Texas Takes Action: The State’s First Data Law Lawsuit

Introduction

In a groundbreaking move that has caught the attention of industries from mobile apps to in-car devices, Texas is taking a robust stance on data privacy enforcement. The Texas Attorney General’s Office, under the leadership of Attorney General Ken Paxton, initiated a landmark lawsuit against Allstate Corporation and its subsidiary, Arity. The lawsuit, announced on January 13, 2025, alleges that the companies unlawfully collected, used, and sold sensitive geolocation and movement data from over 45 million Americans, including Texans, without obtaining proper consent. This enforcement action alleges these companies violated the Texas Data Privacy and Security Act (TDPSA) by engaging in deceptive practices, processing sensitive personal data without proper consumer consent, and failing to provide an accessible privacy notice. The case highlights the state’s commitment to ensuring that companies adhere to Texas data privacy standards and safeguarding the sensitive data of over 45 million Americans living in and connected to the Lone Star State.

The lawsuit marks not only a pivotal moment in Texas data privacy enforcement but also signals a new era of accountability for companies that handle consumer data. The allegations focus on a variety of data collection practices, including the unauthorized transfer of behavioral data, precise geolocation information, accelerometer data, and other forms of sensitive data processed through mobile devices and integrated software. Furthermore, the case underscores the broader importance of comprehensive data privacy laws—similar in ambition to those championed by the California Privacy Protection Agency—in holding companies accountable for selling personal data and deploying software development kits without explicit consent. As Texas pushes forward with rigorous enforcement under its state data privacy law, businesses nationwide are taking note of the critical need for transparent data practices and informed consumer consent.

Texas Data Privacy Lawsuit: A New Era in Enforcement

The lawsuit filed by the Texas Attorney General’s Office against Allstate and Arity represents a historic escalation in the state’s efforts to enforce data privacy and security standards. Authorities allege that these companies installed Allstate’s tracking software on mobile devices and in-car devices without obtaining users’ explicit consent. This action, they contend, violates the spirit—and the letter—of the Texas Data Privacy and Security Act, which mandates clear consumer consent before collecting or processing sensitive personal data. The case not only focuses on data collection practices but also examines how behavioral data, driving data, and precise geolocation information are managed and shared with third-party apps, raising serious concerns about targeted advertising practices and data sales.

This enforcement action is part of a broader initiative by Texas AG Ken Paxton to ensure that companies are held accountable for transferring data in ways that undermine consumers’ knowledge or consent. The investigation revealed that Allstate and Arity potentially engaged in deceptive practices by failing to inform consumers about how their personal data was being used. With allegations that these companies did not provide a clear and accessible privacy notice as required under the state data privacy law, Texas AG’s Office is sending a strong message: companies must embed privacy by design in all aspects of their software development and data collection practices. This legal battle could have far-reaching consequences, setting a precedent for how sensitive information—including data collected via integrated software and third-party apps—is handled nationwide.

The Texas Data Privacy and Security Act (TDPSA)

The Texas Data Privacy and Security Act (TDPSA) is a comprehensive data privacy law designed to empower consumers and protect sensitive personal data from unauthorized use. This legislation requires businesses to inform consumers about their data collection practices and provide a clear, conspicuous privacy notice. Under the TDPSA, companies must secure explicit consent before processing sensitive data, including precise geolocation information, behavioral data, and even accelerometer data generated by mobile devices and in-car devices. In essence, the TDPSA is not merely a set of rules; it is a commitment to data privacy and security that mandates companies to prioritize consumer consent and safeguard personal data.

Beyond its immediate regulatory impact, the TDPSA represents a strategic shift in how Texas—and potentially other states—will approach data privacy enforcement. It obliges businesses to implement robust mechanisms for obtaining informed consent, ensuring that consumers are fully aware of how their sensitive personal data is collected, processed, and even sold. This state data privacy law has parallels with other comprehensive frameworks, such as the Privacy and Security Act seen in California, yet it carries its own distinct mandates tailored to Texas’s unique legal landscape, including provisions influenced by the Texas Insurance Code and Texas Data Broker Law. With these measures, the law compels companies to rethink their data practices, ensuring that every element—from the installation of tracking software to the transfer of data via integrated software—is executed with full transparency and consumer approval.

Consequences of Non-Compliance with the TDPSA

Failure to adhere to the provisions of the TDPSA can result in significant repercussions for businesses, ranging from steep fines to lengthy litigation and long-term damage to reputation. Companies that neglect to obtain consumer consent before processing sensitive data may face enforcement actions designed to hold them accountable. The lawsuit against Allstate and Arity is a clear example of how non-compliance not only invites legal penalties but also erodes consumer trust—a key asset in today’s competitive market. With allegations centered on deceptive practices and the unauthorized selling of personal data, this case illustrates the financial and reputational risks inherent in ignoring the stringent requirements of state data privacy laws.

In addition to monetary fines and legal sanctions, non-compliance with the TDPSA can significantly undermine a company’s ability to maintain robust consumer data practices. The fallout from such violations is extensive: affected consumers may lose confidence in a company’s commitment to protecting their personal data, and industry-wide, there may be a ripple effect as regulators in Texas and beyond seek to hold companies accountable for data privacy and security breaches. The ramifications extend to all sectors, including mobile app developers, car manufacturers, and software developers who rely on integrated software and third-party apps for data collection. As Texas AG’s Office demonstrates through this enforcement action, companies must not only secure consumer consent but also provide an accessible privacy notice that clearly informs consumers about their rights—an essential step in safeguarding sensitive data and ensuring compliance with the Texas broker law and related statutes.

