District of Columbia Biometric Privacy Laws: Collection, Consent & Penalties (2026)

The District of Columbia protects biometric data through its breach notification framework rather than a dedicated biometric privacy law. If your fingerprint, facial scan, or iris image is compromised in a data breach, DC law requires the organization holding that data to notify you and the Attorney General. But DC does not require businesses to get your permission before collecting biometric data in the first place.
This guide explains how DC law defines and protects biometric information, what rights you have when a breach occurs, how enforcement works, and where the District stands compared to states with stronger biometric privacy protections. For the full picture of DC privacy rules, see the parent guide on [District of Columbia Data Privacy Laws](/us-laws/data-privacy-laws/district-of-columbia-data-privacy-laws).
How DC Law Defines Biometric Data
DC Code 28-3851 defines biometric data as information "generated by automatic measurements of an individual's biological characteristics, such as a fingerprint, voice print, genetic print, retina or iris image, or other unique biological characteristic, that is used to uniquely authenticate the individual's identity when the individual accesses a system or account."
That definition covers a range of identifiers:
- Fingerprints and palm prints
- Retina and iris scans
- Voice prints
- Genetic prints
- Other unique biological characteristics used for authentication
One important limitation: the definition applies only to biometric data used "to uniquely authenticate" an individual's identity. Biometric data collected for purposes other than authentication, such as emotion detection or gait analysis, may fall outside this definition.
Biometric data is classified as "personal information" under the statute. That means it receives the same breach notification protections as Social Security numbers, driver's license numbers, and financial account information.
Breach Notification Requirements for Biometric Data

The Security Breach Protection Amendment Act of 2020 (D.C. Law 23-98), which took effect on June 17, 2020, significantly strengthened DC's breach notification requirements. Under DC Code 28-3852, any person or entity that conducts business in DC and discovers a breach involving biometric data must:
Notify affected residents. The notification must happen "in the most expedient time possible and without unreasonable delay." The notice must describe the categories of information compromised, provide contact details for the notifying entity, and include information about consumer reporting agencies, credit freezes, the FTC, and the DC Attorney General.
Report to the Attorney General. If the breach affects 50 or more DC residents, the entity must send written notice to the Office of the Attorney General at the same time it notifies residents.
Alert consumer reporting agencies. When 1,000 or more individuals are notified, the entity must also inform nationwide consumer reporting agencies about the breach timing and scope.
Security Requirements for Biometric Data
DC Code 28-3852.01 requires any entity that possesses personal information of DC residents, including biometric data, to "implement and maintain reasonable security safeguards, including procedures and practices that are appropriate to the nature of the personal information."
This standard applies broadly:
- Entities must assess the sensitivity of the data they hold and apply proportionate safeguards
- Third-party service providers must be bound by written agreements requiring them to maintain reasonable security procedures
- When destroying records containing biometric data, organizations must take reasonable steps to prevent unauthorized access, considering the sensitivity of the records, business size, available technology, and cost
Entities that comply with federal data security regulations under HIPAA, the HITECH Act, or the Gramm-Leach-Bliley Act are deemed to satisfy DC's security requirements under a safe harbor provision.
Enforcement and Penalties
DC Code 28-3853 classifies any violation of the breach notification subchapter as an unfair or deceptive trade practice under DC Code 28-3904. This classification opens two enforcement paths.
Consumer lawsuits. Individuals harmed by a breach notification violation can sue and recover treble damages or $1,500 per violation, whichever is greater. For violations of the data security requirements specifically (Section 28-3852.01), consumers may recover actual damages.
Attorney General enforcement. The DC Attorney General can bring actions in DC Superior Court seeking injunctive relief and restitution without having to prove damages. The AG's office has actively pursued data breach enforcement, including a settlement of over $350,000 against software firm Blackbaud in a multistate action involving a breach that affected nonprofits and schools.
The rights and remedies are cumulative, meaning consumers can pursue claims under both the breach notification statute and other applicable laws simultaneously.
What DC Law Does Not Cover

Unlike Illinois, Texas, and Washington, the District of Columbia does not have a standalone biometric privacy statute. This means DC law currently has no requirement for:
- Informed consent before collection. Businesses can collect fingerprints, facial geometry, or iris scans from DC residents without notice or consent, as long as no breach occurs.
- Written biometric data policies. There is no obligation to publish a retention schedule or destruction policy for biometric data.
- Purpose limitations. Organizations face no restrictions on how they use biometric data once collected.
- Sale or sharing restrictions. DC law does not prohibit selling biometric data to third parties.
- Private right of action for collection. You cannot sue a company simply for collecting your biometric data without permission. Legal action is available only after a breach or a failure to notify.
For DC residents, this gap means that the law kicks in after something goes wrong, not before.
Employer Use of Biometric Data in DC

DC employers increasingly use fingerprint scanners, facial recognition, and other biometric tools for timekeeping and building access. Because the District lacks a dedicated biometric privacy statute, employers have broad latitude to implement these systems.
No DC-specific law requires employers to:
- Inform employees before collecting biometric data
- Obtain written consent for fingerprint or facial recognition use
- Publish a biometric data retention and destruction policy
- Limit the use of collected biometric data to stated purposes
However, employers must still maintain reasonable security safeguards for any biometric data they hold under DC Code 28-3852.01. A breach of employee biometric data would trigger the same notification obligations and potential penalties as any other breach of personal information.
Employers subject to federal regulations such as HIPAA in healthcare settings may face additional biometric data obligations beyond DC law.
Pending Legislation and Future Outlook
The DC Council has shown interest in expanding data privacy protections beyond breach notification. The Personal Health Data Security Amendment Act of 2025 (Bill 26-0525), introduced in December 2025, would require consent before collecting personal health data, establish deletion rights, and prohibit geofencing around health care facilities. While this bill focuses on health data rather than biometrics specifically, its consent and deletion framework signals a potential direction for future DC privacy legislation.
As of March 2026, the bill had progressed to a roundtable hearing in the DC Council. No standalone biometric privacy bill has been introduced in the current (26th) Council session.
The national trend is moving toward stronger biometric protections. Over a dozen states now have comprehensive privacy laws that cover biometric data, and dedicated biometric privacy statutes continue to proliferate. DC residents and businesses should monitor the Council for future legislation that may impose consent requirements, retention limits, or a private right of action for biometric data collection.
This article provides general legal information about District of Columbia biometric privacy laws and is not legal advice. Biometric privacy law is evolving rapidly at the state and federal level. Consult a licensed attorney in DC for guidance on your specific situation.
Sources and References
- DC Code 28-3851 - Definitions (biometric data definition) (code.dccouncil.gov)
- DC Code 28-3852 - Notification of security breach (code.dccouncil.gov)
- DC Code 28-3852.01 - Security requirements (code.dccouncil.gov)
- DC Code 28-3852.02 - Remedies (code.dccouncil.gov)
- DC Code 28-3853 - Enforcement (code.dccouncil.gov)
- DC Code 28-3904 - Unfair or deceptive trade practices (code.dccouncil.gov)
- Security Breach Protection Amendment Act of 2020 (D.C. Law 23-98) (code.dccouncil.gov)
- DC Attorney General - Consumer Alert: Online Privacy (oag.dc.gov)
- AG Schwalb secures over $350,000 from Blackbaud for data breach (oag.dc.gov)
- Personal Health Data Security Amendment Act of 2025 (B26-0525)(legiscan.com)