State Law Practice Note

District of Columbia Consumer Privacy Law

The District of Columbia has no comprehensive consumer-privacy statute; privacy enforcement runs through the Consumer Protection Procedures Act — whose private right of action extends to testers, nonprofits, and public-interest organizations — and a 2020-strengthened breach and data-security law.

More details about this document
Editor: OpenAgreements editor
License: CC BY 4.0

Which privacy laws apply to your business in the District of Columbia?

The District of Columbia has no comprehensive consumer-privacy statute — no general rights of access, deletion, correction, or opt-out, and no controller-processor framework. Two District laws do the work instead. The Consumer Protection Procedures Act (CPPA) makes it a violation for any person to engage in an unfair or deceptive trade practice, whether or not any consumer is in fact misled, deceived, or damaged. The breach-notice duty applies to a person or entity conducting business in the District that owns or licenses covered electronic data and discovers a breach. Separate security, vendor-contract, and destruction duties apply under their own conduct triggers in § 28-3852.01, while the definition of person or entity broadly covers private individuals and organizations but excludes the District government itself.

Because there is no omnibus act, District residents have no statutory rights to access, delete, or correct their data, no right to opt out of sale or targeted advertising, and no recognized universal opt-out signal under District law. What fills the gap is the CPPA plus the federal overlay. The CPPA must be construed and applied liberally, and it establishes an enforceable right to truthful information from merchants about consumer goods and services purchased, leased, or received in the District. Misleading privacy settings, undisclosed data sharing, and broken security promises all plead as unfair or deceptive trade practices — which matters here because the CPPA carries a broad private right of action, covered in the consumer-lawsuit section below. The federal layer then applies as it does everywhere: FTC Act § 5 reaches deceptive or unfair privacy practices generally, the Gramm-Leach-Bliley Act governs financial institutions, HIPAA governs covered health entities, and COPPA governs services directed to children under 13. This note is written to stay durable: if the Council later enacts an omnibus law, a program built to the CPPA-plus-overlay framework upgrades rather than restarts.

Sources for this answer

Primary law

A.1 D.C. Code § 28-3904

The CPPA makes it a violation for any person to engage in an unfair or deceptive trade practice, whether or not any consumer is in fact misled, deceived, or damaged.

It shall be a violation of this chapter for any person to engage in an unfair or deceptive trade practice, whether or not any consumer is in fact misled, deceived, or damaged thereby

See D.C. Code § 28-3904.

Primary law

A.2 D.C. Code § 28-3852(a)

The resident breach-notice duty applies to a person or entity conducting business in the District that owns or licenses covered electronic data and discovers a breach.

Any person or entity who conducts business in the District of Columbia, and who, in the course of such business, owns or licenses computerized or other electronic data that includes personal information, and who discovers a breach of the security of the system, shall promptly notify any District of Columbia resident whose personal information was included in the breach.

See D.C. Code § 28-3852(a).

Primary law

A.6 D.C. Code § 28-3851

The breach subchapter defines person or entity to include individuals, firms, corporations, and other private organizations, while excluding the District government and its agencies or instrumentalities.

"Person or entity" means an individual, firm, corporation, partnership, company, cooperative, association, trust, or any other organization, legal entity, or group of individuals. The term "person or entity" shall not include the District of Columbia government or any of its agencies or instrumentalities.

See D.C. Code § 28-3851(2A).

Primary law

A.3 D.C. Code § 28-3852.01(a)

The security-safeguards duty applies to a person or entity that owns, licenses, maintains, handles, or otherwise possesses personal information of a District resident.

To protect personal information from unauthorized access, use, modification, disclosure, or a reasonably anticipated hazard or threat, a person or entity that owns, licenses, maintains, handles, or otherwise possesses personal information of an individual residing in the District shall implement and maintain reasonable security safeguards, including procedures and practices that are appropriate to the nature of the personal information and the nature and size of the entity or operation.

See D.C. Code § 28-3852.01(a).

