Texas accuses four companies of sharing sensitive user data without proper notice and consent

Texas’ attorney general is continuing his aggressive but quiet enforcement of the state’s new comprehensive data privacy law, sending four new violation notices to companies in recent weeks.

Attorney General Ken Paxton warned satellite radio broadcaster Sirius XM and three app companies that they appeared to be sharing consumers’ sensitive data without clearly notifying them about aspects of their practices or obtaining user consent.

Although Paxton’s office has publicly stated its intention to strictly enforce the new law, it has not  issued press releases or other materials when warning potential offenders. Recorded Future News obtained the notices through a public records request.

Texas’ large population — 30.5 million — guarantees that at least some residents will be customers of any nationally available company or service. In October, Paxton’s office accused the app companies GasBuddy, Life360 and Excentus Corporation of inappropriately sharing consumer data, including locations, without clear notice and consent.

The four companies notified in November are:

Sirius XM

On November 20, the state sent a notice accusing Sirius XM of sharing users’ sensitive data, including location and vehicle data, with a host of groups, including “unaffiliated third-party business relationships.”

Sirius also allegedly failed to tell consumers which categories of sensitive data it collects and did not obtain their consent to share it.

While the Sirius privacy policy states that it gathers and shares the data and the purposes for which it does so, Paxton’s office says that the company failed to give consumers “reasonably clear notice” of the types of data it is collecting or affirmatively obtain their consent to share it.  The Texas privacy law defines consent as a “clear affirmative act signifying a consumer’s freely given, specific, informed and unambiguous agreement.”

Sirius XM did not respond to a request for comment.

MyRadar and Miles apps

On the same day that it sent Sirius the notice, Texas accused the weather app MyRadar and Miles — a travel rewards app that collects users’ movements, including on walks and bike rides — of failing to obtain consumer consent for data sharing, including of users’ locations. The companies are additionally accused of failing to notify consumers about how they can “exercise their rights” under the state’s privacy law.

MyRadar CEO and co-founder Andy Green told Recorded Future News via email that it is “currently working on addressing the letter’s concerns and making sure we’re square with their requirements, but at first glance it looks like they might not have actually used our app to see our consent screens.”

Green said MyRadar only shares anonymized analytics data with “very explicit, clear consent presented to the user before we’re even able to collect anything remotely sensitive, and it’s always opt-in, not opt-out.”

The producers of the Miles app did not respond to a request for comment.

Tapestri

On November 4, the office also accused Tapestri, Inc. — an app that rewards users for their information — of sharing sensitive data, including for location, without clear notification of how to exercise their rights and of failing to obtain consent. 

Tapestri did not respond to a request for comment.

Feeding data to insurers

The four companies’ privacy policies indicate they share and use the data for a wide array of purposes. All four say they collect and share location data that the Federal Trade Commission (FTC) has called highly sensitive and repeatedly targeted companies for sharing.

MyRadar collects a particularly expansive amount of data for analytics purposes, including phone number, email address, website URLs, profile pictures and IP address, according to its privacy policy. The policy says MyRadar collects and can share geolocation data for "monetization" purposes when users opt in.

The app also has a relationship with Arity, a company founded by the insurer Allstate. Arity calls itself a “mobility data and analytics company focused on improving transportation.” Insurers are among its primary customers.

Arity says it collects and analyzes “enormous amounts of data, using predictive analytics to build solutions with a single goal in mind: to make transportation smarter, safer and more useful for everyone.”

The data MyRadar shares with Arity includes driving event data, which it defines as including “speed, change in speed and other aspects of how, how much and where and when you drive,”  MyRadar’s privacy policy says.

Arity’s website tells insurers it can help them “price [potential customers] more accurately.” The company did not respond to a request for comment.

Other recent Texas actions

On November 15, the office also sent a “civil investigative demand,” or administrative subpoena, to National Public Data, the data broker whose August hack allegedly leaked as many as 2.9 billion records containing sensitive personal data belonging to up to 170 million residents of the U.S., U.K. and Canada.

That letter seeks all documents the company has sent to any regulator about the breach along with documents showing all of the people who provided the company with data and those who used its products.

Editor's Note: Story corrected 11:20 a.m. Eastern, December 10 to specify that MyRadar's privacy policy says the company collects and can share geolocation data for "monetization" purposes when users opt in.