Data destruction is not just an IT task—it’s a critical business risk. Across the United States, a complex patchwork of state laws, federal regulations, and industry standards governs how organizations must dispose of digital data at end-of-life. Failing to comply can result in severe financial penalties, regulatory action, and catastrophic data breaches. This guide provides a comprehensive overview of digital data destruction regulations by state, with actionable insights for enterprises seeking to protect sensitive information and maintain compliance.
Why Secure Digital Data Destruction Matters
Simply deleting files or reformatting drives does not remove data. Residual data—known as data remanence—can be recovered by attackers, exposing organizations to regulatory fines and reputational damage. According to IBM’s 2025 Cost of a Data Breach Report, the average cost of a data breach in the U.S. has reached record highs, with improper disposal of IT assets a leading cause of incidents.
State-by-State Digital Data Destruction Laws
The National Landscape
- 32 states have specific statutes requiring secure disposal of personal information, including digital data on IT assets.
- 18 states lack specific data disposal laws, but federal regulations and best practices still apply.
- 25 states and D.C. have e-waste laws that indirectly support secure data destruction by mandating certified recycling.
Common Legal Requirements
Most state data disposal laws require organizations to take “reasonable measures” to destroy or render unreadable any records containing personal information. For digital data, this means:
- Erasing, overwriting, or modifying electronic media to make data unrecoverable.
- Shredding, crushing, or physically destroying hard drives and storage devices.
- Contracting certified third-party vendors for compliant disposal, with liability often transferred if proper documentation is maintained.
Applicability typically extends to businesses that own or license personal data, and in some states, government agencies. Penalties range from civil fines to litigation, with some states imposing penalties up to $100,000 per violation.
State-by-State Summary Table
Below is a summary of state digital data destruction laws.
State Data Disposal Laws in the US
| State | Data Disposal Law? | Statute/Citation | Key Requirements (Emphasis on Digital) | Applicability | Penalties | E-Waste Law Notes |
|---|---|---|---|---|---|---|
| Alabama | Yes | Alabama Data Breach Notification Act (2018), Code of Alabama Title 8, Chapter 38; Solid Wastes and Recyclable Materials Management Act (2008) | Notify individuals within 45 days of breach discovery; notify Attorney General if over 1,000 residents impacted. No specific digital requirements but breach notifications apply to electronic data. E-waste managed under universal waste rules (batteries, lamps) and hazardous waste regulations. | Businesses & government | Up to $5,000 per day, up to $500,000 per breach; fines for non-compliance with waste codes | E-waste recycling integrated into solid waste programs; no dedicated e-waste law. Recent bills (HB381, SB264) promote recycling credits and facility reclassification. Hazardous waste authorization updated May 2025. |
| Alaska | Yes | AS 45.48, AS 18.13, AS 21.23, SB 134 | Personal Information Protection Act (AS 45.48) requires breach notification; Genetic data protected under AS 18.13; Insurance Data Security Law (SB 134) effective 2025-2027 mandates ISPs for insurers. | Entities with >10 employees or doing business in Alaska; insurers; entities handling personal info of state residents. | Civil fines up to $500/resident (breaches), capped at $50,000 for governmental agencies; $3,000 per knowing violation under unfair trade practices laws; criminal penalties for genetic data violations. | No mandatory statewide e-waste program; regulations under general solid waste and hazardous waste rules; local initiatives like Backhaul Alaska. |
| Arizona | No | A.R.S. § 18-552 | Mandatory breach notification within 45 days for unencrypted personal info; no comprehensive consumer privacy law; sector-specific protections (e.g., genetic data); pending biometric privacy bill. Voluntary e-waste recycling programs; no landfill ban. | Businesses & government | Civil penalties up to $500,000 per breach series for willful violations. | Voluntary certifications like R2 and e-Stewards; ADEQ promotes recycling events and toolkits; no mandatory recycling laws; federal rules apply to CRTs. |
| Kansas | Yes | K.S.A. 50-7a01 et seq., K.S.A. 75-7240, K.S.A. 50-6,139b | Notification to affected residents in the event of a breach involving personal information; secure disposal of consumer information to prevent identity theft; no comprehensive consumer data privacy law. | Businesses & government | Enforcement for private sector breaches falls under the Attorney General via the Kansas Consumer Protection Act; insurance companies are regulated by the Insurance Commissioner. | Kansas does not have statewide mandatory e-waste recycling laws or landfill bans for electronics; e-waste is managed under general solid waste regulations; some components qualify as universal waste. |
| California | Yes | Cal. Civ. Code §§ 1798.81, 1798.81.5, 1798.84; CCPA; Delete Act (SB 362); SAM 5365.3 | Shred, erase, or modify personal info; NIST SP 800-88 compliance. CCPA/Delete Act grant deletion rights; irretrievable destruction required for retired assets. | Businesses & government | CCPA penalties up to $7,500/violation (intentional); civil litigation exposure. | Yes; Electronic Waste Recycling Act (2003) bans landfill disposal; DTSC enforces strict handling; R2v3/e-Stewards certified recyclers required. |
