Texas AG Targets Allstate in First Enforcement of Texas Data Privacy and Security Act
V&E Data Privacy Update
By Michael Kurzer, Rajesh Patel, Alexa Chally, Haley Titcomb, Sean Dao, and Christine Croasdaile*
On January 13, 2025, Texas Attorney General Ken Paxton (“Texas AG”) filed the first-ever enforcement action under the Texas Data Privacy and Security Act (“TDPSA”) against insurance company Allstate and its subsidiary, Arity (collectively, “Defendants”). The lawsuit alleges that Defendants unlawfully collected, used, and sold geolocation and movement data from Texans’ cellphones in violation of the TDPSA. This landmark action signals the state’s commitment to enforcing the TDPSA, setting a precedent for future regulatory scrutiny. Businesses operating in Texas must exercise caution and ensure compliance with the TDPSA to avoid similar enforcement actions, which could have significant legal, financial, and reputational consequences.
Overview of the Case
The Texas AG alleges that Defendants secretly harvested sensitive consumer data by embedding a software development kit (“SDK”) into popular third-party mobile apps, including Life360, GasBuddy, Fuel Rewards, and Routely. According to the lawsuit, the SDK enabled continuous tracking of users’ real-time location, movement patterns, and driving behaviors, such as speed, acceleration, and braking, without their knowledge or consent. The Texas AG claims that Defendants aggregated this data into what Arity marketed as the “world’s largest driving behavior database,” purportedly containing information on over 45 million Americans.
The complaint further alleges that Defendants paid app developers millions of dollars to integrate the SDK into their apps and further incentivized them to expand the “driving behavior” database through bonuses. Once collected, the data was used by Allstate to underwrite its insurance policies and was further monetized via sale of the data to other insurance carriers. According to the lawsuit, insurance carriers used the data to assess driver risk profiles, adjust premiums, and, in some cases, deny or drop coverage. The Texas AG also asserts that the data was misleadingly marketed as “driving behavior” information, despite being based primarily on phone movement, which could mischaracterize passengers in cars or even individuals on amusement park rides as reckless drivers. The lawsuit contends that these practices violate multiple Texas laws, including the TDPSA, the Texas Data Broker Law,[1] and the Texas Insurance Code.
Important Takeaways for Businesses
Businesses that rely on consumer data for targeted advertising, risk assessments, or analytics may be most impacted by this enforcement action and should focus on the following compliance risks:
1. Increased scrutiny of consumer privacy notices
The Texas AG alleges that Defendants violated the TDPSA by failing to offer a clear and accessible privacy notice informing consumers that their geolocation and movement data were being collected. Businesses must ensure that their privacy policies explicitly disclose what data is being collected, for what purposes, and with whom it is shared. Failure to do so may not only violate the TDPSA but also invite regulatory action for deceptive trade practices.
2. Stricter enforcement of geolocation data collection
The Texas AG also alleges that the companies violated the TDPSA by failing to receive consumers’ affirmative consent to process their precise geolocation information. Any company collecting location data, whether through mobile apps, tracking technologies, or third-party data partnerships, must obtain explicit opt-in consent from consumers before processing such information. Businesses should also implement safeguards to ensure that any location data shared with third parties complies with these privacy regulations.
3. Mandatory disclosure of sensitive data sales
The complaint asserts that Defendants failed to include the legally required notice stating:
“NOTICE: We may sell your sensitive personal data.”
Under the TDPSA, businesses that sell sensitive consumer data must provide this notice clearly and prominently in their privacy policies and any relevant consumer disclosures. Companies engaging in data monetization, analytics, or advertising practices should review their public-facing privacy policies and data-sharing agreements to ensure compliance with the notice requirement.
4. The requirement for opt-out mechanisms
Lastly, the Texas AG’s lawsuit alleges that Defendants violated consumer rights under the TDPSA by failing to provide a mechanism to opt out of data sales or targeted advertising. Businesses that engage in targeted advertising, data-sharing partnerships, or behavioral tracking must implement easy-to-use opt-out mechanisms, such as a clear and visible opt-out link on websites and mobile apps.
Is your business impacted by the TDPSA?
