District of Columbia Data Privacy Laws: Breach Rules & Consumer Rights (2026)

The District of Columbia does not have a comprehensive consumer privacy law. Breach notification obligations fall under D.C. Code Sections 28-3851 through 28-3853, expanded by the Security Breach Protection Amendment Act of 2020 (D.C. Law 23-98), with the DC Attorney General enforcing violations as unfair trade practices under the Consumer Protection Procedures Act.
Overview of Data Privacy in the District of Columbia
The District of Columbia has built a focused data privacy framework that addresses breach notification, consumer protection, student data, and health information. Unlike many states that have enacted comprehensive consumer privacy laws, DC relies on a combination of targeted statutes that together create meaningful protections for District residents.

DC occupies a unique position in the American legal landscape. As a federal district rather than a state, its residents live at the intersection of local DC Council legislation and federal regulatory authority. Federal agencies like the Federal Trade Commission, housed in DC itself, exercise direct oversight over privacy practices that affect District residents alongside the DC Attorney General's own enforcement powers.
The District's approach to data privacy has evolved significantly in recent years. The landmark Security Breach Protection Amendment Act of 2020 modernized DC's breach notification requirements, while ongoing legislative efforts in the 26th Council continue to expand protections into areas like consumer health data.
DC Breach Notification Law: D.C. Code Sections 28-3851 Through 28-3853
The cornerstone of DC's data privacy framework is its Consumer Security Breach Notification law, found in Subchapter II of Chapter 38, Title 28 of the DC Code. Originally enacted in 2007, this law underwent a major overhaul with the Security Breach Protection Amendment Act of 2020.
What Qualifies as Personal Information Under DC Law
D.C. Code Section 28-3851 defines personal information broadly. The definition includes an individual's first name or first initial and last name, or any other personal identifier, combined with any of these data elements:
- Social Security number or Individual Taxpayer Identification Number
- Passport number or driver's license number
- DC identification card number or military identification number
- Other unique identification numbers issued on government documents commonly used to verify identity
- Financial account numbers, credit card numbers, or debit card numbers, in combination with any required security code, access code, or password
- Medical information, defined as any information about a consumer's dental, medical, or mental health treatment or diagnosis by a healthcare professional
- Health insurance information, including policy numbers, subscriber information numbers, or unique identifiers used by health insurers
- Biometric data generated by automatic measurements of biological characteristics such as fingerprints, voice prints, genetic prints, retina or iris images, or other unique biological characteristics used to authenticate identity
- Any combination of data elements that would enable a person to commit identity theft without reference to a person's first name or first initial and last name
The 2020 amendment notably expanded this definition beyond the original scope that focused primarily on Social Security numbers and financial account data. The inclusion of biometric data, medical information, and health insurance details reflected the growing range of sensitive data that organizations collect and store.
Who Must Comply
DC's breach notification law applies to any person or entity that owns, licenses, maintains, handles, or otherwise possesses computerized or other electronic data that includes the personal information of a DC resident. This broad scope captures businesses of all sizes, nonprofits, educational institutions, and other organizations.
One important exclusion exists: the District of Columbia government itself and its agencies or instrumentalities are not covered by this definition of "person or entity." However, DC government agencies are subject to separate data governance and privacy requirements under District policy.
Notification Requirements After a Breach
D.C. Code Section 28-3852 sets out the notification obligations that apply when a breach occurs. Any person or entity that discovers a breach of security involving personal information must notify affected DC residents in the most expedient time possible and without unreasonable delay.
The notice to affected individuals must include specific information about the breach, the types of personal information compromised, and steps the individual can take to protect themselves. The law requires clear, plain-language communication rather than legalistic disclosures.
Attorney General Notification
When a breach affects 50 or more District residents, the entity must also promptly provide written notice to the Office of the Attorney General for the District of Columbia. This notice must be made no later than when notice is provided to affected residents.
