In a groundbreaking enforcement action, Texas Attorney General Ken Paxton has filed a lawsuit against Allstate Corporation and its subsidiary Arity, alleging systematic violations of the Texas Data Privacy and Security Act (TDPSA) and other consumer protection laws. This is the first ever enforcement action under the TDPSA, which became effective in 2024, and the lawsuit highlights the pervasive risks associated with unauthorized collection of precise geolocation data.

The Allegations 

According to the complaint, Allstate and Arity developed software embedded in popular mobile apps—such as GasBuddy—to collect sensitive geolocation and behavioral data without users’ knowledge or consent. This data was allegedly sold to third parties, including insurance companies, and used to justify increased car insurance premiums.

Key allegations include:

• Covert Data Harvesting: Embedding software to track detailed metrics such as location, movement, speed, and even distracted driving behaviors from over 45 million users nationwide.
• Unauthorized Monetization: Selling access to this data to insurers, creating what Allstate described as the "world’s largest driving behavior database."
• Lack of Transparency: Failing to provide consumers with notice or obtain explicit consent as required under TDPSA.

Alleged Violations 

The State of Texas has charged Allstate and Arity with:

1. Processing sensitive data, including precise geolocation information, without consent.
2. Failing to provide clear and accessible privacy notices as mandated by law.
3. Selling sensitive data without requisite disclosures or opt-out mechanisms.
4. Using consumer data in insurance underwriting in ways that allegedly constitute deceptive practices under the Texas Insurance Code​.

Potential Consequences 

If liable, Allstate and Arity could face:

• Civil penalties of up to $10,000 per violation per user.
• Injunctive relief requiring the deletion of unlawfully processed data.
• Restitution to affected consumers.

Looking Forward 

The lawsuit against Allstate and Arity sets the stage for what could be a transformative year in data privacy enforcement. As regulators ramp up efforts and consumers demand greater accountability, businesses should proactively adapt to this shifting landscape. Ensuring compliance is no longer optional—it’s essential for protecting both consumers and corporate reputations.

As a growing number of jurisdictions adopt robust privacy regulations, companies should review their data collection practices and consent mechanisms to ensure compliance and mitigate legal risks.

This lawsuit follows Attorney General Paxton’s lawsuit against General Motors and his ongoing investigations into several car manufacturers for secretly collecting and selling drivers’ highly detailed driving data. The Baker Botts Privacy and Cybersecurity team will continue to monitor and report on this  landmark case as it develops and sets the tone for future data privacy enforcement.