Hi CIPAWorld!
Judge Jeremy C. Daniel in the Northern District of Illinois recently issued a ruling in a consolidated class action against Allstate and its technology subsidiary, Arity. In re ALLSTATE & ARITY consumer privacy litigation, No. 25 CV 407, 2026 WL 594708 (N.D. Ill. Mar. 3, 2026). The plaintiffs allege the companies paid third party app developers to embed a software development kit (“SDK”) into applications like Drivewise, Life360, and Fuel Rewards to monitor phone location, speed, and usage. This data was allegedly used to score driving behavior and adjust auto insurance premiums. The court granted the defendants’ motion to dismiss in part and denied it in part, allowing the wiretapping, credit reporting, consumer protection, and privacy tort claims to proceed while dismissing computer hacking claims.
The plaintiffs sued under the Federal Wiretap Act, 18 U.S.C. § 2510 et seq., which imposes liability for the unauthorized interception of electronic communications. The complaint alleges “intercepted, in real time, contemporaneously, and as it was transmitted, the contents of electronic communications transmitted within and from [the p]laintiffs’ mobile devices, and diverted those communications to themselves without consent.” In their motion to dismiss, Allstate and Arity argued the interceptions were lawful under 18 U.S.C. § 2511(2)(d)’s “party exception,” which permits interception “where one of the parties to the communication has given prior consent to such interception.” The defendants claimed the third party applications consented to the interception by integrating the software code. The court agreed that the applications consented, but the plaintiffs successfully invoked the statute’s “crime/tort exemption.” This exemption nullifies the party consent defense if the interception is conducted for the purpose of committing an independent criminal or tortious act. The court ruled that because the plaintiffs plausibly alleged the data was intercepted to commit separate Fair Credit Reporting Act (“FCRA”) violations, the federal wiretap claims, along with analogous state wiretap claims, survived dismissal.
The plaintiffs also brought a claim under California’s pen register statute, Cal. Penal Code § 638.51, which restricts the use of devices that record outgoing routing data. The defendants’ sole argument for dismissing this count was that the plaintiffs consented to the collection. The court denied the motion to dismiss this claim, ruling that the factual disputes surrounding whether the apps’ terms of service provided adequate notice of the data collection could not be resolved at the pleading stage.
The FCRA, 15 U.S.C. § 1681 et seq., claims target Arity’s role as a consumer reporting agency. This statute penalizes consumer reporting agencies for furnishing consumer information that is patently incorrect or materially misleading. The plaintiffs alleged that Arity willfully reported inaccurate information to insurers by providing individual’s driving data without the important context that they were not driving. The defendants argued for dismissal on the grounds that the plaintiffs failed to identify an actual inaccuracy or plead a resulting injury. The court denied the motion, focusing on the allegation that the software only monitors phone movement and has no reliable way to verify if a person is actually driving. The software recorded data as driving behavior even if the user was riding as a passenger on a bus, in a taxi, or on a roller coaster. The judge ruled that providing this raw tracking data to insurers as definitive driving metrics without the context that the user might not have been driving is materially misleading and actionable under the statute.
The plaintiffs also brought computer hacking claims under the federal Computer Fraud and Abuse Act, 18 U.S.C. § 1030, et seq., the California Computer Data Access and Fraud Act, Cal. Penal Code § 502, and 18 Pa. Cons. Stat. § 7611 for unlawful use of computer under Pennsylvania law. These statutes prohibit unauthorized access to computers and require plaintiffs to plead a specific damage or loss. The plaintiffs alleged the defendants unlawfully accessed their mobile devices to siphon data. The defendants moved to dismiss these counts by arguing the plaintiffs failed to allege any damage or loss. The court granted the dismissal of these claims. The judge noted that “loss” in this context “has been defined to encompass costs related to fixing a computer, lost revenue, or other consequential damages incurred due to an interruption of computer services.”
