Texas Attorney General Ken Paxton is suing Allstate, accusing the company of “unlawfully collecting, using, and selling” driving data on more than 45 million Americans.

Allstate is one of the biggest automotive insurance companies in the US. Unfortunately, according to a press release, Allstate paid app developers to include tracking software in popular apps, such as Life360, so the company could track users’ driving habits and raise rates accordingly.

Allstate, through its subsidiary data analytics company Arity, would pay app developers to incorporate its software to track consumers’ driving data. Allstate collected trillions of miles worth of location data from over 45 million consumers nationwide and used the data to create the “world’s largest driving behavior database.” When a consumer requested a quote or renewed their coverage, Allstate and other insurers would use that consumer’s data to justify increasing their car insurance premium.

“Our investigation revealed that Allstate and Arity paid mobile apps millions of dollars to install Allstate’s tracking software,” said Attorney General Paxton. “The personal data of millions of Americans was sold to insurance companies without their knowledge or consent in violation of the law. Texans deserve better and we will hold all these companies accountable.”

Allstate’s Data Collection

The lawsuit goes on to accuse Allstate of building the “world’s largest driving behavior database.” The lawsuit also provides important details on exactly how Allstate achieved this.

Defendants, a series of companies owned by insurance giant, Defendant The Allstate Corporation, conspired to secretly collect and sell “trillions of miles” of consumers’ “driving behavior” data from mobile devices, in-car devices, and vehicles. Defendants used the illicitly obtained data to build the “world’s largest driving behavior database,” housing the driving behavior of over 45 million Americans. Defendants created the database for two main purposes: (1) to support Allstate Defendants’ car insurance business and (2) profit from selling the driving behavior data to third parties, including other car insurance carriers (“Insurers”). Millions of Americans, including Texans, were never informed about, nor consented to, Defendants’ continuous collection and sale of their data.

Defendants covertly collected much of their “trillions of miles” of data by maintaining active connections with consumers’ mobile devices and harvesting the data directly from their phone. Defendants developed and integrated software into third-party apps so that when a consumer downloaded the third-party app onto their phone, they also unwittingly downloaded Defendants’ software. Once Defendants’ software was downloaded onto a consumer’s device, Defendants could monitor the consumer’s location and movement in real-time.

Through the software integrated into the third-party apps, Defendants directly pulled a litany of valuable data directly from consumers’ mobile phones. The data included a phone’s geolocation data, accelerometer data, magnetometer data, and gyroscopic data, which monitors details such as the phone’s altitude, longitude, latitude, bearing, GPS time, speed, and accuracy.

How Allstate Monetized the Data

The only thing more disturbing than the quantity of data Allstate collected was how they collected it and what they did with the data.

To encourage developers to adopt Defendants’ software, Defendants paid app developers millions of dollars to integrate Defendants’ software into their apps. Defendants further incentivized developer participation by creating generous bonus incentives for increasing the size of their dataset. According to Defendants, the apps integrated with their software currently allow them to “capture[] [data] every 15 seconds or less” from “40 [million] active mobile connections.”

Once collected, Defendants found several ways to monetize the ill-gotten data, including by selling access to Defendants’ driving behavior database to other Insurers and using the data for Allstate Defendants’ own insurance underwriting. If a consumer requested a car insurance quote or had to renew their coverage, Insurers would access that consumer’s driving behavior in Defendants’ database. Insurers then used that consumer’s data to justify increasing their car insurance premiums, denying them coverage, or dropping them from coverage.

Defendants marketed and sold the data obtained through third-party apps as “driving” data reflecting consumers’ driving habits, despite the data being collected from and about the location of a person’s phone. More recently, however, Defendants have begun purchasing data about vehicles’ operation directly from car manufacturers. Defendants ostensibly did this to better account for their inability to distinguish whether a person was actually driving based on the location and movements of their phone. The manufacturersthat Defendants purchased data from included Toyota, Lexus, Mazda, Chrysler, Dodge, Fiat, Jeep, Maserati, and Ram. Allstate Defendants have used this data for their own insurance underwriting purposes.

Worst of all, customers had no idea they were being tracked, and no way of opting out.

Consumers did not consent to, nor were aware of Defendants’ collection and sale of immeasurable amounts of their sensitive data. Pursuant to their agreements with app developers, Defendants had varying levels of control over the privacy disclosures and consent language that app developers presented and obtained from consumers. However, Defendants never informed consumers about their extensive data collection, nor did Defendants obtain consumers’ consent to engage in such data collection. Finally, Defendants never informed consumers about the myriad of ways Defendants would analyze, use, and monetize their sensitive data.

Disturbing Allegations Underscore a Larger Issue

The allegations against Allstate are disturbing on multiple levels. The fact that a company collected an incredible amount of sensitive data from millions of customers without their knowledge is unconscionable. The fact that Allstate paid other app developers in order to collect data from their apps and then sold the data to third parties makes it even worse.

Unfortunately, despicable as its actions may be, Allstate serves as an example of a growing trend in multiple industries: collecting and monetizing data from paying customers.

When a company provides a service for free, it is completely understandable for that company to profit off of its customers’ data. That’s the trade-off for using a free service.

On the other hand, when a company is charging its customers for the service it provides, those customers have every reason to demand the company respect their privacy, not Hoover their data and sell it to third parties. After all, the company is already charging the customer—it is being paid in full for the service it provides. As a result, the customer’s data should be off-limits unless the customer gives their explicit permission.

If the allegations prove true, Allstate’s behavior is a despicable breach of trust, one they will hopefully pay dearly for at the hands of AG Paxton.