District of Columbia Data Privacy Laws: Breach Rules & Consumer Rights (2026)

Overview of Data Privacy in the District of Columbia
The District of Columbia has built a focused data privacy framework that addresses breach notification, consumer protection, student data, and health information. Unlike many states that have enacted comprehensive consumer privacy laws, DC relies on a combination of targeted statutes that together create meaningful protections for District residents.

DC occupies a unique position in the American legal landscape. As a federal district rather than a state, its residents live at the intersection of local DC Council legislation and federal regulatory authority. Federal agencies like the Federal Trade Commission, housed in DC itself, exercise direct oversight over privacy practices that affect District residents alongside the DC Attorney General's own enforcement powers.
The District's approach to data privacy has evolved significantly in recent years. The landmark Security Breach Protection Amendment Act of 2020 modernized DC's breach notification requirements, while ongoing legislative efforts continue to expand protections into areas like consumer health data.
DC Breach Notification Law: D.C. Code Sections 28-3851 Through 28-3853
The cornerstone of DC's data privacy framework is its Consumer Security Breach Notification law, found in Subchapter II of Chapter 38, Title 28 of the DC Code. Originally enacted in 2007, this law underwent a major overhaul with the Security Breach Protection Amendment Act of 2020.
What Qualifies as Personal Information Under DC Law
D.C. Code Section 28-3851 defines personal information broadly. The definition includes an individual's first name or first initial and last name, or any other personal identifier, combined with any of these data elements:
- Social Security number or Individual Taxpayer Identification Number
- Passport number or driver's license number
- DC identification card number or military identification number
- Other unique identification numbers issued on government documents commonly used to verify identity
- Financial account numbers, credit card numbers, or debit card numbers, in combination with any required security code, access code, or password
- Medical information, defined as any information about a consumer's dental, medical, or mental health treatment or diagnosis by a healthcare professional
- Health insurance information, including policy numbers, subscriber information numbers, or unique identifiers used by health insurers
- Biometric data generated by automatic measurements of biological characteristics such as fingerprints, voice prints, genetic prints, retina or iris images, or other unique biological characteristics used to authenticate identity
- Any combination of data elements that would enable a person to commit identity theft without reference to a person's first name or first initial and last name
The 2020 amendment notably expanded this definition beyond the original scope that focused primarily on Social Security numbers and financial account data. The inclusion of biometric data, medical information, and health insurance details reflected the growing range of sensitive data that organizations collect and store.
Who Must Comply
DC's breach notification law applies to any person or entity that owns, licenses, maintains, handles, or otherwise possesses computerized or other electronic data that includes the personal information of a DC resident. This broad scope captures businesses of all sizes, nonprofits, educational institutions, and other organizations.
One important exclusion exists: the District of Columbia government itself and its agencies or instrumentalities are not covered by this definition of "person or entity." However, DC government agencies are subject to separate data governance and privacy requirements under District policy.
Notification Requirements After a Breach
D.C. Code Section 28-3852 sets out the notification obligations that apply when a breach occurs. Any person or entity that discovers a breach of security involving personal information must notify affected DC residents in the most expedient time possible and without unreasonable delay.
The notice to affected individuals must include specific information about the breach, the types of personal information compromised, and steps the individual can take to protect themselves. The law requires clear, plain-language communication rather than legalistic disclosures.
Attorney General Notification
When a breach affects 50 or more District residents, the entity must also promptly provide written notice to the Office of the Attorney General for the District of Columbia. This notice must be made no later than when notice is provided to affected residents.
The written notice to the Attorney General must include:
- The name and contact information of the reporting entity
- The name and contact information of the entity that experienced the breach
- The nature of the breach of security
- The types of personal information compromised
- The number of District residents affected
- The cause of the breach, if known
- Remedial actions taken by the entity
- The date and time frame of the breach, if known
- The address and location of corporate headquarters, if outside the District
- Any knowledge of foreign country involvement in the breach
This detailed Attorney General notification requirement, added by the 2020 amendment, gives the DC government visibility into breach patterns and enables proactive enforcement.
Identity Theft Protection Services
When a breach includes or is reasonably believed to include a Social Security number or taxpayer identification number, the breached entity must offer identity theft protection services at no cost to each affected DC resident. These services must be provided for a minimum of 18 months, and the entity must supply all information necessary for residents to enroll.
