
District of Columbia - Data Protection Overview

June 2020

1. RIGHT TO PRIVACY/ CONSTITUTIONAL PROTECTION 

1.1. Constitutional protection

Section 4 of Article I of the Constitution for the State of New Columbia 1982 provides, in part, '[i]ndividual privacy with respect to personal bank accounts, health, academic, employment, communications, and similar records, the disclosure of which would constitute an invasion of the privacy of the individual concerned, is a right, the protection of which shall be provided by law.'

1.2. Common law tort for invasion of privacy

The District of Columbia ('DC') courts have "long recognized"[1] the common law tort for the invasion of privacy. As stated by the U.S. District Court for the District of Columbia ('the DC District Court') in 1948, "[a] person who unreasonably and seriously interferes with another's interest in not having his affairs known to others [...] is liable to the other."[2]

DC courts have adopted the Restatement (Second) of Torts to "determin[e] the appropriate contours of a cause of action for invasion of privacy."[3] This involves an interplay of four torts under which a plaintiff may bring suit.

"The four constituent torts are:

  • intrusion upon one's solitude or seclusion;
  • public disclosure of private facts;
  • publicity that places one in a false light in the public eye; and
  • appropriating one's name or likeness for another's benefit."[4]

Courts have held that publication of a photograph of a non-public person without their consent is a violation of that right.[5]

1.3. Recent developments

In March 2020, the Mayor of DC signed into law the Security Breach Protection Amendment Act of 2020 ('the 2020 Breach Amendment'), which updated DC's breach notification law. The 2020 Breach Amendment took effect in June 2020 and added several major changes to DC's breach notification law, codified under §28–3851 et seq. of Subchapter II of Chapter 38 of Title 28 of the Code of the District of Columbia ('D.C. Code') ('the Breach Notification Law'), first enacted in 2007. Those changes include:

  • an expanded definition of personal information;
  • required contents of a security breach notice;
  • time frames for reporting breaches;
  • required written notice of a breach to the Office of the Attorney General for the District of Columbia ('AG');
  • cybersecurity requirements;
  • an 18-month identity theft prevention service for individuals when a breach results in the release of social security or tax identification numbers; and 
  • the incorporation of personal information protection requirements under DC's consumer protection law. 

These revisions, as well as statements by the AG, indicate that DC is interested in advancing privacy protections in the coming years.

2. KEY PRIVACY LAWS

2.1. The CPPA

One of the privacy law enforcement tools employed by the AG is Chapter 39 of Title 28 of the D.C. Code, referred to as the 'Consumer Protection Procedures Act' ('CPPA'). Similar to the Federal Trade Commission's ('FTC') practice of bringing enforcement actions against companies for violations of their privacy policies under the Federal Trade Commission Act of 1914, the AG is taking the same tack with similar enforcement actions, as with a 2018 complaint.[6]

The CPPA prohibits unfair and deceptive practices in connection with the offer, sale, and supply of consumer goods and services, and establishes an enforceable right to truthful information from merchants about consumer goods and services. Where a company makes representations to consumers, either express or implied, that it will protect the privacy of consumers' personal information, that company may be liable under the CPPA for any misrepresentations as unfair and deceptive trade practices. §28-3904(f)-(f-1) of the CPPA provides, 'It shall be a violation of this chapter for any person to engage in an unfair or deceptive trade practice, whether or not any consumer is in fact misled, deceived, or damaged thereby, including to […] fail to state a material fact if such failure tends to mislead [or] [u]se innuendo or ambiguity as to a material fact, which has a tendency to mislead.' As argued by the AG in his December 2018 complaint mentioned above, "[t]he CPPA is a remedial statute that is to be broadly construed." 

The CPPA was also used recently by the AG in an enforcement action against an insurance company. The insurance company settled with the AG in October 2018, resolving the AG's claims that it had violated the CPPA by failing to protect consumers' confidential health information and deceiving consumers about the company's ability to safeguard their health information (see in further detail under section 3 below).