| Colorado | Yes | Colo. Rev. Stat. § (Multiple citations related to Colorado Privacy Act, Electronic Recycling Jobs Act, and other related laws) | Colorado Privacy Act (CPA) mandates consumer rights to access, correct, delete, and opt out of personal data sale or use. Key requirements include data protection assessments, opt-in consent for sensitive data, and breach notifications. Specific amendments address biometric data (HB24-1130), minors’ data (effective Oct 2025), and neural/biological data (HB24-1058). | Businesses & government | Enforcement by the Colorado Attorney General; civil penalties and fines for non-compliance. | E-waste landfill ban since Jul 2013; Extended Producer Responsibility (EPR) programs for packaging and batteries. Producer Responsibility Program for Statewide Recycling (HB22-1355) and Battery Stewardship Act (SB25-163) with key compliance deadlines in 2025 and beyond. |
| Connecticut | Yes | Conn. Gen. Stat. § 36a-701b, Connecticut Data Privacy Act (CTDPA) | Implement reasonable safeguards; erase to unreadable/undecipherable; NIST standards for data destruction. Encryption and secure disposal required for personal data. | Businesses processing data of at least 35,000 consumers; applies to sensitive data sellers/processors | Fines up to $5,000 per violation under the Unfair Trade Practices Act | E-waste recycling law covers computers, printers, TVs, and monitors; manufacturers must fund recycling programs. New battery recycling law establishes extended producer responsibility. |
| Delaware | Yes | Del. Code Ann. tit. 6, ch. 12B; Del. Code Ann. tit. 6, ch. 12C (DPDPA) | Destruction of personal data by erasure, destruction, or other means to make it unreadable/undecipherable. Businesses must obtain consent for sensitive data processing, provide opt-out options for data sales and targeted advertising, and implement data protection assessments. Breach notification required without unreasonable delay, no later than 60 days. | Businesses & government entities processing personal data of at least 35,000 Delaware consumers or 10,000 consumers with over 20% revenue from data sales | Civil fines up to $10,000 per violation; no private right of action. Breach notification requirements include providing affected residents with notice, and if applicable, one year of free credit monitoring if Social Security numbers are involved. | E-waste managed through Universal Recycling Act (2010) and hazardous waste regulations; free drop-off locations for residents. Accepted items include computers, printers, TVs, and microwaves. Excludes appliances like refrigerators. Businesses pay for pick-ups. |
| Florida | Yes | Fla. Stat. § 501.171 (FIPA); Florida Digital Bill of Rights (FLDBOR) | Reasonable measures to destroy/erase digital data. FIPA: 30-day breach notification (500+ residents). FLDBOR (2024): access, delete, correct rights; parental consent for minors <18. | Businesses & government | Civil penalties up to $500,000 per breach (FIPA). | No mandatory e-waste law for individuals; businesses follow FLEHaz/EPA hazardous waste rules; hazardous e-waste cannot be landfilled. Fla. Stat. § 403.71851–52 incentivizes recycling. |
| Georgia | Yes | O.C.G.A. § 10-1-910 et seq., O.C.G.A. § 10-1-912 | Breach notification required without unreasonable delay (and no later than 45 days for large breaches); immediate reporting of suspected breaches; risk assessments and employee training mandated. No comprehensive consumer privacy law. | Businesses & government | No private right of action, but the Attorney General can enforce penalties. | No dedicated statewide e-waste recycling law; regulated under general solid waste and hazardous waste rules; voluntary recycling encouraged through grants and local programs. |
| Hawaii | Yes | HRS Chapter 487N, 339D | Breach notification required without unreasonable delay; destroy records by secure methods (e.g., shredding, erasing to unreadable/undecipherable). Encryption not explicitly mandated but secure practices encouraged. Manufacturers must fund and operate e-waste recycling programs. | Businesses & government | Civil penalties up to $2,500 per violation; actual damages to injured parties, plus reasonable attorney fees. | E-waste recycling law (Chapter 339D) requires manufacturers to fund and operate recycling programs for covered devices, including computers, printers, monitors, and TVs. Act 162 (2025) expands covered devices and goals. |
| Idaho | Yes | Idaho Code §§ 28-51-104 through 28-51-107 | Destroy records by prompt investigation of breaches; notify affected residents without unreasonable delay; agencies notify AG within 24 hours. No specific digital destruction methods mandated but breach notification required for unencrypted computerized personal info. | Businesses & government | Up to $25,000 per breach; misdemeanor penalties (up to $2,000 fine and/or 1 year jail) for governmental employees disclosing non-public info. | No statewide mandatory e-waste recycling laws; relies on voluntary recycling, federal hazardous waste rules, and local initiatives. Some e-waste components fall under universal waste regulations. |
| Illinois | Yes | 815 ILCS 530/, 215 ILCS 215/, 415 ILCS 151/ | Destroy data to be “unreadable, unusable, and undecipherable”; NIST SP 800-88 compliance recommended. Physical destruction or certified data wiping required for hard drives and other IT media. | Businesses, government agencies, and insurance sector entities | Penalties under Illinois Consumer Fraud and Deceptive Business Practices Act; breach notification required. | E-waste recycling mandated; certain electronics banned from landfills. Manufacturers must fund recycling infrastructure. As of 2025, extended producer responsibility and new recordkeeping/reporting rules. |