This requirement, also added in the 2020 amendment, goes beyond simple notification and places an affirmative financial obligation on breached entities to help affected individuals protect themselves.
Security Requirements: D.C. Code Section 28-3852.01
The 2020 amendment added an entirely new section to DC law: D.C. Code Section 28-3852.01, which mandates proactive data security measures.
Any person or entity that owns, licenses, maintains, handles, or otherwise possesses personal information of a DC resident must implement and maintain reasonable security safeguards. These safeguards must include procedures and practices that are:
- Appropriate to the nature of the personal information being protected
- Appropriate to the nature and size of the entity or its operations
- Designed to protect personal information from unauthorized access, use, modification, disclosure, or a reasonably anticipated hazard or threat
The law uses a "reasonableness" standard rather than prescribing specific technical measures. This approach allows flexibility based on organizational size and the sensitivity of the data involved.
Federal Law Safe Harbor
Entities that are subject to and in compliance with the security requirements of the following federal laws are deemed to satisfy D.C. Code Section 28-3852.01:
- The Gramm-Leach-Bliley Act (GLBA), governing financial institutions
- The Health Insurance Portability and Accountability Act of 1996 (HIPAA)
- The Health Information Technology for Economic and Clinical Health Act (HITECH)
This safe harbor provision avoids imposing duplicative requirements on organizations already meeting stringent federal data security standards. However, it only applies to the security requirement itself. These entities must still comply with DC's breach notification obligations.
Enforcement and Penalties
Classification as Unfair Trade Practice
D.C. Code Section 28-3853 establishes that any violation of the breach notification subchapter, or any rule issued under its authority, constitutes an unfair or deceptive trade practice under D.C. Code Section 28-3904.
This classification is significant because it brings the full weight of DC's consumer protection enforcement apparatus to bear on data privacy violations.
Civil Penalties
The DC Attorney General can seek civil penalties under D.C. Code Section 28-3909:
- Up to $5,000 per violation for a first offense
- Up to $10,000 per violation for subsequent offenses
Given that a single breach can affect thousands of DC residents, the per-violation penalty structure can result in substantial aggregate fines.
Additional Remedies
Beyond monetary penalties, the Attorney General can seek:
- Temporary or permanent injunctive relief prohibiting continued violations
- Orders requiring affirmative corrective action
- Restitution of money or property to affected consumers
The Attorney General is not required to prove damages to obtain injunctive relief.
D.C. Code Section 28-3852.02 further specifies that the rights and remedies available are cumulative, meaning they can be combined with each other and with any other rights and remedies available under law.
Recent Enforcement Actions
The DC Attorney General's Office has actively enforced data privacy protections. In 2024, Attorney General Brian Schwalb secured over $355,000 from software firm Blackbaud for deficient data security practices related to a 2020 ransomware attack. Under the settlement, Blackbaud agreed to overhaul its data security and breach notification practices in addition to the monetary payment.
Since January 2023, the DC Office of the Attorney General has obtained nearly $50 million through consumer protection enforcement actions and settlements on behalf of District residents, demonstrating a robust enforcement posture.
DC Consumer Protection Procedures Act and Privacy
The DC Consumer Protection Procedures Act (CPPA), codified at D.C. Code Chapter 39 of Title 28, serves as the broader enforcement vehicle for privacy-related violations in the District.
How the CPPA Supports Privacy Enforcement
Originally enacted as D.C. Law 1-76, the CPPA establishes an enforceable right to truthful information from merchants about consumer goods and services. While not a privacy statute per se, the CPPA's broad prohibition on unfair or deceptive trade practices has become an essential tool for privacy enforcement.
The CPPA provides the procedural framework through which breach notification violations are prosecuted. When D.C. Code Section 28-3853 classifies breach notification failures as unfair trade practices, it plugs those violations directly into the CPPA's established enforcement machinery.
Powers of the Attorney General Under the CPPA
The Attorney General's investigatory powers under the CPPA are substantial. The Attorney General can:
- Issue subpoenas for documents and testimony during investigations
- Bring civil enforcement actions in DC Superior Court
- Seek injunctions, civil penalties, consumer restitution, and other equitable relief
- Accept assurances of voluntary compliance from businesses
These powers make the DC Attorney General a formidable enforcement authority for data privacy violations, even in the absence of a comprehensive state privacy law.
