Glenn Hegar
Texas Comptroller of Public Accounts

Privacy and Security Policy

Revised February 2025

The Comptroller of Public Accounts, its divisions, and its associated companies (CPA, “we”, or “our”) value and protect the public's (“your”) privacy and place strict controls on the collection and use of sensitive information and confidential information (a.k.a. protected information). Protected information is not disclosed, made available, or otherwise used for purposes other than those specified at the time of collection, except with your consent or as authorized by law or regulation.

As a government agency that serves the public, we are required to make some information available to the public broadly through our transparency efforts via our websites or the Texas Data Portal, or to specific requestors in response to a request for public records (“open records request”) received in accordance with Texas Government Code Chapter 552 (a.k.a., the Texas Public Information Act or PIA). However, CPA understands the importance of maintaining your privacy and makes every attempt to maintain your trust and confidence regarding our collection, use, or storage of your non-public protected information.

Please read this policy carefully to understand our policies and practices regarding your information and how it is treated by CPA. By accessing or using our websites, you agree to this privacy and security policy, which may change from time to time. Your continued use of our website(s) is deemed to be acceptance of any changes, so please check the policy periodically for any updates. This policy is maintained in accordance with all applicable Texas and federal laws and regulations.


What Information is Collected?
Protected Information

Your voluntary disclosure of protected information (i.e., sensitive or confidential) to CPA, whether solicited or unsolicited, constitutes your consent to the collection, use, storage, or disclosure of the information by CPA for the purposes for which it was disclosed to CPA, as reasonably ascertained from the nature and terms of the disclosure, including for the purpose of validating your identity.

Web Analytics Data

CPA's websites collect and store certain non-personal and statistical information each time you access them to help us make them more accessible and useful to visitors. By browsing our sites and reading, printing, or downloading information, no protected information (i.e., sensitive or confidential) about you is collected unless specified below.

The information we collect when you visit CPA's sites may include:

  • The Internet Protocol (IP) address from which you are accessing the site(s), which may be considered protected information depending on your location or relationship to CPA.
  • The name of the Internet Service Provider (ISP) or wireless carrier you are using to access the site(s) (e.g., Comcast, Spectrum, Verizon, or Sprint).
  • The date and time you visited the site(s).
  • The web pages or services you accessed at the site(s).
  • The type, manufacturer, model, and operating system of the device you are using to access the site(s).
  • The Media Access Control (MAC) address of the device you are using to access the site(s), which may be considered protected information depending on your location or relationship to CPA.
  • Internet browser type and version used to access the site(s).

CPA primarily uses Google Analytics to measure traffic on our websites. Review the Google Analytics Terms of Use or learn more about how Google uses, collects, and processes analytics data. To prevent Google Analytics from recognizing return visits to our websites you may disable cookies in your Web browser.

Some CPA sites may also use JavaScript to collect site traffic and activity, as well as to measure the performance of our servers and network. These scripts do not collect protected information about you.

Biometric or Multifactor Authentication to Access CPA Sites/Applications

To better serve you and protect access to your information, CPA sites may use biometric or multifactor authentication (MFA) to enhance the security of your account(s)/information accessed via our sites. To register and use these authentication services, you may be required to supply biometric information, an email address, phone number, or express consent in order for us to verify your identity and deliver security verification codes, one-time passcodes, or push-notifications to you in the future. We will not disclose this information to third parties (except as permitted by law) without your express written consent.

Biometric and Geolocation Information

Except as described in the previous section, when you use our sites and services CPA does not actively collect, maintain, or disseminate biometric or geolocation information obtained from global positioning system technology, individual contact tracing, or biometric identifier collection technology.

Cookies, Pixels, and Other Digital Tracking Technologies

To better serve you, CPA sites may use limited cookies to enhance or customize your visit to our site(s). These cookies do not contain your protected information (i.e., sensitive or confidential).

We may also use third-party advertising companies to deliver advertisements on our behalf. These companies may use anonymous cookies or other technologies to track information regarding your browsing history on our site(s). Third-party advertising networks, such as Google AdWords and AdRoll, use this information to deliver ads to you on our behalf at other sites throughout the Internet, to track your response to advertisements, report on visitor interaction, and to measure the effectiveness of advertisements. We do not control these third parties' tracking technologies or how they may be used.

