Texas sues Allstate, alleging it violated data privacy rights of 45 million Americans

Editor’s Note: Story updated 9:20 a.m. Eastern on January 14 with statement from Allstate.

Texas’ attorney general is suing the insurance giant Allstate and its subsidiary Arity for allegedly illegally collecting, using and selling cell phone location and movement data belonging to more than 45 million Americans without their knowledge.

Allstate has harvested trillions of miles of that data from Americans’ cellphones through “secretly embedded” software Arity pays millions of dollars to place in mobile apps that track consumers’ driving data, state Attorney General Ken Paxton announced Monday.  

By failing to give consumers notice or get their consent for gathering and selling the sensitive data, Allstate violated Texas’ new Data Privacy and Security Act, a press release from Paxton said.

The lawsuit is the first enforcement action any state attorney general has ever filed to prosecute alleged violations of a state-level comprehensive data privacy law, according to the press release. 

Paxton also alleges that Arity and Allstate violated the state’s Data Broker Law — Arity, a data broker, did not register with the state — and the Texas Insurance Code’s ban on unfair and deceptive acts and practices.

The Texas data privacy law took effect July 1. Twelve states have such laws, but the only publicly known enforcement activity underway is limited to Texas and California.

Arity has been “licensing” its tracking software to app developers since at least 2017, Paxton alleges.

An Allstate spokesperson issued a statement saying that Arity “helps consumers get the most accurate auto insurance price after they consent in a simple and transparent way that fully complies with all laws and regulations.”

Multiple types of data

When a consumer downloads one of the participating mobile apps onto their phone, they also have “unwittingly downloaded” the Arity software, according to the complaint, which says that once the software is downloaded Arity and Allstate can “monitor the consumer’s location and movement in real-time.” 

The data Arity’s software captures includes not only a phone’s geolocation data, but also accelerometer data, magnetometer data and gyroscopic data, which tracks a phone’s altitude, longitude, latitude, bearing, GPS time and speed, the complaint says. 

The software also allegedly collects so-called trip attributes that show consumers’ movements, including their start and end locations and times as well as distance and duration of trips. Acceleration, speeding, hard braking, distracted driving and crash detection are also tracked by the software and reported back to Arity and Allstate, the complaint alleges.

Additionally, Arity’s software tracks “whether a consumer picked up or opened their phone while traveling at certain speeds,” the complaint says.

The apps using Arity’s software can capture data every 15 seconds or less, according to Paxton, citing Arity’s website.

While Arity and Allstate market the data to insurers as “driving behavior” data, its software is in reality only capable of tracking the movement of a mobile phone, meaning that consumers' insurance premiums can be raised because of the driving behavior of their taxi driver or a friend whom they are riding with, according to the complaint.

Arity and Allstate encourage the apps to install the software by creating “generous bonus incentives for increasing the size of their dataset,” the complaint says. 

After receiving the data from the mobile apps, Arity shares it with Allstate and sells access to other unnamed insurers, all of whom use it to raise individual consumers’ premiums and give inflated price quotes to prospective new customers, according to the press release and the complaint. It is unclear if Allstate paid Arity for access since it is the data broker’s parent company.

Arity allegedly collects the location and movement data directly from consumers’ phones via the mobile apps it pays to embed its software in. The participating apps separately send their users’ personally identifiable information — including name, address and mobile advertising ID — to Arity so that the data sets can be combined, making it possible for Arity to match specific individuals to the driving behavior data, according to the complaint.

“Our investigation revealed that Allstate and Arity paid mobile apps millions of dollars to install Allstate’s tracking software,” Paxton said in a statement. “Millions of Americans were sold out to insurance companies without their knowledge or consent in violation of the law.”

Some 30.5 million people live in Texas, so Paxton’s office can safely assume that at least some of the 45 million Americans ensnared in Allstate’s alleged scheme are protected by the state’s privacy law.

The case illustrates how consumers' data privacy can be violated in ways they would never imagine when they sign up for mobile apps which share their data with third parties. Disclosures about third-party data sharing often omit specific details about who data is shared with — typically referring only to unnamed business partners — and are buried in dense privacy policies that most consumers don’t read. 

Automakers also allegedly sell drivers’ data to Arity and Allstate. Car manufacturers named in the complaint as having done so include Toyota, Lexus, Mazda, Chrysler, Dodge, Fiat, Jeep, Maserati and Ram. They are not listed as defendants. 

None of the automakers has responded to a request for comment.

The world’s ‘largest driving behavior database’

Arity uses the data it purchases from the mobile apps and automakers to construct a product that it bills as the “world’s largest driving behavior database,” Paxton alleges. The company charges insurers to access that database, according to the complaint.