Private Right of Action
The CPPA also provides a private right of action for consumers harmed by unfair or deceptive trade practices. Individual DC residents can bring lawsuits against businesses that violate consumer protection standards, including data privacy requirements tied to the CPPA through D.C. Code Section 28-3853.
This private enforcement mechanism supplements the Attorney General's public enforcement and gives individual consumers a direct path to seek redress for privacy violations.
Protecting Students Digital Privacy Act of 2016
The Protecting Students Digital Privacy Act of 2016 (D.C. Law 21-218) addresses the growing use of technology in DC schools and the privacy implications for students. This law took effect on August 1, 2017.
Operator Obligations Under D.C. Code Section 38-831.02
D.C. Code Section 38-831.02 imposes specific obligations on operators of websites, online services, and applications used for pre-K through 12th grade educational purposes:
Data Security Requirements:
- Operators must implement and maintain reasonable security policies and procedures appropriate to the nature of personally identifiable student information
- Security measures must protect student data from unauthorized access, destruction, use, modification, or disclosure
- Operators must have provisions for notifying educational institutions and Local Education Agencies (LEAs) in the event of unauthorized access
Restrictions on Data Use:
- Operators cannot use personally identifiable student information for targeted advertising based on information acquired through educational use of the platform
- Operators cannot build profiles of students for non-educational commercial purposes
- Data use is limited to furthering pre-K through 12 educational purposes or improving platform operability
Data Control and Deletion:
- Personally identifiable student information provided to operators is considered under the control of the LEA, not the operator
- Operators must delete student data within a reasonable period after termination or completion of services, unless the LEA requests otherwise
- Any third-party data sharing must include requirements that recipients prohibit further use for other purposes and implement reasonable security measures
Student Device and Account Privacy
D.C. Code Section 38-831.04 provides direct protections for students' personal digital accounts and devices. Educational institutions and school-based personnel are prohibited from:
- Demanding or requesting that students disclose usernames, passwords, or other account authentication information for personal media accounts or personal devices
- Requiring students to access personal accounts in the presence of school personnel
- Compelling students to add school personnel or others to personal accounts
- Taking disciplinary action, including expulsion or prohibition from school activities, against students who refuse any of these requests
1-to-1 Device Programs
D.C. Code Section 38-831.03 addresses programs where schools provide individual devices to students for at-home use. Educational institutions operating 1-to-1 programs must provide written notice to parents and guardians about the types of data that may be collected, stored, or transmitted through the device, and any monitoring or tracking capabilities.
DC as a Federal District: Unique Privacy Landscape
The District of Columbia's status as a federal district, rather than a state, creates a distinctive privacy regulatory environment that affects both residents and the many organizations headquartered or operating in the District.
Congressional Oversight
Unlike state legislatures that can freely enact legislation, the DC Council operates under a system where Congress retains ultimate authority over District affairs through the Home Rule Act. All DC legislation must go through a congressional review period before taking effect. The Security Breach Protection Amendment Act of 2020, for example, was transmitted to Congress for its review after passage by the DC Council.
This structure means that DC privacy laws exist within a framework of federal oversight that no state experiences. While Congress has rarely overturned DC legislation, this dynamic shapes the legislative process and timeline.
Concentration of Federal Agencies
DC is home to the primary federal agencies responsible for privacy enforcement nationwide:
- The Federal Trade Commission enforces privacy standards under Section 5 of the FTC Act and sector-specific federal privacy laws
- Federal financial regulators enforce GLBA privacy provisions from their DC headquarters
- The Department of Health and Human Services enforces HIPAA from Washington
- The Department of Education oversees FERPA compliance
DC-based organizations, particularly government contractors and entities doing business with federal agencies, often face heightened federal privacy requirements that layer on top of DC's local statutes.
Federal Preemption Considerations
DC's breach notification law includes a safe harbor for entities complying with federal security standards under GLBA, HIPAA, or HITECH. This reflects a practical acknowledgment that many DC-based organizations, especially those in healthcare and financial services, already operate under rigorous federal privacy regimes.
However, federal compliance does not exempt organizations from DC's breach notification requirements. Even entities that satisfy the security safe harbor must still provide notice to affected residents and the Attorney General when breaches occur.