Operationalizing Compliance with Data Privacy Laws

In today’s data-driven landscape, operationalizing compliance with data privacy laws is more critical than ever. Companies must embed privacy into every facet of their operations, from the initial design of mobile apps to the development of robust software development kits that ensure all data collection practices are secure and transparent. Achieving compliance under the TDPSA means integrating privacy by design into system architectures, thereby allowing businesses to proactively manage sensitive personal data and uphold consumer consent standards. For instance, when installing Allstate’s tracking software or similar integrated software on mobile devices and in-car devices, companies are now required to explicitly inform consumers about the nature of the data being collected—be it behavioral data, precise geolocation information, or accelerometer data—and to secure explicit consent prior to any data processing.

Furthermore, implementing robust data privacy management solutions can help companies navigate the complex regulatory landscape. These solutions are designed to streamline the process of informing consumers, tracking data collection practices, and ensuring that any sensitive data processed is done so with informed consent. A clear and accessible privacy notice is not just a regulatory requirement—it is a vital tool for fostering consumer trust. Businesses must ensure that all collected data, whether related to driving data, mobile app usage, or even data broker activities, is handled in a manner that is both secure and transparent. By operationalizing these practices, companies can avoid the pitfalls of non-compliance and demonstrate to regulators, including the Texas Attorney General’s Office and Texas AG Ken Paxton, that they are committed to protecting personal data and upholding the integrity of the state’s comprehensive data privacy law.

The Future of Data Privacy Enforcement in Texas

The lawsuit against Allstate and Arity is more than an isolated enforcement action—it is a harbinger of what the future holds for data privacy enforcement in Texas. As state regulators, including the Texas Attorney General’s Office and Texas AG’s Office, continue to focus on holding companies accountable, businesses across various industries must prepare for a landscape where data privacy and security are paramount. This case is likely to serve as a catalyst for further investigations and enforcement actions, especially concerning mobile apps, third-party apps, and integrated software that process sensitive personal data without sufficient consumer consent. Moreover, it could set the stage for additional lawsuits involving car manufacturers, data brokers, and companies that sell data without providing consumers with accessible privacy notices.

Looking forward, Texas is poised to lead the charge in reinforcing robust data privacy and security standards, with potential implications that extend far beyond state lines. As companies strive to operationalize compliance with the TDPSA, they will need to invest in advanced privacy management tools and cultivate a culture of transparency regarding data collection practices. The outcome of this lawsuit could influence future amendments to the Texas Insurance Code and Texas Data Broker Law and even prompt comparisons with regulatory frameworks like the California Privacy Protection Agency. Ultimately, this evolving enforcement environment will require companies to balance innovation with accountability, ensuring that the collection, processing, and selling of personal data is conducted with explicit consent and in full compliance with the state’s rigorous standards. This new era of enforcement is set to transform how consumer data is handled, emphasizing that companies must not only comply with the letter of the law but also embrace its spirit to inform consumers and protect sensitive information effectively.

Conclusion

The landmark lawsuit filed by the Texas Attorney General’s Office against Allstate and Arity marks a pivotal moment in the evolution of data privacy enforcement in Texas. By targeting deceptive practices in data collection and processing sensitive personal data without proper consent, the state is sending a clear message: companies must adhere to comprehensive data privacy laws and be held accountable for every piece of consumer data they collect, process, or sell. This case, rooted in the mandates of the Texas Data Privacy and Security Act, underscores the importance of informed consent, clear privacy notices, and robust data management practices in an era when personal data is more valuable—and more vulnerable—than ever before.

As Texas continues to lead the charge in enforcing state data privacy law, businesses must re-examine their data practices to ensure compliance with both the TDPSA and emerging regulations like the Texas Data Broker Law. Whether it involves mobile apps, third-party apps, or integrated software solutions, the emphasis is on transparency, accountability, and the protection of sensitive personal data. With a future that promises even stricter enforcement and more detailed scrutiny of data practices—including the processing of driving data, behavioral data, and accelerometer data—companies must invest in privacy by design and prioritize consumer consent to avoid costly litigation and reputational damage. The evolving landscape of data privacy and security, now under the watchful eye of Texas AG Ken Paxton and his office, represents a new frontier where protecting the rights of 45 million Americans is paramount.

In summary, the state’s bold enforcement action serves as a wake-up call for all companies that handle consumer data. It is a call to embed privacy into every stage of the data lifecycle—from the initial collection and processing of sensitive information to the eventual sale or transfer of personal data. By adopting robust, transparent, and consumer-focused data practices, companies can not only avoid the pitfalls of non-compliance but also build long-lasting trust with their users. As Texas sets the tone for data privacy enforcement in 2025 and beyond, the message is clear: in this new era, there is no excuse for neglecting the fundamental rights of consumers, and any attempt to sidestep the requirements of the state’s comprehensive data privacy law will face relentless scrutiny from regulators and the courts alike.