Primary law

A.4 D.C. Code § 28-3852.01(b)

The vendor-contract duty applies when a person or entity discloses a District resident's personal information to a nonaffiliated third-party service provider under a written agreement.

A person or entity that uses a nonaffiliated third party as a service provider to perform services for a person or entity and discloses personal information about an individual residing in the District under a written agreement with the third party shall require by the agreement that the third party implement and maintain reasonable security procedures and practices

See D.C. Code § 28-3852.01(b).

Primary law

A.5 D.C. Code § 28-3852.01(c)

The destruction duty applies when a person or entity destroys records containing personal information of a consumer, employee, or former employee.

When a person or entity is destroying records, including computerized or electronic records and devices containing computerized or electronic records, that contain personal information of a consumer, employee, or former employee of the person or entity, the person or entity shall take reasonable steps to protect against unauthorized access to or use of the personal information

See D.C. Code § 28-3852.01(c).

Primary law

A.7 D.C. Code § 28-3901

The CPPA is construed and applied liberally and establishes an enforceable right to truthful information from merchants about consumer goods and services.

This chapter shall be construed and applied liberally to promote its purpose. This chapter establishes an enforceable right to truthful information from merchants about consumer goods and services that are or would be purchased, leased, or received in the District of Columbia.

See D.C. Code § 28-3901(c).

What must your privacy policy say in the District of Columbia?

No District statute requires a general consumer privacy policy or fixes what it must contain. The binding rule is that whatever you publish must be true: the CPPA makes it a violation to misrepresent as to a material fact which has a tendency to mislead, or to fail to state a material fact if the failure tends to mislead, and FTC Act § 5 separately declares unfair or deceptive acts or practices in commerce unlawful. A privacy policy that misstates how you collect, use, share, or secure data is actionable under both.

The CPPA expressly directs courts to give FTC Act § 5 interpretations due consideration and weight: in construing an unfair or deceptive trade practice, courts must give due consideration and weight to how the Federal Trade Commission and the federal courts interpret FTC Act § 5. Federal deception doctrine on privacy promises, omissions, and broken security commitments is therefore an important interpretive guide under District law. Where a sectoral regime applies, it supplies the contents: a HIPAA covered entity must give individuals a notice of the uses and disclosures of their protected health information and of their rights and the entity's duties, a GLBA financial institution must provide a notice that complies with 15 U.S.C. § 6803 before disclosing nonpublic personal information to a nonaffiliated third party, and COPPA requires covered child-directed operators to provide website notice of child-data collection, use, and disclosure practices. For everyone else, build the policy as best practice — categories of data collected, purposes, third-party sharing, and how users exercise any choices you offer — and then honor it. The stakes of a mismatch are higher in the District than in most sectoral jurisdictions: a misstatement needs no proof that any consumer was actually misled, and it is enforceable not just by the Attorney General but by the CPPA's unusually broad private-plaintiff classes, covered below.

Sources for this answer

Primary law

B.1 D.C. Code § 28-3904(e)–(f)

It is an unfair or deceptive trade practice to misrepresent a material fact with a tendency to mislead or to fail to state a material fact where the omission tends to mislead — the CPPA hooks for inaccurate privacy policies.

(e) misrepresent as to a material fact which has a tendency to mislead; (e-1) represent that a transaction confers or involves rights, remedies, or obligations which it does not have or involve, or which are prohibited by law; (f) fail to state a material fact if such failure tends to mislead;

See D.C. Code § 28-3904(e)–(f).

Primary law

B.3 D.C. Code § 28-3901(d)

The CPPA directs courts to give FTC and federal-court interpretations of FTC Act § 5 due consideration and weight when construing an unfair or deceptive trade practice.

In construing the term "unfair or deceptive trade practice" due consideration and weight shall be given to the interpretation by the Federal Trade Commission and the federal courts of the term "unfair or deceptive act or practice," as employed in section 5(a) of An Act To create a Federal Trade Commission

See D.C. Code § 28-3901(d).