The written notice to the Attorney General must include:
- The name and contact information of the reporting entity
- The name and contact information of the entity that experienced the breach
- The nature of the breach of security
- The types of personal information compromised
- The number of District residents affected
- The cause of the breach, if known
- Remedial actions taken by the entity
- The date and time frame of the breach, if known
- The address and location of corporate headquarters, if outside the District
- Any knowledge of foreign country involvement in the breach
This detailed Attorney General notification requirement, added by the 2020 amendment, gives the DC government visibility into breach patterns and enables proactive enforcement.
Identity Theft Protection Services
When a breach includes or is reasonably believed to include a Social Security number or taxpayer identification number, the breached entity must offer identity theft protection services at no cost to each affected DC resident. These services must be provided for a minimum of 18 months, and the entity must supply all information necessary for residents to enroll.
This requirement, also added in the 2020 amendment, goes beyond simple notification and places an affirmative financial obligation on breached entities to help affected individuals protect themselves.
Security Requirements: D.C. Code Section 28-3852.01
The 2020 amendment added an entirely new section to DC law: D.C. Code Section 28-3852.01, which mandates proactive data security measures.
Any person or entity that owns, licenses, maintains, handles, or otherwise possesses personal information of a DC resident must implement and maintain reasonable security safeguards. These safeguards must include procedures and practices that are:
- Appropriate to the nature of the personal information being protected
- Appropriate to the nature and size of the entity or its operations
- Designed to protect personal information from unauthorized access, use, modification, disclosure, or a reasonably anticipated hazard or threat
The law uses a "reasonableness" standard rather than prescribing specific technical measures. This approach allows flexibility based on organizational size and the sensitivity of the data involved.
Federal Law Safe Harbor
Entities that are subject to and in compliance with the security requirements of the following federal laws are deemed to satisfy D.C. Code Section 28-3852.01:
- The Gramm-Leach-Bliley Act (GLBA), governing financial institutions
- The Health Insurance Portability and Accountability Act of 1996 (HIPAA)
- The Health Information Technology for Economic and Clinical Health Act (HITECH)
This safe harbor provision avoids imposing duplicative requirements on organizations already meeting stringent federal data security standards. However, it only applies to the security requirement itself. These entities must still comply with DC's breach notification obligations.
Enforcement and Penalties

Classification as Unfair Trade Practice
D.C. Code Section 28-3853 establishes that any violation of the breach notification subchapter, or any rule issued under its authority, constitutes an unfair or deceptive trade practice under D.C. Code Section 28-3904.
This classification is significant because it brings the full weight of DC's consumer protection enforcement apparatus to bear on data privacy violations.
Civil Penalties
The DC Attorney General can seek civil penalties under D.C. Code Section 28-3909:
- Up to $5,000 per violation for a first offense
- Up to $10,000 per violation for subsequent offenses
Given that a single breach can affect thousands of DC residents, the per-violation penalty structure can result in substantial aggregate fines.
Additional Remedies
Beyond monetary penalties, the Attorney General can seek:
- Temporary or permanent injunctive relief prohibiting continued violations
- Orders requiring affirmative corrective action
- Restitution of money or property to affected consumers
The Attorney General is not required to prove damages to obtain injunctive relief.
D.C. Code Section 28-3852.02 further specifies that the rights and remedies available are cumulative, meaning they can be combined with each other and with any other rights and remedies available under law.
Recent Enforcement Actions
The DC Attorney General's Office has actively enforced data privacy and consumer protection laws. In December 2022, then-AG Karl Racine secured a $9.5 million settlement from Google for deceptive location tracking practices that manipulated consumers into sharing location data against their wishes.
In December 2023, AG Brian Schwalb announced a $700 million multistate settlement with Google over anticompetitive practices in Android app distribution and in-app payment processing. The court gave the settlement preliminary approval on November 20, 2025.
In 2024, AG Schwalb secured over $355,000 from software firm Blackbaud for deficient data security practices related to a 2020 ransomware attack. Under the settlement, Blackbaud agreed to overhaul its data security and breach notification practices in addition to the monetary payment.
