Alston & Bird Privacy, Cyber & Data Strategy Blog

Texas AG Files Complaint Against Major Insurance Company Regarding Data Practices

By , and

The Texas Office of the Attorney General recently has become increasingly interested in the practices of organizations who collect and utilize consumer data. On January 13, 2025, the Attorney General of Texas, Ken Paxton, (the “Texas AG”) filed a complaint (the “Complaint”) against a large insurance entity and its subsidiary company (“Defendants”). The Complaint outlines alleged violations of the Texas Data Privacy and Security Act, Tex. Bus. & Com. Code §§ 541.001 et seq. (“TDPSA”), Tex. Bus. & Com. Code §§ 509.001 et seq. (“Data Broker Law”), and Tex. Ins. Code §§ 541.001 et seq. (“Texas Insurance Code”).

The Complaint alleges that the Defendants “amassed the data of least 45 million Americans . . . ” without proper consumer consent. The Texas AG claims the Defendants gathered sensitive data such as a consumer’s geolocation and similar data monitoring details such as the phone’s altitude, longitude, latitude, bearing, GPS time, speed, and accuracy.

The Texas AG specifically alleged that Defendants:

  • Integrated software into third-party applications. When a consumer downloaded the third-party application onto their phone, the consumer unknowingly also downloaded the Defendants’ software. This software allowed the Defendant to monitor a consumer’s location and movement in real-time.
  • Marketed and sold the data obtained through third-party apps as “driving” data reflecting consumers’ driving habits.
  • Sold access to their database to other insurers as well as used the data for their own insurance underwriting.

The Texas AG emphasized throughout the Complaint the lack of consent from consumers. Further, the Complaint underscores that consumers were allegedly not informed about their data collection practices, never obtained consent to conduct such practices, and “never informed consumers about the myriad of ways Defendants would analyze, use, and monetize their sensitive data.”

The Texas AG is requesting:

  • multiple monetary civil penalties, and further directing Defendants to
  • delete or otherwise destroy all data obtained prior to the entry of judgement, including any data in the possession of any third party. The AG is also seeking full restitution or restoration to all consumers who allegedly suffered a loss.

This action underscores companies verifying data collection practices to align with applicable law, including verifying they are obtaining proper consent for the collection, maintenance, and sale of their personal and sensitive data.

LinkedIn
Jennifer Everett

About Jennifer Everett

Jennifer Everett focuses on regulatory compliance, enforcement, and transactions in data privacy, cybersecurity, health care, and emerging technologies. Jennifer offers strategic guidance to public and private companies across several sectors, including life sciences and health technology, when navigating state, federal, and international privacy regulations.

[Read Bio]

Avatar photo

About Kate Hanniford

Kate Hanniford is a partner with Alston & Bird’s Privacy, Cyber & Data Strategy Team. . She focuses her practice on cybersecurity counseling, as well as federal securities law compliance, enforcement, and litigation.

[Read Bio]

Avatar photo

About Carson Kuck

Carson draws on his experience supporting federal and state offices to help clients find solutions to their cybersecurity and data privacy matters.

[Read Bio]

Share to...
BufferCopyFlipboardHacker NewsLineLinkedInMessengerMixPinterestPocketPrintRedditSMSTelegramTumblrVKWhatsAppXingYummly