Plaintiffs also brought various state consumer protection and deceptive trade practice claims, including under the California Unfair Competition Law. They alleged the defendants engaged in deceptive practices by concealing the data collection and using it to charge inflated premiums. The defendants attempted to use the filed rate doctrine to dismiss these claims entirely. The court defined this doctrine by stating that “any filed rate, a rate filed with and approved by the governing regulatory agency, is per se reasonable and cannot be the subject of a legal action against the private entity that filed it”. The defendants argued the doctrine applied because the complaint “challenge[s] how insurers calculated their rates”. The plaintiffs attempted to bypass this defense by arguing their claims targeted the defendants’ underlying conduct, specifically alleging that “but for [the d]efendants’ misuse and sale of [the p]laintiffs’ Personal Data, the amount charged by their insurer would have been lower”. The judge rejected the plaintiffs’ workaround and explained that “this argument is just a difference in semantics” and that “the plaintiffs’ allegation is that the defendants inflated their rates by improper means; that is a challenge to the rate.” However, the court saved the claims from total dismissal because the plaintiffs also sought alternative relief. The court ruled that “[w]here plaintiffs do not ‘seek[ ] damages tied to the amount of an alleged overcharge,’ such as statutory damages, the doctrine does not apply”. Therefore, the consumer protection claims survived only to the extent that statutory damages were available. The defendants also argued that several state consumer protection claims should be dismissed because the plaintiffs failed to comply with state-specific pre-suit notice requirements. The court rejected this and ruled that, under federal procedural rules, Rule 8 displaces contrary state requirements at the pleading stage.
Also, a statutory privacy claim was brought under New York’s Stop Hacks and Improve Electronic Data Security (“SHIELD”) Act, N.Y. Gen. Bus. Law §§ 899-aa, 899-bb. The defendants argued that the SHIELD Act does not provide a private right of action, meaning individuals cannot sue under it. The plaintiffs failed to respond to this argument in their briefing, which the court ruled constituted a waiver, resulting in the dismissal of the New York SHIELD Act claim.
The complaint also included additional state privacy tort claims for intrusion upon seclusion and invasion of privacy. The defendants moved to dismiss the plaintiffs’ claims under Illinois, California, and Pennsylvania law. To be successful on these claims, the plaintiffs are required to prove the intrusion violated a “reasonable expectation of privacy” and was “highly offensive.” The court found the plaintiffs met the first bar as they alleged “the defendants recorded detailed location tracking information.” The court defined a “highly offensive” intrusion as something “sufficiently serious and unwarranted so as to constitute an egregious breach of the social norms.” Refusing to dismiss the Illinois and California claims, the judge held: “Given the allegations that the defendants, without consent, collected detailed tracking information that was used to increase insurance premiums or deny coverage, the Court cannot conclude at this stage that no reasonable person would consider the alleged conduct highly offensive.” The court did, however, dismiss the Pennsylvania Invasion of Privacy claim because Pennsylvania law maintains a stricter standard. It requires facts showing the disclosed information “would have caused mental suffering, shame or humiliation to a person of ordinary sensibilities.” The judge dismissed the count, concluding: “None of the alleged disclosures are of this character. At worst, the information could stitch together information about an individual plaintiff that might cause shame or humiliation, such as particular locations visited, but there are no allegations to this effect.” Additionally, the plaintiffs brought a common law claim for unjust enrichment. The court allowed this claim to survive because the defendants included it in a section heading but failed to provide any actual argument outlining a basis for dismissing it.
Note that this federal decision follows a major enforcement action initiated by the State of Texas over a year earlier on January 13, 2025. Texas Attorney General Ken Paxton sued Allstate and Arity over the same tracking scheme, alleging the companies paid app developers millions to integrate the software, allowing them to harvest trillions of miles of location data and build a driving behavior database on over 45 million Americans. Texas sued under the Texas Data Privacy and Security Act, Tex. Bus. & Com. Code §§ 541.001 et seq., claiming the companies illegally processed consumers’ sensitive precise geolocation data without providing a clear privacy notice or obtaining affirmative consent. The state also sued under its Data Broker Law, Tex. Bus. & Com. Code §§ 509.001 et seq., alleging Arity processed the personal data of over 50,000 individuals but failed to register with the Texas Secretary of State. Finally, Texas alleged the practice of marketing this tracking data to insurers as driving behavior, without verifying consumer consent, constituted an unfair or deceptive act under the Texas Insurance Code §§ 541.001 et seq.
The federal court’s decision in Illinois shows that using third-party app SDKs to gather consumer location data for insurance pricing creates massive legal exposure under the FCRA and wiretap statutes. Combined with the parallel enforcement action from the Texas Attorney General, these lawsuits demonstrate that courts and regulators are actively scrutinizing how mobile tracking data is collected and verified.
