Privacy
Texas AG Takes Action Against Allstate for Alleged Misuse of 45 Million Drivers' Data Without Consent
Why the Alert Is Important
This lawsuit underscores the increasing focus on data privacy and compliance in the auto insurance and connected vehicle industries. Allegations of unauthorized data collection and sales without consumer consent highlight the critical need for robust privacy practices and transparency. Organizations must align with stringent data protection laws to mitigate risks and preserve consumer trust.
Overview of the Lawsuit
On January 22, 2025, Texas Attorney General Ken Paxton filed a lawsuit against Allstate, one of the largest publicly traded insurance companies in the U.S., for allegedly collecting, using, and selling sensitive driving data from over 45 million consumers without their consent. This lawsuit is the first enforcement action under the Texas Data Privacy and Security Act, which prohibits the sale of geolocation data without explicit consumer consent, as well as the first US state outside of California to file a lawsuit under state-level privacy legislation.
The legal action follows an investigation into the auto industry's data collection practices, where companies were found to gather detailed information such as geolocation, driving behaviors, and personal data, raising significant privacy concerns. The lawsuit also implicates Arity, a subsidiary of Allstate, for allegedly using this data to adjust insurance premiums without adequate consent or transparency. The fact that the data contained precise geographic locations made data considered “sensitive,” and therefore subject to heightened regulatory requirements.
Implications of the Lawsuit
This case brings to light the broader challenges surrounding data privacy in the connected vehicle ecosystem. Key concerns include:
- Lack of Transparency: Consumers are often unaware of how their data is being collected, used, or shared.
- Compliance Challenges: Companies must navigate evolving privacy laws, such as the Texas Data Privacy and Security Act, to avoid regulatory scrutiny.
- Consumer Trust: Allegations of data misuse can erode public trust in both automakers and insurance providers.
The lawsuit also serves as a warning to organizations that handle sensitive data, emphasizing the importance of explicit consent and transparent data practices. In addition to state regulations, the federal government (in the form of the FTC) has also expressed concerns about the inappropriate use of sensitive consumer location data for commercial purposes without obtaining verifiable consent.
The Texas Attorney General’s lawsuit against Allstate for allegedly collecting and selling 45 million drivers’ data without consent is a pivotal moment in state-level privacy enforcement. This marks the first major action under the Texas Data Privacy and Security Act (TDPSA) and signals growing regulatory scrutiny on the auto insurance and connected vehicle industries. The case underscores key privacy risks, including lack of consumer transparency, improper use of geolocation data, and potential regulatory non-compliance—all of which could result in significant financial and reputational harm for businesses that fail to prioritize privacy.
Organizations collecting sensitive data, such as geolocation and behavioral analytics, must ensure explicit consumer consent, proper disclosures, and robust data governance practices. This lawsuit also serves as a warning that state regulators beyond California are now aggressively pursuing privacy violations. With the FTC already targeting companies for improper handling of consumer location data, businesses must take a proactive approach to compliance, leveraging solutions like Exterro’s Consent Management to streamline consent collection, preference management, and regulatory compliance.
Data Privacy Tip
Ensure compliance with evolving data privacy regulations by implementing a transparent and robust consent management framework. Effective consent management helps organizations mitigate legal risks, enhance consumer trust, and align with regulatory requirements. Learn how to establish a strong consent management strategy with Exterro’s resource Mastering Consent Management.