Primary law

B.2 FTC Act § 5

Section 5 of the FTC Act declares unfair or deceptive acts or practices in or affecting commerce unlawful, which reaches a privacy policy that misstates a business's actual data practices.

Unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful.

See 15 U.S.C. § 45(a)(1).

Primary law

B.4 HIPAA Notice of Privacy Practices

A HIPAA covered entity must give individuals a notice describing the uses and disclosures of their protected health information and their rights and the entity's legal duties.

an individual has a right to adequate notice of the uses and disclosures of protected health information that may be made by the covered entity, and of the individual's rights and the covered entity's legal duties with respect to protected health information

See 45 C.F.R. § 164.520.

Primary law

B.5 GLBA Privacy Notice

GLBA requires a financial institution to provide a notice that complies with 15 U.S.C. § 6803 before disclosing nonpublic personal information to a nonaffiliated third party.

a financial institution may not, directly or through any affiliate, disclose to a nonaffiliated third party any nonpublic personal information, unless such financial institution provides or has provided to the consumer a notice that complies with section 6803 of this title

See 15 U.S.C. § 6802(a).

Primary law

B.6 COPPA Online Notice

COPPA requires covered child-directed operators to provide website notice of what information is collected from children and how it is used and disclosed.

to provide notice on the website of what information is collected from children by the operator, how the operator uses such information, and the operator’s disclosure practices for such information

See 15 U.S.C. § 6502(b)(1)(A)(i).

What must your contracts with vendors say about D.C. residents' data?

The District has no omnibus data-processing-agreement statute — no prescribed processing instructions, audit rights, or subprocessor flow-downs. But unlike most sectoral jurisdictions, it does impose one targeted contract duty: a person or entity that discloses a District resident's personal information to a nonaffiliated third-party service provider under a written agreement must require, by that agreement, that the provider implement and maintain reasonable security procedures and practices appropriate to the information and reasonably designed to protect it from unauthorized access, use, modification, and disclosure.

That clause — added by the 2020 breach-law overhaul — makes a security term in every D.C.-facing vendor agreement a statutory requirement, not just hygiene. It is narrower than a comprehensive-state data processing agreement: it addresses security only, not processing purposes, deletion, or assistance duties. Where a federal regime applies, it adds its own contracting layer: the GLBA Safeguards Rule requires financial institutions to oversee service providers and to require them by contract to implement and maintain appropriate safeguards, and HIPAA requires a business-associate agreement with mandatory data-protection, breach-reporting, and subcontractor terms before sharing protected health information. The practical drafting move for a vendor template touching D.C. residents is to fold the statutory security clause into the broader best-practice set — processing limited to documented instructions, confidentiality, breach notification back to your business, and return or deletion of data at the end of the engagement — so one rider satisfies the District requirement and the federal overlays at once.

Sources for this answer

Primary law

C.1 D.C. Code § 28-3852.01(b)

When personal information of a District resident is disclosed to a nonaffiliated third-party service provider under a written agreement, the agreement must require the provider to implement and maintain reasonable security procedures and practices.

A person or entity that uses a nonaffiliated third party as a service provider to perform services for a person or entity and discloses personal information about an individual residing in the District under a written agreement with the third party shall require by the agreement that the third party implement and maintain reasonable security procedures and practices that: (1) Are appropriate to the nature of the personal information disclosed to the nonaffiliated third party; and (2) Are reasonably designed to protect the personal information from unauthorized access, use, modification, and disclosure.

See D.C. Code § 28-3852.01(b).

Primary law

C.2 GLBA Safeguards Rule

The GLBA Safeguards Rule requires a financial institution to oversee its service providers, including by requiring them by contract to implement and maintain appropriate safeguards for customer information.

Requiring your service providers by contract to implement and maintain such safeguards

See 16 C.F.R. § 314.4(f)(2).

Primary law

C.3 HIPAA Business Associate Contracts

HIPAA requires a business-associate contract to establish permitted uses and disclosures and require safeguards, breach reporting, and subcontractor flow-down terms.