The DC AG's Cambridge Analytica case against Meta, originally filed by AG Racine in 2018, was dismissed by DC Superior Court in June 2023. The DC Court of Appeals revived the case in August 2025. As of May 2026, a DC Superior Court judge denied Mark Zuckerberg's motion to dismiss the companion personal suit, finding the District alleged sufficient facts to show Zuckerberg directly contributed to misrepresentations about privacy and data sharing. That case continues toward trial.
The DC AG 2025 Impact Report reported $906.8 million in total savings and benefits secured for DC residents, reflecting an aggressive enforcement posture across consumer protection, antitrust, and data security matters.
DC Consumer Protection Procedures Act and Privacy
The DC Consumer Protection Procedures Act (CPPA), codified at D.C. Code Chapter 39 of Title 28, serves as the broader enforcement vehicle for privacy-related violations in the District.
How the CPPA Supports Privacy Enforcement
Originally enacted as D.C. Law 1-76, the CPPA establishes an enforceable right to truthful information from merchants about consumer goods and services. While not a privacy statute per se, the CPPA's broad prohibition on unfair or deceptive trade practices has become an essential tool for privacy enforcement.
The CPPA provides the procedural framework through which breach notification violations are prosecuted. When D.C. Code Section 28-3853 classifies breach notification failures as unfair trade practices, it plugs those violations directly into the CPPA's established enforcement machinery.
Powers of the Attorney General Under the CPPA
The Attorney General's investigatory powers under the CPPA are substantial. The Attorney General can:
- Issue subpoenas for documents and testimony during investigations
- Bring civil enforcement actions in DC Superior Court
- Seek injunctions, civil penalties, consumer restitution, and other equitable relief
- Accept assurances of voluntary compliance from businesses
These powers make the DC Attorney General a formidable enforcement authority for data privacy violations, even in the absence of a comprehensive state privacy law.
Private Right of Action
The CPPA also provides a private right of action for consumers harmed by unfair or deceptive trade practices. Individual DC residents can bring lawsuits against businesses that violate consumer protection standards, including data privacy requirements tied to the CPPA through D.C. Code Section 28-3853.
This private enforcement mechanism supplements the Attorney General's public enforcement and gives individual consumers a direct path to seek redress for privacy violations.
Protecting Students Digital Privacy Act of 2016
The Protecting Students Digital Privacy Act of 2016 (D.C. Law 21-218) addresses the growing use of technology in DC schools and the privacy implications for students. This law took effect on August 1, 2017.
Operator Obligations Under D.C. Code Section 38-831.02
D.C. Code Section 38-831.02 imposes specific obligations on operators of websites, online services, and applications used for pre-K through 12th grade educational purposes:
Data Security Requirements:
- Operators must implement and maintain reasonable security policies and procedures appropriate to the nature of personally identifiable student information
- Security measures must protect student data from unauthorized access, destruction, use, modification, or disclosure
- Operators must have provisions for notifying educational institutions and Local Education Agencies (LEAs) in the event of unauthorized access
Restrictions on Data Use:
- Operators cannot use personally identifiable student information for targeted advertising based on information acquired through educational use of the platform
- Operators cannot build profiles of students for non-educational commercial purposes
- Data use is limited to furthering pre-K through 12 educational purposes or improving platform operability
Data Control and Deletion:
- Personally identifiable student information provided to operators is considered under the control of the LEA, not the operator
- Operators must delete student data within a reasonable period after termination or completion of services, unless the LEA requests otherwise
- Any third-party data sharing must include requirements that recipients prohibit further use for other purposes and implement reasonable security measures
Student Device and Account Privacy
D.C. Code Section 38-831.04 provides direct protections for students' personal digital accounts and devices. Educational institutions and school-based personnel are prohibited from:
- Demanding or requesting that students disclose usernames, passwords, or other account authentication information for personal media accounts or personal devices
- Requiring students to access personal accounts in the presence of school personnel
- Compelling students to add school personnel or others to personal accounts
- Taking disciplinary action, including expulsion or prohibition from school activities, against students who refuse any of these requests
1-to-1 Device Programs
D.C. Code Section 38-831.03 addresses programs where schools provide individual devices to students for at-home use. Educational institutions operating 1-to-1 programs must provide written notice to parents and guardians about the types of data that may be collected, stored, or transmitted through the device, and any monitoring or tracking capabilities.
