Remember when I said that if a product is free, you’re probably the actual product?[1] The Texas Attorney General just launched a lawsuit showing how that works in practice.
In a groundbreaking lawsuit filed January 13th, Texas is taking Allstate and its subsidiary Arity to task for allegedly building “the world’s largest driving behavior database” by secretly collecting data from over 45 million Americans.[2] The kicker? They did it through popular apps like GasBuddy and Life360,[3] using permissions granted for one purpose to collect data for something entirely different — including raising the insurance rates of app users.
The Technical Shell Game
Here’s how it worked: You downloaded some app like GasBuddy because you wanted to find cheaper gas. Naturally, you gave it permission to use your location – after all, it needs to know where you are to show you nearby gas stations. What you didn’t know was that embedded in that app was Arity’s SDK, silently collecting:
- Your exact location (down to latitude, longitude, and altitude)
- How fast you were moving
- Your acceleration patterns
- The tilt and orientation of your phone
- When and where your trips started and ended[4]
All this data was being collected at least every 15 seconds, according to the court filing.[5] That’s not a typo. Every. Fifteen. Seconds.
From Data Points to Dollar Signs
But collecting the data was just the start. According to the lawsuit, Arity took this movement data and combined it with personal information licensed from the app publishers:
- Names
- Phone numbers
- Addresses
- Device IDs
- Mobile advertising IDs[6]
The result? A detailed profile of your movements and behaviors that could be – and allegedly was – sold to insurance companies for use in underwriting decisions.[7]
The Technical Accuracy Problem
Arity was marketing this as “driving behavior data.”[8] There’s just one small problem – your phone has no idea if you’re driving, riding as a passenger, taking the bus, or even riding a roller coaster. And yes, that last example comes straight from a real case where someone’s “driving score” was potentially dinged because they were on a roller coaster.[9]
Think about that for a moment. Insurance decisions are potentially being made based on data that can’t actually tell who’s driving or even if anyone’s driving at all.
The Privacy Problem
This case highlights everything wrong with current privacy implementations:
- Hidden Collection: The SDK’s presence wasn’t disclosed to most app users in any meaningful way.[10]
- Permission Abuse: Location permission granted for finding gas stations was used for continuous tracking.
- No Control: Users had no way to opt out or delete their data.[11]
- Deceptive Marketing: Movement data was sold as “driving behavior” despite its obvious limitations.
Why This Matters Right Now
This isn’t just another privacy lawsuit. It’s the first major enforcement action under Texas’s new Data Privacy and Security Act, and it’s challenging practices that are unfortunately common across the mobile app ecosystem.
The implications go far beyond just these apps or even just location data. This case questions the entire practice of hiding SDKs in apps and using permissions granted for one purpose to collect data for completely different purposes.
The Technical Debt Comes Due
For years, many companies have treated privacy as a checkbox exercise – something to deal with through clever legal language rather than actual technical controls. This case suggests that approach’s expiration date has arrived.
The technical failings here aren’t subtle:
- No disclosure of the SDK’s presence or purpose
- No mechanism for users to consent to or opt out of data collection
- No way for users to request the deletion of their data
- No controls on how the collected data could be used or shared
Each of these represents privacy debt that’s now coming due with potential penalties of up to $7,500 per violation under the Texas law.
Making It Real
For those who are building and maintaining systems that handle personal data, this case offers several important lessons:
- Transparency Isn’t Optional: If you’re collecting data, you need to be clear about what you’re collecting and why. Hidden SDKs and undisclosed data collection are technical debt that will eventually come due.
- Permission Isn’t Consent: Having technical access to data doesn’t mean you have permission to use it for any purpose you want. Your privacy statement needs to match your actual practices, not just provide legal cover.
- Technical Accuracy Matters: If you’re making claims about what your data shows, those claims need to be technically sound and accurately represented. You can’t claim to be collecting “driving behavior” data if you can’t actually tell who’s driving.
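The four failings listed under “The Technical Debt Comes Due” and the “Permission Isn’t Consent” lesson above, turned into enforceable controls. This is an added example, not code from the lawsuit, from Arity, or from any app named here; the purpose names, the ConsentLedger class and the sample location fix are hypothetical.

```python
from dataclasses import dataclass, field
# Hypothetical purposes an app names in its privacy notice (assumption, not from the petition).
DISCLOSED = {"nearby_stations", "driving_analytics"}

class ConsentError(Exception):
    """Raised when consent is requested for a purpose the user was never told about."""

@dataclass
class ConsentLedger:
    grants: dict = field(default_factory=dict)   # user -> purposes consented to
    records: list = field(default_factory=list)  # (user, purpose, payload)
    audit: list = field(default_factory=list)    # every decision, allowed or not

    def grant(self, user, purpose):
        if purpose not in DISCLOSED:             # control 1: disclosure comes first
            raise ConsentError(purpose)
        self.grants.setdefault(user, set()).add(purpose)

    def revoke(self, user, purpose):             # control 2: opt-out
        self.grants.get(user, set()).discard(purpose)

    def _allowed(self, user, purpose, action):
        ok = purpose in self.grants.get(user, set())
        self.audit.append((action, user, purpose, ok))
        return ok

    def collect(self, user, purpose, payload):
        if not self._allowed(user, purpose, "collect"):
            return False                         # OS location permission alone is not enough
        self.records.append((user, purpose, payload))
        return True

    def export(self, user, purpose):             # control 4: limits on use and sharing
        if not self._allowed(user, purpose, "export"):
            return []
        return [p for u, pu, p in self.records if u == user and pu == purpose]

    def delete_user(self, user):                 # control 3: deletion on request
        removed = sum(1 for r in self.records if r[0] == user)
        self.records = [r for r in self.records if r[0] != user]
        self.grants.pop(user, None)
        return removed

def demo():
    ledger, fix = ConsentLedger(), {"lat": 30.2672, "lon": -97.7431}  # constructed sample fix
    ledger.grant("u1", "nearby_stations")
    return {"stations": ledger.collect("u1", "nearby_stations", fix),
            "analytics": ledger.collect("u1", "driving_analytics", fix),
            "insurer_export": ledger.export("u1", "driving_analytics"),
            "deleted": ledger.delete_user("u1")}
```

The same location fix is accepted for the purpose the user agreed to and refused for the one they did not, and every refusal lands in the audit list for later review.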
Looking Forward
This case isn’t just about what happened in the past – it’s about what’s happening right now in countless apps on millions of phones. The Texas Attorney General’s office alleges that Arity has collected driving behavior data from “40 million active mobile connections” with data captured “every 15 seconds or less.”
For developers and privacy professionals, the message is clear: the era of collecting first and asking questions later is ending. We need to build systems that respect privacy by design and default, with clear disclosure, genuine consent, and robust user controls.
The technical debt of privacy shortcuts eventually comes due. The question is whether we’ll learn from cases like this and start building better systems now, or wait until more lawsuits force our hand.
Note: This analysis is based on allegations in legal filings and should not be construed as legal advice. For specific guidance on your privacy implementation, consult qualified legal counsel.
Footnotes
1. Understanding Spam Folders | Arcana Podcast, (2024), https://www.youtube.com/watch?v=m0gTzP6Eiio (last visited Jan 15, 2025).
2. Attorney General Ken Paxton Sues Allstate and Arity for Unlawfully Collecting, Using, and Selling Over 45 Million Americans’ Driving Data to Insurance Companies | Office of the Attorney General, (2025), https://www.texasattorneygeneral.gov/news/releases/attorney-general-ken-paxton-sues-allstate-and-arity-unlawfully-collecting-using-and-selling-over-45 (last visited Jan 15, 2025).
3. Texas v. Allstate Ins. Co., Original Petition at ¶ 34.
4. Id. at ¶ 3.
5. Id. at ¶ 4.
6. Id. at ¶ 83.
7. Jonathan Stempel, Texas Sues Allstate for Collecting Driver Data without Consent, Reuters, Jan. 13, 2025, https://www.reuters.com/technology/texas-sues-allstate-over-data-collection-cellphones-2025-01-13/ (last visited Jan 15, 2025).
8. Petition, at ¶ 89.
9. Chad Murphy, Sir, This Is a Roller Coaster. Car Insurance Dings Driving Score for Man Riding The Beast, The Enquirer, https://www.cincinnati.com/story/entertainment/2024/10/08/insurance-cuts-driving-score-man-riding-the-beast-kings-island/75554987007/ (last visited Jan 15, 2025).
10. Suzanne Smalley, Texas Sues Allstate, Alleging It Violated Data Privacy Rights of 45 Million Americans, The Record, https://therecord.media/texas-sues-allstate-data-privacy-cars (last visited Jan 15, 2025).
11. Petition, at ¶¶ 76-80.