
“Don’t Mess with Texas.” 

It’s an evocative phrase, which is probably why it survived so long past its humble origins as a 1980s campaign slogan to discourage drivers from littering on Texan highways. 

Today, it’s as relevant as ever. Only this time, it’s not about cleaning up Texas roads, but stopping businesses from spying on Texan drivers.  

That’s the focus behind the recent lawsuit filed by the Texas Attorney General’s (AG’s) Office against Allstate and its subsidiaries, who are accused of using smartphones to surreptitiously collect users’ driving data.  

Whether or not your business serves Texas residents, the case has broad implications for data privacy management in the US—it could even be a sign of more data privacy enforcement to come. 

Texas Enforcement Action: The Basics 

The Texas Attorney General’s Office filed the suit against insurance provider Allstate and a number of subsidiaries, several of which go by the name Arity. 

The suit alleges that Allstate, Arity, and other subsidiaries developed a software development kit (SDK)—essentially a library of tools software engineers use to facilitate development—and then paid third-party mobile app developers to use the SDK. 

Allstate and its co-defendants didn’t pay developers millions of dollars to use their SDK out of the goodness of their hearts. They did so because they were getting something in return. In addition to the useful development tools contained within the SDK, Allstate included data trackers that would harvest end users’ mobile phone data, including geolocation and accelerometer data. 

Allstate sells insurance; with this information, it could determine whether one person’s premium would be higher than another’s, who may be at fault in an accident, and more. Allstate didn’t just keep this data for itself, either. It also transferred that data to third parties, further violating smartphone users’ privacy. 

Tellingly, Allstate specifically targeted mobile apps that would have already asked end users for their permission for geolocation data, such as the Life360 app. This effectively camouflaged the alleged data collection. 

TDPSA Requirements & Allstate’s Violations 

Like other state privacy laws, the Texas Data Privacy and Security Act (TDPSA) requires businesses to notify consumers of data collection and give them a chance to opt out of that collection if the data is to be “sold” (which the law defines as any transfers “for monetary or other valuable consideration”) to a third party. 

The TDPSA has other requirements, but the lawsuit hinges on violations of these core requirements. Specifically, the suit alleged that Allstate: 

  1. Failed to provide a clear and accessible privacy notice indicating the sensitive data processed. 
  2. Processed sensitive data without consumer consent. 
  3. Failed to post a disclosure regarding the sale of sensitive data. 
  4. Did not provide a disclosure regarding the sale of personal data, targeted advertising practices, or consumers’ opt-out rights. 
  5. Failed to provide a method for consumers to exercise their data subject rights, including their rights to opt out. 

Under the TDPSA, businesses also have 30 days to address their violation upon notice from the AG. This is known as a cure period. Some data privacy laws temporarily offer a cure period that will sunset at a future date as a way to give businesses time to adapt to their new compliance requirements. Texas’s cure period does not sunset. However, addressing TDPSA violations in 30 days isn’t always possible. Allstate was not able to do so. 

What’s the Damage? 

As of this writing, the lawsuit is still ongoing. But if Allstate is found liable, its penalty could reach an eye-watering figure. 

The suit alleges violations of three laws: 

  • The TDPSA, which features penalties of up to $7,500 per violation 
  • The Texas Broker Law, which features a $10,000 criminal penalty per violation in a 12-month period 
  • The Texas Insurance Code, which features a civil penalty of up to $10,000 

Generally, a single violation relates to a single instance where a requirement was broken with respect to a given individual. Given that the suit alleges Allstate violated multiple rights for 45 million Americans... let’s just say it’s not looking good. 

What This Means 

Texas’s Bite Matches Its Bark 

The most obvious takeaway? Texas isn’t screwing around when it comes to data privacy enforcement. 

The Texas Attorney General’s Office has issued a number of warnings against industries and organizations that have flirted with violating data privacy laws, launched investigations, and overall made it clear it intends to enforce these laws. With this lawsuit, the Texas AG has made it clear that its bite is equal to its bark. 

Consider the timeline of events: 

  • June 2024: The Texas AG creates a team dedicated to enforcing privacy violations. 
  • July 2024: The TDPSA goes into effect. 
  • October 2024: The Texas AG’s Office requests mobile app agreements from Allstate. 
  • Nov 29, 2024: The Texas AG’s Office issues a notice of violation, kicking off the 30-day cure period. 
  • January 13, 2025: After Allstate failed to cure its violations, the AG’s Office filed this lawsuit. 

With just about six months from the effective date of the TDPSA to this lawsuit, it's clear that the Texas AG’s Office has made privacy enforcement a priority. 

The Start of Enforcement One-Upmanship? 

This enforcement action is the first in the US outside of California. And of course, if anyone’s going to try to outdo California, it’s Texas. 

But California and Texas aren’t the only states with data privacy laws—they’re just two of 19 as of this writing. No state wants to be seen as the jurisdiction that lets big tech walk all over its residents.  

Eight of the recently enacted US data privacy laws go into effect in 2025. Will their respective Attorneys General prioritize enforcement to the same extent as Texas? If so, 2025 could turn into the year that the US got serious about data privacy. 

Privacy By Design & Operationalizing Compliance Is Key 

This case highlights why embedding privacy into your systems and projects from the ground up is essential. The practice of considering privacy first (that is, before you get sued by the Attorney General) is known as privacy by design. 

Privacy by design can cover a lot of ground, but here are some of the activities and processes relevant to this case: 

  • Privacy Impact Assessments (PIAs): Had Allstate conducted a PIA at the outset of their data collection project, they would have immediately recognized that it was non-compliant. A PIA could have helped them identify ways to make their collection compliant, such as by notifying end users of the purpose of data collection and providing them a means of opting out, including to opt out of the third-party data transfers. Allstate likely could have still collected some personal information—just not surreptitiously. 
  • Universal Consent Management: You’re probably familiar with cookie consent. In the privacy world, when you manage consent for non-cookie-based data collection, it’s known as universal consent management. Universal consent management solutions help you provide notice and opt-in or opt-out consent across channels like mobile apps, as was needed in this enforcement case. 
  • Privacy Policy Management: The defendants in this case failed to notify consumers about the nature of their data collection practices. A privacy policy would have been the place to do that. Allstate and its co-defendants had privacy policies in place, but they didn’t mention any third-party data transfers (in fact, they asserted that no such transfers took place). By assessing their actual data processing policies and accurately reporting those in their privacy policy, the defendants could have mitigated their violations. 

There are a lot more actions that Allstate could have taken to reduce their risk and even avoid a penalty altogether, but describing the process of building out an entire privacy program is outside the scope of this article.  

It can be overwhelming—that’s why privacy management software solutions like Osano exist.  

To find out how Osano can help you carry out assessments, manage consent, manage your privacy policies, and more, book a demo with one of our experts. 
