State Compliance · Florida

ITAD in Florida: The Disposal Law and the Breach Rules

Florida has no statewide electronics-recycling law — disposal runs on general solid-waste and federal rules. But its breach law is one of the strictest in the country: a 30-day deadline, Attorney General notice at 500 residents, and penalties up to $500,000. Here's what that means for retiring IT equipment.

By Brian Boynton

TL;DR

Florida has no statewide e-waste law or landfill ban, so disposal is governed by general solid-waste rules and federal RCRA / HIPAA / GLBA duties. The Florida Information Protection Act is the strict part: a 30-day breach deadline, AG notice at 500 residents, and penalties up to $500,000.

  • Florida has no statewide e-waste law or landfill ban; disposal runs on general solid-waste rules and federal RCRA / HIPAA / GLBA duties.
  • Hazardous components (CRTs, batteries) are still federally regulated — dumpster disposal of business IT is a real risk.
  • The Florida Information Protection Act sets a 30-day deadline, AG notice at 500 residents, and penalties up to $500,000.
  • A serialized certificate of destruction keeps a retirement event from becoming a notification event.

01 / THE DISPOSAL LAW

No state e-waste law — federal rules govern

Florida is among the states with no statewide electronics-recycling law and no landfill ban on covered electronics. Disposal is governed by general solid-waste regulation, county programs, and federal rules — the state encourages recycling but does not mandate a manufacturer take-back program.

That absence of a state e-waste law does not mean business IT can be landfilled freely. CRTs, batteries, and other components are regulated as hazardous waste under federal RCRA, and data-bearing devices carry HIPAA and GLBA duties. Bottom line: in Florida the disposal floor is federal, and a compliant, documented recycler is how an organization meets it.

02 / THE BREACH LAW

FIPA: 30 days, and a $500,000 ceiling

Florida's Information Protection Act (Fla. Stat. § 501.171) is one of the strictest in the country. A business must notify affected residents within 30 days — among the shortest deadlines anywhere — and notify the Department of Legal Affairs (Attorney General) when 500 or more residents are affected, even if the investigation is ongoing. Consumer reporting agencies are notified at 1,000+, and penalties can reach $500,000.

A lost or stolen unsanitized drive holding residents' personal information can start that 30-day clock. Bottom line: media destroyed to NIST 800-88 with documentation is not exposed data — the cleanest way to never start the clock.

03 / WHAT IT MEANS

One certified process satisfies both

Read together, Florida's rules point the same direction. An organization retiring IT equipment in Florida has to handle the device lawfully (no state ban, but the federal hazardous-waste floor applies) and be able to prove the data on it is gone under the state's breach-notification law. Handled separately, those are two compliance tracks. Handled as one certified IT asset disposition process, they collapse into a single workflow: compliant recycling, documented NIST 800-88 data destruction with serialized certificates, and an unbroken chain of custody.

That combined standard is what an R2v3, NAID AAA, and RIOS-certified provider is built to deliver. CyberCrunch is headquartered in Greensburg, Pennsylvania, and serves organizations across Florida and all 50 states with on-site and facility-based destruction and documented recycling.

04 / SOURCES

Where this comes from

  • Florida Information Protection Act (Fla. Stat. § 501.171); see IAPP state breach-notification chart
  • State e-waste programs (Florida not listed): ERI state e-waste legislation overview

This page is provided for general informational purposes only and reflects publicly available sources as of June 2026. It is not legal advice and does not create an attorney-client relationship. Laws and regulations change frequently and are subject to interpretation; CyberCrunch makes no representation or warranty as to the accuracy, completeness, or currency of this information and assumes no liability for any reliance on it. Always do your own research and confirm the current requirements for your organization with qualified legal counsel before acting.

05 / FAQ

Frequently asked questions

Does Florida have an e-waste recycling law?
No. Florida has no statewide electronics-recycling law or landfill ban. Disposal is governed by general solid-waste rules, county programs, and federal regulations.

Can a Florida business landfill old computers?
There is no state ban, but CRTs, batteries, and similar components are federally regulated hazardous waste, and data-protection duties apply — making dumpster disposal of business IT a real risk.

When must a Florida organization report a data breach?
Within 30 days to affected residents — one of the shortest deadlines — and to the Department of Legal Affairs when 500 or more residents are affected. Penalties can reach $500,000.

Does destroying a drive remove breach-notification risk?
Media sanitized or destroyed to NIST 800-88 standards, with documentation, is not exposed data — the practical defense against a disposal-driven breach.