A contract between the covered entity and a business associate must: (i) Establish the permitted and required uses and disclosures of protected health information by the business associate. The contract may not authorize the business associate to use or further disclose the information in a manner that would violate the requirements of this subpart, if done by the covered entity, except that: (A) The contract may permit the business associate to use and disclose protected health information for the proper management and administration of the business associate, as provided in paragraph (e)(4) of this section; and (B) The contract may permit the business associate to provide data aggregation services relating to the health care operations of the covered entity. (ii) Provide that the business associate will: (A) Not use or further disclose the information other than as permitted or required by the contract or as required by law; (B) Use appropriate safeguards and comply, where applicable, with subpart C of this part with respect to electronic protected health information, to prevent use or disclosure of the information other than as provided for by its contract; (C) Report to the covered entity any use or disclosure of the information not provided for by its contract of which it becomes aware, including breaches of unsecured protected health information as required by § 164.410; (D) In accordance with § 164.502(e)(1)(ii), ensure that any subcontractors that create, receive, maintain, or transmit protected health information on behalf of the business associate agree to the same restrictions and conditions that apply to the business associate with respect to such information;

See 45 C.F.R. § 164.504(e).

Does District of Columbia law require you to protect personal data?

Yes. Since the 2020 breach-law overhaul, any person or entity that owns, licenses, maintains, handles, or otherwise possesses the personal information of a District resident must implement and maintain reasonable security safeguards, including procedures and practices appropriate to the nature of the personal information and to the nature and size of the entity or operation. This is an affirmative data-security duty that applies before any breach occurs; the quoted duty does not include a separate size threshold, although the reasonableness standard scales to the nature and size of the entity or operation.

The duty extends through the data lifecycle: when destroying records that contain the personal information of a consumer, employee, or former employee — including electronic records and the devices that hold them — the person or entity must take reasonable steps to protect against unauthorized access to or use of that information. The statute scales the standard to the data and the organization rather than defining reasonable security safeguards with a control list, so what is reasonable for a small retailer differs from what is reasonable for a data-rich platform. Entities already regulated federally get a deemed-compliance provision: a person or entity subject to and in compliance with the security requirements of the Gramm-Leach-Bliley Act, HIPAA, or the HITECH Act is deemed to comply with this section. The teeth come from the enforcement bridge covered below — a violation of the security duty, like a violation of the notice duties, is an unfair or deceptive trade practice under the CPPA.

Sources for this answer

Primary law

D.1 D.C. Code § 28-3852.01(a)

Anyone who owns, licenses, maintains, handles, or possesses a District resident's personal information must implement and maintain reasonable security safeguards appropriate to the data and to the entity's nature and size.

To protect personal information from unauthorized access, use, modification, disclosure, or a reasonably anticipated hazard or threat, a person or entity that owns, licenses, maintains, handles, or otherwise possesses personal information of an individual residing in the District shall implement and maintain reasonable security safeguards, including procedures and practices that are appropriate to the nature of the personal information and the nature and size of the entity or operation.

See D.C. Code § 28-3852.01(a).

Primary law

D.2 D.C. Code § 28-3852.01(c)

When destroying records containing personal information of a consumer, employee, or former employee, the person or entity must take reasonable steps to protect against unauthorized access to or use of the information.

When a person or entity is destroying records, including computerized or electronic records and devices containing computerized or electronic records, that contain personal information of a consumer, employee, or former employee of the person or entity, the person or entity shall take reasonable steps to protect against unauthorized access to or use of the personal information

See D.C. Code § 28-3852.01(c).

Primary law

D.3 D.C. Code § 28-3852.01(d)

An entity subject to and in compliance with the security requirements of GLBA, HIPAA, or the HITECH Act is deemed to be in compliance with the District's security-safeguards section.

