State Compliance · Delaware

ITAD in Delaware: The Disposal Law and the Breach Rules

Delaware has no manufacturer e-waste take-back program — but its new Personal Data Privacy Act (effective 2025) and a breach law that pulls in the Attorney General at 500 residents put the emphasis squarely on what happens to the data. Here's what that means for retiring IT equipment.

By Brian Boynton Updated 6 min read

TL;DR

Delaware has no covered-device recycling program; disposal runs through its universal-recycling framework and federal rules. The data side is where Delaware is strict: Delaware now also has a comprehensive consumer-privacy law (the Personal Data Privacy Act, effective 2025), and a breach means AG notice at 500+ residents.

  • Delaware has no covered-device e-waste program; disposal is governed by its universal-recycling framework, household-hazardous-waste collection, and federal rules.
  • Delaware now also has a comprehensive consumer-privacy law, the Delaware Personal Data Privacy Act (effective Jan 1, 2025).
  • A breach requires notice within 60 days and Attorney General notice when 500+ residents are affected.
  • With the emphasis on data, a serialized certificate of destruction is the key record.

01 / THE DISPOSAL LAWNo e-waste program — but rules still apply

Delaware is not among the states with a manufacturer-funded covered-device recycling program. Electronics disposal runs through the state's universal-recycling framework and DNREC guidance, with household-hazardous-waste collection events for residents. There is no statewide covered-electronics landfill ban of the kind Pennsylvania or New York impose.

That does not make business IT disposal unregulated. Hazardous components fall under federal RCRA, and data-bearing devices carry HIPAA and GLBA duties — and Delaware now also has a comprehensive consumer-privacy law, the Delaware Personal Data Privacy Act, effective January 1, 2025. Bottom line: in Delaware the disposal rules are lighter, but the data rules are not.

02 / THE BREACH LAWSixty days, and the AG at 500

Delaware's breach-notification statute (Del. Code tit. 6, § 12B-101 et seq.) requires notifying affected residents without unreasonable delay and no later than 60 days, and notifying the Attorney General when more than 500 residents are affected. "Personal information" reaches medical and health information, biometric data, and account credentials.

An unsanitized drive that leaves the building holding residents' personal information can trigger these duties — and broad data-protection duties raise the stakes on retired-media handling. Bottom line: media destroyed to NIST 800-88 with documentation is not exposed data, which is the practical defense.

03 / WHAT IT MEANSOne certified process satisfies both

Read together, Delaware's rules point the same direction. An organization retiring IT equipment in Delaware has to handle the device lawfully (no covered-device ban, but the data rules are strict) and be able to prove the data on it is gone under the state's breach-notification law. Handled separately, those are two compliance tracks. Handled as one certified IT asset disposition process, they collapse into a single workflow: compliant recycling, documented NIST 800-88 data destruction with serialized certificates, and an unbroken chain of custody.

That combined standard is what an R2v3, NAID AAA, and RIOS-certified provider is built to deliver. CyberCrunch is headquartered in Greensburg, Pennsylvania, and serves organizations across Delaware and all 50 states with on-site and facility-based destruction and documented recycling.

04 / SOURCESWhere this comes from

  • Delaware breach law (Del. Code tit. 6, § 12B-101); see IAPP state breach-notification chart — source
  • State e-waste programs (Delaware not listed) — ERI state e-waste legislation overview — source

This page is provided for general informational purposes only and reflects publicly available sources as of June 2026. It is not legal advice and does not create an attorney-client relationship. Laws and regulations change frequently and are subject to interpretation; CyberCrunch makes no representation or warranty as to the accuracy, completeness, or currency of this information and assumes no liability for any reliance on it. Always do your own research and confirm the current requirements for your organization with qualified legal counsel before acting.

05 / FAQFrequently asked questions

Does Delaware have an e-waste recycling law?
Delaware has no manufacturer-funded covered-device recycling program. Electronics disposal runs through its universal-recycling framework, household-hazardous-waste collection, and federal rules.

Can a Delaware business landfill old computers?
There is no statewide covered-electronics landfill ban, but federal RCRA hazardous-waste rules and data-protection duties make dumpster disposal of business IT equipment a serious risk.

When must a Delaware organization report a data breach?
Within 60 days to affected residents, and to the Attorney General when more than 500 residents are affected. Personal information includes medical and credential data.

Does destroying a drive remove breach-notification risk?
Media sanitized or destroyed to NIST 800-88 standards, with documentation, is not exposed data — the practical defense against a disposal-driven breach.