DC Recording and Wiretap Law: D.C. Code § 23-542

DC is a one-party consent jurisdiction for recording conversations. D.C. Code § 23-542 prohibits the willful interception, disclosure, or use of wire or oral communications without consent, but carves out a key exception for participants to a communication.
The One-Party Consent Rule
Under § 23-542(b)(3), a person not acting under color of law may lawfully intercept a wire or oral communication when that person is a party to the communication, or when one of the parties to the communication has given prior consent. This means a DC resident can record a phone call or in-person conversation they are participating in without telling the other parties, as long as the recording is not made for the purpose of committing a crime, tortious act, or other injurious act.
The tortious-purpose exception is significant. If a recording is made to facilitate harassment, blackmail, or another civil wrong under DC or federal law, the one-party consent defense does not apply.
Penalties for Illegal Recording
Criminal penalties under § 23-542 include a fine not more than the amount set forth in D.C. Code § 22-3571.01 or imprisonment not more than five years, or both. Civil liability for illegal interception, disclosure, or use is the greater of actual damages, $100 per day for each day of violation, or $1,000, plus punitive damages, attorney's fees, and litigation costs.
How the Wiretap Statute Intersects with Privacy Law
DC's one-party consent rule shapes the privacy expectations of District residents in ways that go beyond simple recording scenarios. Employers monitoring employee communications, landlords recording common areas, and journalists recording sources are all subject to § 23-542's framework. Organizations subject to DC's data breach notification law that collect audio or communications data should also assess whether their collection and storage practices implicate § 23-542 and the CPPA's broader unfair trade practices prohibition.
For more on DC's recording consent rules across specific scenarios, see the District of Columbia recording laws page on this site.
DC as a Federal District: Unique Privacy Landscape and Federal Overlay
The District of Columbia's status as a federal district, rather than a state, creates a distinctive privacy regulatory environment that affects both residents and the many organizations headquartered or operating in the District.
Congressional Oversight
Unlike state legislatures that can freely enact legislation, the DC Council operates under a system where Congress retains ultimate authority over District affairs through the Home Rule Act. All DC legislation must go through a congressional review period before taking effect. The Security Breach Protection Amendment Act of 2020, for example, was transmitted to Congress for its review after passage by the DC Council.
This structure means that DC privacy laws exist within a framework of federal oversight that no state experiences. While Congress has rarely overturned DC legislation, this dynamic shapes the legislative process and timeline.
Concentration of Federal Agencies
DC is home to the primary federal agencies responsible for privacy enforcement nationwide:
- The Federal Trade Commission enforces privacy standards under Section 5 of the FTC Act and sector-specific federal privacy laws
- Federal financial regulators enforce GLBA privacy provisions from their DC headquarters
- The Department of Health and Human Services enforces HIPAA from Washington
- The Department of Education oversees FERPA compliance
DC-based organizations, particularly government contractors and entities doing business with federal agencies, often face heightened federal privacy requirements that layer on top of DC's local statutes.
The TAKE IT DOWN Act (Pub. L. 119-12): FTC Enforcement Live May 2026
The TAKE IT DOWN Act, signed into law with bipartisan support and codified as Pub. L. 119-12, is the first comprehensive federal law addressing nonconsensual intimate imagery (NCII) on online platforms. The Act criminalizes the publication of nonconsensual intimate visual depictions, including AI-generated deepfakes. The platform compliance deadline was May 19, 2026, at which point FTC enforcement went live.
Covered platforms must: (1) establish a process for victims to request removal of NCII; (2) provide clear notice of that process; and (3) remove flagged content within 48 hours of receiving a valid request. The FTC may impose civil penalties of up to $53,088 per violation.
