Compliance Brief · Multi-State ITAD

The ITAD Compliance Patchwork: Why the Rules Change at the State Line

There is no national rulebook for retiring IT equipment. Twenty-five states regulate how you dispose of electronics, thirty-two require you to destroy the data on them first, all fifty make a lost drive a reportable breach — and your industry layers federal rules on top. Here is the map every multi-site business is already operating under.

By Brian Boynton

TL;DR

There is no national ITAD law. Compliance is a patchwork: state rules decided by where you operate, federal rules decided by your industry — stacked on top of each other.

  • 25 states + DC regulate how electronics may be disposed of; 32 states require secure destruction of records with personal information; all 50 + DC require breach notification.
  • Your sector adds a federal floor — HIPAA, GLBA, FERPA, CMMC/ITAR, and the FTC Disposal Rule — that applies in every state.
  • The risk is the layer you didn't know applied. The defense is documentation: NIST 800-88 destruction, serialized certificates, and chain of custody.
  • Multi-site programs win by building once to the highest common denominator, not fifty times.

01 / THE PROBLEM · There is no national ITAD rulebook

Most people assume that retiring IT equipment is governed by one set of federal rules. It isn't. Federal law sets a floor — the FTC Disposal Rule for consumer-report data, HIPAA and GLBA by sector, RCRA for hazardous materials — but the rules that decide how you may dispose of a device, whether you must destroy the data on it first, and what happens if you get it wrong are mostly state law. A company with sites in five states is answering to five different combinations of them.

That patchwork stays invisible right up until something makes it visible: an auditor asking for disposal records, a state attorney general following up on a lost laptop, or a sustainability report that has to account for where the e-waste went. By then the gap is already there. The good news is that the patchwork resolves into a small number of axes — and once you can see them, one program can cover all of them.

Compliance isn't one rulebook. It's your state — or every state you operate in — and your industry, stacked on top of each other.

02 / AXIS ONE · Electronics-recycling law: where you can (and can't) throw it out

Twenty-five states plus the District of Columbia have electronics-recycling laws as of June 2026. Many of them ban “covered devices” from landfills outright, put the cost of recycling on manufacturers through take-back programs, and restrict who is allowed to transport and process retired electronics. In the other 25 states there is no statewide e-waste law — the federal RCRA framework and certified-recycler best practice apply instead.

Even where no state law applies, landfilling a data-bearing device is a data-security problem before it's a waste problem: the drive is still readable in the scrap pile. Routing every retired asset through a certified recycler is the move that satisfies the recycling axis and closes the data-exposure question at the same time.

03 / AXIS TWO · Data-disposal law: destroy the data before the device leaves

Thirty-two states have data-disposal statutes that explicitly require businesses to take reasonable measures to destroy or render unreadable records containing personal information before those records are discarded. The specifics vary — some name paper and electronic media, some set out what “reasonable” looks like — but the through-line is the same: you can't just throw the data away.

Where a state has no specific statute, you are not off the hook. The federal FTC Disposal Rule (FACTA, 16 CFR Part 682) requires reasonable measures for consumer-report information, and HIPAA and GLBA impose their own destruction duties by sector. So “securely destroy the data first” is the correct answer in all 50 states — only the citation on the wall changes. The recognized method standard is NIST SP 800-88 (Revision 2, finalized September 2025): shredding falls under its Destroy category, while a verified wipe is Purge or Clear.

04 / AXIS THREE · Breach notification: the cost of getting it wrong

All 50 states and the District of Columbia have breach-notification laws. In most of them, an unencrypted data-bearing device that leaves your control unsanitized is a reportable breach of personal information — triggering notice to affected residents and, frequently, to the state attorney general. A drive that disappears into a downstream scrap pile has no detection timeline and no containment date; it is simply an open exposure waiting to be discovered.

This is where the three axes connect. The recycling axis tells you to route the device to a certified processor. The disposal axis tells you to destroy the data first. The breach axis is what happens if you skip either step. The serialized certificate of destruction — tied to a documented chain of custody — is the single artifact that proves a retired drive was destroyed and never became a notice you had to send.

The three state-law axes at a glance

Axis | What it governs | Coverage (June 2026)
Electronics recycling | How covered devices may be disposed of; landfill bans; manufacturer take-back | 25 states + DC; RCRA floor elsewhere
Secure data disposal | Destroying records with personal information before disposal | 32 states; FTC Disposal Rule in all 50
Breach notification | Notifying people when unencrypted personal data is exposed | All 50 states + DC

05 / THE OVERLAY · Your industry stacks federal rules on top

On top of the three state axes, your industry adds federal frameworks that apply in every state you operate in. The same pallet of retired hardware carries a different rulebook depending on who you are:

  • Healthcare — the HIPAA Security Rule media-disposal standard (45 CFR 164.310(d)(2)); your ITAD vendor is a Business Associate and needs a signed BAA.
  • Financial services — the GLBA Safeguards Rule and the FTC Disposal Rule; disposal is an examiner-facing control.
  • Education — FERPA, which doesn't graduate when the device is retired with student records still on it.
  • Defense & aerospace — CMMC, DFARS 252.204-7012, the NIST SP 800-171 media-sanitization controls (3.8.3), and ITAR for any technical data.
  • Retail & payments — PCI DSS requirements for media holding cardholder data.
  • Everyone — the FTC Disposal Rule and Section 5 of the FTC Act set a baseline no matter the sector.

06 / OPERATING · One program across every state line

The mistake is trying to run a different process in every state. The fix is to build one program to the highest common denominator — the strictest requirement across your footprint plus your industry's federal floor — and apply it everywhere. Done once, the patchwork collapses into a single, repeatable, defensible process.

  • Certified destruction to NIST SP 800-88, matched to the media type (HDD vs. SSD).
  • Serialized certificates of destruction for every asset, tied to a documented chain of custody.
  • A vendor carrying R2v3 and NAID AAA — the certifications that make the evidence audit-ready.
  • One record format that satisfies the strictest state you operate in and your sector's federal rule.
  • A current read of which axes apply to each site — which is exactly what the Compliance Map is for.
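As an added example (not from this brief or any vendor's tooling), the Python below encodes the controls listed above together with the disposal and breach axes: a NIST SP 800-88 category matched to media type, a serialized certificate tied to each asset, and a continuous chain of custody, so that any asset with no certificate surfaces as an open exposure. The policy table, method names and sample records are constructed for illustration.

```python
from dataclasses import dataclass
# Assumed policy (this example's labels, not the standard's wording): which NIST SP 800-88
# category/method pairs are adequate per media type. Degaussing is HDD-only; it does not sanitize flash.
ACCEPTED = {
    "HDD": {"Destroy": {"shred"}, "Purge": {"degauss", "overwrite-verified"}},
    "SSD": {"Destroy": {"shred"}, "Purge": {"crypto-erase", "block-erase"}},
}

@dataclass
class Certificate:
    serial: str     # asset serial number the certificate is tied to
    media: str      # "HDD" or "SSD" as recorded on the certificate
    category: str   # NIST SP 800-88 category claimed (Clear / Purge / Destroy)
    method: str     # sanitization method the vendor reports
    custody: list   # ordered hand-offs: [(released_by, received_by), ...]

def defects(cert, inventory_media):
    """Reasons this certificate would not close the asset's exposure."""
    found = []
    if cert.media != inventory_media:
        found.append(f"media mismatch: inventory {inventory_media}, certificate {cert.media}")
    if cert.method not in ACCEPTED.get(inventory_media, {}).get(cert.category, set()):
        found.append(f"{cert.method} is not an accepted {cert.category} method for {inventory_media}")
    # Each hand-off must be received by the party that releases at the next step.
    for (_, received), (released, _) in zip(cert.custody, cert.custody[1:]):
        if received != released:
            found.append(f"custody gap: {received} never handed off to {released}")
    return found

def reconcile(inventory, certs):
    """inventory: {serial: media}. Returns (cleared, defective, open_exposure)."""
    by_serial = {c.serial: c for c in certs}
    cleared, defective, open_exposure = [], {}, []
    for serial, media in sorted(inventory.items()):
        if serial not in by_serial:
            open_exposure.append(serial)  # breach axis: no proof it was ever destroyed
        elif (found := defects(by_serial[serial], media)):
            defective[serial] = found
        else:
            cleared.append(serial)
    return cleared, defective, open_exposure

# Constructed sample: one clean asset, one wrong method, one custody gap, one missing.
INVENTORY = {"HDD-001": "HDD", "SSD-002": "SSD", "SSD-003": "SSD", "HDD-004": "HDD"}
CHAIN = [("site-A", "courier"), ("courier", "vendor")]
CERTS = [
    Certificate("HDD-001", "HDD", "Destroy", "shred", CHAIN),
    Certificate("SSD-002", "SSD", "Purge", "degauss", CHAIN),
    Certificate("SSD-003", "SSD", "Purge", "crypto-erase", [("site-B", "courier"), ("hauler", "vendor")]),
]
```

Running `reconcile(INVENTORY, CERTS)` clears HDD-001, flags SSD-002 (degauss on flash) and SSD-003 (custody gap), and lists HDD-004 as an open exposure because no certificate exists for it.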

See your states and industry on one map

The ITAD Compliance Map lets you select every state you operate in and your industry, then shows the recycling, data-disposal, and breach rules that apply — with the federal frameworks stacked on top. Pair it with the field guide to turn the picture into a program.

07 / FAQ · Frequently asked questions

Is there a federal law that governs IT asset disposition?
There is no single federal ITAD statute. Federal law sets a floor — the FTC Disposal Rule (FACTA) for consumer-report data, HIPAA and GLBA by sector, and RCRA for hazardous materials — but most disposal and recycling rules are state law. Compliance is the combination of the states you operate in and your industry's federal frameworks.

Do I have to destroy the data on a device before recycling it?
In 32 states a data-disposal statute explicitly requires reasonable measures to destroy or render unreadable records containing personal information before disposal. Even where no state statute exists, the federal FTC Disposal Rule and sector rules like HIPAA and GLBA require secure destruction — so “destroy the data first” is the correct answer in all 50 states; only the citation changes.

Can a lost or improperly disposed device count as a data breach?
Yes. All 50 states and DC have breach-notification laws, and in most an unencrypted data-bearing device that leaves your control can trigger notice to affected residents and often the state attorney general. A verified certificate of destruction is the evidence that a retired drive never became a reportable breach.

How do multi-site companies handle 50 different rule sets?
They don't run 50 programs. They build one program to the highest common denominator — certified destruction to NIST SP 800-88, serialized certificates, and a documented chain of custody through an R2v3 and NAID AAA certified vendor — so a single, repeatable process satisfies the strictest state plus their industry's federal requirements.

This brief is current as of June 2026 and is provided for general informational purposes only — it is not legal advice. State counts and statutory summaries are simplified and change frequently; verify the current requirements for your states and industry with your own legal and compliance teams before acting. Statute references reflect public sources as of June 2026.