
Keypoint: Texas files its first lawsuit enforcing its new state consumer data privacy law.
On January 13, 2025, Texas Attorney General’s Office filed its first lawsuit enforcing the Texas Data Privacy and Security Act (“TDPSA”). The law went into effect on July 1, 2024. The complaint also states claims under Texas’ data broker law and insurance code.
In the below post, we provide a brief summary of the complaint, including the factual allegations, causes of actions, and damages sought.
Factual Summary
The office filed the complaint against the Allstate Corporation and five of its subsidiaries, including three subsidiaries that share the name “Arity.”
The complaint alleges that the defendants developed a software development kit (SDK) that they licensed to third parties to integrate into their mobile applications. As explained in the complaint, “SDKs can provide app developers a helpful tool to build and develop their apps. SDKs usually consist of a set of tools (APIs, software, etc.) with preprogrammed functions that are integrated into an app and operate in the background.”

The defendants allegedly paid third parties millions of dollars to incentivize them to use the SDK. The defendants allegedly did this because they wanted to use the SDK to “harvest several types of data” including a mobile phone’s geolocation data, trip attributes, GPS points, derived events (e.g., acceleration, speeding, and distracted driving), and metadata. The complaint further alleges that, to avoid alerting consumers, the defendants specifically chose third-party apps that “contained features that relied on location information to function properly.” Ultimately, the defendants were able to collect information from over 45 million Americans, including millions of Texas residents.
The complaint alleges that this collection was done without notice or consent. According to the Attorney General, the “Defendants had varying levels of control over the privacy disclosures and consent language that app developers presented to consumers [but] neither Defendants, nor the apps on Defendants’ behalf, informed consumers that Defendants were collecting” the information.
After collecting the information, the Defendants allegedly did two things. First, they used it for their own purposes to support their car insurance business. Second, they sold the information to third parties, including other car insurance carriers. “If a consumer requested a car insurance quote or had to renew their coverage, Insurers would access that consumer’s driving behavior in Defendants’ database. Insurers then used that consumer’s data to justify increasing their car insurance premiums, denying them coverage, or dropping them from coverage.”
According to the Attorney General, even if a consumer was able to determine that the defendants were collecting information, the defendants’ online privacy policy failed to disclose that they were selling information (in fact, it stated the opposite) and the defendants did not provide consumers with a mechanism to stop it.
Claims
The complaint alleges five violations of the TDPSA by the three Arity defendants:
- Failure to provide consumers with a reasonably clear and accessible privacy notice indicating the sensitive data processed by the defendants.
The complaint alleges that the Arity defendants were a “controller in several respects” and were required by TDPSA to provide consumers with a privacy notice. However, consumers were “wholly unaware” that the Arity defendants were processing their sensitive data. The complaint also faults the third-party mobile apps for not providing consumers with a notice that the Arity defendants were collecting their information.
The Attorney General’s ability to prove the Arity defendants’ role – controller, processor or third party – will be important for establishing this violation (and the other violations).
- Processing sensitive consumer data (i.e., precise geolocation data) without obtaining consumer consent.
The complaint alleges that the Arity defendants “processed consumers’ sensitive data without obtaining their consent through a clear affirmative act signifying their freely given and informed agreement to permit [processing of] their sensitive data.”
- Failure to provide the required notice when engaging in the sale of sensitive personal data.
The TDPSA requires a controller engaging in the sale of sensitive data to post the following notice, which the Arity defendants did not do: “NOTICE: We may sell your sensitive personal data.”
- Failure to provide any disclosure of the Arity defendants’ sales of personal data or targeted advertising practices or a method to opt-out of either.
The TDPSA requires controllers selling personal data to third parties or processing personal data for targeted advertising to clearly and conspicuously disclose that processing and the manner in which a consumer can opt out. The Arity defendants allegedly failed to do so.
- Failure to supply a reasonably accessible privacy notice that included how consumers may exercise their rights under the TDPSA.
The Arity defendants failed to comply with the TDPSA’s requirement to provide consumers with a right to opt out of sale, targeted advertising and profiling. Of note, the Arity defendants told consumers that they could “[l]earn how to opt out of targeted advertising” by clicking a link. If a consumer clicked on that link they would be taken to a page that, “instead of offering them a way to submit a request, only provided them with links to several third-party websites” which explained how a consumer could turn off certain types of third party advertising. This violated the TDPSA.
The State also claims the Arity defendants violated the Texas Data Broker Law by failing to register with the Texas Secretary of State’s Office by March 1, 2024.
Finally, the State alleges that all defendants violated the Texas Insurance Code by engaging in “unfair or deceptive acts or practices” related to insurance.
Damages
The State claims entitlement to more than $1,000,000 in monetary relief, including not more than $7,500 per TDPSA violation, a $10,000 penalty for violation of the Texas Data Broker Law and $100 per day the Arity defendants were in violation of the registration requirement, a civil penalty of not more than $10,000 per violation of the Texas Insurance Code, and the Attorney General’s attorney’s fees and costs of court pursuant to the claim.
In addition to the monetary relief, the State seeks an injunction and requests defendants delete or otherwise destroy all data obtained (“including any data in the possession of any third party”), and make full restitution or restoration to all consumers who suffered a loss as a result of the acts and practices alleged.
Right to Cure
Of note, TDPSA required the Attorney General to provide a 30-day right to cure notice to the defendants. The complaint states that the Attorney General provided the notice but the Arity defendants did not cure the violation.