Court Allows Wiretap and FCRA Claims to Proceed in Allstate/Arity SDK Tracking Lawsuit
Key Takeaways
- ▸Federal court allows wiretapping and FCRA claims to proceed despite defendants' arguments that third-party app developers consented to SDK integration
- ▸Court invokes 'crime/tort exemption' to the wiretap consent defense, ruling that alleged FCRA violations nullify the party consent exception
- ▸FCRA claims survive dismissal because tracking software cannot distinguish between actual driving and passive movement, making driving metrics potentially materially misleading
Summary
A federal judge in the Northern District of Illinois has allowed wiretapping, Fair Credit Reporting Act (FCRA), and privacy tort claims to proceed in a consolidated class action lawsuit against Allstate and its technology subsidiary Arity. The plaintiffs allege that Allstate and Arity paid third-party app developers to embed tracking software development kits (SDKs) into popular applications like Drivewise, Life360, and Fuel Rewards to monitor users' phone location, speed, and usage data without proper consent.
The court ruled that while the third-party applications may have consented to the SDK integration through their terms of service, this consent defense is nullified under the Federal Wiretap Act's "crime/tort exemption" because the plaintiffs plausibly alleged the data interception was conducted to commit separate FCRA violations. Judge Jeremy C. Daniel found that the allegations of unauthorized real-time interception of electronic communications stated a viable claim under both federal and state wiretap statutes.
A key issue in the case concerns the accuracy of the driving data reported to insurers. The court found the FCRA claims viable, noting that the tracking software cannot reliably distinguish between actual driving and passive movement (such as riding in a taxi or bus), yet this data was allegedly provided to insurers as definitive driving metrics. The court determined this omission of critical context makes the reported information materially misleading and actionable under consumer protection laws.
- Court denies dismissal of California pen register claims, finding factual disputes about whether app terms of service provided adequate notice of data collection
Editorial Opinion
This ruling represents a significant setback for Allstate and Arity's SDK-based tracking practices and underscores the limits of consent-based privacy frameworks. The court's application of the crime/tort exemption suggests that companies cannot hide behind developer consent when the underlying data collection may itself violate consumer protection laws. The finding that location data cannot reliably serve as driving behavior metrics is particularly damaging to the defendants' position and raises important questions about the validity of algorithmic scoring systems that rely on incomplete or ambiguous data sources.
