District of Columbia - Sectoral Privacy Overview

August 2022


1.1. Constitutional protection

§4 of Article I of the Constitution for the State of New Columbia 1982 provides, in part, that '[i]ndividual privacy with respect to personal bank accounts, health, academic, employment, communications, and similar records, the disclosure of which would constitute an invasion of the privacy of the individual concerned, is a right, the protection of which shall be provided by law'.

1.2. Common law tort for invasion of privacy

The District of Columbia ('DC') courts have "long recognized"1 the common law tort for the invasion of privacy. As stated by the U.S. District Court for the District of Columbia ('the DC District Court') in 1948, "[a] person who unreasonably and seriously interferes with another's interest in not having his affairs known to others [...] is liable to the other2".

DC courts have adopted the Restatement (Second) of Torts to, "determin[e] the appropriate contours of a cause of action for invasion of privacy3". This involves an interplay of four torts under which a plaintiff may bring suit.

"The four constituent torts are:

  • intrusion upon one's solitude or seclusion;
  • public disclosure of private facts;
  • publicity that places one in a false light in the public eye; and
  • appropriating one's name or likeness for another's benefit4".

Courts have held that publication of a photograph of a non-public person without their consent is a violation of that right5.

1.3. Recent developments

The most significant development in recent DC history occurred in 2020, with the passage of DC's new data breach law. In March 2020, the Mayor of DC signed into law the Security Breach Protection Amendment Act of 2020 ('the 2020 Breach Amendment'), which updated DC's breach notification law. The 2020 Breach Amendment took effect in June 2020 and made several major changes to DC's breach notification law, codified under §§28–3851 et seq. of Subchapter II of Chapter 38 of Title 28 of the Code of the District of Columbia ('D.C. Code') ('the Breach Notification Law'), first enacted in 2007. Those changes include:

  • an expanded definition of personal information;
  • required contents of a security breach notice;
  • time frames for reporting breaches;
  • required written notice of a breach to the Office of the Attorney General for the District of Columbia ('AG');
  • cybersecurity requirements;
  • an 18-month identity theft prevention service for individuals when a breach results in the release of social security or tax identification numbers; and
  • the incorporation of personal information protection requirements under DC's consumer protection law.

These revisions, as well as statements by the AG, indicate that DC is interested in advancing privacy protections in the coming years.

Other developments on the horizon include several proposed pieces of legislation to buttress DC's legal framework for protecting individuals' data privacy. The DC Council (the District's equivalent of a legislature), which is responsible for legislation in the District, is considering multiple bills that would add or amend key provisions in DC laws addressing privacy. Should these bills go forward, they will need to be approved by the District's mayor and the federal Congress (this legislative process is unique to the District). This means that the proposals are not current law, but rather a forecast of the landscape of privacy protections for DC residents.

Uniform Personal Data Protection Act of 2021

In October 2021, DC became the first jurisdiction in the US to introduce the Uniform Personal Data Protection Act ('UPDPA') into its legislature. The UPDPA is a model act adopted by the National Conference of Commissioners on Uniform State Laws. It is the privacy law equivalent of other uniform codes, such as the Uniform Commercial Code and the Uniform Trade Secrets Act. The UPDPA was introduced as a way to adopt a modern privacy scheme that avoids high costs for compliance and enforcement. It also avoids the anticompetitive effects of other regulatory acts. The UPDPA was introduced to the DC legislature on 18 October 2021 as Bill 24-0451. The bill was referred to the Committee on Judiciary and Public Safety, where it currently sits. If passed, this bill will be codified as §28-5501–28-5519 of the D.C. Code.

While the bill itself is quite extensive, the DC Council points out key characteristics of the bill as it pertains to privacy protection. The UPDPA divides data practice into three distinct categories: compatible data practices, prohibited data practices, and incompatible (but possible through an individual's consent) data practices.

