Texas HOA Leasing Policies: PPI Collection Rules Post-SB 1588
A homeowner leases their property. Your board sends the tenant a form requesting their Social Security number, driver's license, employer information, and vehicle registrations. The tenant fills it out because they assume the HOA has the authority to demand it. Under §209.016, much of that form is now illegal — and every piece of protected personal information your association stores is a liability it may not be equipped to secure.
SB 1588 added §209.016 to the Texas Property Code, restricting what personal information a property owners association can collect from tenants and how that information must be handled. Before 2021, many associations collected whatever they wanted — Social Security numbers, background check authorizations, employer details — with no statutory limits and no data security obligations. §209.016 changed that equation for every Texas HOA that has rental properties in its community.
This article covers what your board can and cannot collect from tenants, how to handle the information you do collect, and how to update your leasing policies to comply with the current law.
What §209.016 restricts
§209.016 limits the collection and use of "protected personal information" (PPI) by property owners associations. The statute applies when a homeowner leases their property and the association requests information from or about the tenant.
Protected personal information under §209.016 includes:
- Social Security numbers
- Driver's license numbers
- Financial account numbers (bank accounts, credit card numbers)
- Government-issued identification numbers beyond what is necessary for identification
The association cannot require a tenant or homeowner to provide this information as a condition of occupancy. If your leasing registration form asks for a Social Security number, that field is now prohibited under §209.016.
The two lanes on tenant information collection
Lane 1: "We've been collecting Social Security numbers from every tenant." Your current tenant registration form predates SB 1588 and asks for information that §209.016 now prohibits. Every form on file with a tenant's Social Security number is a data security liability. The immediate fix: stop collecting prohibited information and determine how to handle what you've already stored.
Lane 2: "We want to set up a compliant tenant registration process." You're either newly self-managed or updating your policies. You need to know exactly what you can ask for, how to store it, and what to do when a homeowner notifies you of a new tenant.
What your board can collect from tenants
§209.016 restricts PPI but does not prevent the association from collecting basic information needed to manage the community. The association can request:
| Information | Permitted? | Purpose |
|---|---|---|
| Tenant's full legal name | Yes | Community directory, correspondence, violation notices |
| Tenant's contact information (phone, email) | Yes | Communication about association matters |
| Move-in date and lease term | Yes | Community records, occupancy tracking |
| Number of occupants | Yes | Compliance with occupancy limits in governing documents |
| Vehicle information (make, model, plate number) | Yes | Parking management, towing authorization |
| Emergency contact | Yes | Safety and emergency management |
| Tenant's Social Security number | No | Prohibited under §209.016 |
| Tenant's driver's license number | No | Prohibited under §209.016 |
| Financial account numbers | No | Prohibited under §209.016 |
| Background check authorization | Restricted | The association cannot require a background check as a condition of occupancy |
The permitted information serves legitimate community management functions — the association needs to know who lives in the community, how to reach them, and what vehicles they drive. The prohibited information serves no community management function and creates data security exposure.
How to handle information you've already collected
If your association has tenant registration forms on file that contain Social Security numbers, driver's license numbers, or other PPI collected before §209.016 took effect:
Stop collecting new PPI immediately. Update your tenant registration form to remove all prohibited fields. Do not collect another Social Security number or driver's license number from a tenant.
Audit existing files. Determine which tenant records contain PPI. This is typically every tenant registration form submitted before your policy was updated.
Securely destroy the PPI. Shred physical forms containing Social Security numbers and driver's license numbers. Delete digital records containing this information. If records are stored with a management company or in cloud storage, confirm that the PPI has been purged from all copies.
Retain the non-PPI information. Tenant names, contact information, vehicle details, and move-in dates can remain in your files. Only the protected fields need to be removed.
Document the purge. Record the date, the number of files reviewed, the number of files destroyed or redacted, and the board member or officer who supervised the process. This documentation is your Layer 3 proof that you took corrective action.
Leasing restrictions: what your board can and cannot do
Beyond PPI collection, boards frequently ask what leasing restrictions they can enforce. The answer depends on what your governing documents say — but §209.016 and the broader SB 1588 framework set limits:
What the board can do (if authorized by governing documents):
- Require the homeowner to notify the association when the property is leased, including the tenant's name and contact information
- Require the homeowner to provide the tenant with a copy of the governing documents
- Enforce community rules against tenants the same way they enforce them against homeowners (violations, fines, hearings — through the Chapter 209 process)
- Require that leases contain a clause acknowledging the tenant's obligation to comply with the governing documents
What the board cannot do:
- Require PPI from the tenant as a condition of occupancy (§209.016)
- Conduct background checks on tenants as a condition of occupancy unless specifically authorized by the governing documents — and even then, the practice is legally risky under §209.016
- Approve or deny individual tenants based on information the association is not permitted to collect
- Charge fees for tenant registration that are not authorized by the governing documents
| Board action | Status | Authority |
|---|---|---|
| Require homeowner notification of lease | Permitted | Governing documents |
| Collect tenant name and contact info | Permitted | §209.016 (non-PPI) |
| Collect tenant SSN or driver's license | Prohibited | §209.016 |
| Require tenant to follow community rules | Permitted | Governing documents + Chapter 209 |
| Charge unauthorized tenant registration fee | Prohibited | Governing documents control |
| Conduct background check as condition of occupancy | Restricted | §209.016 limits |
Data security obligations
Every piece of personal information your association collects — even the permitted information — creates a data security obligation. For self-managed boards, this is an area where the operational burden is often underestimated.
