It begins: Texas enforces new privacy law over driver behavior database
Posted: January 16, 2025
The Texas Attorney General (AG) has brought a lawsuit against insurance company Allstate and its subsidiaries under the Texas Data Privacy and Security Act (TDPSA).
The case relates to the “world’s largest driving behavior database”, which Allstate allegedly populated with data obtained from people’s mobile phones.
Here’s a look at what businesses can learn from the Texas AG’s first TDPSA enforcement case.
What is the Texas Data Privacy and Security Act (TDPSA)?
The TDPSA is one of the “comprehensive privacy laws” enacted across over 20 states in the past few years.
The Texas AG determined that Allstate and some of its subsidiaries, including Arity, were “controllers” under the TDPSA because they conduct business in Texas and “determine the purposes and means of the processing of personal data”.
Like most other comprehensive privacy laws, the TDPSA requires controllers to:
- Obtain consent before processing sensitive data
- Enable consumers to opt out of the sale of their personal data, targeted advertising, and certain forms of profiling
- Publish a privacy notice explaining how they collect, use, and sell personal data
The TDPSA is among the strictest comprehensive privacy laws, and it’s the first to see enforcement after the California Consumer Privacy Act (CCPA).
What happened with Allstate?
Part of Allstate’s business model is to collect personal data via a Software Development Kit (SDK) developed by its subsidiary, Arity, which is integrated into various third-party apps.
The SDK can detect whether a person is in a vehicle, and allegedly collects data about their journey and inferred driving habits (acceleration, speed, braking, etc.). This data was used to populate Allstate’s driver behavior database.
The Texas AG also suggests that the SDK would record data about journeys during which the consumer was a passenger, rather than the driver, such as when travelling in a friend’s car, a taxi, or a bus.
The driver database also included data purchased from third-party car manufacturers, who would collect data directly from software installed in their cars.
The AG says insurance companies purchased access to Allstate’s database as part of their risk assessment and screening process. This reportedly affected the terms, prices, and availability of individual consumers’ insurance.
How to avoid TDPSA violations
Now, let’s consider some of the lessons learned from the Texas AG’s first enforcement case under the TDPSA:
Publish a privacy notice
As noted, the TDPSA requires controllers to publish a privacy notice detailing, among other things, the types of personal data and sensitive personal data they collect.
Although Arity published privacy disclosures on its website, the Texas AG alleges that consumers were “wholly unaware” that their sensitive data was being collected via the Arity SDK, in part because Arity failed to publish a TDPSA-compliant privacy notice.
Obtain consent for processing sensitive data
As noted, the TDPSA requires controllers to obtain consent for the processing of sensitive data.
The TDPSA defines “consent” as a “clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement to process personal data relating to the consumer.”
“Processing” means an “operation or set of operations performed, whether by manual or automated means, on personal data or on sets of personal data such as the collection, use, storage, disclosure, analysis, deletion, or modification of personal data.”
“Sensitive data” includes precise geolocation data within a radius of 1,750 feet.
The Arity SDK was integrated into various third-party apps. Those apps would request permission to access the user’s location for the purposes of providing location-based services, such as displaying data about the user’s fuel economy.
However, the Texas AG alleges that consumers did not consent to the other ways in which their precise geolocation data was processed, i.e., for insurance purposes.
Provide the necessary disclaimers
One unique provision of Texas’ comprehensive privacy law is a requirement for certain controllers to include disclaimers in their privacy notices.
If a controller sells sensitive data, the TDPSA states that the controller must include the following disclaimer in its privacy notice: “NOTICE: We may sell your sensitive personal data”.
The AG determined that the defendants were selling sensitive data and did not have a TDPSA-compliant privacy notice. As such, they allegedly failed to publish the required disclaimers.
Enable consumers to opt out
The TDPSA offers consumers a range of rights over their personal data, including the right to opt out of the sale of their personal data, targeted advertising, and profiling affecting their access to goods and services.
The AG identified some of the defendants’ activities as constituting the sale of personal data and the enablement of targeted advertising and profiling. They were found not to have set up a mechanism for consumers to exercise their rights, as controllers are obliged to do under the TDPSA.
What happens next?
The Texas AG has asked the court to take the following actions against the defendants:
- Impose civil penalties of up to $7,500 per violation (plus up to $10,000 per violation of two other Texas laws)
- Issue injunctions requiring the deletion of any unlawfully collected data and prohibiting further alleged TDPSA violations
Because a “violation” of the TDPSA could occur each time a controller collects sensitive data from a Texas consumer without consent, these civil penalties could add up to some very large sums.
The case also suggests that the Texas AG will be proactive in its enforcement of the TDPSA. Lawsuits in other states with comprehensive privacy laws may follow soon.
Read our research report: Smart cars, smarter consent
Our latest research provides:
- Insights into consumer attitudes toward data privacy in connected cars
- Emphasis on anonymization and transparency in automotive data practices
- Exploration of the types and extent of data collected by smart vehicles
- Relevance of granular consent options in influencing consumer choices
- The overall demand for greater transparency within the auto industry regarding data practices