Lawsuits target use of driver data by insurers, automakers

Several recent lawsuits allege driver data from embedded auto technology and mobile phone apps that track driving habits is being used unethically and illegally, including being shared with consumer reporting agencies that use the data for credit scoring, underwriting, marketing, and other purposes.

These cases, and several others, exemplify the growing importance of consumer rights to privacy and ethical data use by insurers and automakers, as technology becomes a key tool for underwriting and risk management. Many drivers are aware of the technology that tracks their driving habits as a means to obtain discounts on their auto insurance premiums.

FTC, GM settle case

In one case that was settled recently, the Federal Trade Commission said General Motors and its subsidiary, OnStar, violated consumer privacy laws by sharing sensitive geolocation and driver behavior data without obtaining the consent of drivers. OnStar provides connected vehicle services, such as roadside assistance, navigation, and vehicle diagnostics. These services involve collecting geolocation data and driver behavior data, such as driving speed, braking patterns, and more.

The FTC said GM and OnStar violated privacy rights by not receiving consent from drivers that their information would be shared with third-party companies. In the settlement, GM and OnStar agreed to a five-year prohibition on disclosing geolocation and driver behavior data to consumer reporting agencies. The settlement might signal the FTC’s increasing scrutiny of companies collecting and sharing sensitive data through the use of connected technology.

Allstate accused of misusing data

Meanwhile, in Texas, Allstate is accused of unlawfully accessing and misusing personal driving data from millions of policyholders through software embedded in third-party apps. In a lawsuit filed recently, the state’s Attorney General Ken Paxton said the data was used without proper disclosure or consent to adjust premiums, deny claims, or even cancel insurance policies. He said Allstate embedded tracking software into third-party apps unrelated to its own operations.

Allstate was also hit this week with a proposed class action for allegedly violating California and federal wiretapping and privacy laws related to data collection practices. The complaint, filed Tuesday in the US District Court in the Northern District of Illinois, said the company conspired to secretly collect and sell “trillions of miles” of consumers’  “driving behavior” data from mobile devices, in-car devices, and vehicles to illicitly obtain data to build the “world’s largest driving behavior database,” housing the driving behavior of over  45 million Americans. The suit said Allstate created the database to support its car insurance business and profit from selling the information to third parties including other car insurance companies.

The suit names Allstate’s subsidiaries and Arity LLC, a mobility data and analytics company founded by Allstate.

Allstate defends its practices

In a statement to InsuranceNewsNet, Allstate defended its practices and the use of its tracking application, called Arity.

“Arity helps consumers get the most accurate auto insurance price after they consent in a simple and transparent way that fully complies with all laws and regulations,” the company said.

The cases highlight the growing tension between the insurance industry’s use of technology (such as telematics or app-based data collection) and consumers’ rights to privacy and transparency. Insurers increasingly rely on driving data to personalize policies, and that is unlikely to change. But oversight and regulation might increase.

The Illinois suit, filed by a California customer of Allstate, claims the company paid app
developers “millions of dollars to integrate Defendants’ software into their apps” and “further incentivized developer participation by creating generous bonus incentives for increasing the size of their dataset.”

The apps currently allow Allstate to capture data every 15 seconds or less from 40 million active mobile connections, the suit says.

“Because  Defendants did not disclose their conduct, consumers were wholly unaware that Defendants were collecting the Arity SDK Data from their phone or that Defendants would use the Arity SDK Data to create and sell several different products and services to third parties, including Insurers,” the lawsuit states. “Defendants  did  not  provide consumers with any sort  of notice of  their  data and privacy  practices,  nor  did  the  mobile  apps  notify  consumers  about  Defendants’  practices  on Defendants’  behalf.”

Along with the lawsuits, regulators, particularly in the U.S. and the European Union, have been increasingly active in overseeing data privacy in the automotive and insurance industries. Laws like the EU’s General Data Protection Regulation and the California Consumer Privacy Act are now being applied to driving data. Cases involving hacking or breaches of connected vehicle systems have exposed personal driving data, leading to several lawsuits against companies for failing to implement adequate data security measures.

© Entire contents copyright 2025 by InsuranceNewsNet.com Inc. All rights reserved. No part of this article may be reprinted without the expressed written consent from InsuranceNewsNet.com.

Doug Bailey is a journalist and freelance writer who lives outside of Boston. He can be reached at [email protected].