Facebook provides certain features and tools, such as pixels, SDKs (Software Development Kits), or APIs (Application Programming Interfaces) that send your browsing data to Facebook, including pages you visit and actions you take on our site(s). This tool allows us to personalize our ads based on the content you viewed on our site. We may also use Facebook technology to deliver interest-based ads using lists of email addresses that we have collected on our site(s). We update these lists once a month so that we do not intentionally target our ads to users who have opted out of emails from CPA.

Email Address and Contents

If you communicate with CPA by sending us an email, your email address, the email itself, and any information you include in the body of the email or as an attached file or document may be retained and stored to process your request, communicate with you further, in accordance with our records retention policy or applicable law or regulation, or provided to other State Agencies to better serve your needs.

In addition, CPA collects the email addresses of those individuals who voluntarily provide their email address on our site(s) and on other platforms, such as Facebook. Email addresses and other volunteered information may be used by CPA to send news, notices, and other information to those who request it (i.e., opt-in) and may also be used to deliver interest-based ads on other services/platforms such as Facebook.

Social Media

In the spirit of transparent government, CPA makes use of social media tools (e.g., Facebook, Instagram, X/Twitter, YouTube, etc.) to keep the public informed of news, economic updates, and other announcements.

Any comments or posts made to a social media profile, page, persona, group, or forum maintained by or for CPA may be subject to retention and release to the public as required by the Texas Public Information Act (PIA) (Tex. Gov’t Code Ch. 552), our records retention schedule, or other laws or regulations.

Users of these social media services are bound by the terms of service and user agreements for the platform.

How is Information Used or Stored?
Purpose Limitations

CPA collects your information only for and through legitimate and lawful purposes and means. Any subsequent use, storage, or disclosure of your information is limited only to purposes consistent with the purpose(s) disclosed at the time of collection.

Public Disclosure

All information collected or maintained by CPA is subject to public disclosure unless specifically excepted from disclosure by the Texas Public Information Act (PIA) (Tex. Gov’t Code Ch. 552) or other applicable law or regulation. As such, CPA is required to disclose certain information broadly to the public through our transparency efforts or to specific requestors in response to an open records request under the PIA.

Disclosure to Third Parties

You are responsible for protecting the confidentiality of any user ID, password, or PIN used to access CPA websites, applications, or systems. If you give your user ID, password, or PIN to anyone else, they may be able to access your protected information (i.e., sensitive or confidential).

CPA does not sell your information to any third party and does not distribute or share your information with any non-governmental third party without your consent or as otherwise authorized by law or regulation. Employees only use information submitted by you on a need-to-know basis to provide information or services, or carry out our duties.

Further, we will not disclose information we collect from you to third parties without your permission except to:

  • Carry out our duties.
  • Fulfill an Open Records Request(s).
  • Fulfill your request(s) for services.
  • Protect ourselves from liability.
  • Verify or update information provided.
  • Comply with a law enforcement agency, self-regulatory organization, or an authorized civil, criminal, or regulatory investigation.
  • Prevent, detect, mitigate, and investigate actual or potential fraud and unauthorized transactions or claims.
  • Comply with a subpoena; summons; federal, state or local laws, rules and other legal requirements; or when connected with a company’s merger, acquisition, or liquidation.

Retention and Destruction

Information collected by or provided to CPA will be retained and maintained as required by law or regulation such as Texas Government Code Chapter 441, L. Different types of information are required to be kept for different periods of time.

CPA stores or uses protected information (i.e., sensitive or confidential) submitted by you only for the time necessary. Protected information is destroyed via purging, magnetic degaussing/erasing, shredding, and/or other means of authorized destruction when no longer required and to prevent unauthorized access or use of the data. Regularly scheduled archiving, purging, and proper disposal of records and information is a standard practice throughout CPA.

Read details on CPA's Records Retention Schedule as published on the Texas State Library and Archives Commission site.

Covered Applications and Prohibited Technology

In 2023, the Texas Legislature passed a law codifying and expanding a 2022 directive by the Governor banning potentially risky applications and technology (“Prohibited Technology” and “Covered Applications”) from state government devices and networks over concerns of foreign surveillance of Texans (Texas Government Code Chapter 620). See Glossary for defined terms.

