On January 13, 2025, Texas Attorney General Ken Paxton announced lawsuits against Allstate and its subsidiary, Arity (together, “Allstate”), for the unlawful collection, use and sale of precise geolocation data collected through Allstate’s mobile apps, in violation of Texas’s comprehensive data privacy law. The AG’s office alleges that Allstate then used this covertly obtained data to justify raising insurance rates.

According to the AG, Allstate used its subsidiary Arity to pay third-party developers to embed software into various mobile apps, including GasBuddy, Fuel Rewards and Routely. The software allowed Allstate to track consumers’ location and movement in real time and to build up a database of consumer driving behavior. The company collected trillions of miles of location data from over 45 million consumers nationwide. When a consumer requested a quote or renewed their coverage, Allstate and other insurers would use that consumer’s data to justify increasing their car insurance premium or to drop them from coverage.

As a result of these practices, the AG charged Allstate with violations of the Texas Data Privacy and Security Act (“TDPSA”). The TDPSA requires clear notice regarding how a company uses consumers’ sensitive data, including precise geolocation data, and requires companies to obtain consumers’ informed consent to such practices. In its complaint, the AG alleged that Allstate failed to comply with these requirements.

The case represents the first enforcement action filed by a state Attorney General to enforce a comprehensive data privacy law. While the Texas AG opened an investigation in 2024 into several car manufacturers for unlawfully collecting and selling drivers’ personal data, the AG alleged violations of the Texas Deceptive Trade Practices – Consumer Protection Act, and not the TDPSA.