IT Equipment Disposal Laws by State (2025): What Enterprise IT Teams Need to Know

Enterprise IT teams managing equipment decommissions, data center relocations, or office consolidations face a compliance picture that varies widely by state — and is frequently misunderstood.

The common assumption is that hiring an ITAD vendor handles the compliance obligation. That is partially true: a certified ITAD vendor handles the physical disposition in a compliant manner. The organization generating the waste is still responsible for understanding what "compliant" means in the jurisdictions where their equipment originates, and for maintaining documentation that proves it was handled correctly.

The Federal Baseline

The United States does not have a single federal e-waste law that governs private-sector IT disposal. The Resource Conservation and Recovery Act (RCRA) covers hazardous waste, and certain electronics components qualify — but the EPA has historically deferred to state programs on consumer and business electronics.

However, federal sector-specific regulations do apply regardless of state law:

HIPAA (healthcare): Any storage-bearing device that contained protected health information (PHI) must be sanitized to NIST 800-88 standards or physically destroyed before disposal. The covered entity's obligation does not end when the device leaves the building — it ends when a certificate of destruction is received from a HIPAA Business Associate.
FISMA (federal agencies and contractors): NIST 800-88 sanitization is the governing standard for federal IT equipment disposal. Defense contractors are subject to DFARS requirements that may impose additional restrictions on where equipment can be processed.
PCI-DSS (payment processing): Requirement 9.8 mandates destruction of cardholder data on media before disposal, with documentation.
SOX (public companies): Audit trail requirements effectively mandate documentation of IT asset disposition for equipment that stored financial records subject to the retention period.

For organizations in regulated industries, the federal requirement is the floor. State requirements may add to it but cannot subtract from it.

State-by-State Overview: Key Programs

As of 2025, 29 states have enacted e-waste legislation. The majority operate producer responsibility programs — meaning manufacturers, not businesses, are primarily responsible for funding recycling infrastructure. Businesses are typically required to use registered collectors or recyclers, and prohibited from disposing of covered electronics in solid waste (landfill) streams.

California

Program: CalRecycle Covered Electronic Waste (CEW) program, operating under SB 20/SB 50.
Covered devices: Video display devices (monitors, TVs, laptops, tablets). Servers and non-display equipment have different handling requirements.
Business requirements: Covered electronic waste may not be disposed of in solid waste. Businesses must take covered devices to authorized collectors or use a certified e-waste recycler. California is the only state with an advance recycling fee (ARF) paid at point of sale.
Data destruction: No state law specifically mandates data destruction standards. CMIA and other California privacy laws create indirect obligations for businesses handling personal data.

New York

Program: New York Electronic Equipment Recycling and Reprocessing Act (NY E-Cycles).
Covered devices: Computers, monitors, TVs, and printers.
Business requirements: Businesses with under 50 employees may use residential drop-off programs. Larger organizations must arrange disposal through manufacturer take-back programs or registered collectors. Landfill disposal of covered electronics is prohibited.
Data destruction: The NY SHIELD Act requires businesses to implement reasonable safeguards for private information, including during disposal. This creates an implicit requirement for certified data destruction on devices containing NY resident data.

Texas

Program: Texas E-Cycles, administered by TCEQ (Texas Commission on Environmental Quality).
Covered devices: Computers, monitors, laptops, and televisions.
Business requirements: Businesses may use manufacturer take-back programs, registered collectors, or certified recyclers. Landfill disposal of covered electronics is prohibited for businesses. Texas has a relatively flexible compliance framework compared to northeastern states.
Data destruction: Texas Business and Commerce Code includes data disposal requirements for businesses holding sensitive personal information. Reasonable disposal means shredding, erasing, or otherwise making data unreadable.

Illinois

Program: Illinois Product Stewardship Act for Electronic Devices.
Covered devices: Computers, monitors, printers, and televisions.
Business requirements: All businesses are prohibited from disposing of covered electronics in solid waste. Must use registered collectors or manufacturer take-back programs.
Data destruction: Illinois Personal Information Protection Act (PIPA) requires reasonable measures to destroy or dispose of records containing personal information.

Washington

Program: E-Cycle Washington, a manufacturer-funded program.
Covered devices: Computers, monitors, laptops, and televisions.
Business requirements: Free collection available to businesses through E-Cycle Washington collection sites. Businesses may not dispose of covered devices in solid waste. One of the most accessible programs in the country for businesses of all sizes.

Minnesota, Oregon, Connecticut, New Jersey

All four states operate manufacturer responsibility programs with landfill prohibition for covered electronics. Oregon's E-Cycles program and New Jersey's program are notable for including a broader range of covered devices than most states. Connecticut's law includes specific provisions for business-generated e-waste volumes above certain thresholds.

States Without E-Waste Laws

As of 2025, states without statewide e-waste legislation include Alabama, Alaska, Georgia (has a program but limited), Idaho, Kansas, Louisiana, Mississippi, Missouri (partial), Nevada (partial), South Carolina, South Dakota, Wyoming, and several others. Businesses in these states are not prohibited from landfill disposal of electronics under state law — but federal regulations (RCRA for hazardous components, sector-specific requirements) still apply, and local ordinances in major cities may impose additional restrictions.

