Texas has initiated legal action against one of the country’s principal auto insurance firms asserting that it breached the privacy legislation by covertly gathering comprehensive location details on countless motorists and exploiting that data to support hikes in insurance rates.

The state’s attorney general, Ken Paxton, stated the suit targeting Allstate along with its subsidiary Arity represents the initial enforcement proceeding ever launched by a state attorney general to uphold a data privacy statute. This follows a lawsuit on fraudulent business conduct he initiated against General Motors, accusing the vehicle producer of deceiving patrons by acquiring and vending driver data.

“Our inquiry revealed that Allstate and Arity compensated mobile applications millions to integrate Allstate’s surveillance software,” Paxton declared in an announcement. “The personal information of countless Americans was sold to insurers absent their awareness or consent, transgressing the law. Texans deserve superior protection, and we will make sure these corporations are responsible.”

In 2015, Allstate crafted the Arity Driving Engine software development kit (SDK), a set of code that the corporation reportedly paid app creators to incorporate into their applications to amass a variety of private data from consumers’ devices. The SDK amassed geolocation data, accelerometer, and gyroscopic details, details about where phone users commenced and concluded their trips, alongside information about “driving habits,” such as whether individuals seemed to be speeding or driving inattentively, based on the lawsuit.

The applications that integrated the SDK involved GasBuddy, Fuel Rewards, and Life360, a renowned family tracking application, as per the lawsuit.

Paxton’s grievance mentioned that Allstate and Arity exploited the data collected by its SDK to formulate and market products to other insurance providers such as Drivesight, an algorithmic model that evaluated a driving risk score to people, and ArityIQ, which allowed other insurers to “[a]ccess actual driving behavior collected from mobile phones and connected vehicles to use at time of quote to more precisely price nearly any driver.”

Allstate and Arity promoted the offerings as delivering “driver behavior” insights, but since the details were gathered through mobile devices, the firms lacked a method to ascertain if the owner was genuinely driving, according to the lawsuit. “For instance, if a rider was on a bus, a cab, or in a friend’s car, and the vehicle’s motorist sped, braked harshly, or executed a sharp maneuver, Defendants would surmise that the passenger, not the genuine driver, demonstrated ‘bad’ driving conduct,” the lawsuit asserts.

Neither Allstate and Arity nor the app developers adequately informed users in their privacy policies about what data the SDK was amassing or how it would be utilized, according to the lawsuit.

Texas’s Data Privacy and Security Act is among numerous state privacy statutes enacted recently. Whereas other states have accused and negotiated settlements with firms for breaching their privacy laws, the Texas accusation against Allstate is noteworthy as the firm supposedly bypassed the chance to rectify its methods and avoid litigation.

Like numerous other state statutes, the Texas DPSA includes what is regarded as a right-to-cure provision, which stipulates that corporations informed that they’re contravening the law have a designated timeframe (30 days, in Texas’s case) to rectify the purported violations and avert an enforcement action. Allstate and Arity failed to do that, according to the lawsuit.

In its grievance, lodged in federal court, Texas requested that Allstate be mandated to pay a penalty of $7,500 per breach of the state’s data privacy statute and $10,000 per breach of the state’s insurance code, which would potentially reach millions considering the number of consumers reportedly affected.

The legal action further petitions the court to compel Allstate to erase all data it accumulated through actions that allegedly violated the privacy statute and to compensate fully to clients impacted by the firms’ conduct.