Lobbying and Advocacy Organizations
DC hosts thousands of trade associations, advocacy organizations, and lobbying firms that collect and process personal data. These organizations may not be covered by sector-specific federal privacy laws like HIPAA or GLBA, making DC's Consumer Protection Procedures Act and breach notification requirements particularly relevant to their operations.
Emerging Privacy Legislation in DC
The District continues to develop its privacy framework. Several legislative initiatives reflect the direction of DC privacy law.
Consumer Health Information Privacy Protection Act
In 2024, Attorney General Brian Schwalb introduced the Consumer Health Information Privacy Protection Act (CHIPPA). This proposed legislation would:
- Require entities outside of HIPAA coverage, such as fitness app companies and patient support groups, to follow strengthened privacy provisions for consumer health data
- Mandate informed consent before collecting and sharing personal health data
- Give consumers the right to access their personal health information and choose how it is used
- Require companies to disclose exactly how and where collected data is shared
The legislation specifically addresses concerns about health data sharing by non-HIPAA-covered entities, including situations where data transfers could reveal information about mental health, medication history, or reproductive and gender-affirming care.
Previous Comprehensive Privacy Proposals
The District has previously considered broader comprehensive privacy legislation, including proposals modeled on other states' consumer data protection acts. While none have yet been enacted, the trend toward expanding privacy protections in the District mirrors the national movement toward stronger state and local privacy laws.
Compliance Checklist for Organizations Operating in DC
Organizations that handle personal information of DC residents should take these steps to ensure compliance with current DC privacy law:
Data Security:
- Implement and maintain reasonable security safeguards appropriate to the nature and sensitivity of personal information collected
- Document security policies, procedures, and practices
- Conduct regular security assessments and address identified vulnerabilities
- If subject to GLBA, HIPAA, or HITECH, maintain compliance with those federal standards to satisfy DC's security safe harbor
Breach Response Planning:
- Develop a written incident response plan that addresses DC's specific notification requirements
- Establish processes for quickly identifying when a breach affects DC residents
- Prepare templates for individual notification letters and Attorney General reports
- Identify vendors capable of providing 18-month identity theft protection services when Social Security numbers or taxpayer identification numbers are compromised
Notification Procedures:
- Notify affected DC residents in the most expedient time possible and without unreasonable delay
- Provide written notice to the DC Attorney General when 50 or more residents are affected
- Include all required elements in Attorney General notifications, including breach cause, remedial actions, and any foreign country involvement
- Offer free identity theft protection when Social Security or taxpayer identification numbers are involved
Student Data (for Educational Technology Operators):
- Limit use of student information to educational purposes
- Never use student data for targeted advertising
- Implement security measures for student information
- Delete student data after services end, unless the LEA requests retention
- Provide notice about data collection practices for 1-to-1 device programs
Sources and References
- D.C. Code Section 28-3851: Definitions (code.dccouncil.gov)
- D.C. Code Section 28-3852: Notification of Security Breach (code.dccouncil.gov)
- D.C. Code Section 28-3852.01: Security Requirements (code.dccouncil.gov)
- D.C. Code Section 28-3852.02: Remedies (code.dccouncil.gov)
- D.C. Code Section 28-3853: Enforcement (code.dccouncil.gov)
- D.C. Law 23-98: Security Breach Protection Amendment Act of 2020 (code.dccouncil.gov)
- D.C. Code Chapter 39: Consumer Protection Procedures Act (code.dccouncil.gov)
- D.C. Code Section 28-3909: Restraining Prohibited Acts (code.dccouncil.gov)
- D.C. Law 21-218: Protecting Students Digital Privacy Act of 2016 (code.dccouncil.gov)
- D.C. Code Section 38-831.02: Operator Obligations (code.dccouncil.gov)
- D.C. Code Section 38-831.04: Student Account Privacy (code.dccouncil.gov)
- DC AG: Consumer Alert on Online Privacy (oag.dc.gov)
- DC AG: Blackbaud Settlement (oag.dc.gov)
- DC AG: CHIPPA Introduction (oag.dc.gov)
- OSSE: Student Privacy Policy (osse.dc.gov)
- FTC: Privacy and Security Enforcement (ftc.gov)