In accordance with this directive and statute, CPA prohibits all full- and part-time employees including contractors, paid or unpaid interns, and users of our state systems and networks from downloading, installing, or using any application, website, service, or technology included in any directive from the Governor and/or listed on DIR’s website. This includes on any state-owned or issued devices and on approved employee-owned personal devices authorized to securely connect to select CPA applications and services as part of our Bring Your Own Device (BYOD) Program.

How is Information Protected?
CPA Sites, Applications, and Systems

CPA's public-facing (i.e., “external”) and internal websites, applications, and systems have reasonable security measures in place to protect against the loss, misuse, and alteration of your data and information under our control. Interactive applications and forms that collect transaction payments or protected information (i.e., sensitive or confidential) are encrypted using privacy and security safeguards and routinely evaluated for and updated to protect against known vulnerabilities or flaws.

Appropriate multi-level application, computer, network, and Internet technical security controls are implemented enterprise-wide across CPA to prevent unauthorized access to your information and our systems. These security controls include PINs, passwords, and other user identity verification such as biometrics or MFA; data encryption; secure/confidential transmissions; secure storage areas; and audit trails. CPA employees are educated regarding the requirements of working with protected information as well as the consequences of misuse.

Communicating with and Information Provided to CPA

As possible and appropriate, CPA protects all avenues of communication from the public (e.g., phone, email, fax, postal mail, Internet systems) to the best of our ability. However, certain methods of communication and how you provide information to CPA are inherently more secure than others due to the level of control we have over the communication/information channel and the transfer of information between you and CPA. For instance, submission of information to CPA using one of our public-facing systems (e.g., WebFile, CAPPS, or ClaimItTexas.gov) guarantees end-to-end encrypted and secure submission of information to/from CPA.

Email and fax communications to CPA are not inherently encrypted in transit (i.e., on their way into) and are only properly secure and encrypted if the sender (you) understands and follows appropriate practices to secure the communication. As such, DO NOT send any protected information (e.g., social security number (SSN) or personally identifiable information (PII)) via fax or in the body of, or as an attachment to, an electronic mail message unless you have verified the fax, email, or attachment containing the protected information is adequately encrypted and secured.

When sending protected information to CPA via inherently unsecure methods, including email or fax, you understand and assume any risk that may exist based on your method of submission as the sender and presumed owner or authorized representative. Where CPA has provided an alternate method of submission, you are not required to send protected information via email or fax. For more security, you may submit your information via postal mail or the online system provided by CPA.

Does CPA Use Any Generative Artificial Intelligence (“Gen AI”) Technologies?

CPA recognizes the value and potential of modern (e.g., Generative) Artificial Intelligence (AI) technology as a tool to support and complement work processes. When leveraging AI technology for agency purposes our users must ensure final decisions are made by qualified humans, considering the output and recommendations provided by AI systems, and must not provide AI with protected information (i.e., sensitive or confidential) unless explicitly authorized by management and via appropriate agency approval processes.

What Can I Do With My Information?

With few exceptions, you have the right to request, receive, review, and correct any information about you in our possession. To request your information from CPA for review, please submit your request via one of the methods listed below and ensure your request includes enough description and detail so we may accurately identify and locate your information.

By email:
Open Records
Online:
FYI Open Records Tool
By mail:
Open Records Section
Comptroller of Public Accounts
P.O. Box 13528
Austin, TX 78711-3528
By FAX:
512-475-1610
In person:
Open Records Section
Comptroller of Public Accounts
111 E. 17th St.
LBJ State Office Bldg., Third Floor
Austin, TX 78701
Request a Correction

To request a correction of incorrect information about yourself, submit your request via one of the methods listed above or directly via our site for common changes listed below.

For filing taxes:

Does the Texas Data Privacy and Security Act Apply to CPA?

No, the Texas Data Privacy and Security Act, which went into effect July 1, 2024, does not apply to State Agencies such as CPA. This and other applicability exceptions are outlined in the Act (Texas Business and Commerce Code Section 541.002). For further information refer to the Texas Attorney General’s website on the Act or the Act (Tex. Bus. & Comm. Code Ch. 541).

Non-CPA Website Links Disclaimer

CPA's websites contain links to other websites for your information and convenience. CPA has no control over the privacy practices or the content of such other websites. Please review the privacy information provided by these sites.

The responsibility for the content and accuracy of information on sites accessed by linking from our websites rests with the entities providing the information. This includes any responsibility for updating information upon which visitors may rely.