| Indiana | Yes | IC 24-4.9, IC 24-15, IC 13-20.5 | Destroy records by reasonable security measures, including erasure to unreadable/undecipherable; breach notification required within 45 days. Encryption and data protection assessments mandated. | Businesses, government agencies, and entities owning/licensing personal data of residents | Civil fines up to $150,000 per breach; $5,000 per deceptive act (failure to disclose); $7,500 per violation of INCDPA | E-waste is recyclable material; households, small businesses, and schools prohibited from disposing covered electronic devices in landfills or by incineration since 2011; manufacturers must register and recycle at least 60% of household-sold video display devices annually. |
| Iowa | Yes | Iowa Code Chapter 715C, Senate File 262 (Iowa Consumer Data Protection Act), Chapter 507F | Destroy records by implementing reasonable data security practices; breach notification required without unreasonable delay; encryption and secure disposal (e.g., shredding) recommended. ICDPA requires controllers to implement data security practices, conduct assessments for high-risk processing, and provide privacy notices. | Businesses & government; controllers processing 100,000+ residents’ data or 25,000+ with 50% revenue from sales; insurance licensees | Civil penalties up to $7,500 per violation; breach notification required without unreasonable delay; AG enforcement. | No statewide landfill ban for general e-waste; appliances must be demanufactured before disposal; recycling encouraged. Iowa DNR oversees permits and programs; local options vary by county or city. |
| Kansas | Yes | Kan. Stat. §§ 50-7a01, 50-7a03 | Destroy records by shredding, erasing (digital). | Businesses & government | Not specified. | No statewide e-waste law. |
| Kentucky | Yes | KRS 365.732, KRS 61.933, KCDPA (Kentucky Consumer Data Protection Act) | Breach notification required without unreasonable delay for unencrypted personal info; security practices via reasonable measures; data protection assessments for high-risk processing. Notification methods include written, electronic, or substitute (website posting and media notification). | Businesses & government | Civil penalties; Attorney General enforcement (up to $7,500/violation, 30-day cure); no private action. | No statewide mandatory e-waste recycling laws or landfill bans; household e-waste can be landfilled but recycling encouraged; business e-waste treated as hazardous under federal RCRA. |
| Louisiana | Yes | RS 51:3071 et seq. | Implement reasonable security procedures; destroy unneeded records containing personal information; notify affected residents following a breach without unreasonable delay, but no later than 60 days from discovery. | Persons/agencies conducting business or owning/licensing data with personal information | Civil actions for actual damages; fines up to $5,000 per violation/day for AG non-compliance. | No statewide mandatory e-waste recycling law, producer responsibility program, or landfill ban for electronics; management falls under general solid waste regulations. |
| Maine | Yes | 10 MRS §1347-1349, Title 10, Chapter 210-B; 38 MRS §1610 | Destroy records by ensuring reasonable security measures, including disposal by shredding, erasing to unreadable/undecipherable; breach notification required without unreasonable delay (max 30 days if no law enforcement delay). | Entities conducting business in Maine owning/licensing personal info, including businesses & government | Penalties up to $500 per violation; AG enforcement; no credit monitoring mandate but private actions allowed under unfair trade. | E-waste recycling law under 38 MRS §1610; producer responsibility program for covered electronics; no consumer landfill ban; free/low-cost recycling at approved sites for households/schools/small businesses. |
| Maryland | Yes | Commercial Law Article §§14-3501 et seq., Maryland Online Data Privacy Act (MODPA) Senate Bill 541 (Chapter 454), Environment Article §§9-1727 to 9-1730 | Requires reasonable security measures, breach notification without unreasonable delay (45 days max), data minimization, opt-in consent for sensitive data, and privacy impact assessments. Personal information includes name plus SSN, driver’s license, financial account with codes, health info, etc. | Businesses & government, controllers processing data of 35,000+ residents (or 10,000+ with 20% revenue from sales) | Civil penalties up to $10,000 per violation (or $25,000 for willful), 60-day cure period (sunsets April 1, 2027); no private right of action. AG enforcement starts April 1, 2026. | E-waste recycling laws require manufacturers to register, pay fees, and offer takeback programs. No statewide landfill ban for e-waste, but counties must include e-waste in recycling plans. Local programs vary, such as curbside collection in Montgomery County by December 2025. |
| Massachusetts | Yes | M.G.L. Chapter 93H, 201 CMR 17.00 | Requires reasonable security measures for personal information; breach notification to affected residents, Attorney General, and consumer reporting agencies if over 500 residents impacted; written security programs with risk assessments, employee training, access controls, encryption for portable devices, and vendor compliance. | Businesses & persons owning or licensing personal information about Massachusetts residents | Civil fines; breach notification required without unreasonable delay. | E-waste disposal ban under M.G.L. Chapter 21H, §2 and 310 CMR 19.017; no statewide extended producer responsibility (EPR) program but manufacturers of TVs and monitors must register annually with MassDEP; proposed EPR bills (e.g., S.653) pending. |