“Access actual driving behavior collected from mobile phones and connected vehicles to use at time of quote to more precisely price nearly any driver,” Arity’s website tells insurers, referring to its Arity IQ product.

Arity’s data has been a treasure trove for insurers. While the full list of insurance companies it supplied data to other than Allstate is not yet publicly known, press releases found online show that the CSAA Insurance Group and Google Cloud’s Analytics Hub insurance marketplace have partnered with Arity.

Arity also partners with Connected Analytic Services, LLC (CAS), a Toyota affiliate, to share driving data from connected cars with auto insurers, according to Arity’s website.

In June, the New York Times reported that CAS data is provided to Progressive.

Paxton warned Arity it was unlawfully collecting, sharing and selling sensitive consumer data without proper notice or consent in November.

Arity misrepresents its practices, Paxton alleges, citing several examples of deceptive or untrue language in its privacy disclosures, including its assertion that it does not “sell personal information for monetary value.” 

The complaint also notes that Arity did not offer consumers a way to opt out of having their data sold.

In addition to monetary damages, Paxton’s office is asking a judge to require the data broker to delete the data it has collected, stop collecting and selling the data in violation of Texas law and “make full restitution or restoration to all consumers who suffered a loss as a result of the acts and practices alleged.”

The mobile apps

Last fall, Texas also warned six apps listed on Arity’s website as apparent partners that they were violating the state’s data privacy law. Those apps are: GasBuddy, Life360, Miles, MyRadar, SiriusXM and Tapestri. 

A seventh company sent a notice of violation in the fall — Excentus Corporation, which runs the Fuel Rewards program app — is not named on the Arity website or in press releases as an Arity partner, however, it is named in the complaint filed Monday against Arity.

Press releases or company website announcements documenting Arity partnerships with GasBuddy, Life360, MyRadar and Tapestri are available online..

The complaint names four mobile apps as participants in the alleged scheme. Texas has previously sent data privacy violation notices to three of those participants. They are Fuel Rewards, Life360 and GasBuddy. 

A fourth, Routely, is a telematics app produced by Arity and billed to consumers as a product which will help them understand their driving behavior, the complaint says.

Meanwhile, Arity markets Routely to insurers as “telematics in a box,” the complaint says. Arity’s website describes its Routely offering as allowing insurers to “more accurately identify drivers with riskier driving profiles based on actual driving data, provide personalized discounts or surcharges at renewal, promote safer driving habits, and improve retention of your safer drivers.”

Mobile apps partnering with Arity do not tell consumers about the embedded Arity software or how the data it collects will be used and monetized, the complaint says.

The complaint does not name the other apps that received notices of violation in the fall as participants in the Arity data harvesting program, though it notes that GasBuddy, Fuel Rewards and Life360 are just a subset of the apps Arity partners with.

Despite the complaint’s contention, one app, MyRadar, discloses its relationship with Arity in its privacy policy. Its CEO Andy Green previously told Recorded Future News that the company only shares anonymized analytics data with “very explicit, clear consent presented to the user before we’re even able to collect anything remotely sensitive, and it’s always opt-in, not opt-out.”

The app’s privacy policy says it collects a vast array of location and driving data but asserts that the data it shares with Arity will not impact user insurance pricing.

The Fuel Rewards privacy policy does not mention selling sensitive data to Arity or Allstate. It does note that it “may sell your precise geolocation information in a manner that identifies you.”

Life360’s privacy policy says that it may disclose precise geolocation and movement data along with other information gleaned from technology embedded in users’ mobile devices. Data it says it shares with unspecified business partners includes information generated by a device’s gyroscope, accelerometer, compass and Bluetooth connection; its IP address; its contact information; and any driving event data.

It does not mention Arity or selling data to insurers.

GasBuddy’s privacy policy says it sells precise geolocation data to business partners but does not mention Arity or insurers.

None of the mobile apps has responded to a request for comment.

Monday’s announcement follows on the heels of an August lawsuit Paxton filed against General Motors alleging false, deceptive and misleading business practices. That lawsuit accused the lawmaker of unlawfully collecting 1.8 million Texans’ driving data, which it then allegedly sold to insurers.

GM allegedly pressured drivers to sign up for features that collected their data. It then allegedly sold that data to other companies. Two of those companies used the data to create “driving scores” which were then sold to insurers, Paxton said at the time.

GM has said it is reviewing the complaint.

“We share the desire to protect consumers’ privacy,” a statement released when the lawsuit was announced said.