Unpacking the Texas AG action against AllState

Texas AG Ken Paxton’s complaint against Allstate and its data subsidiary Arity marks a meaningful escalation in state privacy enforcement. The case centers on connected vehicle data — location and driving behavior collected via apps installed on consumers’ phones — being sold to insurers and used to raise premiums, deny coverage, and drop consumers at renewal. What makes this case stand out from earlier enforcement actions is the directness of the harm: unlike technical violations with abstract consumer impact, the Allstate complaint names a concrete financial consequence that any consumer can immediately understand. That shift in how harm is framed is likely to influence both how regulators prioritize cases and how juries and courts assess damages. The underlying legal theory connects privacy law back to its consumer protection roots: are disclosures about how data is used accurate and complete? Data collection marketed as potentially lowering premiums for safe drivers must also disclose that the same data can be used against consumers — increasing premiums or denying coverage. Privacy laws have codified that uses of data with significant consumer impact are material, and disclosing only the upside may be legally insufficient. Companies don’t need to enumerate every possible outcome in exhaustive detail, but the description of how data drives decisions must be honest enough that a reasonable consumer understands what they are agreeing to — not just the attractive framing. The Allstate action carries lessons for any sector that uses data to make consequential decisions about consumers. Enforcement is expanding in both volume and breadth: more inquiry letters, more notices of violation, and more states pursuing companies outside traditional big tech. The insurance sector, historically more accustomed to TCPA and marketing compliance scrutiny than privacy enforcement, faces new attention from state AGs armed with comprehensive privacy statutes. Retail and other data-intensive sectors should take note — enforcement is increasingly sector-agnostic, and the scrutiny of how data practices are disclosed to consumers is intensifying across the board.

**Colleen:** Lisa, how are you? Good to see you. **Alysa:** Hey. Last year, those sort of themes were popping up. One of those themes was automotive data. And just very recently, we saw the Texas AG with their complaint against Allstate and a third party data broker. Can you unpack that for us a little bit? **Colleen:** Sure. So we know that this has been a focus for Texas AG just in terms of being very active on the privacy enforcement bent. And so start off 2025 with a bang on really looking at the IoT context. I'll say whether it's connected cars or other types of online based technology, what data is being shared and what data is being sold, and whether that data is being used to make impactful decisions — legally significant or similarly significant decisions as to consumers. And is that disclosed? Are consumers aware? Do consumers have a choice around that? And in the insurance context with premiums, the argument is that that's actually pretty significant for consumers. And did Allstate or similarly situated companies, are they disclosing those data sale practices in a way that these new state laws require them to do? **Alysa:** What was fascinating to me was the outward facing marketing for this. Generally, an insurer would say, hey. We would collect this data because your premiums might go down, right, based on safe driving and all that kind of stuff. But what was specifically outlined in the complaint was like, well, this data was used to raise premiums, to deny coverage, to drop individuals seeking to renew their insurance coverage. Does that need to be disclosed in a privacy notice? The consequences of this data collection could be that your premium goes up. Do you see what I mean? Is that material disclosure? **Colleen:** Yeah. Right. I might simplify it. Privacy law started with consumer protection law, which is, are you disclosing material information accurately to consumers? What these privacy laws have done is that certain information is material. Right? Using data for purposes that may have a significant impact on a consumer, that is material. And so how you disclose that purpose needs to be accurate. If you only disclose the upside, I think there are real arguments that you've not sufficiently disclosed what the purpose is, and we are seeing Texas and other states really look line by line in these privacy notices. Are they truthful? Are they easy to understand by consumers? And the more important, the more impactful to the consumers, I think the more scrutiny you're gonna get on how you presented that purpose. And this is one of those examples. There's no benevolent dictator type defense. Right? You can talk about the good things, but if you are also using data to make things that could have potential downsides for the consumer, that needs to be thought through. It doesn't necessarily mean you need to, in a very granular way, say, here are the good things. Here are the bad things. But it might go to how you describe that purpose in the first instance in terms of how you use data to make certain types of decisions. **Alysa:** Fascinating. Right? Not to play it out too far, but for example, if you didn't wanna go detailed with the benefits and the detriment, you know, will companies just start to say, we will use this to determine premiums and not say it was good or bad. And I wonder if that's enough, if there are obvious detriments when you get into the detail. It's an interesting question. **Colleen:** It it is. We're always balancing don't have a forty five page privacy notice. Try to use pithy, concise, direct language. So can you do that in a way that really does communicate the most important things such that reasonable consumers can understand? We also have kind of the privacy police. That's not necessarily the regulators, but the media who are looking at these new disclosures and raising questions. And companies from a brand perspective are having to answer for how they use data in a way. What's interesting about this is that it was so easy to say, well, you'd be forgiven for thinking, oh, it's always Google and Facebook that's in trouble with regulators. They're never gonna go after a business that we know about. And here it is. It's Allstate. Right? It's a brand that everybody knows. And I wonder if there's more to come. And I wonder if there's other segments. Like, I think retail might be a place that folks look at next. **Alysa:** Not to interrupt, but — yeah. I think absolutely. I mean, if you've heard anything, what we have been saying is there is significantly more enforcement happening. There's more inquiry letters. There's more notice of violation letters across a number of states, and they are not just going after big tech. They're going after all different types of sectors. It's one of the first ones I've seen where it's directly talking about detriment to the consumer. Like, this could raise a premium. Like, the Sephora thing — you do all these conferences last year, and people would talk about Sephora. And someone in the audience would always say, yeah. But they didn't sell any less lipstick because of that enforcement. No one really cared. But this is different. Now we can see outlined in the complaint, your premiums are going up, coverage is being denied. You could have opted out. They could have disclosed better. It just feels like a whole different game. Right. Well, there's more to be there. That how the data is used, are those consequences in such a way that consumers — it's not abstract. It's not about whether they're gonna be tracked for advertising. It's whether they're gonna pay more, or be denied coverage. And I will just say the insurance sector has long been a focus and has been concerned about marketing, TCPA. Right? Texting. That's been where they've felt a decent amount of heat in the past. But they're not a focus of the FTC because of jurisdictional issues. They tend to be regulated much more by the state insurance bodies within each state who are not super active on the advertising and privacy standpoint. They might have those baked into those insurance rules. And I think what we've seen from the state AGs and the privacy laws is taking another pretty close look at the insurance sector in all different types of their data practices. So I think there's a broader lesson and point of reflection for that sector on this front. **Colleen:** Yeah. Gotcha. Alyssa, thanks as always. Good to talk with you.