DC residents who are victims of NCII can now request removal from covered platforms directly under federal law, with FTC enforcement available for platforms that fail to comply. This federal protection applies on top of any available DC consumer protection remedies.
Federal Preemption Considerations
DC's breach notification law includes a safe harbor for entities complying with federal security standards under GLBA, HIPAA, or HITECH. This reflects a practical acknowledgment that many DC-based organizations, especially those in healthcare and financial services, already operate under rigorous federal privacy regimes.
However, federal compliance does not exempt organizations from DC's breach notification requirements. Even entities that satisfy the security safe harbor must still provide notice to affected residents and the Attorney General when breaches occur.
Lobbying and Advocacy Organizations
DC hosts thousands of trade associations, advocacy organizations, and lobbying firms that collect and process personal data. These organizations may not be covered by sector-specific federal privacy laws like HIPAA or GLBA, making DC's Consumer Protection Procedures Act and breach notification requirements particularly relevant to their operations.
Emerging Privacy Legislation in DC

The District continues to develop its privacy framework. As of May 2026, DC has no comprehensive consumer privacy law. Several bills in the current and prior Council sessions reflect the direction of DC privacy legislation.
Consumer Health Information Privacy Protection Act (CHIPPA): 25th Council, Did Not Pass
In 2024, Attorney General Brian Schwalb introduced CHIPPA, Bill B25-0930, to protect health data held by entities outside HIPAA's scope, including fitness app companies and patient support groups. The bill received a public hearing before the DC Council Committee on Health on October 17, 2024. EPIC and the ACLU of DC testified in support. CHIPPA did not pass in the 25th Council (2023-2024) session and died in committee at the end of that legislative term.
CHIPPA's key proposed protections included: requiring consent before collecting or sharing consumer health data; granting consumers the right to access and delete their health data; prohibiting geofencing around health service provider locations; and mandating disclosure of how health data is shared with third parties.
26th Council: Active Health Privacy and Government Data Privacy Bills
In the current 26th Council session (2025-2026), two relevant bills are pending:
B26-0525 (Personal Health Data Security Amendment Act of 2025) was introduced December 1, 2025 and referred to the Committee on Health. A roundtable hearing was held March 23, 2026. The bill would prohibit geofencing around health facilities, require consent before collecting or sharing personal health data, establish rights to access and deletion, and mandate clear privacy policies. As of May 2026, the bill remains in committee and has not passed.
B26-0670 (District of Columbia Government Data Privacy and Protection Act of 2026) was introduced April 27, 2026 and referred to the Committee on Public Works and Operations. As of May 2026, the bill is in the early introduction stage.
Both bills signal continued legislative momentum toward expanded privacy protections in DC, though neither has been enacted.
Federal Comprehensive Privacy Legislation
At the federal level, the SECURE Data Act (HR 8413) was introduced in April 2026 by House Energy and Commerce Committee members. The bill would establish a uniform national consumer privacy standard and preempt state comprehensive privacy laws, though it remains in early legislative stages. DC residents and organizations should monitor this legislation, as federal preemption would significantly affect the state-by-state privacy landscape.