The UPDPA applies to controllers and processors that conduct businesses or services in, or directed to, the DC area. For the law to apply, controllers and processors must also maintain personal data of more than 50,000 DC residents, or earn more than 50% of their income from maintaining DC residents' personal data. Outside of these requirements, the UPDPA also applies to companies maintaining personal data for incompatible or prohibited data practices.

The UPDPA gives data subjects (i.e. DC residents whose personal data is at issue) non-waivable rights. These rights include the right to a copy of the data and the right to have the collecting controller correct or amend their data.

The UPDPA also seeks to avoid conflict with established legal schemes. Like privacy frameworks in other US jurisdictions, the UPDPA provides that transactions covered under federal statutes are exempt from the requirements of the law. Furthermore, the UPDPA gives power to the AG to decide whether a certain transaction is to be covered by another jurisdiction. If the AG determines this to be the case, that transaction is exempt.

The UPDPA does not have its own enforcement scheme. Rather, it applies established consumer protection procedures. Finally, the UPDPA does not displace general causes of action such as defamation, invasion of the right of privacy, and intentional infliction of emotional harm.

Consumer Protection Procedures Amendment Act of 2022

The Consumer Protection Procedures Act ('CPPA') has been cited as one of the most effective tools for protecting consumers from deceptive and unfair conduct by businesses in the DC area. The CPPA is used by the AG as a privacy law enforcement tool. The proposed act to amend the CPPA arose from certain enforcement actions brought by the Office of the AG ('OAG') in which the AG identified areas that would benefit from clarification. The main purpose of the proposed amendments is to provide that clarification. The DC Council noted that these clarifications aim to provide enhanced remedies and give the OAG additional tools to protect consumers. Some of the key amendments to the CPPA are listed below.

  • The definition section adds the word 'suppliers' to the definition of a merchant. This amendment is made to align the code with a recent case brought by a non-profit against Facebook, in which Facebook had claimed it was not a merchant under the CPPA because it was providing a free service (see §28-3901 of the D.C. Code).
  • The Department of Consumer and Regulatory Affairs no longer would be the principal consumer protection agency (see §28-3902 of the D.C. Code, repealed).
  • 'Unlawful practice' is added to the language of the statute as well as the addition of a subsection that prevents companies from retaliating against consumers that file complaints against them (§28-3904 of the D.C. Code).
  • A minimum financial penalty is added to deter companies from engaging in unfair practices (§28-3909 of the D.C. Code).
  • The AG would have the power to serve interrogatories in their investigations (§28-39010 of the D.C. Code).

These amendments to the CPPA were introduced to the DC legislature on 9 February 2022 as Bill 24-0658. The bill was referred to the Committee of the Whole, where it currently sits.

Revised Criminal Code Act of 2021

Bill 24-416 for the Revised Criminal Code Act of 2021 states that the purpose of the proposed amendment to the criminal code is to modernise many of the criminal offences covered in it. This would be the first amendment to the D.C. Code since it was first adopted in 1901. The main section that is relevant to privacy is found in changes to the crime of identity theft.

These amendments to the D.C. Code were introduced to the DC legislature on 1 October 2021. The bill was referred to the Committee on Judiciary and Public Safety, which has since held three public hearings. As of April 2022, this bill still sits in the legislature.

This new bill would repeal the old identity theft statutes, which are currently codified as §22-3227.02-.08 of the D.C. Code. The criminal elements of identity theft would instead be codified under a single section, §22A-3305 of the D.C. Code. Notable changes include a clarification of the penalties section: the new section defines five different degrees of identity theft, and the penalties section would be clarified by defining which class of felony or misdemeanour applies to each degree.

Human Rights Enhancement Amendment Act of 2021

The Human Rights Enhancement Amendment Act of 2021 was introduced to the DC legislature on 29 April 2021 as Bill 24-0229. The bill was referred to the Committee on Government Operations and Facilities, which held one public hearing on 6 October 2021. As of April 2022, this bill still sits in the legislature.