2.2. Consumer security breach notification

The Breach Notification Law went into effect in 2007 with the 2020 Breach Amendment taking effect in June 2020. The Breach Notification Law applies to any person or entity that conducts business in DC and, in the course of its business, owns or licenses computerised or other electronic data that include personal information. The 2020 Breach Amendment added a new definition of 'person or entity,' which is 'an individual, firm, corporation, partnership, company, cooperative, association, trust, or any other organization, legal entity, or group of individuals,' and excludes the DC Government and its agencies. In the event of a security breach, which is defined below, such an entity must notify any resident whose personal information was involved in the breach. The Breach Notification Law also applies to any person or entity who maintains, handles, or otherwise possesses computerised or other electronic data that includes personal information that they do not own. In the event of a security breach, such an entity must notify the owner or licensee of the personal information. In both scenarios, the entity must issue its notice 'in the most expedient time possible' (§28-3852(a)-(b) of the Breach Notification Law). Under the 2020 Breach Amendment, notice must also be provided to the AG's Office in instances where the breach affects 50 or more DC residents. This notice must also be made 'in the most expedient manner possible,' 'without unreasonable delay,' and no later than when notice is provided to residents (§28-3852(b-1) of the Breach Notification Law).

The 2020 Breach Amendment provides additional notice requirements. Notice to residents must include, to the extent possible (§28-3852(a-1) of the Breach Notification Law): 

  • a description of the categories of information reasonably believed to have been compromised, including elements of personal information;
  • specified contact information for the person or entity making the notice;
  • specified contact information for major consumer reporting agencies and a statement of the resident's right to obtain security freeze free of charge and how to request a security freeze; and 
  • specified contact information for the FTC and AG, and a statement on how to obtain information from these sources on identity theft.

Notice to the AG must include (§28-3852(b-1) of the Breach Notification Law): 

  • name and contact information for the person or entity reporting the breach;
  • name and contact information of the person or entity that experienced the breach; 
  • nature of the breach; 
  • types of personal information compromised; 
  • number of DC residents impacted; 
  • cause of the breach; 
  • remedial action taken; 
  • date and time frame of the breach; 
  • address and location of the corporate headquarters if the headquarters are located outside of DC; 
  • knowledge of foreign involvement in the breach; and 
  • a sample notice to DC residents.

Notice must also be provided to consumer reporting agencies where more than 1,000 individuals must be notified (§28-3852(c) of the Breach Notification Law).

Persons or entities that maintain notification procedures pursuant to requirements under the Gramm-Leach-Bliley Act of 1999 ('GLBA'), the Health Insurance Portability and Accountability Act of 1996 ('HIPAA'), or the Health Information Technology for Economic and Clinical Health Act of 2009 ('HITECH'), and provide notice to impacted DC residents, will be deemed in compliance with the law's notification requirements, provided they also notify the AG's Office (§28-3852(g) of the Breach Notification Law).

The definition of personal information was expanded significantly under the 2020 Breach Amendment, and is now defined as (§28-3851(3)(A) of the Breach Notification Law):

  • an individual's first name or first initial and last name, or any other personal identifier, which, in combination with any of the following can be used to identify a person or a person's information: 
    • any unique government-issued identification number, including social security number, taxpayer identification number, passport number, driver's license number, DC identification card number, or military identification number;
    • any number, code, or combination, including security or access code, allowing access to or use of an individual's financial or credit account, including account number, credit card number, or debit card number;
    • medical, genetic and deoxyribonucleic acid, health insurance, or biometric data (medical and genetic information are separately defined in the statute); or
    • any combination of data elements identified in the statutory definition that would allow a person to commit identity theft without reference to a person's first name or first initial and last name or other independent identifier;
  • a username or email address in combination with a password, security question and answer, or other means of authentication, or combination of the elements identified in the statutory definition that would allow access to an individual's email account.

A 'security breach' is defined under the law as the 'unauthorized acquisition of computerized or other electronic data, or any equipment or device storing such data, that compromises the security, confidentiality, or integrity of personal information maintained by the person or entity who conducts business in the District of Columbia.' There are exceptions for 'good-faith' acquisition of personal information, acquisition of data rendered unusable by unauthorised third parties (unless the information may compromise security protection), and acquisition of personal data reasonably determined unlikely to result in harm to the individual after consultation with the AG's Office (§28-3851(1)(B)(iii) of the Breach Notification Law).