| Michigan | Yes | MCL 445.72, Public Act 690 of 2018, SB 359 (pending), SB 360-364 (pending) | Entities must notify affected residents without unreasonable delay of security breaches; licensed insurers and producers must develop and maintain an information security program. Pending legislation (SB 359) would establish consumer rights to access, correct, delete, and port personal data. SB 360-364 would require entities handling personal data to implement security procedures and notify affected residents and the Attorney General of breaches. | Businesses, government, and licensed insurers and producers | Civil fines up to $10,000; fines up to $7,500 per violation for non-compliance with pending legislation | E-waste recycling law (2008) focuses on extended producer responsibility; manufacturers must provide free recycling options for covered electronics. No major updates in 2024 or 2025. |
| Minnesota | Yes | Minn. Stat. Ch. 13, Minn. Stat. § 325E.61, Minn. Stat. §§ 115A.1310-115A.1330, Minnesota Consumer Data Privacy Act (MCDPA) | Destroy records by erasing to unreadable/undecipherable; MCDPA requires data assessments for targeted ads/sensitive data/profiling, data minimization, security policies; breach notification required without unreasonable delay if unencrypted personal info is accessed. | Businesses & government | Up to $7,500 per violation under MCDPA; civil fines for breach notification violations | E-waste recycling required for covered devices; manufacturers register annually, pay fees if selling ≥100 VDDs, support household CED recycling/report obligations; recyclers register (no fee), ensure compliance; prohibits CRT disposal in mixed waste since 2006. |
| Mississippi | Yes (breach notification) | Miss. Code Ann. § 75-24-29, Miss. Code §§ 83-5-801 to 825 | Entities must notify affected residents without unreasonable delay of unauthorized acquisition of unencrypted computerized personal info; licensees (insurers) must notify Commissioner within 3 days of cybersecurity events involving nonpublic info; implement written info security programs. | Businesses & government | Violations are unfair trade practices enforceable by AG (fines up to $10,000); proposed fines up to $7,500 per violation for SB 2500 (Mississippi Consumer Data Protection Act). | No statewide mandate banning e-waste from landfills or requiring recycling; relies on 2013 law mandating certified recyclers for state agencies and voluntary local programs; hazardous e-waste (e.g., CRTs) falls under federal RCRA rules. |
| Missouri | Yes | RSMo Section 407.1500, Insurance Data Security Act (effective January 1, 2026), RSMo §§ 260.1050-260.1101 | Breach notification required without unreasonable delay for personal info breaches; written, electronic, or substitute notice; Insurance Data Security Act requires comprehensive written information security programs for insurers; secure disposal of personal info through destruction or other methods to protect against unauthorized access. No specific digital disposal requirements beyond breach notification and insurance regulations. | Businesses, government, and insurers | Civil fines up to $150,000 per breach if intentional/willful; enforcement by AG and Director of Insurance | E-waste recycling law requires manufacturers to provide free recycling for branded computer equipment; no statewide landfill ban for residential e-waste; businesses must manage hazardous items under hazardous waste laws. |
| Montana | Yes | Montana Consumer Data Privacy Act (MCDPA), MCA 30-14-1704 | Destroy records by methods ensuring confidentiality; encryption and security practices required. Applicability thresholds lowered to 25,000 consumers or 15,000 if deriving >25% revenue from data sales. Consumer rights include access, correct, delete, port, opt-out of targeted ads/sales/profiling. Controllers must minimize data, implement security practices, and provide accessible privacy notices. | Businesses & government | Fines up to $7,500 per violation; no cure period post-notice. | No mandatory e-waste recycling laws or landfill bans; relies on voluntary programs and market development. Hazardous e-waste (e.g., CRTs, batteries) follows hazardous waste rules. |
| Nebraska | Yes | Neb. Rev. Stat. §§ 87-1101 to 87-1130, Neb. Rev. Stat. § 87-802, Neb. Rev. Stat. § 87-803 | Destruction of personal data by erasing to unreadable/undecipherable; no specific requirements for digital data destruction methods. The Nebraska Data Privacy Act (NDPA) requires data minimization, security, and assessments. Breach notification required without unreasonable delay. | Businesses & government (excluding small businesses as defined under the federal Small Business Act) | Fines of $7,500 per violation; civil fines and penalties for breach notification violations | No statewide e-waste recycling mandates; voluntary recycling through grants; hazardous e-waste (e.g., CRTs) must comply with universal waste rules. The Safe Battery Collection and Recycling Act (LB36) introduces extended producer responsibility (EPR) for batteries effective 2028. |
| Nevada | Yes | Nev. Rev. Stat. § 603A.200, 603A.210, 603A.215, 603A.220 | Destroy records by shredding, erasing to unreadable/undecipherable; NIST SP 800-88 compliance required. Encryption mandated for payment data (PCI DSS) and transmitted personal info. State agencies must verify deletion (NRS 232.008, 218F.312). | Businesses & government | Civil fines up to $10,000; breach notification required without unreasonable delay. | E-waste is recyclable material; no consumer landfill ban but enterprises must use permitted facilities (NRS 444.440-645). Hazardous waste (CRTs) follows NRS 459.400-600/RCRA. SB 467 (2025) establishes cybersecurity office for state/local agencies. |
