Texas AG Sues Allstate for Unlawful Location Data Collection

“Our investigation revealed that Allstate and Arity paid mobile apps millions of dollars to install Allstate’s tracking software,” said Paxton in a news release Monday. “The personal data of millions of Americans was sold to insurance companies without their knowledge or consent in violation of the law.” The Texas AG office said it was the first enforcement action ever filed by a state AG to enforce a comprehensive data privacy law. Allstate didn't comment.

Keir Lamont, Future of Privacy Forum senior director, in a LinkedIn post, wrote that the “interpretation, implementation, and [ultimate] enforcement of this multi-pronged consent standard (in the U.S. context) will be very important in shaping the ultimate impact of this emerging body of law on consumer privacy interests.”

Paxton alleged that Allstate’s actions violated the Texas Data Privacy and Security Act (TDPSA), which became effective in July. The TDPSA establishes safeguards for privacy protection from companies that collect, use, store, sell, share, analyze, or process consumers’ personal data, including geolocation data.

Hintze Law's Mason Fitch said the AG's action "adds yet another data point to consider when you process sensitive personal data: third party collection and use must be reflected in the consent for processing.”

Commenting on LinkedIn, Fitch said, “Sensitive data consents are already under significant strain—between adequate disclosure of first party collection and use, and third-party collection and use, we’re starting to talk about a miniature privacy policy in consent requests.” Fitch added, “Finding the right balance is critical.”