U.S. State-Specific Data Disposal Laws

Organizations often collect personally identifiable information (PII) on their prospects and customers for contact, billing and other purposes. This information must be kept confidential at all costs. If this sensitive data is exposed via a breach, it could negatively impact both a business’ reputation and its finances, depending on the federal, state and local regulations it must abide by.

Financial and healthcare companies are just two examples of sectors with strict instructions to protect individuals’ privacy. To-date, there are over 32 states with some type of data disposal regulations for paper and digital data, with 31 of those laws addressing digital data specifically (Arizona’s data disposal law only applies to paper records). Here’s a breakdown of how each of these states approaches data disposal, along with information about whether government organizations and/or private businesses are affected.

StateName of LawApplies to gov’t or businesses?Excerpt
Alaska30th Legislature (2017-2018)
Alaska Statutes 2017
AS 45.48.500
Both Article 4. Disposal of Records.
Sec. 45.48.500. Disposal of records.

“(a) When disposing of records that contain personal information, a business and a governmental agency shall take all reasonable measures necessary to protect against unauthorized access to or use of the records.
(b) Notwithstanding (a) of this section, if a business or governmental agency has otherwise complied with the provisions of AS 45.48.500 — 45.48.590 in the selection of a third party engaged in the business of record destruction, the business or governmental agency is not liable for the disposal of records under AS 45.48.500 — 45.48.590 after the business or governmental agency has relinquished control of the records to the third party for the destruction of the records.
(c) A business or governmental agency is not liable for the disposal of records under AS 45.48.500 — 45.48.590 after the business or governmental agency has relinquished control of the records to the individual to whom the records pertain.”
ArkansasTitle 4 Business and Commercial Law / Subtitle 7 Consumer Protection
Ark. Code § 4-110-103
Ark. Code § 4-110-104
BothTitle 4. Business and Commercial Law.
4-110-104. Protection of personal information.

“(a) A person or business shall take all reasonable steps to destroy or arrange for the destruction of a customer’s records within its custody or control containing personal information that is no longer to be retained by the person or business by shredding, erasing, or otherwise modifying the personal information in the records to make it unreadable or undecipherable through any means.
(b) A person or business that acquires, owns, or licenses personal information about an Arkansas resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.”
California Cal. Civ. Code §§ 1798.81, 1798.81.5, 1798.84Businesses OnlyDisposal of Customer Records – California Civil Code sections 1798.80 – 1798.81 and 1798.84. These sections require businesses to shred, erase or otherwise modify the personal information when disposing of customer records under their control. It provides a “safe harbor” from civil litigation for a business that has come into possession of records containing personal information that were abandoned, so long as the business disposes of them as provided in the statute.”
Colorado2016 Colorado Revised Statutes: Title 6 – Consumer and Commercial Affairs: Fair Trade and Restraint of Trade: Article 1 – Colorado Consumer Protection Act: Part 7 – Specific Provisions § 6-1-713. Disposal of personal identifying documents – policyBoth“(1) Each public and private entity in the state that uses documents during the course of business that contain personal identifying information shall develop a policy for the destruction or proper disposal of paper documents containing personal identifying information.
(2) For the purposes of this section, “personal identifying information” means: A social security number; a personal identification number; a password; a pass code; an official state or government-issued driver’s license or identification card number; a government passport number; biometric data; an employer, student, or military identification number; or a financial transaction device.
(3) A public entity that is managing its records in compliance with part 1 of article 80 of title 24, C.R.S., shall be deemed to have met its obligations under subsection (1) of this section.
(4) Unless an entity specifically contracts with a recycler or disposal firm for destruction of documents that contain personal identifying information, nothing herein shall require a recycler or disposal firm to verify that the documents contained in the products it receives for disposal or recycling have been properly destroyed or disposed of as required by this section.”

Download the solution brief to view the entire list of states that address digital data disposal.