| New Hampshire | Yes | RSA 507-H, RSA 359-C:19-21, RSA 149-M | Grants residents rights over personal data; imposes obligations on controllers and processors. Controllers must provide privacy notices, obtain consent for sensitive data, conduct assessments, and respond to requests within 45 days. Data minimization, security, and de-identification safeguards are mandated. Destroy records in accordance with regulations; no specific method mentioned. | Businesses processing data of 35,000+ consumers (or 10,000+ if deriving >25% revenue from data sales); exemptions for nonprofits, government, and regulated entities | Fines up to $10,000 per violation under RSA 358-A:2; no private right of action | E-waste laws ban certain electronics and batteries from landfills and incinerators. Effective July 1, 2025, lithium-ion batteries are banned. Established bans date to 1991 (batteries) and 2007 (electronics). No producer responsibility program but encouragement for recycling via local sites. |
| New Jersey | Yes | N.J. Stat. 56:8-163 (Identity Theft Prevention Act), N.J.S.A. 13:1E-99.94 et seq. (Electronic Waste Management Act), P.L. 2023, c. 266 (NJDPA) | Destroy records by methods ensuring confidentiality and security; NIST SP 800-88 compliance recommended. Encryption mandated for sensitive personal info. Businesses must implement data protection assessments for high-risk activities and provide clear privacy notices. | Businesses & government; organizations processing data of 100,000+ residents or deriving revenue from selling data of 25,000+ residents | Civil fines for noncompliance; breach notification required without unreasonable delay. | E-waste is recyclable material; bans certain devices from landfills; manufacturers must fund recycling programs and meet market-share recycling obligations. Hazardous e-waste (e.g., CRTs) follows universal waste rules. |
| New Mexico | Yes | NMSA 1978, §§ 57-12C-1 to 57-12C-12; NMSA §§ 9-27A-1 to -5 | Requires notification of security breaches involving personal identifying information within 45 days of discovery; secure disposal of personal info required; no comprehensive consumer data privacy law as of October 1, 2025. | Businesses & government | Violations are unfair trade practices under the Unfair Practices Act, enforceable by AG with fines; no specific penalties mentioned for data disposal. | No specific e-waste recycling mandate; e-waste managed under general solid waste and hazardous waste laws; some components classified as hazardous or universal waste under the Hazardous Waste Act. |
| New York | Yes | NY Gen. Bus. Law § 899-aa and § 899-bb; 23 NYCRR 500; Environmental Conservation Law, Article 27, Title 26 | Implement reasonable safeguards to protect private information; maintain cybersecurity programs; conduct risk assessments; implement multi-factor authentication; encrypt sensitive data; report cybersecurity incidents within 72 hours; destroy records by secure methods (e.g., shredding, erasing to unreadable/undecipherable). | Businesses & government | Civil fines and penalties; breach notification required without unreasonable delay. | E-waste recycling programs for covered electronic equipment; manufacturers must provide free and convenient recycling; no consumer landfill ban; enterprises must use registered collection sites or manufacturer take-back programs. |
| North Carolina | Yes | G.S. §§ 75-61 to 75-66, G.S. 130A-309.130 to 130A-309.142 | Secure disposal required (G.S. 75-64); destroy personal info by reasonable measures. Breach notification required without unreasonable delay for unauthorized acquisition of unencrypted personal information. | Businesses & government | No specific penalties mentioned; breach notification required. | E-waste banned from landfills (G.S. 130A-309.130 to 130A-309.142); manufacturers fund and manage collection/recycling. 2025 update: e-Manifest reporting for hazardous e-waste effective December 1, 2025. |
| North Dakota | Yes | ND Century Code Chapter 51-30, 13-01.2; ND Administrative Code Article 33-24 | Breach notification required for personal info; financial institutions must implement comprehensive info security programs. Notification within “most expedient time” for breaches; 45-day notification to Dept. of Financial Institutions for 500+ consumer breaches. Encryption and multifactor authentication required. | Businesses, financial corporations, government, insurance licensees | Civil penalties; deceptive practices under Chapter 51-15; license revocation for non-compliance. | No statewide e-waste recycling law; voluntary programs; prohibits landfill disposal of major appliances and hazardous components. E-waste managed under solid and hazardous waste rules. |
| Ohio | Yes | Ohio Rev. Code § 1349.19, ORC Chapter 1347, HB 96, Section 9.64 | Notify affected residents expeditiously and without unreasonable delay in case of a breach; implement cybersecurity programs for local governments (annual risk assessments, staff training, incident response plans); NIST Cybersecurity Framework and CIS Controls referenced. | Businesses & government | Civil penalties under consumer protection laws; no private right of action. | No dedicated statewide e-waste recycling law; regulated under general solid and hazardous waste statutes; voluntary recycling encouraged through local programs. |
| Oklahoma | Yes | Okla. Stat. tit. 24, §§ 162-166 (SB 626); 36 O.S. §§ 670-679 (Insurance Data Security Act) | Destroy records by implementing reasonable safeguards (risk assessments, access controls, encryption, training, incident response); notify affected residents without unreasonable delay; notify Attorney General within 60 days for larger breaches. | Businesses & government | Civil penalties up to $150,000 per breach (or $75,000 with safeguards and notice). | E-waste is managed under Oklahoma Computer Equipment Recovery Act (OCERA); producers must provide free recycling for computers and monitors; no statewide landfill ban for most electronics; universal waste regulations adopt federal standards. |