A person or entity who is subject to and in compliance with requirements for security procedures and practices contained in Title V of the Gramm-Leach-Bliley Act, approved November 12, 1999 (113 Stat. 1436; 15 U.S.C. § 6801 et seq.), or the Health Insurance Portability Accountability Act of 1996, approved August 21, 1996 (Pub. L. No. 104-191; 110 Stat. 1936), or the Health Information Technology for Economic and Clinical Health Act, approved February 17, 2009 (Pub. L. No. 111-5; 123 Stat. 226), and any rules, regulations, guidance and guidelines thereto, shall be deemed to be in compliance with this section

See D.C. Code § 28-3852.01(d).

When must you notify people of a data breach in the District of Columbia?

Promptly. Any person or entity that conducts business in the District and owns or licenses electronic data including personal information must notify every District resident whose personal information was included in a breach, in the most expedient time possible and without unreasonable delay. If the breach affects 50 or more District residents, written notice must also go promptly to the Office of the Attorney General — no later than when residents are notified. And when a breach requires notification under § 28-3852(a) or (b) and includes or is reasonably believed to include Social Security or taxpayer identification numbers, the entity must offer identity-theft protection services at no cost for at least 18 months to each District resident whose Social Security number or taxpayer identification number was released.

The trigger is broad. A breach of the security of the system means the unauthorized acquisition of computerized or other electronic data — or any equipment or device storing such data — that compromises the security, confidentiality, or integrity of personal information. Personal information covers far more than Social Security numbers: a name or other identifier combined with a government ID number, a financial-account or card number with its access code, medical information, genetic information, health-insurance information, or biometric data — and, standing alone, a username or e-mail address combined with a password or other means of authentication that permits access to the person's e-mail account. Two exclusions matter operationally. Properly encrypted or redacted data is outside the definition unless the protection itself was compromised. And the risk-of-harm exit is not unilateral: an acquisition falls outside the definition only if the entity reasonably determines, after a reasonable investigation and consultation with the Office of the Attorney General and federal law enforcement, that harm to the individual is unlikely. The Attorney General notice must include eleven enumerated items, from the cause of the breach to a sample of the resident notice. Entities that give notice under the GLBA or HIPAA/HITECH breach-notification regimes can satisfy the resident-notice duty that way, but that does not eliminate any Attorney General notice required by § 28-3852(b-1).

Sources for this answer

Primary law

E.1 D.C. Code § 28-3852(a)

A business that owns or licenses electronic data including personal information must promptly notify any District resident whose personal information was included in a breach, in the most expedient time possible and without unreasonable delay.

Any person or entity who conducts business in the District of Columbia, and who, in the course of such business, owns or licenses computerized or other electronic data that includes personal information, and who discovers a breach of the security of the system, shall promptly notify any District of Columbia resident whose personal information was included in the breach. The notification shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subsection (d) of this section, and with any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.

See D.C. Code § 28-3852(a).

Primary law

E.2 D.C. Code § 28-3852(b-1)

If a breach affects 50 or more District residents, the entity must promptly give written notice to the Office of the Attorney General, no later than when residents are notified.

In addition to giving the notification required under subsection (a) of this section, and subject to subsection (d) of this section, the person or entity required to give notice shall promptly provide written notice of the breach of the security of the system to the Office of the Attorney General for the District of Columbia if the breach affects 50 or more District residents. This notice shall be made in the most expedient manner possible, without unreasonable delay, and in no event later than when notice is provided under subsection (a) of this section.

See D.C. Code § 28-3852(b-1).

Primary law

E.3 D.C. Code § 28-3852.02

When a breach requires notification under § 28-3852(a) or (b) and includes or is reasonably believed to include a Social Security or taxpayer identification number, the entity must offer at least 18 months of no-cost identity-theft protection to each District resident whose Social Security number or taxpayer identification number was released.

When a person or entity experiences a breach of the security of the system that requires notification under § 28-3852(a) or (b), and such breach includes or is reasonably believed to include a social security number or taxpayer identification number, the person or entity shall offer to each District resident whose social security number or tax identification number was released identity theft protection services at no cost to such District resident for a period of not less than 18 months. The person or entity that experienced the breach of the security of its system shall provide all information necessary for District residents to enroll in the services required under this section.