The 2020 Breach Amendment added a new section to the Breach Notification Law on remedies, in particular §28-3852.02 of the Breach Notification Law, and also revised the statute's enforcement provisions. These sections provide for identity theft protection and civil remedies under DC's consumer protection laws. When a data breach is reasonably believed to include DC residents' social security numbers or taxpayer identification numbers, the breached entity must offer impacted DC residents identity theft protections at no cost for at least 18 months (§28-3852.02 of the Breach Notification Law). Violations of the Breach Notification Law may be considered 'unfair and deceptive trade practice[s]' under DC law, subjecting entities to pay consumers treble damages or $1500 per violation, as well as actual damages (§28-3853 of the Breach Notification Law).

3. HEALTH DATA

The 2020 Breach Amendment added new categories of personal information to be covered under the Breach Notification Law. These new categories include genetic information, medical information, health insurance information, and biometric data (§28-3851 of the Breach Notification Law). The 2020 Breach Amendment also added new security requirements for personal information (discussed below). Since the Breach Notification Law now requires 'reasonable security safeguards' for personal information, including 'procedures and practices that are appropriate to the nature of the personal information,' persons or entities that own, license, maintain, handle, or otherwise possess health data are now required to implement reasonable security requirements to protect that data. The D.C. Code includes a number of other healthcare-based provisions that incorporate privacy standards. These include:

In addition, the CPPA has been used to protect DC residents against unfair or deceptive practices in the use and maintenance of their health information. For instance, and as referenced in section 2.1. above, the AG settled an action against an insurance company in October 2018 for the company's alleged mishandling of protected health information and improper disclosures of patients' HIV status. According to the AG, the company 'revealed consumers' HIV status by mailing notices in envelopes with large transparent windows that allowed the words 'HIV medications' to be seen in the enclosed document.' The AG alleged that the company's actions violated both HIPAA and the CPPA.

4. FINANCIAL DATA

DC law contains a statutory provision barring identity theft. The law focuses on the theft of personal information with the intent to fraudulently obtain property, and DC law defines 'identity theft' to include (§22–3227.02 of Subchapter III-C of Chapter 32 of Title 22 of the D.C. Code):

  • using personal identifying information belonging to or pertaining to another person to obtain, or attempt to obtain, property fraudulently and without that person's consent; 
  • obtaining, creating, or possessing personal identifying information belonging to or pertaining to another person with the intent to:
    • use the information to obtain, or attempt to obtain, property fraudulently and without that person's consent; or
    • give, sell, transmit, or transfer the information to a third person to facilitate the use of the information by that third person to obtain, or attempt to obtain, property fraudulently and without that person's consent. 

Penalties include civil fines and restitution. DC courts are authorised under law to order relevant DC agencies to correct official records on an expedited basis when an individual has been the victim of identity theft and petitions a court to correct a DC public record that is incorrect due to such identity theft (D.C. Code §22–3227.05).

5. EMPLOYMENT DATA

The Fair Credit in Employment Amendment Act of 2016 amended the Human Rights Law, codified under Unit A of Chapter 14 of Title 2 of the D.C. Code, to include 'credit information' as the law's 20th protected trait. The Human Rights Law bars employers, employment agencies, and labour organisations in DC from discriminating against an employee or an applicant based on their credit information, in addition to other protected classes, including race, colour, religion, national origin, sex, age, marital status, personal appearance, sexual orientation, gender identity or expression, family responsibilities, genetic information, disability, matriculation, and political affiliation (§2-1402.11 of the Human Rights Law).

Subchapter I of Chapter 13B of Title 32 of the D.C. Code prohibits employers with more than ten employees in DC from asking applicants about their criminal history on an initial job application, subject to very limited exceptions, until after making a conditional job offer. Once a conditional offer of employment has been extended, employers may ask only about criminal convictions. Once a conditional offer of employment has been made, employers may only withdraw the offer of employment or take adverse action in limited circumstances (D.C. Code §32-1342). 

DC employment law also addresses privacy issues in the area of employment services agencies licensing and regulation. In particular, §32-409 of Chapter 4 of Title 32 of the D.C. Code requires express written authorisation of a job-seeker before disclosing his/her name, home address, or telephone number to any person other than to the Mayor of DC or their representative, pursuant to an investigation.

