Data Privacy Regulations

Terms of Use

This summary of regulations is provided for information purposes only.
No action based on this summary alone should be undertaken.
Each individual or entity must obtain appropriate guidance for its specific circumstances.


Did You Know?

  • Limited methods of notification delivery;
  • Data owners are responsible for breach reporting and notifications;
  • Notification may be required to the consumer reporting agencies;
  • Violations may incur up to $100 per affected resident, injunctive relief, restitution, and civil suit by individual residents;
  • Other state laws, federal laws, industry regulations, and/or out-of-country laws may apply.

Who Me?


District of Columbia breach and notification laws may apply if you are a person or entity who:

  • Conducts business in DC, and who, in the course of such business, owns or licenses computerized or other electronic data that includes PII;
  • Maintains, handles, or otherwise possesses computerized or other electronic data that includes PII you do not own.

There are exemptions.

What is PII?


PII relevant to a breach includes an individual’s name, phone number or address with one or more of the following:

  • Social Security Number;
  • Driver license or state identification number;
  • Credit or debit card number.

PII also includes any other number or code, or combination of numbers or codes, such as an account number, security or access code, or password, that allows access to or use of an individual's financial or credit account.



The statutes include, but are not limited to:

District of Columbia Official Code:

Division V. Local Business Affairs / Title 28. Commercial Instruments And Transactions / Subtitle II. Other Commercial Transactions / Chapter 38. Consumer Protections / Subchapter II. Consumer Security Breach Notification / § 28-3851 to § 28-3853


A few applicable statutes include, but are not limited to:

District of Columbia Official Code:

  • Title 28. Commercial Instruments and Transactions / Article 9. Secured Transactions / Part V. Filing / Subpart 2. Duties and Operation of Filing Office / § 28:9-522. Maintenance and destruction of records.
  • Title 47. Taxation, Licensing, Permits, Assessments, and Fees / Chapter 31A. Use of Consumer Identification Information / § 47–3153. Use of consumer identification information in connection with credit card payments.



For violations, the attorney general may petition the DC Superior Court for injunctive relief and restitution. In addition, the AG may recover a civil penalty not to exceed $100 for each violation, the costs of the action, and reasonable attorney's fees. Each failure to provide a DC resident with notification may constitute a separate violation. Civil right of action, if authorized.



  • The combination of personal information breached;
  • If the data was electronic;
  • If the data was encrypted or secure;
  • If it was acquired by an unauthorized person.


Depending on the impact and type of breach, there may be specific entities to report to and specific time limits to report a breach. Notifications must be made in the most expedient time possible and without unreasonable delay, unless law enforcement advises that notification will interfere with an investigation.


Requires detailed information and potential provision of services

Disclosure may be made by written notice or electronically (with stipulations).

A substitute notice, with specific requirements, may be sent if the person demonstrates that the cost of providing the notice would exceed $50,000, that the number of persons to be notified exceeds 100,000, or that the person does not have sufficient contact information.