Physical records. Tenant registration forms stored in a file cabinet at the board president's house are not secure. If the forms contain names, phone numbers, and vehicle information, that data should be stored in a locked location with access limited to authorized board members.
Digital records. Tenant information stored in email inboxes, shared Google Drives, or spreadsheets on personal laptops is vulnerable. If the association collects tenant information digitally, it should be stored in a system with access controls — not in an unencrypted file attached to an email thread.
Retention periods. Do not store tenant information indefinitely. When a tenant moves out and the lease ends, the association's need for that tenant's contact information and vehicle data expires. Establish a retention policy — one year after the tenant moves out is a common standard — and purge records on schedule.
Breach notification. If tenant data is compromised (a laptop is stolen, an email account is hacked, a file is accidentally shared), the association may have notification obligations under Texas data breach law. Boards that collect only the minimum necessary information minimize the impact of a breach.
Every field on your tenant registration form is a question: do we need this information to manage the community, and can we secure it if we collect it? If the answer to either question is no, remove the field.
The Leasing Policy Compliance Checklist
| # | Requirement | Statute | What proof looks like |
|---|---|---|---|
| 1 | Tenant registration form does not collect Social Security numbers, driver's license numbers, or financial account numbers | §209.016 | Current registration form on file with no PPI fields |
| 2 | Existing records containing PPI have been audited and purged | §209.016 | Documented purge with date, scope, and supervising officer |
| 3 | Association collects only information necessary for community management (name, contact, vehicle, move-in date) | §209.016 | Registration form reviewed for minimum-necessary standard |
| 4 | Tenant information is stored securely with access limited to authorized board members | Best practice | Written data handling policy; physical files locked; digital files access-controlled |
| 5 | Homeowner is required to notify the association of a lease (if governing documents require it) | Governing documents | Notification log with homeowner confirmation |
| 6 | Leasing policy adopted at a properly noticed board meeting (144 hours) | §209.0051(e) | Meeting notice and minutes documenting adoption |
| 7 | Leasing policy posted on community website (if required under §209.005) | §209.005 | Updated policy on website with version date |
If your tenant registration form still has a Social Security number field, row 1 is broken. Fix it before the next tenant registers.
Enforcing community rules against tenants
When a tenant violates a community rule — parking violations, noise complaints, architectural modifications without approval — the enforcement process is the same Chapter 209 process that applies to homeowners. The association sends notice to the homeowner (not the tenant directly, unless the governing documents authorize direct notice to tenants), the cure period runs, and the hearing process applies if the violation persists.
The practical challenge for self-managed boards: the tenant receives a violation notice, ignores it, and the homeowner claims they did not know about the problem. The fix is structural — require the homeowner's lease to include a clause obligating the tenant to comply with the governing documents, and send violation notices to both the homeowner and the tenant (at the address on file from the registration form).
The enforcement path for tenant violations follows the same five-step sequence as any other violation: written notice with cure period (§209.006), reinspection, evidence packet 10 days before hearing (§209.007), hearing before the board, and written decision. The violation hearing process is covered in detail in the fine procedures article.
A quick word on what's not in this article
- Lease-cap restrictions. Some governing documents limit the percentage of units that can be leased at any time. Whether your association can enforce a lease cap depends on your specific governing documents and when the restriction was adopted. That is a document-specific question, not a Chapter 209 question.
- Short-term rental restrictions. Airbnb and VRBO rentals raise separate questions about the definition of "leasing" in your governing documents and local municipal ordinances. Short-term rental enforcement is covered in a separate article.
- Tenant eviction. The association does not have the authority to evict a tenant — only the property owner (landlord) can pursue eviction. The association's enforcement tools are fines, violation hearings, and, in extreme cases, lien enforcement against the property owner.
- Fair Housing Act compliance. Leasing policies must comply with federal and state fair housing laws. Policies that discriminate based on race, religion, national origin, familial status, or other protected characteristics are unlawful regardless of what the governing documents say.
FAQ
Can a Texas HOA require a tenant's Social Security number?
No. §209.016 prohibits the association from requiring tenants to provide Social Security numbers, driver's license numbers, or financial account numbers. The association can collect the tenant's name, contact information, vehicle details, and move-in date.
Can the HOA deny a tenant based on a background check?
Under §209.016, requiring a background check as a condition of occupancy is restricted. The association cannot use PPI that it is prohibited from collecting to conduct background checks. Even if the governing documents authorize tenant screening, the practice must comply with §209.016 limitations on what information can be collected and how it can be used.
Who is responsible for a tenant's violations — the tenant or the homeowner?
The homeowner is responsible to the association. Under Chapter 209, the association's enforcement relationship is with the property owner, not the tenant. The association sends violation notices to the homeowner, and fines are assessed to the homeowner's account. The homeowner's recourse against the tenant is through the lease agreement.
Can the HOA charge a tenant registration fee?
Only if authorized by the governing documents. If your CC&Rs or bylaws do not specifically authorize a tenant registration fee, the board cannot create one by resolution. Any authorized fee must be reasonable — a $500 tenant registration fee is likely to be challenged as unreasonable.
How long should the association retain tenant records?
Retain tenant records for one year after the tenant moves out. This provides a reasonable window for any post-tenancy issues (damage claims, final violation processing) while limiting the association's data security exposure. After the retention period, securely destroy the records.
Collect only what you need. Secure what you collect.
Or email [email protected] and tell us what your current tenant registration form looks like. We can flag which fields need to be removed.
This article is part of The Complete Texas HOA Board Compliance Guide. Companion pieces cover SB 1588 compliance, credit reporting rules, and security measure restrictions.