6. ONLINE PRIVACY

DC's Protecting Students Digital Privacy Act of 2016 ('the Student Privacy Act'), codified under Chapter 8B of Title 38 of the D.C. Code, went into effect in February 2017. The Student Privacy Act applies to website, online service, online application, or mobile application providers for pre-K-12 services. Generally speaking, it requires those providers to implement and maintain appropriate security measures to protect students' personal information. It prohibits those providers from using students' personal information for targeted advertising. Further, the Student Privacy Act prohibits those providers from disclosing students' personal information, except in limited circumstances. Educational institutions that provide devices to their students are prohibited, under the law, from accessing or tracking devices or activity on the device, except in limited circumstances. Educational institutions are also prohibited from searching or compelling students and prospective students to make accessible their personal media accounts and personal devices.

'Personally identifiable student information' is defined under the Student Privacy Act as data that 'alone or in combination with other data is linked to a specific student that would allow a reasonable person, who does not have personal knowledge of the relevant circumstances, to identify the student with reasonable certainty.' The Student Privacy Act lists, by way of example, the following categories of data (§38-831.01(14) of the Student Privacy Act): 

  • student's name;
  • name of a student's parent or other family member;
  • the address of a student or student's parent or other family member;
  • a photograph, video, or audio recording that contains the student's image or voice; and 
  • indirect identifiers, including:
    • a student's social security number;
    • student number;
    • telephone number;
    • credit card account number;
    • insurance account number;
    • financial services account number;
    • customer number;
    • geolocation information;
    • persistent unique identifier;
    • email address;
    • social media address;
    • online username; or
    • other personal electronic identifier.

7. UNSOLICITED COMMERCIAL COMMUNICATIONS

DC has several laws in place to protect consumers from unwanted commercial communications. While DC does not maintain a separate state do-not-call database, DC residents may register on the FTC's National Do Not Call Registry, which protects them from unsolicited telemarketing calls (with certain exceptions for existing business relationships and prior consent).

Under §22-3226.15 of Subchapter III-B of Chapter 32 of Title 22 of the D.C. Code, within the first thirty seconds of a telephone solicitation call, the caller must disclose the caller's true first and last name, the company on whose behalf the solicitation is being made, and the goods or services to be sold. DC law prohibits the use of an automated call with a pre-recorded or synthesised voice message to make solicitation calls, unless the calling party has a prior business relationship with the called party and the call concerns the same type of products or services (§34–1701 of Chapter 17 of Title 34 of the D.C. Code).

DC requires telephone solicitors to file and maintain a registration with the DC Government, with certain exceptions (D.C. Code §22–3226.02). Further, DC law declares certain acts that impact consumer privacy as 'abusive telemarketing practices.' These acts include (D.C. Code §22–3226.08):

  • causing a telephone to ring more than 15 times in an intended telephone solicitation call;
  • initiating a telephone solicitation call to a consumer after the same consumer has expressly stated that they do not wish to receive solicitation calls from that seller; or
  • engaging in telephone solicitation to a consumer's residence at any time before 8:00 a.m. and after 9:00 p.m. local time at the place where the consumer is called.

Remedies include civil and criminal penalties, and a private right of action.

DC follows the majority 'one party' consent rule for recording telephone calls (§23-542(b)(3) of Subchapter III of Chapter 5 of Title 23 of the D.C. Code). Thus, as long as one party to the call consents, such as the party who is recording the telephone call, the call may be recorded.

8. PRIVACY POLICIES

While DC law does not provide for specific content or notice requirements for entities' privacy policies, as noted above, the AG has investigated companies for their failure to adhere to their privacy policies. The AG has initiated these actions under the CPPA. While consumers also may bring private actions under the CPPA, issues of standing (and injury in fact) have barred their success in DC courts. For example, in Austin-Spearman v. AARP & AARP Servs. Inc., 119 F. Supp. 3d 1 (D.D.C. 2015), the court held that even if a website violated its own privacy policy prohibiting it from sharing personally identifiable information with third parties, a user whose information was shared after they purchased membership to the website lacked an economic injury as a result, and thus suffered no injury-in-fact, as required for Article III standing to bring a putative class action against the website owner for breach of contract and violation of the CPPA. The promises made in the website's privacy policy were offered to members and non-members alike, so were not part of the user's binding membership contract, and the user had received all membership benefits or services for which they had paid.