While the complaint focuses on businesses involved in the collection, processing, or monetization of consumer data, particularly those that track, analyze, and sell geolocation or behavioral data without proper notice or consent, the TDPSA applies broadly to both individuals and businesses engaging in data collection and processing activities in Texas. Specifically, it applies to any person that (i) conducts business in the state of Texas or produces a product or service consumed by Texas residents, (ii) processes or engages in the sale of personal data, and (iii) is not a small business, as defined by the U.S. Small Business Administration.[2]
These broad criteria mean that many companies, even those based outside of Texas, may need to comply with the TDPSA if they collect or process personal data from Texas residents. However, the following types of entities are explicitly exempt from compliance:[3]
- State agencies and political subdivisions of the state
- Financial institutions governed by the Gramm-Leach-Bliley Act (GLB)
- Covered entities or business associates governed by the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH)
- Nonprofit organizations
- Institutions of higher education
- Electric utilities, power generation companies, or retail electric providers
How do you comply with the TDPSA?
It is important for all businesses operating in Texas or selling products or services to Texas residents to review their potential obligations under the TDPSA. Any business that is subject to the TDPSA should:
- Complete a data inventory – Conduct a comprehensive privacy audit to assess data collection, processing, and security practices, identifying gaps such as missing consumer consents or improper data retention.
- Conduct a data protection assessment – Perform a risk-based evaluation before engaging in targeted advertising, data sales, or other high-risk processing activities, including sensitive data processing, ensuring alignment with similar assessments required under other privacy laws.
- Segregate sensitive data – Implement mechanisms to identify and isolate sensitive data from general personal data, ensuring that explicit consumer consent is obtained before processing in accordance with TDPSA requirements.
- Update privacy policies – Revise privacy notices to provide clear and detailed disclosures about the categories of personal data collected, purposes for processing, consumer rights, third-party data sharing, and opt-out mechanisms for data sales and targeted advertising.
- Provide consumers with opt-out controls – Establish at least two accessible methods for consumers to exercise their rights, and ensure that consent mechanisms are free from deceptive or misleading design elements.
- Review third-party contracts – Review vendor agreements to confirm that they comply with TDPSA notice and consent requirements.
- Bolster security measures – Implement reasonable and proactive security protocols, such as encryption, access controls, multi-factor authentication, and incident response plans, to protect personal data from unauthorized access or breaches.
Looking Forward
The Texas AG’s enforcement action against Defendants marks a pivotal moment in the application of the TDPSA, setting a strong precedent for how the Texas AG’s office will scrutinize businesses handling consumer data in Texas. This case underscores the importance of compliance for any organization that processes personal data, particularly in industries that rely on data-driven decision-making, such as insurance and technology. With Texas actively enforcing its privacy laws, businesses should take proactive steps to assess their data practices, update privacy policies, and strengthen security measures.
As more states enact comprehensive data privacy laws, businesses must recognize that compliance with one state’s regulations does not guarantee compliance with another. As of the date of publication, twenty (20) states have passed comprehensive data privacy laws, all of which impose unique obligations, including varying definitions of personal data, consent requirements, and enforcement mechanisms. Companies operating across multiple jurisdictions need a comprehensive privacy strategy that accounts for these differences to mitigate risks and prevent costly regulatory penalties.
Given the complexity of the TDPSA and its interplay with other state and federal privacy laws, businesses that are uncertain about their compliance obligations should consult legal counsel. The Vinson & Elkins Technology Transactions team assists clients in identifying, managing, and mitigating cybersecurity and data privacy risks from early planning and assessment to drafting and revising policies and notices to comply with applicable laws, including the TDPSA and other state privacy laws, and managing incident response and resulting investigations and litigation. If you have questions, please contact your V&E attorney.
*Christine Croasdaile is a law clerk in our New York office.
[1] Tex. Bus. & Com. Code §§ 509.001–509.009.
[2] “Small business” is as defined by the United States Small Business Administration, except as otherwise noted. Small businesses still may not engage in the sale of sensitive personal data without receiving prior consent from the consumer. Tex. Bus. & Com. Code §§ 541.002; 541.107.
[3] Tex. Bus. & Com. Code § 541.002.