See D.C. Code § 28-3852.02.

Primary law

E.4 D.C. Code § 28-3851(1)(A)

A breach of the security of the system is the unauthorized acquisition of computerized or other electronic data, or equipment storing such data, that compromises the security, confidentiality, or integrity of personal information.

"Breach of the security of the system" means unauthorized acquisition of computerized or other electronic data or any equipment or device storing such data that compromises the security, confidentiality, or integrity of personal information maintained by the person or entity who conducts business in the District of Columbia.

See D.C. Code § 28-3851(1)(A).

Primary law

E.5 D.C. Code § 28-3851(3)(A)

Personal information includes a name or other personal identifier combined with government ID numbers, financial-account access data, medical information, genetic information, health-insurance information, or biometric data.

An individual's first name, first initial and last name, or any other personal identifier, which, in combination with any of the following data elements, can be used to identify a person or the person's information: (I) Social security number, Individual Taxpayer Identification Number, passport number, driver's license number, District of Columbia identification card number, military identification number, or other unique identification number issued on a government document commonly used to verify the identity of a specific individual; (II) Account number, credit card number or debit card number, or any other number or code or combination of numbers or codes, such as an identification number, security code, access code, or password, that allows access to or use of an individual's financial or credit account; (III) Medical information; (IV) Genetic information and deoxyribonucleic acid profile; (V) Health insurance information, including a policy number, subscriber information number, or any unique identifier used by a health insurer to identify the person that permits access to an individual's health and billing information; (VI) Biometric data of an individual generated by automatic measurements of an individual's biological characteristics, such as a fingerprint, voice print, genetic print, retina or iris image, or other unique biological characteristic, that is used to uniquely authenticate the individual's identity when the individual accesses a system or account;

See D.C. Code § 28-3851(3)(A)(i)(I)–(VI).

Primary law

E.6 D.C. Code § 28-3851(3)(A)(ii)

Online-account credentials count as personal information on their own — a username or e-mail address combined with a password, security question and answer, or other authentication that permits access to the e-mail account.

A user name or e-mail address in combination with a password, security question and answer, or other means of authentication, or any combination of data elements included in sub-sub-subparagraphs (I) through (VI) of sub-subparagraph (i) that permits access to an individual's e-mail account.

See D.C. Code § 28-3851(3)(A)(ii).

Primary law

E.7 D.C. Code § 28-3851(1)(B)(iii)

The risk-of-harm exclusion applies only where the entity reasonably determines harm is unlikely after a reasonable investigation and consultation with the D.C. Attorney General and federal law enforcement — it cannot be invoked unilaterally.

Acquisition of personal information of an individual that the person or entity reasonably determines, after a reasonable investigation and consultation with the Office of the Attorney General for the District of Columbia and federal law enforcement agencies, will likely not result in harm to the individual.

See D.C. Code § 28-3851(1)(B)(iii).

Primary law

E.8 D.C. Code § 28-3852(g)

GLBA or HIPAA/HITECH breach notice can satisfy resident notice, but it does not eliminate any Attorney General notice required by § 28-3852(b-1).

The person or entity shall, in all cases, provide written notice of the breach of the security of the system to the Office of the Attorney General for the District of Columbia as required under subsection (b-1) of this section.

See D.C. Code § 28-3852(g).

Can a consumer sue your business in the District of Columbia over privacy?

Yes — and not only consumers. The CPPA grants a private right of action to a consumer; to an individual tester when the trade practice involves consumer goods or services purchased or received to test qualities for personal, household, or family purposes; to a nonprofit organization on behalf of itself, members, or the general public; and to a public interest organization on behalf of a consumer or class that could sue as consumers, subject to the sufficient-nexus dismissal rule. A prevailing plaintiff may recover treble damages or $1,500 per violation, whichever is greater, plus punitive damages, attorney's fees, and an injunction. Data-breach and data-security failures are privately actionable too: a violation of the breach subchapter is an unfair or deceptive trade practice, enumerated in the CPPA's list of violations. For § 28-3904(kk), the damages remedy is actual damages rather than treble or $1,500-per-violation statutory damages, and actual damages exclude dignitary damages; fees and injunctive relief remain separately listed.