Compliance Checklist for Organizations Operating in DC
Organizations that handle personal information of DC residents should take these steps to ensure compliance with current DC privacy law:
Data Security:
- Implement and maintain reasonable security safeguards appropriate to the nature and sensitivity of personal information collected
- Document security policies, procedures, and practices
- Conduct regular security assessments and address identified vulnerabilities
- If subject to GLBA, HIPAA, or HITECH, maintain compliance with those federal standards to satisfy DC's security safe harbor
Breach Response Planning:
- Develop a written incident response plan that addresses DC's specific notification requirements
- Establish processes for quickly identifying when a breach affects DC residents
- Prepare templates for individual notification letters and Attorney General reports
- Identify vendors capable of providing 18-month identity theft protection services when Social Security numbers or taxpayer identification numbers are compromised
Notification Procedures:
- Notify affected DC residents in the most expedient time possible and without unreasonable delay
- Provide written notice to the DC Attorney General when 50 or more residents are affected
- Include all required elements in Attorney General notifications, including breach cause, remedial actions, and any foreign country involvement
- Offer free identity theft protection when Social Security or taxpayer identification numbers are involved
TAKE IT DOWN Act (for platform operators):
- Establish and publish a process for users to request removal of nonconsensual intimate imagery
- Build a 48-hour removal workflow for valid NCII requests
- Review FTC guidance on compliance; civil penalties reach $53,088 per violation
Student Data (for Educational Technology Operators):
- Limit use of student information to educational purposes
- Never use student data for targeted advertising
- Implement security measures for student information
- Delete student data after services end, unless the LEA requests retention
- Provide notice about data collection practices for 1-to-1 device programs
Frequently Asked Questions
Does DC have a comprehensive consumer data privacy law like California or Virginia?
No. As of May 2026, the District of Columbia does not have a comprehensive consumer data privacy law comparable to the California Consumer Privacy Act or the Virginia Consumer Data Protection Act. DC relies on a combination of its breach notification law (D.C. Code Sections 28-3851 through 28-3853), the Consumer Protection Procedures Act (D.C. Code Chapter 39 of Title 28), and the Protecting Students Digital Privacy Act (D.C. Law 21-218), along with federal privacy laws. Legislation is pending in the 26th Council session, including B26-0525 (Personal Health Data Security Amendment Act) and B26-0670 (DC Government Data Privacy and Protection Act of 2026), but neither has passed as of May 2026.
How quickly must businesses notify DC residents and the Attorney General after a data breach?
DC law requires notification in the most expedient time possible and without unreasonable delay. The statute does not set a specific number of days. Written notice to the DC Attorney General is required when a breach affects 50 or more District residents, and that notice must be sent no later than when notice is provided to affected individuals. The Attorney General notification must include the nature of the incident, types of personal information compromised, number of affected residents, remedial actions taken, and any knowledge of foreign country involvement.
What types of data are covered under DC breach notification law after the 2020 amendments?
The 2020 Security Breach Protection Amendment Act (D.C. Law 23-98) significantly expanded DC's definition of personal information. Covered data now includes Social Security numbers, taxpayer identification numbers, passport numbers, driver's license or DC identification numbers, military identification numbers, financial account numbers with access credentials, medical information about dental, medical, or mental health treatment, health insurance policy numbers and subscriber identifiers, and biometric data such as fingerprints, voice prints, genetic prints, and retina or iris images used for identity authentication.
Are DC government agencies subject to the same data breach notification rules as private businesses?
No. D.C. Code Section 28-3851 specifically excludes the District of Columbia government and its agencies and instrumentalities from the definition of 'person or entity' subject to the breach notification law. DC government agencies are instead subject to separate data governance and privacy policies established by the DC Office of the Chief Technology Officer and other District agencies. However, private contractors handling personal data on behalf of DC government agencies may still be subject to the breach notification requirements for data they maintain, handle, or possess.
What penalties can the DC Attorney General impose for violations of data privacy laws?
Violations of DC's breach notification law are classified as unfair or deceptive trade practices under D.C. Code Section 28-3904. The DC Attorney General can seek civil penalties of up to $5,000 per first violation and up to $10,000 per subsequent violation under D.C. Code Section 28-3909. The Attorney General can also obtain temporary or permanent injunctions, orders requiring corrective action, and consumer restitution without needing to prove damages. The 2024 Blackbaud settlement, in which the AG secured over $355,000 plus data security overhaul commitments, illustrates how these enforcement tools are applied in practice.
Is DC a one-party or two-party consent state for recording conversations?
DC is a one-party consent jurisdiction under D.C. Code § 23-542. You may legally record a phone call or in-person conversation you are participating in without notifying other parties. However, the one-party consent exception does not apply if the recording is made for the purpose of committing a crime, tortious act, or other injurious act under federal or DC law. Violating § 23-542 can result in criminal penalties of up to five years imprisonment and civil liability for the greater of actual damages, $100 per day, or $1,000, plus punitive damages and attorney's fees.