These proposed amendments to the Human Rights Enhancement Act centre on the growing homelessness issue affecting the US. In the summary paragraph above the amendments, the bill states that the amendments are to 'protect individuals experiencing homelessness from discrimination, to provide training for law enforcement personnel on the impact of enforcement decisions on people experiencing homelessness and the protections against discrimination in this act, to prohibit employment discrimination against contractors, and to clarify and enhance protections against workplace harassment'.

As it pertains to privacy, the one relevant change would be the amendment to §2-1402.11 of the D.C. Code. This amendment would change the wording from 'credit information' to 'credit information or homeless status'. This means that the personal information on an individual's homeless status becomes a relevant piece of data for consumer protection proceedings.

In addition, the Office of the AG of the District of Columbia has been active in suing major online services for alleged violations of individuals' privacy. Certain actions are discussed below.


In October 2021, the AG amended its 2018 lawsuit against Facebook to add CEO Mark Zuckerberg as a defendant. The case against Facebook had originally been brought by the AG in response to allegations surrounding the Cambridge Analytica scandal, including allegations that Facebook was deceiving its consumers about the precautions it was taking to protect user data. A statement on the AG's website cites the review of thousands of pages of documents, depositions from directors and former employees, and Zuckerberg's public statements as the due diligence required to add Zuckerberg as a defendant. In the statement, the AG said that the evidence to date demonstrated that Zuckerberg was aware of the allegedly deceptive practices and even actively participated in the business decisions that led to Cambridge Analytica's collection of Facebook user data. The AG also alleged that Zuckerberg made misrepresentations to Facebook users, government officials, and the public concerning the security of Facebook user data and the role Facebook played in the use of that data. The AG stated that, based on the information it had gathered and reviewed, adding Zuckerberg to the lawsuit was warranted. This action, according to the AG, also sent a strong message to corporate leaders that they will be held accountable for their actions. The suit is still pending before the Superior Court of the District of Columbia.


In January 2022, AG Racine led a bipartisan coalition of four states' AGs to file suit against Google for 'deceiving and manipulating consumers to gain access to their location data, including making it nearly impossible for users to stop their location from being tracked'. The complaint alleged that these practices had been in place since 2014, and allegedly implemented in a way that effectively leaves no way for consumers of Google products to prevent the company from collecting, storing, and profiting from their location technologies.

In a press statement, Racine stated, "Google falsely led consumers to believe that changing their account and device settings would allow customers to protect their privacy and control what personal data the company could access". Racine went on to say that he hopes to hold Google accountable for the alleged deceptive practices.

The AG opened an investigation into Google's data practices in 2018 following a story released by the Associated Press. This investigation led to the discovery of actions that the AG claimed violated state consumer protection law, which includes DC's Consumer Protection Procedures Act. Specifically, the investigation found consumers were harmed by: (1) making it impossible for users to opt out of having their location tracked, (2) deceiving users about their ability to protect their privacy through account settings, (3) misleading Android users about their ability to protect their privacy through their device settings, and (4) relying on dark patterns to undermine users' informed choices.

The AG seeks an injunction to stop these alleged deceptive practices and damages in the form of disgorged profits based on the unlawful location tracking.



2.1. The CPPA

One of the privacy law enforcement tools employed by the AG is Chapter 39 of Title 28 of the D.C. Code, referred to as the Consumer Protection Procedures Act ('CPPA'). Similar to the Federal Trade Commission's ('FTC') practice of bringing enforcement actions against companies for violations of their privacy policies under the Federal Trade Commission Act of 1914, the AG is taking the same tactic with similar enforcement actions.

