Texas’ attorney general continues to aggressively and quietly enforce the state’s new comprehensive data privacy law, sending out four new violation notices to companies in recent weeks.
Attorney General Ken Paxton has accused satellite radio broadcaster Sirius I warned you that it appeared to be shared.
Although Paxton’s office has publicly stated its intention to strictly enforce the new law, it has not issued press releases or other materials in warning potential offenders. Recorded Future News obtained the notice through a public records request.
Texas’ large population of 30.5 million people guarantees that at least some of its residents will be customers of businesses and services available nationwide. Paxton’s office in October accused app companies GasBuddy, Life360 and Excentus Corporation of improperly sharing consumer data, including location information, without explicit notice or consent.
The following four companies were notified in November.
SiriusXM
On Nov. 20, the state sent a notice accusing SiriusXM of sharing sensitive user data, including location and vehicle data, with numerous groups, including “unrelated third-party business relationships.”
Sirius also allegedly does not tell consumers what categories of sensitive data it collects or obtain consent to share it.
Sirius’ privacy policy describes the data it collects and shares and the purposes for which it collects data, but Paxton’s office does not provide “reasonably clear information” to consumers about the types of data the company is collecting. The company stated that it had not given them “a proper notice” and had not proactively obtained their consent. to share it. The Texas Privacy Act defines consent as “an unequivocal affirmative act freely given by a consumer that indicates specific, informed, and unambiguous consent.”
SiriusXM did not respond to a request for comment.
MyRadar and Miles app
On the same day it sent the notice to Sirius, Texas slammed weather app MyRadar.
Miles is a travel rewards app that collects your journeys (such as walks and bike rides) due to our failure to obtain consumer consent for data sharing, including your location. The companies are also accused of failing to inform consumers about how to “exercise their rights” under state privacy laws.
MyRadar CEO and co-founder Andy Green told Recorded Future News in an email: Please check the consent screen using the app. ”
Green said MyRadar will only share anonymized analytics data “before collecting anything remotely sensitive and only if the user is provided with explicit and unambiguous consent and opts out. It’s always an opt-in, not an out.”
The creator of the Miles app did not respond to a request for comment.
tapestry
On November 4, the Bureau accused Tapestri, Inc., an app that rewards users for their information, of sharing sensitive data, including location information, without clear notice of how to exercise their rights and without obtaining consent. .
Tapestry did not respond to a request for comment.
Provide data to insurance companies
The privacy policies of the four companies indicate that they share and use data for a wide range of purposes. All four companies say they collect and share location data that the Federal Trade Commission (FTC) says is highly sensitive and repeatedly targets the companies it shares with.
According to its privacy policy, MyRadar collects large amounts of data, including phone numbers, email addresses, website URLs, profile pictures, IP addresses, and geolocation data, among other things for advertising, analytics, and “monetization” purposes. Collect.
The app also has ties to Arity, a company founded by insurance company Allstate. Arity describes itself as a “mobility data and analytics company focused on improving transportation.” Insurance companies are also one of its major customers.
Arity is using predictive analytics to build solutions with a single goal in mind: to make transportation smarter, safer, and more convenient for everyone. It says it is collecting and analyzing data.
The data that MyRadar shares with Arity includes driving event data, which, according to MyRadar’s privacy policy, includes “information about your speed, changes in speed, and when, how, how much, and where you drive. It is defined as including “other aspects”.
Arity’s website tells insurers that this will help them “more accurately price (for potential customers).” The company did not respond to requests for comment.
Other recent actions in Texas
On November 15, the bureau also announced that an August hack at National Public Data, the data broker that allegedly leaked 2.9 billion records containing sensitive personal data belonging to up to 170 million residents. A “civil investigative request,” or administrative subpoena, was sent. US, UK, Canada.
The letter asks for all documentation the company has sent to regulators regarding the violations, as well as documentation showing everyone who provided data to the company and used its products.