What does the TAKE IT DOWN Act require, and does it apply to DC residents?
Yes, the TAKE IT DOWN Act (Pub. L. 119-12) applies nationwide, including DC residents. Signed into law with bipartisan support, the Act criminalizes publishing nonconsensual intimate visual depictions, including AI-generated deepfakes. As of May 19, 2026, covered online platforms must operate a removal request process and remove flagged content within 48 hours of a valid request. The FTC enforces these platform obligations and may impose civil penalties up to $53,088 per violation. DC residents who are victims of nonconsensual intimate imagery can submit removal requests directly to covered platforms under this federal law.
How can DC residents file a privacy or data breach complaint?
DC residents can file consumer protection and data privacy complaints directly with the DC Office of the Attorney General at oag.dc.gov. The OAG's Consumer and Tenant Response Team handles complaints and has secured millions in consumer restitution through mediation. For federal privacy violations, residents can also file complaints with the FTC at ftc.gov/complaint. For health-related privacy violations involving HIPAA-covered entities, complaints go to the HHS Office for Civil Rights at hhs.gov/hipaa. For student data privacy violations, contact the DC Office of the State Superintendent of Education (OSSE).
What is the status of DC's pending health data privacy bills?
As of May 2026, two health data privacy bills are pending in the DC 26th Council. B26-0525 (Personal Health Data Security Amendment Act of 2025), introduced December 1, 2025, would prohibit geofencing near health facilities, require consent for health data collection and sharing, and establish deletion rights. It received a roundtable hearing March 23, 2026, and remains in committee. An earlier bill, CHIPPA (B25-0930), died in the 25th Council without passing. Neither bill has been enacted into law.
Sources and References
- D.C. Code Section 28-3851: Definitions (code.dccouncil.gov)
- D.C. Code Section 28-3852: Notification of Security Breach (code.dccouncil.gov)
- D.C. Code Section 28-3852.01: Security Requirements (code.dccouncil.gov)
- D.C. Code Section 28-3852.02: Remedies (code.dccouncil.gov)
- D.C. Code Section 28-3853: Enforcement (code.dccouncil.gov)
- D.C. Law 23-98: Security Breach Protection Amendment Act of 2020 (code.dccouncil.gov)
- D.C. Code Chapter 39: Consumer Protection Procedures Act (code.dccouncil.gov)
- D.C. Code Section 28-3909: Restraining Prohibited Acts (code.dccouncil.gov)
- D.C. Law 21-218: Protecting Students Digital Privacy Act of 2016 (code.dccouncil.gov)
- D.C. Code Section 38-831.02: Operator Obligations (code.dccouncil.gov)
- D.C. Code Section 38-831.04: Student Account Privacy (code.dccouncil.gov)
- DC AG: Consumer Alert on Online Privacy (oag.dc.gov)
- DC AG: Blackbaud Settlement (oag.dc.gov)
- DC AG: CHIPPA Introduction (oag.dc.gov)
- OSSE: Student Privacy Policy (osse.dc.gov)
- FTC: Privacy and Security Enforcement (ftc.gov)
- D.C. Code § 23-542: Interception, Disclosure, and Use of Wire or Oral Communications Prohibited (code.dccouncil.gov)
- DC Attorney General: AG Racine Announces Google Must Pay $9.5 Million for Deceptive Location Tracking (2022) (oag.dc.gov)
- DC Attorney General: Schwalb Announces $700 Million Multistate Settlement With Google (2023) (oag.dc.gov)
- DC Attorney General: AG Racine Sues Mark Zuckerberg for Cambridge Analytica Privacy Failures (oag.dc.gov)
- DC Attorney General: 2025 Impact Report (oag.dc.gov)
- DC Council LIMS: B25-0930 Consumer Health Information Privacy Protection Act (25th Council) (lims.dccouncil.gov)