01 / THE DISPOSAL LAW
Pennsylvania's Covered Device Recycling Act
Pennsylvania's electronics-disposal rules come from the Covered Device Recycling Act (CDRA), Act 108 of 2010 (35 P.S. § 6031.101 et seq.), enforced by the Pennsylvania Department of Environmental Protection. Its central provision is a landfill disposal ban that took effect January 24, 2013: no person may place covered devices in municipal waste, and landfills and transfer stations may not accept them.
Covered devices include desktop and laptop computers, computer monitors, computer peripherals (printers, keyboards, mice), tablets and e-readers with a browser and connectivity, and televisions with screens larger than four inches. Cell phones are exempt.
Here is the part that matters for organizations. The CDRA's free manufacturer- and retailer-funded recycling programs exist for consumers and small businesses with fewer than 50 employees. Businesses with 50 or more employees — and public entities such as schools and government offices — are not covered, and must make their own recycling arrangements at their own expense. Generators, haulers, landfills, and transfer stations can all be held liable for improper disposal, and illegal dumping of covered devices carries fines of up to $1,000 for a first offense and up to $2,000 for subsequent violations.
Bottom line: for any Pennsylvania enterprise, putting old laptops and monitors in the dumpster is illegal. You need a recycler that lawfully handles covered devices and gives you the documentation to prove it.
02 / THE BREACH LAW
What happens if data leaves with the hardware
The disposal rules cover the device. Pennsylvania's Breach of Personal Information Notification Act (BPINA) — originally Act 94 of 2005, significantly amended by Act 151 of 2022 (effective May 2, 2023) and Act 33 of 2024 (effective Sept 26, 2024) — covers the data on it. It applies to any business doing business in the Commonwealth that maintains the personal information of Pennsylvania residents.
A breach under the Act is the unauthorized access and acquisition of computerized personal information — and a lost or stolen unsanitized drive can qualify. The amendments broadened "personal information" to include medical information, health insurance information, and a username or email address combined with a password or security question and answer. That pulls retired healthcare devices and credential stores squarely into scope.
On a reportable breach, an entity must notify affected residents without unreasonable delay upon determination of the breach, and — under the 2024 amendments — must notify the Pennsylvania Office of Attorney General when more than 500 residents are affected, concurrent with notice to individuals. A vendor that manages data on behalf of another entity must notify that entity upon discovering a breach.
Bottom line: data that has been sanitized to standard and certified is not exposed data. Documented destruction is how you keep a retirement event from becoming a notification event.
03 / WHAT IT MEANS
One certified process satisfies both
Read together, the two laws point the same direction. A Pennsylvania organization must recycle covered devices through its own arrangement (CDRA) and must be able to prove the data on those devices is gone (BPINA). Handled separately, they become two compliance headaches. Handled as one certified IT asset disposition process, they collapse into a single workflow: covered-device recycling, documented NIST 800-88 data destruction with serialized certificates, and an unbroken chain of custody.
That combined standard is exactly what an R2v3, NAID AAA, and RIOS-certified, PA DEP-permitted provider is built to deliver. CyberCrunch is headquartered in Greensburg, Pennsylvania, and serves organizations across the Commonwealth and all 50 states with on-site and facility-based destruction and documented recycling.
04 / SOURCES
Where this comes from
- Covered Device Recycling Act: PA DEP, Electronics Recycling / CDRA (Act 108 of 2010, 35 P.S. § 6031.101 et seq.) — pa.gov DEP
- Breach notification: Pennsylvania Breach of Personal Information Notification Act, as amended by Act 151 of 2022 and Act 33 of 2024 — PA Office of Attorney General
This page is provided for general informational purposes only and reflects publicly available sources as of June 2026. It is not legal advice and does not create an attorney-client relationship. Laws and regulations change frequently and are subject to interpretation; CyberCrunch makes no representation or warranty as to the accuracy, completeness, or currency of this information and assumes no liability for any reliance on it. Always do your own research and confirm the current requirements for your organization with qualified legal counsel before acting.
05 / FAQ
Frequently asked questions
Can a Pennsylvania business throw old computers in the trash?
No. The CDRA bans computers, monitors, peripherals, tablets, and televisions from Pennsylvania landfills, and businesses with 50 or more employees must arrange their own recycling.
Does Pennsylvania's e-waste law cover businesses?
The free manufacturer and retailer programs cover consumers and businesses with fewer than 50 employees. Larger organizations must arrange — and pay for — their own recycling.
When must a Pennsylvania organization report a data breach?
Without unreasonable delay after determining a breach of Pennsylvania residents' personal information; under the 2024 amendments, the Attorney General must be notified when more than 500 residents are affected.
Does destroying a drive remove breach-notification risk?
Media sanitized or destroyed to NIST 800-88 standards, with documentation, is not exposed data — the practical defense against a disposal-driven breach.