The standing grants do real work, but they carry conditions. Testers must fit the consumer-goods-or-services testing language, nonprofits must stay within the nonprofit route, and public-interest organizations can sue only where the represented consumer or class could sue as consumers and the organization has a sufficient nexus to the interests represented. Public-interest and general-public claims also face a stay rule: an overlapping Attorney General action under § 28-3909 stays those private claims until the Attorney General action is resolved, and public-interest or general-public plaintiffs must notify OAG within 10 days after filing. CPPA claims belong in D.C. Superior Court, where the statutory grants, rather than the federal injury-in-fact doctrine, frame who can sue. The two-track damages design is a deliberate split: privacy deception claims (a privacy policy or setting that misrepresents practices, under § 28-3904(e) or (f)) carry the full treble-or-$1,500-per-violation remedy, while breach claims routed through § 28-3904(kk) have an actual-damages remedy. Even on the breach track, fee-shifting and injunctive relief remain available, so the carve-out narrows the damages exposure without closing the courthouse door.

Sources for this answer

Primary law

F.1 D.C. Code § 28-3905(k)(1)

The CPPA grants private-action paths to consumers, qualifying individual testers, nonprofit organizations, and public interest organizations, with tester, nonprofit, consumer-could-sue, and sufficient-nexus conditions.

(A) A consumer may bring an action seeking relief from the use of a trade practice in violation of a law of the District. (B) An individual may, on behalf of that individual, or on behalf of both the individual and the general public, bring an action seeking relief from the use of a trade practice in violation of a law of the District when that trade practice involves consumer goods or services that the individual purchased or received in order to test or evaluate qualities pertaining to use for personal, household, or family purposes. (C) A nonprofit organization may, on behalf of itself or any of its members, or on any such behalf and on behalf of the general public, bring an action seeking relief from the use of a trade practice in violation of a law of the District, including a violation involving consumer goods or services that the organization purchased or received in order to test or evaluate qualities pertaining to use for personal, household, or family purposes. (D) (i) Subject to sub-subparagraph (ii) of this subparagraph, a public interest organization may, on behalf of the interests of a consumer or a class of consumers, bring an action seeking relief from the use by any person of a trade practice in violation of a law of the District if the consumer or class could bring an action under subparagraph (A) of this paragraph for relief from such use by such person of such trade practice. (ii) An action brought under sub-subparagraph (i) of this subparagraph shall be dismissed if the court determines that the public interest organization does not have sufficient nexus to the interests involved of the consumer or class to adequately represent those interests.

See D.C. Code § 28-3905(k)(1)(A)–(D).

Primary law

F.2 D.C. Code § 28-3905(k)(2)

CPPA plaintiffs sue in D.C. Superior Court and may recover treble damages or $1,500 per violation, attorney's fees, punitive damages, and an injunction; for § 28-3904(kk), the damages remedy is actual damages, excluding dignitary damages.

Any claim under this chapter shall be brought in the Superior Court of the District of Columbia and may recover or obtain the following remedies: (A) (i) Treble damages, or $1,500 per violation, whichever is greater, payable to the consumer; (ii) Notwithstanding sub-subparagraph (i) of this subparagraph, for a violation of § 28-3904(kk) a consumer may recover or obtain actual damages. Actual damages shall not include dignitary damages, including pain and suffering. (B) Reasonable attorney’s fees; (C) Punitive damages; (D) An injunction against the use of the unlawful trade practice;

See D.C. Code § 28-3905(k)(2).

Primary law

F.5 D.C. Code § 28-3905(k)(7)

An Attorney General action under § 28-3909 stays overlapping public-interest-organization or general-public private claims, and those plaintiffs must notify OAG within 10 days after filing.

