Case Study · TDPSA Privacy Gap Analysis · Premium Valet & Hospitality

Navigating the Texas privacy landscape: turning compliance into a contract-winning asset

A premium Texas valet and hospitality operator believed the small-business exemption put TDPSA compliance out of scope. One provision said otherwise. We closed the gaps and engineered the fix into an RFP asset that won elite hotel contracts.

100% · TDPSA compliance verified
0 · Vendor contract gaps remaining
Multi-Year · Hotel contracts won
180 Days · Auto-purge policy deployed
72 Hours · Vendor breach-alert window
$7,500 · Max per-violation penalty avoided

The challenge

A luxury hotel property at its peak generates hundreds of vehicle handoffs a day, each one a micro-transaction carrying a guest's identity, vehicle details, mobile number, and the precise coordinate of where their car was placed. For a premium valet operator serving Texas's most prestigious hotels, that data stream is continuous, high-value, and deeply personal.

When the Texas Data Privacy and Security Act took effect on July 1, 2024, the company did what most small Texas operators did: confirmed its revenue sat below the SBA small-business threshold and concluded the compliance burden applied to someone else. That was a legally defensible read of the general obligations. But TDPSA § 541.107(b) does not care about the exemption. It prohibits any small-business controller from selling sensitive personal data without prior opt-in consent, with no carve-out. Precise parking-bay coordinates meet the statute's 1,750-foot geolocation threshold, and those coordinates were streaming to hotel loyalty systems through a paid commercial integration.

The more immediate danger was the vendor contract. The entire data operation ran through a cloud valet platform governed by a 2022 SaaS license that addressed uptime and payment terms but contained not a single provision governing the vendor's use of customer data: no ownership clause, no breach-notification duty, no security standards, no deletion terms. Four years of guest records sat on that infrastructure with zero contractual protection.

What we did

NPA ran a full-scope Privacy Gap Analysis structured around the four pillars of the data lifecycle: Collection, Retention, Third-Party Sharing, and Vendor Management. The vendor contract was Priority One. We drafted and negotiated a comprehensive Data Processing Agreement, deliberately non-negotiable on its critical provisions, and ran it to execution. In parallel, we engineered the backend data-minimization architecture and the consumer-facing disclosures.

01 · Vendor platform breach exposure — contained
A full Data Processing Agreement executed with the cloud valet vendor: 72-hour breach notification, mandated security standards (AES-256 at rest, TLS 1.3 in transit), absolute data-ownership provisions, and audit rights. The company now has contractual visibility into any platform incident within three days.
02 · Indefinite retention liability — eliminated
A 180-day automated truncation protocol hashes phone numbers, masks plates, nulls VINs, and reduces parking coordinates below the TDPSA geolocation threshold, bounding any future breach-notification obligation to the most recent six months instead of years of records.
03 · TDPSA § 541.107(b) exposure — addressed
A privacy notice was appended to the SMS ticket workflow, and the hotel API integration was restructured to exclude precise geolocation from outbound data, moving the transmission outside the statute’s sensitive-data definition.
04 · Hotel audit vulnerability — closed
DPA, retention policy, privacy notice, and geolocation classification were assembled into a structured compliance profile. All five standard hotel-vendor audit criteria now produce affirmative, documented responses.
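
A sketch of the 180-day truncation step described in item 02, added here as an illustration and not the company's or NPA's actual code. The record field names, the demo key, and the two-decimal coordinate precision are assumptions; which precision satisfies the statute is a legal determination.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

RETENTION = timedelta(days=180)  # purge window stated in item 02
COORD_DECIMALS = 2  # assumption: ~1.1 km latitude grid; legal sufficiency is for counsel
DEMO_KEY = b"constructed-demo-key"  # assumption: the real key lives in a secrets manager

def mask_plate(plate):
    # Keep the last two characters only when the plate is long enough to hide the rest.
    keep = 2 if len(plate) > 4 else 0
    return "*" * (len(plate) - keep) + plate[len(plate) - keep:]

def truncate_record(rec, key):
    """Return a minimized copy of one ticket record (field names are hypothetical)."""
    out = dict(rec)
    # Keyed HMAC rather than a bare hash: phone numbers have so few possible
    # values that an unkeyed SHA-256 can be reversed by enumeration.
    out["phone"] = hmac.new(key, rec["phone"].encode(), hashlib.sha256).hexdigest()
    out["plate"] = mask_plate(rec["plate"])
    out["vin"] = None
    out["lat"] = round(rec["lat"], COORD_DECIMALS)
    out["lon"] = round(rec["lon"], COORD_DECIMALS)
    out["truncated"] = True
    return out

def purge(records, key, now):
    """Truncate records closed more than RETENTION ago; skip ones already done."""
    cutoff = now - RETENTION
    return [
        truncate_record(r, key)
        if not r.get("truncated") and r["closed_at"] < cutoff
        else r
        for r in records
    ]

# Constructed sample data, not real guest records.
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)
SAMPLE = [
    {"ticket": "T-1001", "closed_at": datetime(2024, 3, 1, tzinfo=timezone.utc),
     "phone": "+15125550100", "plate": "ABC1234", "vin": "TESTVIN0000000001",
     "lat": 30.267153, "lon": -97.743057},
    {"ticket": "T-2002", "closed_at": datetime(2024, 12, 15, tzinfo=timezone.utc),
     "phone": "+15125550101", "plate": "XYZ9876", "vin": "TESTVIN0000000002",
     "lat": 30.267201, "lon": -97.743110},
]

if __name__ == "__main__":
    for row in purge(SAMPLE, DEMO_KEY, NOW):
        print(row)
```
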

The commercial payoff

Most compliance engagements end at documentation. We added a fourth stage: commercialization. The compliance profile was engineered from the start to function as a market instrument, a document that belongs in an RFP response, not just a compliance folder.

Premium hospitality contracts are maintained at the hotel's confidence, and institutional owners now run rigorous vendor-data reviews. The company now attaches a four-page Vendor Compliance Profile to its bids: the 180-day purge policy, the executed DPA, the SMS privacy notice, and the geolocation classification. In a market where operational capabilities are roughly equal across qualified operators, that documentation is the differentiator, and it cannot be replicated quickly by a competitor who hasn't done the work. The company came to us with a compliance question. It left with a competitive advantage and multi-year contracts at properties it could not have credibly bid on before.

If a state privacy law or a vendor contract is your blind spot

Know where you stand, then make it an advantage.

A Privacy Gap Analysis from a CIPP/US certified advisor: every lifecycle gap found, every consequence traced, and a fix built to survive scrutiny and win business.