| Oregon | Yes | ORS 646A.570-646A.589, ORS 646A.600-646A.628 | Destroy records by physical shredding, secure wiping (NIST SP 800-88), or other technical methods to eliminate digital remanence; ensure chain of custody and certificate of destruction. Data minimization, reasonable security, and processor contracts required. | Entities conducting business in Oregon or targeting Oregon residents, controlling or processing personal data of ≥100,000 Oregon residents or ≥25,000 residents if >25% of annual gross revenue comes from data sales. | Up to $7,500 per OCPA violation; breach fines based on affected customers. | No explicit state-mandated e-waste destruction or recycling rules, but secure destruction regulated by privacy laws; use NAID AAA- or R2v3-certified vendors. |
| Pennsylvania | Yes | Breach of Personal Information Notification Act (BPINA) (amended 2022, 2024), Insurance Data Security Act (Act 2 of 2023), Covered Device Recycling Act (CDRA) (Act 108 of 2010) | Destroy records by methods ensuring they are unreadable/undecipherable; notification required without unreasonable delay (state agencies within 7 business days); credit monitoring required for 12 months if SSN, DL, state ID, or bank accounts impacted. Encryption and security standards mandated. | Businesses, state agencies, counties, schools, municipalities | Penalties up to $10,000 per violation; civil fines for e-waste violations up to $1,000 (first offense), $2,000 (subsequent offenses) | E-waste recycling programs for covered devices (desktops, laptops, monitors, peripherals, TVs) funded by manufacturers; disposal ban in municipal waste since January 24, 2013; no consumer landfill ban but enterprises must use permitted facilities. HB 78 (Consumer Data Privacy Act) pending. |
| Rhode Island | Yes | R.I. Gen. Laws § 11-49.3-1 et seq. (Identity Theft Protection Act of 2015, as amended through S.B. 1037, effective July 1, 2025); R.I. Gen. Laws §§ 27-1-46 et seq. and 27-2-29 et seq. (Insurance Data Security Act); S.B. 603 (nonbank financial institutions); Data Transparency and Privacy Protection Act (effective January 1, 2026); R.I. Gen. Laws Chapter 23-24.10 (Electronic Waste Prevention, Reuse and Recycling Act) | Implement risk-based security programs with administrative, technical, and physical safeguards; breach notifications within 30/45 days; credit monitoring required; encryption and other specific controls mandated; data retention limited to 2 years post-use; impact assessments and staff training required. | Businesses, government, and nonbank financial institutions; entities processing data of 35,000+ residents or 10,000+ with 20% revenue from data sales | Civil fines up to $10,000 per violation, $100–$500 for intentional disclosures; up to $1,000 per record for reckless violations, $2,000 for willful; civil penalties up to $1,000 per violation and $25,000 per day | E-waste disposal ban since 2009; manufacturers fund recycling programs for covered devices; no major amendments in 2025; businesses arrange own recycling; covered devices include computers, monitors, TVs, and video displays; recyclers must register annually and comply with standards. |
| South Carolina | Yes | Section 39-1-90 of the South Carolina Code of Laws | Entities must notify residents of breaches involving unencrypted personal identifying information (PII) if there’s a material risk of harm. Notifications can be delayed for law enforcement investigations. Compliance with federal laws (e.g., Gramm-Leach-Bliley) satisfies requirements. | Businesses & government | Civil fines up to $1,000 per resident for knowing violations by the Department of Consumer Affairs; residents can sue for damages (actual for negligence, punitive for willful), injunctions, and fees. | E-waste is banned from landfills; manufacturers fund free recycling programs for covered devices (computers, monitors, printers, TVs). The Manufacturer Responsibility and Consumer Convenience Information Technology Equipment Collection and Recovery Act (Act 129 of 2010) governs e-waste recycling. |
| South Dakota | Yes | SDCL §§ 22-40-19 to 22-40-26 | Notification of breaches involving personal or protected information required within 60 days of discovery; no harm threshold but exemptions for encrypted data or good faith acquisitions. Organizations must notify data owners; Attorney General notice if >250 residents affected. | Entities owning or licensing computerized personal information of residents | Penalties up to $10,000 per day per violation, enforced by the AG | No dedicated statewide e-waste recycling law; managed under general solid and hazardous waste regulations. Certain components banned from landfills (e.g., lead-acid batteries, major appliances). Businesses must treat some e-waste as hazardous if disposed. |
| Tennessee | Yes | Tenn. Code Ann. § 47-18-3201 et seq. (TIPA), § 47-18-2107 | TIPA mandates reasonable security practices, data protection assessments for high-risk processing, and consumer rights including access, deletion, correction, portability, and opt-out from sales, targeted advertising, or profiling. Encryption safe harbor for breach notification. | Businesses with annual revenue over $25 million that either process data of 175,000+ Tennessee consumers or 25,000+ consumers while deriving over 50% revenue from data sales; also applies to processors. | Penalties up to $7,500 per violation (treble for willful); 60-day cure period. | No dedicated statewide e-waste recycling law or disposal ban; managed under general solid waste regulations (Chapter 0400-11-01); local programs and events provide collection options. |