The CPPA prohibits unfair and deceptive practices in connection with the offer, sale, and supply of consumer goods and services, and establishes an enforceable right to truthful information from merchants about consumer goods and services. Where a company makes representations to consumers, either express or implied, that it will protect the privacy of consumers' personal information, that company may be liable under the CPPA for any misrepresentations as unfair and deceptive trade practices. §§28-3904(f) to (f-1) of the CPPA provide that '[i]t shall be a violation of this chapter for any person to engage in an unfair or deceptive trade practice, whether or not any consumer is in fact misled, deceived, or damaged thereby, including to […] fail to state a material fact if such failure tends to mislead [or] [u]se innuendo or ambiguity as to a material fact, which has a tendency to mislead.' As argued by the AG in the December 2018 complaint mentioned above, "[t]he CPPA is a remedial statute that is to be broadly construed".

The CPPA was also used recently by the AG in an enforcement action against an insurance company. The insurance company settled with the AG in October 2018, resolving the AG's claims that it had violated the CPPA by failing to protect consumers' confidential health information and deceiving consumers about the company's ability to safeguard their health information (see in further detail under section 3 below).

2.2. Consumer security breach notification

The Breach Notification Law went into effect in 2007 with the 2020 Breach Amendment taking effect in June 2020. The Breach Notification Law applies to any person or entity that conducts business in DC and, in the course of its business, owns or licenses computerised or other electronic data that include personal information. The 2020 Breach Amendment added a new definition of 'person or entity', which is 'an individual, firm, corporation, partnership, company, cooperative, association, trust, or any other organization, legal entity, or group of individuals', and excludes the DC Government and its agencies.

In the event of a security breach, which is defined below, such an entity must notify any resident whose personal information was involved in the breach. The Breach Notification Law also applies to any person or entity who maintains, handles, or otherwise possesses computerised or other electronic data that includes personal information that they do not own. In the event of a security breach, such an entity must notify the owner or licensee of the personal information. In both scenarios, the entity must issue its notice 'in the most expedient time possible' (§28-3852(a) to (b) of the Breach Notification Law). Under the 2020 Breach Amendment, notice must also be provided to the AG's Office in instances where the breach affects 50 or more DC residents. This notice must also be made 'in the most expedient manner possible', 'without unreasonable delay', and no later than when notice is provided to residents (§28-3852(b-1) of the Breach Notification Law).

The 2020 Breach Amendment provides additional notice requirements. Notice to residents must include, to the extent possible (§28-3852(a-1) of the Breach Notification Law):

  • a description of the categories of information reasonably believed to have been compromised, including elements of personal information;
  • specified contact information for the person or entity making the notice;
  • specified contact information for major consumer reporting agencies, a statement of the resident's right to obtain a security freeze free of charge, and how to request a security freeze; and
  • specified contact information for the FTC and AG, and a statement on how to obtain information from these sources on identity theft.

Notice to the AG must include (§28-3852(b-1) of the Breach Notification Law):

  • name and contact information for the person or entity reporting the breach;
  • name and contact information of the person or entity that experienced the breach;
  • nature of the breach;
  • types of personal information compromised;
  • number of DC residents impacted;
  • cause of the breach;
  • remedial action taken;
  • date and time frame of the breach;
  • address and location of the corporate headquarters if the headquarters are located outside of DC;
  • knowledge of foreign involvement in the breach; and
  • a sample notice to DC residents.

Notice must also be provided to consumer reporting agencies where more than 1,000 individuals must be notified (§28-3852(c) of the Breach Notification Law).

Persons or entities that maintain notification procedures pursuant to requirements under the Gramm-Leach-Bliley Act of 1999 ('GLBA'), the Health Insurance Portability and Accountability Act of 1996 ('HIPAA'), or the Health Information Technology for Economic and Clinical Health Act of 2009 ('HITECH'), and provide notice to impacted DC residents, will be deemed in compliance with the law's notification requirements, provided they also notify the AG's Office (§28-3852(g) of the Breach Notification Law).