Commencement of an action by the Attorney General under § 28-3909, including the maintenance of an action previously commenced and pending as of [October 1, 2021], shall serve to stay until the resolution of the Attorney General's action any civil action that includes any claim that is: (i) Made pursuant to this subsection by a public interest organization or on behalf of the general public; and (ii) Based in whole or in part on any matter complained of in the action commenced by the Attorney General. (B) A plaintiff that is a public interest organization or is acting on behalf of the general public shall provide notice to the Office of the Attorney General within 10 days of the filing of an action that includes a claim made under this subsection.

See D.C. Code § 28-3905(k)(7).

Primary law

F.3 D.C. Code § 28-3853(b)

A violation of the security-breach subchapter — including the notification and security-safeguards duties — is an unfair or deceptive trade practice under the CPPA.

A violation of this subchapter, or any rule issued pursuant to the authority of this subchapter, is an unfair or deceptive trade practice pursuant to § 28-3904(kk).

See D.C. Code § 28-3853(b).

Primary law

F.4 D.C. Code § 28-3904(kk)

The CPPA's enumerated violations expressly include violating any provision of the security-breach subchapter — the receiving end of the § 28-3853(b) bridge.

violate any provision of subchapter 2 of Chapter 38 of this title

See D.C. Code § 28-3904(kk).

Who enforces privacy law in the District of Columbia?

There is no privacy-specific regulator; public enforcement runs through the CPPA and the breach subchapter. A consumer can begin an administrative case by filing a complaint with the Department of Licensing and Consumer Protection describing the trade practice, and in that administrative path the Attorney General for the District of Columbia represents the Department in court proceedings under the Act. For data breaches and security failures, the breach subchapter's rights and remedies are cumulative with every other remedy available under law. Cumulative remedies do not erase the CPPA stay and notice rules: an overlapping Attorney General action under § 28-3909 stays public-interest-organization or general-public private claims until the Attorney General action is resolved, and those plaintiffs must notify OAG within 10 days after filing.

Sources for this answer

Primary law

G.1 D.C. Code § 28-3905(a)

A CPPA administrative case begins with a complaint filed with the Department of Licensing and Consumer Protection plainly describing the trade practice.

A case is begun by filing with the Department a complaint plainly describing a trade practice and stating the complainant’s (and, if different, the consumer’s) name and address, the name and address (if known) of the respondent, and such other information as the Director may require.

See D.C. Code § 28-3905(a).

Primary law

G.2 D.C. Code § 28-3905(i)(4)

The Attorney General for the District of Columbia represents the Department in CPPA enforcement proceedings.

The Attorney General for the District of Columbia shall represent the Department in all proceedings described in this subsection.

See D.C. Code § 28-3905(i)(4).

Primary law

G.3 D.C. Code § 28-3853(c)

The breach subchapter's rights and remedies are cumulative with each other and with any other rights and remedies available under law, so public and private enforcement can proceed in parallel.

The rights and remedies available under this section are cumulative to each other and to any other rights and remedies available under law.

See D.C. Code § 28-3853(c).

Primary law

G.4 D.C. Code § 28-3905(k)(7)

An Attorney General action under § 28-3909 stays overlapping public-interest-organization or general-public private claims, and those plaintiffs must notify OAG within 10 days after filing.

Commencement of an action by the Attorney General under § 28-3909, including the maintenance of an action previously commenced and pending as of [October 1, 2021], shall serve to stay until the resolution of the Attorney General's action any civil action that includes any claim that is: (i) Made pursuant to this subsection by a public interest organization or on behalf of the general public; and (ii) Based in whole or in part on any matter complained of in the action commenced by the Attorney General. (B) A plaintiff that is a public interest organization or is acting on behalf of the general public shall provide notice to the Office of the Attorney General within 10 days of the filing of an action that includes a claim made under this subsection.

See D.C. Code § 28-3905(k)(7).