State Compliance · California

ITAD in California: The Disposal Law and the Breach Rules

California wrote the nation's first comprehensive e-waste law: a landfill ban on covered devices, an advance recycling fee, and substantial business fines per violation. Its breach law requires submitting a sample notice to the Attorney General at 500 residents. Here's what that means for retiring IT equipment.

By Brian Boynton Updated 6 min read

TL;DR

California bans covered electronic devices from landfills, funds recycling through an advance fee paid at purchase, and can draw substantial civil penalties per violation. Its breach law requires a sample notice to the Attorney General when 500+ residents are affected — so documented destruction is the cleaner path.

  • California's Electronic Waste Recycling Act of 2003 bans covered devices from landfills and funds recycling through an advance fee at purchase.
  • Improper business disposal can draw substantial civil penalties per violation.
  • The breach law requires notice without unreasonable delay and a sample notice to the Attorney General at 500+ residents.
  • A serialized certificate of destruction keeps a retirement event from becoming a notification event.

01 / THE DISPOSAL LAWThe nation's first e-waste law

California's Electronic Waste Recycling Act of 2003 was the first comprehensive state e-waste law and remains among the strictest. It funds recycling through an advance recycling fee ($4–$10) collected at the point of sale, and it bans covered electronic devices — CRTs, monitors, laptops, and similar displays — from landfill disposal. Covered devices must go to authorized recyclers.

Enforcement is real for organizations: improper business disposal can draw substantial civil penalties per violation, administered through CalRecycle and DTSC, on top of federal RCRA, HIPAA, and GLBA duties. Bottom line: in California, landfilling covered electronics is prohibited and expensive — a compliant, documented recycler is the only safe route.

02 / THE BREACH LAWA sample notice to the AG

California's breach-notification statute (Cal. Civ. Code § 1798.82) requires notifying affected residents in the most expedient time possible and without unreasonable delay, and submitting a sample of the notice to the Attorney General when more than 500 California residents are affected — submissions the AG publishes. "Personal information" is broad, reaching medical and health-insurance information, biometric data, and account credentials.

A lost or stolen unsanitized drive holding residents' personal information can trigger a public AG filing. Bottom line: media destroyed to NIST 800-88 with documentation is not exposed data — the cleanest way to avoid a published breach notice.

03 / WHAT IT MEANSOne certified process satisfies both

Read together, California's rules point the same direction. An organization retiring IT equipment in California has to handle the device lawfully — covered electronics are banned from landfills — and be able to prove the data on it is gone under the state's breach-notification law. Handled separately, those are two compliance tracks. Handled as one certified IT asset disposition process, they collapse into a single workflow: compliant recycling, documented NIST 800-88 data destruction with serialized certificates, and an unbroken chain of custody.

That combined standard is what an R2v3, NAID AAA, and RIOS-certified provider is built to deliver. CyberCrunch is headquartered in Greensburg, Pennsylvania, and serves organizations across California and all 50 states with on-site and facility-based destruction and documented recycling.

04 / SOURCESWhere this comes from

  • California breach law (Cal. Civ. Code § 1798.82); see IAPP state breach-notification chart — source
  • California Electronic Waste Recycling Act of 2003 — ERI state e-waste legislation overview — source

This page is provided for general informational purposes only and reflects publicly available sources as of June 2026. It is not legal advice and does not create an attorney-client relationship. Laws and regulations change frequently and are subject to interpretation; CyberCrunch makes no representation or warranty as to the accuracy, completeness, or currency of this information and assumes no liability for any reliance on it. Always do your own research and confirm the current requirements for your organization with qualified legal counsel before acting.

05 / FAQFrequently asked questions

Can a California business throw old computers in the trash?
No. The Electronic Waste Recycling Act of 2003 bans covered electronic devices from landfills. Improper business disposal can draw substantial civil penalties per violation.

How is electronics recycling funded in California?
Through an advance recycling fee of $4–$10 collected at the point of sale on covered devices — one of the few states that uses a fee model rather than producer responsibility.

When must a California organization report a data breach?
Without unreasonable delay to affected residents, and by submitting a sample notice to the Attorney General when more than 500 residents are affected.

Does destroying a drive remove breach-notification risk?
Media sanitized or destroyed to NIST 800-88 standards, with documentation, is not exposed data — the practical defense against a disposal-driven breach.