The Situation
A valet and parking management company operating across Houston and Dallas had grown steadily over several years, adding hotel properties, luxury residential buildings, and restaurant clients. With growth came complexity — the business now relied on a network of software vendors, payment processors, and communication platforms to manage operations across multiple locations.
None of those vendor relationships had Data Processing Agreements in place. The company had no documented privacy policy, no process for responding to consumer data requests, and no clear picture of what personal data it held or where it went.
This wasn't negligence — it was the natural result of a growing business prioritizing operations over compliance. But the risk exposure was real. Texas's Data Privacy and Security Act had taken effect, and the company's vendor ecosystem — touching guest payment information, employee records, and operational data — created liability that extended well beyond what the owners had considered.
The core risk: TDPSA and CCPA both require a controller to bind its processors by written contract, and the controller remains answerable for how those vendors handle personal data. Without Data Processing Agreements, every vendor relationship is an unmanaged liability.
What We Found
The initial assessment identified four primary exposure areas:
- No vendor DPAs in place. The company worked with payment processors, scheduling software, a fleet management platform, and a customer communication tool, and none had signed a data processing agreement. Both TDPSA and CCPA require a written contract governing each processor's handling of personal data, so the missing agreements were themselves a compliance gap, and without them the company had no contractual limits on how any vendor used the data it shared.
- No published privacy policy. The company's website collected contact information through inquiry forms but had no privacy notice disclosing its data practices. TDPSA requires covered controllers to provide a reasonably accessible privacy notice, and the FTC treats undisclosed or misrepresented data practices as unfair or deceptive under Section 5 of the FTC Act.
- No consumer rights process. With hotel and restaurant clients comes exposure to guests who may exercise their rights under state privacy laws — the right to know what data is held, the right to delete it, and the right to opt out of certain uses. There was no intake mechanism, no response process, and no timeline tracking.
- Payment data handled by third parties without documented controls. Valet operations routinely involve guest payment information passed through third-party point-of-sale systems. Without a data flow map or vendor agreements, the business had no visibility into how that data was being stored or shared downstream.
What We Did
The engagement ran in two phases over 30 days.
Phase 1 — Vendor inventory and risk tiering
We mapped every vendor that received, processed, or stored personal data. Each vendor was tiered by risk: Tier 1 for vendors with direct access to sensitive or high-volume data, Tier 2 for vendors with indirect or limited access. Payment processors, the scheduling platform, and the fleet management system all landed in Tier 1.
For Tier 1 vendors, we requested their standard DPA addenda — most major platforms have these available but don't proactively offer them. For two vendors without standard addenda, we drafted custom DPAs tailored to the specific data flows involved. All agreements were executed within the 30-day window.
Phase 2 — Policy and process build-out
We drafted a compliant privacy policy covering all applicable jurisdictions — Texas, California (due to hotel client exposure), and federal requirements under the FTC Act. The policy was published on the company's website with a footer link on all pages.
We then built a lightweight consumer rights intake process: a dedicated email address for privacy requests, a one-page internal SOP covering who receives requests, who fulfills them, and what timelines apply under each law, and a simple spreadsheet log for tracking requests and response dates.
Finally, we created a vendor register — a living document that maps every vendor to the data they access, the legal basis for sharing, the DPA status, and the review date. This becomes the foundation for ongoing compliance maintenance.
The Outcome
Within 30 days, the company moved from no formal privacy infrastructure to a defensible baseline that addresses its primary exposure areas under Texas and California law. The program was designed for the team's actual operational capacity — no outside legal counsel required for day-to-day management, no complex technology, and no ongoing subscription fees.
The vendor register and consumer rights log require roughly two hours of attention per quarter. The privacy policy is reviewed annually. The DPAs are in place and will be revisited when vendors are added or changed.
Key takeaway: Privacy compliance for a multi-location hospitality business doesn't require a law firm or a full-time hire. It requires a clear picture of your data, documented vendor relationships, and a process your team can actually run. Most businesses can get there in 30 days.
What This Looks Like for Your Business
If you operate in hospitality, food and beverage, or property management — or if you manage locations on behalf of other businesses — the exposure profile described above is likely familiar. You're processing guest data, passing payment information through third-party systems, and relying on vendors you've never had a formal data agreement with.
The good news is that the remediation is straightforward. The risk is real but the path to a defensible program is not complicated. It just requires someone who knows what to look for and how to structure the work.
Our Vendor Risk Review covers exactly this scenario — full vendor inventory, risk tiering, DPA execution, and a vendor register your team can maintain going forward.