The inclusion of links from our sites to others does not imply any endorsement by CPA of any product, service, or vendor. Any mention of products, services, or vendors is for informational purposes only.

Read details on CPA's Link Policy.

Policy Disclaimer and Limitation of Liability

The information provided in this privacy policy should not be construed as giving business, legal, or other advice, or warranting as fail-proof the security of information provided through our websites.

Information on CPA's sites is public domain and may be copied and used as permitted by law, with the exception of pictures, official symbols, and registered service marked names and logos. While CPA attempts to maintain a high degree of accuracy, we will not be held liable for errors or omissions that may occur.

CPA is not an operator of websites or online services directed at children under 13 years of age and does not knowingly collect protected information (i.e., sensitive or confidential) from children without parental consent. Users are cautioned, however, that the collection of protected information via an interactive application or email will be treated as though it was submitted by an adult, and may, unless exempted from access by federal or state law, be subject to public access. CPA strongly encourages parents and teachers to be involved in children's Internet activities, and to provide guidance whenever children are asked to provide protected information online.

Glossary
Application Programming Interface (API)
A set of subroutine definitions, protocols, and tools for building application software. In general terms, it is a set of clearly defined methods of communication between various software components.
Confidential Information
Information typically excepted from public disclosure, whether specified in law or through a decision by the Open Records Division of the Texas Attorney General's office. This includes Sensitive Personal Information (SPI), as defined by Tex. Bus. & Comm. Code Ch. 521.
Cookie
A small piece of data sent from a website and stored in the user's web browser while the user is browsing it. Cookies can be disabled by adjusting the browser settings. If the cookies are disabled in the browser, certain parts of our website might not be accessible.
Covered Application
The social media service TikTok or any successor application or service developed or provided by ByteDance Limited or an entity owned by ByteDance Limited, or a social media application or service specified by proclamation of the Governor. ~ Tex. Gov’t Code § 620.001(1)
Government Entity
A department, commission, board, office, or other agency in the executive or legislative branch of state government created by the constitution or a statute, including an institution of higher education; the supreme court, the court of criminal appeals, a court of appeals, a district court, or the Texas Judicial Council or another agency in the judicial branch of state government; or a political subdivision of this state, including a municipality, county, or special purpose district. ~ Tex. Gov’t Code § 620.001(1)
Internet Protocol (IP) Address
A unique string of numbers separated by periods that identifies each computer using the Internet Protocol to communicate over a network.
Internet Service Provider (ISP)
An organization that provides services for accessing, using, or participating on the Internet.
JavaScript
An object-oriented computer programming language commonly used to create interactive effects within web browsers.
Multifactor Authentication (MFA)
More than one factor of authentication, i.e., something you know (e.g., a User ID in combination with a password), something you have (e.g., an ID badge or a cryptographic key), or something you are (e.g., a fingerprint or other biometric data).
Prohibited Technology(ies)
A social media application or service determined to pose a risk to the state of Texas by proclamation of the Governor or by DIR or DPS and published in a list on DIR’s website.
Protected Information
Information including both sensitive information and confidential information.
Public Information
Information available to the public freely and without reservation. Such information requires no authentication and is freely distributable by all agency personnel.
Regulated Information
Information typically controlled by federal or state regulation or other third-party agreement. This information may be protected or public, but is subject to additional controls regarding its protection or disclosure.
Sensitive Information
Information that may be subject to public release under an open records request. The information should be vetted and verified before release. This includes Personal Identifying Information (PII), as defined by Tex. Bus. & Comm. Code Ch. 521.
Software Development Kit (SDK)
A set of software development tools that allows the creation of applications for a certain software package, software framework, hardware platform, computer system, video game console, operating system, or similar development platform.
State Agency
A department, commission, board, office, council, authority, or other agency in any branch of state government that is created by the constitution or a statute of the State of Texas, including a university system or institution of higher education as defined by Tex. Educ. Code § 61.003. ~ Tex. Bus. & Comm. Code § 541.001(30)

Contact Us

If you have questions, comments, or concerns about CPA's Privacy and Security Policy, please email the Information Security Division's Privacy Office.

Or mail us at:

Information Security
Comptroller of Public Accounts
P.O. Box 13528, Capital Station
Austin, TX 78711-3528

If you require special accommodation pursuant to the Americans with Disabilities Act, please contact our Workplace Accommodations Coordinator at 512-475-3560.