The definition of personal information was expanded significantly under the 2020 Breach Amendment, and is now defined as (§28-3851(3)(A) of the Breach Notification Law):

  • an individual's first name or first initial and last name, or any other personal identifier, which, in combination with any of the following can be used to identify a person or a person's information:
    • any unique government-issued identification number, including social security number, taxpayer identification number, passport number, driver's license number, DC identification card number, or military identification number;
    • any number, code, or combination, including security or access code, allowing access to or use of an individual's financial or credit account, including account number, credit card number, or debit card number;
    • medical, genetic and deoxyribonucleic acid, health insurance, or biometric data (medical and genetic information are separately defined in the statute); or
    • any combination of data elements identified in the statutory definition that would allow a person to commit identity theft without reference to a person's first name or first initial and last name or other independent identifier; and
  • a username or email address in combination with a password, security question and answer, or other means of authentication, or combination of the elements identified in the statutory definition that would allow access to an individual's email account.

A 'security breach' is defined under the law as the 'unauthorised acquisition of computerized or other electronic data, or any equipment or device storing such data, that compromises the security, confidentiality, or integrity of personal information maintained by the person or entity who conducts business in the District of Columbia'. There are exceptions for 'good-faith' acquisition of personal information, acquisition of data rendered unusable by unauthorised third parties (unless the information may compromise security protection), and acquisition of personal data reasonably determined unlikely to result in harm to the individual after consultation with the AG's Office (§28-3851(1)(B)(iii) of the Breach Notification Law).

The 2020 Breach Amendment added a new section to the Breach Notification Law on remedies, in particular §28-3852.02 of the Breach Notification Law, and also revised the statute's enforcement provisions. These sections provide for identity theft protection and civil remedies under DC's consumer protection laws. When a data breach is reasonably believed to include DC residents' social security numbers or taxpayer identification numbers, the breached entity must offer impacted DC residents identity theft protection at no cost for at least 18 months (§28-3852.02 of the Breach Notification Law). Violations of the Breach Notification Law may be considered 'unfair and deceptive trade practice[s]' under DC law, subjecting entities to pay consumers treble damages or $1,500 per violation, as well as actual damages (§28-3853 of the Breach Notification Law).


The 2020 Breach Amendment added new categories of personal information to be covered under the Breach Notification Law. These new categories include genetic information, medical information, health insurance information, and biometric data (§28-3851 of the Breach Notification Law). The 2020 Breach Amendment also added new security requirements for personal information (discussed below). Since the Breach Notification Law now requires 'reasonable security safeguards' for personal information, including 'procedures and practices that are appropriate to the nature of the personal information', persons or entities that own, license, maintain, handle, or otherwise possess health data are now required to implement reasonable security requirements to protect that data. The D.C. Code includes a number of other healthcare-based provisions that incorporate privacy standards. These include:

In addition, the CPPA has been used to protect DC residents against unfair or deceptive practices in the use and maintenance of their health information. For instance, and as referenced in section 2.1. above, the AG settled an action against an insurance company in October 2018 for the company's alleged mishandling of protected health information and improper disclosures of patients' HIV status. According to the AG, the company 'revealed consumers' HIV status by mailing notices in envelopes with large transparent windows that allowed the words 'HIV medications' to be seen in the enclosed document.' The AG alleged that the company's actions violated both HIPAA and the CPPA.


DC law contains a statutory provision barring identity theft. The law focuses on the theft of personal information with the intent to fraudulently obtain property, and DC law defines 'identity theft' to include (§22–3227.02 of Subchapter III-C of Chapter 32 of Title 22 of the D.C. Code):

  • using personal identifying information belonging to or pertaining to another person to obtain, or attempt to obtain, property fraudulently and without that person's consent; and
  • obtaining, creating, or possessing personal identifying information belonging to or pertaining to another person with the intent to:
    • use the information to obtain, or attempt to obtain, property fraudulently and without that person's consent; or
    • give, sell, transmit, or transfer the information to a third person to facilitate the use of the information by that third person to obtain, or attempt to obtain, property fraudulently and without that person's consent.

