Texas sues Allstate for collecting driver data to raise premiums

Texas is suing one of the nation’s largest auto insurance providers, alleging it violated state privacy laws by secretly collecting detailed location data on millions of drivers and using that information to justify raising insurance premiums.

State Attorney General Ken Paxton said court case against Allstate and its subsidiary Arity is the first enforcement action ever brought by a state attorney general to enforce a data privacy law. It also follows a fraudulent business practice lawsuit he filed v. General Motors accusing the automaker of misleading customers by collecting and selling driver data.

“Our investigation revealed that Allstate and Arity paid millions of dollars to mobile apps to install Allstate’s tracking software,” Paxton said in a statement. “The personal information of millions of Americans was sold to insurance companies without their knowledge or consent in violation of the law. Texans deserve better, and we will hold all of these companies accountable.”

In 2015 Allstate developed the Arity Driving Engine software development kit (SDK), a package of code that the company allegedly paid mobile app developers to install in their products to collect various sensitive data from users’ phones. The SDK collected phone geolocation, accelerometer and gyroscope data, details of where phone owners start and end their journeys, and “driving behavior” information, such as whether phone owners appear to be speeding or driving while are distracted, according to the lawsuit.

Apps that have installed the SDK include GasBuddy, Fuel Rewards and Life360a popular family monitoring app, according to the lawsuit.

Paxton’s complaint says Allstate and Arity used data collected from its SDK to develop and sell products to other insurers such as Drivesight, an algorithmic model that assigns a driving risk score to individuals, and ArityIQ, which allows to other insurers to “(a)ccess actual driving behavior collected from cell phones and connected vehicles to be used at quote time to more accurately price nearly every driver.”

Allstate and Arity marketed the products as providing data about “driver behavior,” but because the information was collected through cell phones, the companies had no way of determining whether the owner was actually driving, according to the lawsuit. “For example, if a person was a passenger in a bus, taxi, or friend’s car, and the driver of that vehicle accelerated, slammed on the brakes, or made a sharp turn, defendants would conclude that the passenger, not the actual driver, was involved in “bad” driving,” the suit states.

Neither Allstate and Arity nor the app developers properly informed customers in their privacy policies what data the SDK collects or how it will be used, according to the lawsuit.

The Texas Data Privacy and Security Act is one of dozens of state privacy laws enacted in recent years. While other states have charged and settled with companies for violating their privacy laws, the Texas lawsuit against Allstate is significant because it claims the company missed an opportunity to change its practices and avoid a lawsuit.

Like many other state laws, the Texas DPSA has what is known as a right-to-cure provision, which states that companies who are notified that they are violating the law have a certain period of time (30 days, in the case of Texas ) to correct the alleged violations and avoid coercive action. Allstate and Arity have not done so, according to the lawsuit.

In its complaint filed in federal court, Texas asked that Allstate be ordered to pay a fine of $7,500 for violating the state’s privacy law and $10,000 for violating the state’s insurance code, which would likely amount to millions of dollars given the number of users allegedly affected.

The suit also asks the court to order Allstate to delete all data obtained through actions that allegedly violated the privacy law and to make full restitution to customers harmed by the companies’ actions.