| Texas | Yes | Tex. Bus. & Com. Code § 521.052; TDPSA; Data Broker Act (S.B. 1343) | Reasonable procedures to erase digital data; NIST SP 800-88 compliance. TDPSA (eff. 7/1/24): deletion rights, 45-day response. Data Broker Act (eff. 9/1/25): annual registration, transparency. | Businesses (TDPSA: 100K+ consumers or 50%+ revenue from data sales); data brokers | Up to $7,500 per violation per individual (TDPSA); 30-day cure period. | TCEQ regulates business e-waste; hazardous classification applies. Renewable energy decommissioning laws (eff. 9/1/25). Right to Repair (eff. 9/1/26) extends device lifespans. |
| Utah | Yes | Utah Consumer Privacy Act (UCPA), Government Data Privacy Act (GDPA), H.B. 444, H.B. 418, S.B. 98, S.B. 217 | Reasonable information security measures for controllers/processors; privacy annotations and notices; breach notifications; annual privacy training for government employees; right to correct inaccurate personal data effective July 1, 2026; data sharing requirements for social media companies. | Controllers, processors, businesses, government entities | Civil fines up to $100,000 aggregate for breach notification violations. | Manufacturers must provide collection/reuse/recycling programs for consumer electronic devices; no landfill ban but recycling encouraged; S.B. 217 (2025) enhances recycling and responsible waste management; hazardous components follow federal universal waste rules. |
| Vermont | Yes | 9 V.S.A. § 2435, 10 Chapter 166 | Destroy records securely; notify consumers within 45 days of security breaches, Attorney General within 14 days; NIST compliance implied for secure destruction. Encryption and secure disposal methods required. | Businesses & state agencies | Penalties up to $100,000 aggregate for violations of data security laws. | E-waste recycling is free for households and small businesses under E-Cycles Program; manufacturers fund recycling; battery recycling mandatory since July 1, 2024, expanding to 25 lbs by January 1, 2026; Household Hazardous Waste EPR starts 2025. |
| Virginia | Yes | Va. Code §§ 59.1-573 to 59.1-581 (VCDPA), 10.1-1425.27 to 10.1-1425.38 (Computer Recovery and Recycling Act) | Grants consumers rights over personal data, including access, correction, deletion, and opt-out for sales/advertising/profiling. Controllers must conduct data protection assessments, provide privacy notices, and obtain consent for sensitive data. Data disposal by secure deletion or destruction; NIST SP 800-88 compliance recommended. Encryption required for sensitive data. | Businesses & government | Civil penalties up to $7,500 per violation; enforcement by Virginia Attorney General. | E-waste recycling law requires manufacturers to implement free recovery and recycling plans for computer equipment. No consumer landfill ban; local recycling programs available. |
| Washington | Yes | RCW 19.373, RCW 19.255, RCW 42.56.590, RCW 70A.500 | Data security requirements for reasonable safeguards; breach reporting; My Health My Data Act (MHMD) for consumer health data protection; affirmative consent for collecting/sharing/selling health data; security measures; consumer rights to access, delete, withdraw consent. No comprehensive consumer data privacy law. | Businesses & government | Civil penalties; injunctions; damages; private rights of action and Attorney General oversight under Consumer Protection Act. | E-waste recycling through E-Cycle Washington program; free recycling for households, small businesses, schools, nonprofits; Right to Repair Act (effective 2026) for electronics repair; Recycling Reform Act (E2SSB 5284) for residential packaging and paper. |
| West Virginia | No | WV Code § 46A-2A-101 et seq. (WVCCPA); Article 15A of Chapter 22 | Data breach notification law requires notice for unencrypted personal info breaches; Covered Electronic Devices Recycling Act mandates manufacturer takeback programs for e-waste. | Businesses & entities owning/licensing computerized data; manufacturers of covered electronic devices | Civil penalties up to $10,000; no private right of action but AG enforcement | E-waste recycling through manufacturer takeback programs; no disposal ban but improper handling leads to penalties; local programs like REAP support e-waste diversion. |
| Wisconsin | No | Wis. Stat. § 134.98, 287.17 | No comprehensive consumer data privacy law; sector-specific statutes (e.g., data breach notification under § 134.98); proposed Consumer Data Protection Act (AB 172/SB 166) pending. E-waste recycling law: Wis. Stat. § 287.17 (E-Cycle Wisconsin program). | Businesses & government | Civil forfeitures up to $10,000 per violation; shortfall fees up to 50 cents/pound for e-waste recycling targets. | E-waste recycling program (E-Cycle Wisconsin) requires manufacturers to fund recycling of covered electronic devices; statewide ban on landfilling/incinerating specified electronics; 18.8 million pounds collected in 2024. |
| Wyoming | Yes (sector-specific) | Wyo. Stat. § 40-12-501 et seq., SF 65 (Government Data Privacy Act) | Breach notification required for computerized personal data; notification within expedient time (no unreasonable delay); methods include written, electronic, or substitute notice; no private right of action but AG enforcement with civil penalties up to $10,000. Government entities must adopt data privacy policies, designate privacy officers, and report annually. | Businesses & government | Civil penalties up to $10,000; no private right of action | No statewide mandatory e-waste recycling law; e-waste classified as solid waste; hazardous components follow RCRA standards; voluntary recycling encouraged through DEQ. |
Note: For a full list of all 50 states, including statute citations and e-waste integration, see Blancco’s U.S. State-Specific Data Disposal Laws and ERI’s Data Destruction Compliance.