Penalties include civil fines and restitution. DC courts are authorised under law to order relevant DC agencies to correct official records on an expedited basis when an individual has been the victim of identity theft and petitions a court to correct a DC public record that is incorrect due to such identity theft (§22–3227.05 of the D.C. Code).


The Fair Credit in Employment Amendment Act of 2016 amended the Human Rights Law, codified under Unit A of Chapter 14 of Title 2 of the D.C. Code, to include 'credit information' as the law's 20th protected trait. The Human Rights Law bars employers, employment agencies, and labour organisations in DC from discriminating against an employee or an applicant based on their credit information, in addition to other protected classes, including race, colour, religion, national origin, sex, age, marital status, personal appearance, sexual orientation, gender identity or expression, family responsibilities, genetic information, disability, matriculation, and political affiliation (§2-1402.11 of the Human Rights Law).

Subchapter I of Chapter 13B of Title 32 of the D.C. Code prohibits employers with more than ten employees in DC from asking applicants about their criminal history on an initial job application, subject to very limited exceptions, until after making a conditional job offer. Once a conditional offer of employment has been extended, employers may ask only about criminal convictions. Once a conditional offer of employment has been made, employers may only withdraw the offer of employment or take adverse action in limited circumstances (§32-1342 of the D.C. Code).

DC employment law also addresses privacy issues in the area of employment services agencies licensing and regulation. In particular, §32-409 of Chapter 4 of Title 32 of the D.C. Code requires express written authorisation of a job-seeker before disclosing his/her name, home address, or telephone number to any person other than to the Mayor of DC or their representative, pursuant to an investigation.


DC's Protecting Students Digital Privacy Act of 2016 ('the Student Privacy Act'), codified under Chapter 8B of Title 38 of the D.C. Code, went into effect in February 2017. The Student Privacy Act applies to website, online service, online application, or mobile application providers for pre-K-12 services. In general, it requires those providers to implement and maintain appropriate security measures to protect students' personal information. It prohibits those providers from using students' personal information for targeted advertising. Further, the Student Privacy Act prohibits those providers from disclosing students' personal information, except in limited circumstances. Educational institutions that provide devices to their students are prohibited, under the law, from accessing or tracking the devices or activity on them, except in limited circumstances. Educational institutions are also prohibited from searching, or compelling students and prospective students to make accessible, their personal media accounts and personal devices.

'Personally identifiable student information' is defined under the Student Privacy Act as data that 'alone or in combination with other data is linked to a specific student that would allow a reasonable person, who does not have personal knowledge of the relevant circumstances, to identify the student with reasonable certainty'. The Student Privacy Act lists, by way of example, the following categories of data (§38-831.01(14) of the Student Privacy Act):

  • student's name;
  • name of a student's parent or other family member;
  • the address of a student or student's parent or other family member;
  • a photograph, video, or audio recording that contains the student's image or voice; and
  • indirect identifiers, including:
    • a student's social security number;
    • student number;
    • telephone number;
    • credit card account number;
    • insurance account number;
    • financial services account number;
    • customer number;
    • geolocation information;
    • persistent unique identifier;
    • email address;
    • social media address;
    • online username; or
    • other personal electronic identifier.


DC has several laws in place to protect consumers from unwanted commercial communications. While DC does not maintain a separate state do-not-call database, DC residents may register on the FTC's National Do Not Call Registry, which protects them from unsolicited telemarketing calls (with certain exceptions for existing business relationships and prior consent).

Under §22-3226.15 of Subchapter III-B of Chapter 32 of Title 22 of the D.C. Code, within the first 30 seconds of a telephone solicitation call, the caller must disclose the caller's true first and last name, the company on whose behalf the solicitation is being made, and the goods or services to be sold. DC law prohibits the use of an automated call with a pre-recorded or synthesised voice message to make solicitation calls, unless the calling party has a prior business relationship with the called party and the call concerns the same type of products or services (§34–1701 of Chapter 17 of Title 34 of the D.C. Code).