What "Certified Recycler" Actually Means Across State Programs

Most state programs require businesses to use "certified" or "registered" recyclers, but the certification standard varies by state:

Some states accept R2 or e-Stewards certification as meeting their recycler qualification requirements (California, New York, Illinois).
Some states operate their own registration programs that are separate from R2/e-Stewards and require independent registration with the state agency.
Some states defer entirely to manufacturer take-back program lists — your recycler must be on the manufacturer's approved vendor list for the specific device type.

This means an R2-certified ITAD vendor that is qualified in one state may not be automatically qualified in another. For multi-state decommissions, confirm that your ITAD vendor is registered or certified in each state where equipment originates — not just where their processing facility is located.

Documentation: What to Keep and for How Long

Regardless of which state laws apply, enterprise IT compliance programs should maintain the following documentation for all IT equipment disposals:

Asset manifest: Complete list of every device disposed of, including make, model, and serial number
Chain of custody records: Documented handoff from internal custody to ITAD vendor, with signed receipts
Certificates of data destruction: Device-by-device certificates from the ITAD vendor, tied to asset serial numbers, specifying the sanitization method used
Vendor credentials: Copy of the ITAD vendor's R2 or e-Stewards certificate, NAID AAA certificate if applicable, and state registration or qualification documentation
Downstream vendor documentation: For R2-certified vendors, ask for their downstream vendor list — a credentialed vendor provides it without hesitation

Retention period: most compliance frameworks specify 3–7 years for records relating to data disposal. HIPAA requires 6 years from creation or last use. Federal contractors may have longer retention requirements under specific contract terms.

Practical Implications for Multi-State Operations

For enterprise organizations with equipment in multiple states, the compliance challenge is not understanding any single state's law — it is managing the variation across locations while maintaining a consistent internal standard.

The practical approach that most enterprise compliance teams adopt:

Set an internal standard that exceeds any single state requirement: R2-certified ITAD vendor, NIST 800-88 data sanitization, device-level certificates, full chain of custody documentation. This standard satisfies the most demanding state programs and most federal sector requirements simultaneously.
Confirm vendor registration in each state: For the states where your equipment originates, verify that your ITAD vendor is specifically qualified to collect in that state — not just that they hold R2 certification.
Centralize processing where possible: For multi-site decommissions, consolidating equipment at a single certified processing facility (with documented transport chain of custody) simplifies compliance tracking versus engaging separate vendors in each state.
Document everything, retain it: The ability to produce device-level certificates for equipment disposed of three years ago is the difference between closing an audit and spending weeks reconstructing records.

Key Terms

Definitions for the acronyms and standards referenced in this article.

Compliance & Regulatory

HIPAA— Health Insurance Portability and Accountability Act: US federal law that governs the protection of patients' medical information (PHI). For IT logistics, HIPAA requires that any hardware storing protected health information be handled, transported, and disposed of with documented chain-of-custody and certified data destruction.
PCI-DSS— Payment Card Industry Data Security Standard: A global security standard that any organization handling credit or debit card data must follow. Requirement 9.8 specifically covers the destruction of storage media containing cardholder data — physical shredding or secure electronic wiping, with documentation.
SOX— Sarbanes-Oxley Act: US federal law requiring publicly traded companies to maintain accurate financial records and implement strong internal controls. For IT asset disposal, SOX mandates that records — including those stored on electronic media — are retained according to schedule and destroyed only with documented evidence.

Certifications

NAID— National Association for Information Destruction: The trade organization that sets standards for the secure destruction of information in all its forms. NAID AAA Certification is the industry's highest credential for data destruction vendors — it requires unannounced audits of the vendor's actual destruction process, not just self-reporting.
R2— Responsible Recycling (R2 Certification): An internationally recognized certification for electronics recyclers. R2-certified facilities meet documented standards for data security, environmental compliance, and worker safety when processing end-of-life IT equipment. If your vendor recycles equipment, R2 (or e-Stewards) certification is the minimum standard to require.

Industry Standards

NIST— National Institute of Standards and Technology: A US federal agency that develops technology standards and guidelines. For IT asset disposal, NIST Special Publication 800-88 ("Guidelines for Media Sanitization") is the most referenced standard — it defines three levels of data destruction (Clear, Purge, Destroy) and specifies which method applies to each type of storage media.
NIST 800-88— NIST Special Publication 800-88 — Guidelines for Media Sanitization: The definitive federal standard for securely sanitizing (wiping or destroying) storage media. It defines three sanitization levels: Clear (software overwrite), Purge (degaussing, cryptographic erase, or secure erase commands), and Destroy (physical destruction). Referenced by HIPAA, PCI-DSS, SOX, FedRAMP, and most enterprise security frameworks.

Security & Data

PHI— Protected Health Information: Any health information that can identify a patient — medical records, diagnoses, treatment data, billing information — that is created, received, stored, or transmitted by a HIPAA-covered entity. Storage media containing PHI must be disposed of with NIST 800-88 Purge or Destroy-level sanitization and a documented certificate of destruction.

Logistics

ITAD— IT Asset Disposition: The business of managing end-of-life IT equipment responsibly — including data destruction, value recovery through remarketing, and certified recycling. A legitimate ITAD provider issues serialized certificates of destruction and holds recognized certifications like NAID AAA, R2, and e-Stewards. ITAD is not the same as "throwing old hardware away."