Texas has emerged as an unexpected leader in data privacy enforcement among U.S. states. After announcing the creation of a privacy enforcement team within the attorney general’s office, the state has followed through in a meaningful way, including settling a $1.4B case against Meta related to the processing of Texans’ biometric data.
Now Texas has become the first state to file a formal lawsuit alleging violations of its comprehensive data privacy law, the Texas Data Privacy and Security Act (TDPSA), along with various other laws. The target of this enforcement action is the Allstate Corporation and a subsidiary named Arity.
What is the state’s case against Allstate and what could it mean for other businesses?
Note: This is ongoing litigation; the allegations should not be taken as true, but rather as offering insight into the attorney general’s approach to privacy enforcement.
Here is an overview of the facts of the case (as alleged by the state).
Allstate is an insurance provider that owns Arity, a tech-focused analytics company. Arity has created a software development kit (SDK) that can be integrated into mobile apps. Once added to an app, the SDK collects a wide variety of personal information from the user’s phone, including GPS coordinates, driving data (acceleration, speed, etc.), phone metadata, and even whether the user activated their phone during a trip.
Arity paid third parties to integrate the SDK into their apps, specifically targeting apps that already used a phone’s geolocation so that the SDK would not require additional permissions. Examples of apps that are alleged to have partnered with Arity include Routely, Life360, GasBuddy, and Fuel Rewards. Allstate also purchased driving data directly from car manufacturers.
Arity then used this data for a variety of purposes, including targeted advertising and creating profiles of users’ driving behavior. Allstate used these profiles to inform its insurance business, and also sold the data to insurance companies for similar purposes.
In November 2024, the attorney general’s office provided Arity with a 30-day cure notice, as required by law. The company did not take any action in response to that notice.
Texas has alleged that Allstate’s and Arity’s data practices violated the TDPSA in a number of ways.
The state alleges that app users were not given any notice about Arity’s data practices.
What’s interesting here is that the AG’s office appears to be seeking to hold Arity responsible for the privacy notices in third-party apps, not just its own privacy notice.
The complaint states, “Pursuant to their agreements with app developers, Defendants had varying levels of control over the privacy disclosures and consent language that app developers presented to consumers.” If the state is ultimately successful with this theory, a lot of SaaS companies should take notice, because they may be held responsible for their customers’ privacy disclosures (or lack thereof).
The TDPSA requires controllers to obtain consumers’ consent before processing their sensitive data, and precise geolocation data is considered sensitive data. Texas alleges that the defendants failed to get that consent.
Similar to the section above, it appears that the state is looking to hold Arity responsible for the third-party apps’ failure to notify consumers and get valid consent for Arity’s use of sensitive data.
According to the complaint, Arity and Allstate sold data collected from the SDK to other companies, namely insurers. Neither the third-party apps’ privacy policies nor Arity’s own privacy policy disclosed this fact to consumers, as is required by the TDPSA. They also failed to include the explicit disclosure, “NOTICE: We may sell your sensitive personal data” that is required by the privacy law.
This could be interesting as the case progresses, as the defendants may claim that the TDPSA’s exemptions, such as for data covered by the Fair Credit Reporting Act and organizations that investigate insurance fraud, apply to these disclosures.
The TDPSA requires businesses to provide consumers a way to opt out of targeted advertising, the sale of their personal data, and profiling.
According to the complaint, Arity was doing all three of these but not offering a compliant opt-out method for any of them. Regarding profiling and data selling, Arity may contend that it wasn’t necessary, but the targeted advertising aspect should be of interest to other businesses.
Arity does acknowledge that it uses consumer personal data for targeted advertising, and it does have the prescribed opt-out link in its website footer, which leads the user to a “Your Privacy Choices” page. However, this page does not provide any way to make an opt-out request directly to Arity. Instead, it informs users of an external tool they can download onto their phone in order to submit an opt-out, as well as the phone settings they can change in order to limit the use of their data for targeted advertising.
Regulators have warned against opt-outs that cannot be submitted directly from the controller’s website/app, so it will be interesting to see how this issue plays out in the courts.
Texas’s first privacy lawsuit is still in the early stages and Allstate/Arity will surely have something to say about the allegations, but we can still learn a few things. (1) Texas is very serious about enforcing its privacy law. (2) It is aggressive in its interpretation of the law.
With that in mind, ignoring privacy compliance or offering up token gestures of compliance are increasingly risky strategies. Tackling data privacy rules head-on can save major headaches down the road.
Disclaimer: This content is provided for general informational purposes only and does not constitute legal or other professional advice. Without limiting the foregoing, the content may not reflect recent developments in the law, may not be complete, and may not be accurate or relevant in an applicable jurisdiction. This content is not a substitute for obtaining legal advice from a qualified licensed attorney in the applicable jurisdiction. The content is general in nature and may not pertain to specific circumstances, so it should not be used to act or refrain from acting based on it without first obtaining advice from professional counsel qualified in the applicable subject matter and jurisdictions.