DC requires telephone solicitors to file and maintain a registration with the DC Government, with certain exceptions (§22–3226.02 of the D.C. Code). Further, DC law declares certain acts that impact consumer privacy to be 'abusive telemarketing practices'. These acts include (§22–3226.08 of the D.C. Code):

  • causing a telephone to ring more than 15 times in an intended telephone solicitation call;
  • initiating a telephone solicitation call to a consumer after the same consumer has expressly stated that they do not wish to receive solicitation calls from that seller; or
  • engaging in telephone solicitation to a consumer's residence at any time before 8:00 a.m. or after 9:00 p.m. local time at the place where the consumer is called.

Remedies include civil and criminal penalties, and a private right of action.

DC follows the majority 'one party' consent rule for recording telephone calls (§23-542(b)(3) of Subchapter III of Chapter 5 of Title 23 of the D.C. Code). Thus, as long as one party to the call consents, such as the party who is recording the telephone call, the call may be recorded.


While DC law does not provide for specific content or notice requirements for entities' privacy policies, as noted above, the AG has investigated companies for their failure to adhere to their privacy policies. The AG has initiated these actions under the CPPA. Consumers also may bring private actions under the CPPA. However, issues of standing (and injury in fact) have barred their success in DC courts. For example, in Austin-Spearman v. AARP & AARP Servs. Inc., 119 F. Supp. 3d 1 (D.D.C. 2015), the court held that even if a website violated its own privacy policy prohibiting it from sharing personally identifiable information with third parties, a user whose information was shared after they purchased membership to the website suffered no economic injury as a result, and thus no injury-in-fact, as required for Article III standing to bring a putative class action against the website owner for breach of contract and violation of the CPPA. The court found that the promises made in the website's privacy policy were offered to members and non-members alike, so they were not part of the user's binding membership contract, and the user had received all membership benefits or services for which they had paid.


There are currently two legal frameworks for addressing data security under DC law, namely, the CPPA and the Breach Notification Law. These statutes are discussed in sections 1 and 2 above. Both laws allow for regulatory enforcement and a private right of action for failure by an entity to adhere to its privacy policy and terms of use, or failure by an entity to adhere to statutory notice requirements in the event of a breach, as well as security requirements as set forth under the Breach Notification Law. Private rights of action have not been successful to date. While the DC District Court recently acknowledged that a plaintiff may establish standing in a data breach case by virtue of having their sensitive data breached, that plaintiff's suit was nonetheless dismissed for failure to state a claim7.

The 2020 Breach Amendment added a new section for security requirements (§28-3852.01 of the Breach Notification Law). DC law now requires entities that handle the personal information of DC residents to 'implement and maintain reasonable security safeguards' that are 'appropriate to the nature of the personal information and the nature and size of the entity or operation' (§28-3852.01(a) of the Breach Notification Law). The law also requires that entities ensure service providers undertake appropriate security measures reasonably designed to protect the personal information, and which need to be set forth in a written agreement (§28-3852.01(b) of the 2020 Breach Amendment). Finally, the law now requires that entities undertake security measures when destroying records that contain personal information (§28-3852.01(c) of the Breach Notification Law). Persons or entities that maintain security procedures in compliance with the GLBA, HIPAA, or HITECH will be deemed in compliance with the law's security requirements.


The 2020 Breach Amendment added 'biometric data' as a category of 'personal information' under the statute (§28-3851(3)(A) of the Breach Notification Law). Biometric data is defined as data 'of an individual generated by automatic measurements of an individual's biological characteristics, such as a fingerprint, voice print, genetic print, retina or iris image, or other unique biological characteristic, that is used to uniquely authenticate the individual's identity when the individual accesses a system or account'. Since the law now requires 'reasonable security safeguards' for personal information, including 'procedures and practices that are appropriate to the nature of the personal information' (see section 9 above), persons or entities that own, license, maintain, handle, or otherwise possess biometric data are now required to implement reasonable security measures to protect that data.