01 / THE MODEL
How U.S. ITAD law is actually structured
There is no single statute that tells you how to retire IT equipment in the United States. Instead, three layers stack on top of each other, and a compliant program has to satisfy all three at once:
- The federal floor. A baseline that applies everywhere — the FTC Disposal Rule, Section 5 of the FTC Act, and RCRA for hazardous materials.
- The state axes. Three separate bodies of state law — electronics recycling, secure data disposal, and breach notification — that vary by jurisdiction.
- The industry overlay. Federal frameworks — HIPAA, GLBA, FERPA, CMMC, ITAR, PCI DSS — that attach to you because of what you do, in every state you do it.
Read that way, “ITAD compliance” stops being a single intimidating thing and becomes a grid: your states down one side, your industry across the top. This guide walks each layer, then shows how to collapse the grid into one program you can actually run.
The mental model: a federal floor everywhere, three state axes by geography, and an industry overlay by sector — stacked.
02 / THE FEDERAL FLOOR
What applies in all 50 states
Before any state law enters the picture, federal rules set a baseline. The FTC Disposal Rule (implementing FACTA, 16 CFR Part 682) requires any business that uses consumer-report information to take reasonable measures to protect against unauthorized access when disposing of it — which in practice means destroying or erasing the data on retired media. Section 5 of the FTC Act backstops this by treating unfair or deceptive data-handling, including careless disposal, as an enforceable violation.
On the environmental side, the federal RCRA framework governs hazardous components (the cathode-ray tube rule is the classic example), and certified-recycler practice fills the gap where states are silent. None of these is industry-specific or state-specific — they are the floor under everything else. The takeaway: even a company in a state with no e-waste law and no data-disposal statute still has to securely destroy data and recycle responsibly.
03 / STATE AXIS 1
Electronics-recycling law
Twenty-five states plus the District of Columbia have electronics-recycling laws as of June 2026. These statutes do several things: they frequently ban covered devices from landfills, they often place financial responsibility for recycling on manufacturers through take-back or advance-recovery-fee models, and they typically define who may transport and process retired electronics. Definitions of a “covered device” differ — some cover only consumer electronics, others include business IT.
In the 25 states without a statewide law, the RCRA floor and certified-recycling best practice apply. For a multi-site operator, the practical rule is simple: route everything through a certified recycler regardless of state, because that satisfies the strictest recycling law in your footprint and resolves the data-exposure question at the same time. The recycling axis is also where ESG and Scope 3 reporting lives — documented diversion and downstream accountability are increasingly board-level expectations, not just legal ones.
04 / STATE AXIS 2
Secure data-disposal law
Thirty-two states have data-disposal statutes requiring businesses to take reasonable measures to destroy or render unreadable records containing personal information before disposal. Most cover both paper and electronic media; many were modeled on the same FACTA logic as the federal rule. The defined term is usually “personal information” — name plus a data element like an SSN, financial account, or driver's-license number.
Where a state has no specific statute, the federal FTC Disposal Rule still requires reasonable disposal measures, and sector rules (HIPAA, GLBA) impose their own. That is why the correct operating instruction is identical in all 50 states: destroy the data before the device leaves your control. Only the citation you'd point an auditor to changes. How you do it is governed by the method standard in section 07.
05 / STATE AXIS 3
Breach-notification law
All 50 states and the District of Columbia have breach-notification laws. They share a common spine: when unencrypted personal information is acquired by an unauthorized person, you must notify affected residents — and, increasingly, the state attorney general — within a defined window. A data-bearing device that leaves your control unsanitized is, in most states, exactly the triggering event.
Two features matter for ITAD. First, many statutes provide a safe harbor for data that was encrypted or destroyed — which is precisely what a documented destruction process gives you. Second, a device that vanishes into a downstream scrap pile has no detection or containment timeline, so it sits as an open, indefinite exposure. The serialized certificate of destruction, tied to chain of custody, is the artifact that converts “we think it was handled” into “here is proof it was destroyed on this date.”
06 / THE INDUSTRY OVERLAY
Federal frameworks by sector
On top of the three state axes, your industry attaches federal rules that travel with you into every state. These don't replace the state axes — they raise the bar.
Healthcare — HIPAA
PHI on any storage medium must be sanitized under the HIPAA Security Rule media-disposal standard (45 CFR 164.310(d)(2)), with NIST SP 800-88 the recognized method. An ITAD vendor handling PHI-bearing media is a Business Associate and needs a signed BAA; a serialized certificate of destruction is the audit evidence.
Financial services — GLBA
The GLBA Safeguards Rule and the FTC Disposal Rule make secure disposal an examiner-facing control. Expect examiners to ask how retired media is destroyed and what documentation exists for each asset, and to want that evidence before they look at the rest of your endpoint controls.
Education — FERPA
Student records on retired 1:1 devices, lab machines, and servers remain protected under FERPA. The obligation doesn't graduate when the lease ends; the device has to be sanitized first.
Government & public sector — FISMA / CJIS
Public agencies and their contractors inherit FISMA media-protection controls and, where criminal-justice information is involved, the CJIS Security Policy — both of which point back to NIST media-sanitization practice and documented destruction.
Defense & aerospace — CMMC, DFARS, ITAR
Contractors handling CUI must meet the NIST SP 800-171 media-sanitization control (3.8.3: sanitize or destroy system media containing CUI before disposal or release for reuse), assessed under CMMC and required by DFARS 252.204-7012. Where retired media holds ITAR technical data, export-control handling applies on top: releasing that data to a foreign person counts as an export, so the people handling the media before it is sanitized must be U.S. persons unless an authorization says otherwise. CyberCrunch's staff are all U.S. persons and destruction is documented to the standard; that combination is what makes the evidence defensible.
Retail & payments — PCI DSS
Media holding cardholder data falls under PCI DSS, which requires that it be rendered unrecoverable when retired, with destruction documented.
07 / THE METHOD STANDARD
NIST SP 800-88: Clear, Purge, Destroy
Across every axis and overlay above, the recognized answer to “how do we sanitize this?” is NIST Special Publication 800-88. Revision 2 was finalized in September 2025, updating the 2014 revision for modern media. It defines three categories matched to how sensitive the data is and what happens to the device next:
Clear
Logical techniques (overwrite) that protect against simple, non-invasive recovery. Suitable for media that stays in your control.
Purge
Stronger techniques (e.g., verified cryptographic erase or block erase) that resist laboratory recovery — appropriate for media leaving for reuse or remarketing.
Destroy
Physical destruction — shredding, disintegration — so the media can never be reused. The right answer when the device is being recycled.
Two practical notes. Media type matters: the overwrite assumptions that work for spinning hard drives don't hold for SSDs, which is why Purge for flash relies on cryptographic or firmware erase, not a 1990s multi-pass wipe. And shredding is the Destroy category, not Purge — a distinction that comes up constantly in audits. Whatever the method, verification and a record are what make it count.
08 / BUILDING ONE PROGRAM
Collapsing the grid into one process
You do not build a program per state. You build one program to the highest common denominator — the strictest requirement anywhere in your footprint, plus your industry's federal floor — and run it everywhere. The grid collapses into a single repeatable process whose output is the same regardless of which state the asset came from.
- Choose a vendor carrying R2v3 and NAID AAA (and, regionally, RIOS and state environmental permits) — the certifications that make destruction evidence audit-ready.
- Destroy to NIST SP 800-88, matched to media type, with the category (Clear / Purge / Destroy) recorded per asset.
- Capture a documented chain of custody from pickup to destruction — the unbroken line auditors and AGs ask for.
- Issue serialized certificates of destruction for every asset, retained on a defined schedule.
- Standardize one record format that satisfies the strictest state you operate in and your sector's federal rule.
- Re-check which axes apply whenever you add a site — geography changes the recycling and disposal axes.
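To make sections 07 and 08 concrete, here is a small added example (written for this guide, not a tool from CyberCrunch, NIST, or any vendor) that does three things per asset: picks the NIST SP 800-88 category from what happens to the device next, rejects the two mislabels section 07 warns about (an overwrite recorded as Purge on flash, and shredding recorded as anything other than Destroy), and keeps a hash-chained chain-of-custody log behind a serialized certificate that refuses to issue until sanitization has been verified. The method catalogue, asset serial, timestamps and the 4 KiB stand-in drive image are all constructed for the example; the hash chain is one way to make the custody record tamper-evident, not something the guide or the standard prescribes.

```python
"""Added example: NIST SP 800-88 category selection, Clear verification by read-back,
and a hash-chained custody log feeding a certificate of destruction.
Illustrative code for this guide only; the METHODS catalogue is an assumption."""
import hashlib
import json
from dataclasses import dataclass, asdict
from typing import List, Optional

CATEGORIES = ("Clear", "Purge", "Destroy")

# Assumed method catalogue (not the standard's own tables): flash Purge uses a
# firmware cryptographic erase, never an overwrite pass (section 07).
METHODS = {
    ("hdd", "Clear"): "single-pass overwrite",
    ("hdd", "Purge"): "firmware secure erase or degauss",
    ("ssd", "Clear"): "single-pass overwrite",
    ("ssd", "Purge"): "cryptographic erase",
    ("hdd", "Destroy"): "shred",
    ("ssd", "Destroy"): "shred",
}


def choose_category(disposition: str, leaves_control: bool) -> str:
    """Guide's rule: recycle -> Destroy; leaving for reuse/remarketing -> Purge; else Clear."""
    if disposition == "recycle":
        return "Destroy"
    if leaves_control:
        return "Purge"
    return "Clear"


def validate_method(media: str, category: str, method: str) -> None:
    """Reject the two mislabels that section 07 says come up in audits."""
    if category not in CATEGORIES:
        raise ValueError(f"unknown category {category!r}")
    if media == "ssd" and category == "Purge" and "overwrite" in method:
        raise ValueError("overwrite is not a Purge method for flash media")
    if method == "shred" and category != "Destroy":
        raise ValueError(f"shredding is Destroy, not {category}")


def verify_overwrite(image: bytes, pattern: int = 0x00,
                     block_size: int = 512, every: int = 1) -> bool:
    """Read-back check: every=1 reads every block, every=n samples one block in n."""
    expected = bytes([pattern]) * block_size
    for offset in range(0, len(image), block_size * every):
        block = image[offset:offset + block_size]
        if block != expected[:len(block)]:
            return False
    return True


@dataclass
class CustodyEvent:
    ts: str
    actor: str
    action: str
    prev_hash: str          # digest of the previous event, so edits are detectable
    digest: str = ""

    def compute(self) -> str:
        body = json.dumps([self.ts, self.actor, self.action, self.prev_hash]).encode()
        return hashlib.sha256(body).hexdigest()


class AssetRecord:
    GENESIS = "0" * 64

    def __init__(self, serial: str, media: str, category: str, method: str):
        validate_method(media, category, method)
        self.serial, self.media, self.category, self.method = serial, media, category, method
        self.events: List[CustodyEvent] = []
        self.verified: Optional[bool] = None

    def log(self, ts: str, actor: str, action: str) -> None:
        prev = self.events[-1].digest if self.events else self.GENESIS
        ev = CustodyEvent(ts, actor, action, prev)
        ev.digest = ev.compute()
        self.events.append(ev)

    def chain_intact(self) -> bool:
        """Recompute every digest and link; False if any event was altered or dropped."""
        prev = self.GENESIS
        for ev in self.events:
            if ev.prev_hash != prev or ev.compute() != ev.digest:
                return False
            prev = ev.digest
        return True

    def certificate(self) -> dict:
        """Serialized certificate of destruction; only issued with an intact, verified record."""
        if not self.chain_intact():
            raise ValueError("custody chain broken")
        if self.verified is not True:
            raise ValueError("sanitization not verified")
        cert_id = hashlib.sha256((self.serial + self.events[-1].digest).encode()).hexdigest()[:16]
        return {"certificate_id": cert_id, "asset_serial": self.serial, "media": self.media,
                "category": self.category, "method": self.method, "verified": True,
                "events": [asdict(e) for e in self.events]}


def build_clear_record() -> AssetRecord:
    """Constructed sample: a spinning disk redeployed internally (stays in your control)."""
    image = bytearray(b"patient-record-\x00" * 256)   # 4 KiB stand-in for drive contents
    category = choose_category("redeploy", leaves_control=False)      # "Clear"
    rec = AssetRecord("HDD-EXAMPLE-0001", "hdd", category, METHODS[("hdd", category)])
    rec.log("2026-06-01T09:00:00Z", "site-tech", "pickup from rack 12")
    image[:] = bytes(len(image))                       # simulated single-pass overwrite
    rec.verified = verify_overwrite(bytes(image))     # full read-back, not a sample
    rec.log("2026-06-01T09:30:00Z", "site-tech", f"{category}: {rec.method}, verified={rec.verified}")
    return rec


if __name__ == "__main__":
    print(json.dumps(build_clear_record().certificate(), indent=2))
```

The record is deliberately strict in the two places auditors probe: `certificate()` will not issue without a verification result, and `chain_intact()` fails if any custody event is edited after the fact, which is what turns "we think it was handled" into evidence.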
Map your footprint, then build the program
Use the ITAD Compliance Map to see the recycling, data-disposal, and breach rules for every state you operate in, with your industry's federal frameworks stacked on top. The compliance brief is the short version of this guide if you need to brief a stakeholder fast.
09 / A WORKING METHOD
Don't memorize 51 jurisdictions, operationalize them
No one keeps 51 statutes in their head, and you don't need to. The working method is to know, for each of your sites, which of the three axes are in force, layer your industry overlay on top, and then let your destruction process and documentation carry the load. The Compliance Map gives you the per-state read; the linked state guides go deeper where you need citations; your vendor's certificates and chain-of-custody records are what you actually show an auditor.
Reviewed on a cadence — annually, and whenever you open a site or change what data you hold — this turns a moving legal target into a stable operational routine. The law changes at the edges; the program doesn't have to.
10 / FAQ
Frequently asked questions
What's the difference between a state data-disposal law and the federal FTC Disposal Rule?
The FTC Disposal Rule is a federal baseline for consumer-report information that applies everywhere. State data-disposal statutes (in 32 states) are broader or more specific requirements to destroy records containing personal information before disposal. Where a state has its own statute, you meet both; where it doesn't, the federal rule still applies.
Which states don't have an electronics-recycling law?
About half. Twenty-five states plus DC have e-waste laws as of June 2026; in the other 25 the federal RCRA framework and certified-recycling best practice apply. Because the right operational move — route everything to a certified recycler — is the same either way, the distinction rarely changes how a multi-site program runs.
What standard should data destruction meet?
NIST SP 800-88 (Revision 2, September 2025) is the recognized method standard, used across HIPAA, CMMC/DFARS, FISMA, and commercial practice. It defines Clear, Purge, and Destroy, matched to media type and to what happens to the device next.
Is shredding always required?
No. Shredding is the Destroy category and is appropriate when media is being recycled or can never be reused. A verified Purge (such as cryptographic erase) is acceptable for many reuse and remarketing scenarios. Classified environments carry their own stricter destruction standards beyond NIST 800-88.
What documentation proves compliant disposition?
A serialized certificate of destruction for each asset, tied to a documented chain of custody from pickup to destruction, produced by a vendor whose certifications (R2v3, NAID AAA) make the records audit-ready. That package is what satisfies a state AG, a HIPAA or GLBA examiner, or a CMMC assessor.
How do I know which rules apply to my company?
Start with the ITAD Compliance Map: select every state you operate in and your industry to see the recycling, disposal, and breach rules plus your federal overlay. Then confirm the specifics with your own legal and compliance teams — this guide is a starting point, not legal advice.
This guide is current as of June 2026 and is provided for general informational purposes only — it is not legal advice. State counts and statutory summaries are simplified and change frequently; verify the current requirements for your states and industry with your own legal and compliance teams before acting. Statute references reflect public sources as of June 2026.