Integration with E-Waste Regulations
Many states regulate the disposal of electronic devices through e-waste laws, which often require the use of certified recyclers (e.g., R2v3 or e-Stewards certified). While these laws focus on environmental protection, certified facilities must also comply with data sanitization standards, ensuring secure destruction of data-bearing devices. (SERI R2v3 Standard, e-Stewards Standard)
- California: Bans landfill disposal of electronics; requires certified recyclers, supporting secure data destruction.
- New York, Illinois, Connecticut, and others: Producer responsibility laws mandate certified recycling, indirectly enforcing data security.
Federal Regulations and Best Practices
Even in states without specific data disposal laws, federal regulations apply:
- FTC Disposal Rule (FACTA): Requires “reasonable measures” to dispose of consumer report information. (FTC Safeguards Rule)
- HIPAA: Mandates secure disposal of protected health information (PHI) for covered entities and business associates. (HHS HIPAA Disposal Guidance)
- GLBA: Requires financial institutions to protect and securely dispose of consumer information.
- PCI DSS: Payment card data must be securely destroyed at end-of-life. (PCI DSS FAQ)
Best Practice: Follow NIST SP 800-88 guidelines for media sanitization, which define methods such as clearing, purging, and physical destruction for all types of digital storage. (NIST SP 800-88)
Enforcement, Penalties, and Compliance Challenges
- Penalties for non-compliance range from civil fines (as high as $100,000 per incident) to litigation and regulatory action.
- Enforcement varies by state; some laws are criticized as too lenient for modern digital threats, while others are considered burdensome for small businesses.
- Liability transfer: Many states allow businesses to contract certified third-party vendors for data destruction, transferring liability if proper documentation (e.g., Certificate of Destruction) is provided.
Why Enterprises Must Go Beyond Minimum Legal Requirements
State laws set the floor, not the ceiling. With the rapid evolution of cyber threats and increasing regulatory scrutiny, enterprises should:
- Adopt NIST SP 800-88 as the baseline for all data destruction activities.
- Use NAID AAA Certified providers to ensure auditable, standards-based destruction. (NAID AAA Certification)
- Maintain a defensible chain of custody for all data-bearing assets.
- Integrate data destruction with IT asset disposition (ITAD) and e-waste recycling programs for full compliance and sustainability.
Why Choose Data Destruction, Inc. for State and Federal Compliance
Data Destruction, Inc. is the trusted partner for enterprises navigating the complex landscape of digital data destruction regulations. We deliver:
- NIST SP 800-88 compliant processes for all media types.
- NAID AAA Certified destruction for maximum legal defensibility.
- Full chain of custody, serialized tracking, and Certificates of Destruction for every asset.
- Expertise in integrating data destruction with e-waste and IT asset disposition programs.
- Guidance on state, federal, and industry-specific compliance requirements.
Contact our team for a compliance assessment or to schedule secure destruction:
Contact Data Destruction, Inc. | +1 (866) 850-7977
Frequently Asked Questions
What is the most widely recognized standard for digital data destruction?
The most widely recognized standard is NIST SP 800-88, which defines methods for clearing, purging, and destroying digital media to ensure data is unrecoverable.
Do all states require secure digital data destruction?
No. As of 2025, 32 states have specific laws mandating secure disposal of personal information, including digital data. In the remaining states, federal regulations and best practices still apply.
What are “reasonable measures” for digital data disposal?
Reasonable measures typically include erasing, overwriting, or physically destroying electronic media so that data cannot be reconstructed or read. Using a NAID AAA Certified provider is considered best practice.
How do e-waste laws affect digital data destruction?
E-waste laws in 25 states and D.C. require the use of certified recyclers for electronics. These recyclers must comply with standards (such as R2v3 or e-Stewards) that include secure data sanitization.
What are the penalties for non-compliance with state data disposal laws?
Penalties vary by state and can include civil fines (ranging from hundreds to hundreds of thousands of dollars per violation), litigation, and regulatory enforcement actions.
Does contracting a third-party vendor transfer liability?
In many states, liability for data disposal can be transferred to a certified third-party vendor if proper documentation (such as a Certificate of Destruction) is maintained.
What federal laws govern digital data destruction?
Key federal laws include the FTC Disposal Rule, HIPAA, and GLBA.
What documentation is required for compliant data destruction?
A Certificate of Destruction (CoD) that includes asset serial numbers, destruction method, date, and witness signature is essential for legal defensibility.
How can enterprises ensure compliance across multiple states?
Adopt NIST SP 800-88 as a universal standard, use NAID AAA Certified vendors, and maintain detailed records for all data destruction activities.
Where can I find more information about my state’s requirements?
Consult Blancco’s U.S. State-Specific Data Disposal Laws, ERI Data Destruction Compliance, and your state’s environmental agency for e-waste regulations.