alleged violations and avoid an enforcement action. Allstate and Arity didn’t do that, according to the lawsuit.

In its complaint, filed in federal court, Texas requested that Allstate be ordered to pay a penalty of $7,500 per violation of the state’s data privacy law and $10,000 per violation of the state’s insurance code, which would likely amount to millions of dollars given the number of consumers allegedly affected.

The lawsuit also asks the court to make Allstate delete all the data it obtained through actions that allegedly violated the privacy law and to make full restitution to customers harmed by the companies’ actions.