9. DATA DISPOSAL/CYBERSECURITY/DATA SECURITY

There are currently two legal frameworks for addressing data security under DC law, namely, the CPPA and the Breach Notification Law. Both of these have been discussed in sections 1 and 2 above. Both laws allow for regulatory enforcement and a private right of action for failure by an entity to adhere to its privacy policy and terms of use, or failure by an entity to adhere to statutory notice requirements in the event of a breach, as well as security requirements as set forth under the Breach Notification Law. Private rights of action have not been successful to date. While the DC District Court recently acknowledged that a plaintiff may establish standing in a data breach case by virtue of having his/her sensitive data breached, that plaintiff's suit was nonetheless dismissed for failure to state a claim.[7]

The 2020 Breach Amendment added a new section for security requirements (§28-3852.01 of the Breach Notification Law). DC law now requires entities that handle the personal information of DC residents to, 'implement and maintain reasonable security safeguards,' that are, 'appropriate to the nature of the personal information and the nature and size of the entity or operation' (§28-3852.01(a) of the Breach Notification Law). The law also requires that entities ensure service providers undertake appropriate security measures reasonably designed to protect the personal information, and which need to be set forth in a written agreement (§28-3852.01(b) of the 2020 Breach Amendment). Finally, the law now requires that entities undertake security measures when destroying records that contain personal information (§28-3852.01(c) of the Breach Notification Law). Persons or entities that maintain security procedures in compliance with the GLBA, HIPAA, or HITECH will be deemed in compliance with the law's security requirements.

10. OTHER SPECIFIC JURISDICTIONAL REQUIREMENTS

The 2020 Breach Amendment added 'biometric data' as a category of 'personal information' under the statute (§28-3851(3)(A) of the Breach Notification Law). Biometric data is defined as data, 'of an individual generated by automatic measurements of an individual's biological characteristics, such as a fingerprint, voice print, genetic print, retina or iris image, or other unique biological characteristic, that is used to uniquely authenticate the individual's identity when the individual accesses a system or account.' Since the law now requires, 'reasonable security safeguards' for personal information, including 'procedures and practices that are appropriate to the nature of the personal information,' (see section 9 above) persons or entities that own, license, maintain, handle, or otherwise possess biometric data are now required to implement reasonable security requirements to protect that data.


1. Vassiliades v. Garfinckel's, Brooks Bros., 492 A.2d 580, 587 (D.C. 1985), noting the right of a privacy personality and emotional security. Afro-Am. Pub. Co. v. Jaffe, 366 F.2d 649, 653 (D.C. Cir. 1966).

2. Peay v. Curtis Pub. Co., 78 F.Supp. 305, 309 (D.D.C.1948).

3. Doe v. Bernabei & Wachtel, PLLC, 116 A.3d 1262, 1266 (D.C. 2015), citing Budik v. Howard Univ. Hosp., 986 F.Supp.2d 1, 11 (D.D.C.2013) and Vassiliades v. Garfinckel's, Brooks Bros., 492 A.2d 580, 587 (D.C.1985).

4. Id., citing Wolf v. Regardie, 553 A.2d 1213, 1217 (D.C. 1989).

5. Vassiliades, 492 A.2d at 587 citing Peay v. Curtis Publishing Co., 78 F.Supp. 305, 309 (D.D.C.1948).

6. District of Columbia v. Facebook Inc., 2018 CA 008715 B, District of Columbia Superior Court (Washington). The AG filed suit against Facebook for allegedly violating the CPPA. The case was brought in response to the Cambridge Analytica scandal. In the suit, the AG alleged that Facebook failed to safeguard DC users' personal data by allowing the UK consulting firm to mine individuals' data for the 2016 US presidential campaign. The court rejected Facebook's attempts to dismiss the case, and the case is pending as of May 2020.

7. See Attias v. CareFirst, Inc., No. 15-CV-00882 (CRC), 2019 WL 367984, at *16 (D.D.C. Jan. 30, 2019).