California IT Asset Disposition (ITAD), Data Destruction, and Electronics Recycling Compliance

California operates the most layered compliance regime in the country for IT asset retirement, spanning the CCPA as amended by the CPRA, the Confidentiality of Medical Information Act, a records-disposal statute at Cal. Civ. Code Section 1798.81, the Electronic Waste Recycling Act of 2003 with its advance-recovery-fee architecture and CalRecycle-approved collector and recycler system, and the Hazardous Waste Control Law under Health and Safety Code Division 20 Chapter 6.5 with California-only hazardous-waste classifications more stringent than federal RCRA.

The CPRA created the Sensitive Personal Information category that reaches biometric data, genetic data, and health information, while the Delete Act establishes a one-stop deletion mechanism effective August 2026 and the Right to Repair Act took effect July 2024, all layered over a federal baseline of HIPAA, the FTC Safeguards Rule, GLBA, and DFARS 252.204-7012.

The Enterprise Compliance Reference below delivers the executive briefing for IT Asset Disposition, secure data destruction, and certified electronics recycling in California; the sections that follow expand every statute, regulator, and penalty band with cited authority.

California Enterprise Compliance Reference

| Compliance Topic | What California Requires | Who Enforces | Penalty Band | What All Green Recycling Provides |
| --- | --- | --- | --- | --- |
| 1. Consumer Privacy & SPI | CCPA/CPRA right-to-delete, right-to-limit Sensitive Personal Information including biometric and health data under Cal. Civ. Code §§ 1798.100–1798.199.100. | California Privacy Protection Agency (CPPA) + California Attorney General | $2,500 per violation; $7,500 per intentional or minor-involving violation | Certified data destruction reaching SPI categories before custody transfer. |
| 2. Breach Notification | Notice to affected California residents in the most expedient time possible and without unreasonable delay under Cal. Civ. Code § 1798.82; AG notice for 500+ residents. | California Attorney General; private parties | Private statutory damages $100–$750 per consumer per incident under Cal. Civ. Code § 1798.150 | Certified media shredding with serialized Certificate of Destruction. |
| 3. Records Disposal | “Shred, erase, or otherwise modify personal information to make it unreadable or undecipherable” under Cal. Civ. Code § 1798.81; reasonable security required under Cal. Civ. Code § 1798.81.5. | California Attorney General; private parties | Actual damages plus equitable relief under Cal. Civ. Code § 1798.84 | Certified data wiping aligned to NIST Clear / Purge. |
| 4. Medical Information (CMIA) | Confidentiality of Medical Information Act Cal. Civ. Code §§ 56–56.37; AB 352 (effective July 1, 2024) extends to reproductive and gender-affirming care. | CDPH; CDI; AG; private parties | Up to $1,000 negligent / $25,000 willful per individual; punitive damages in private actions | Certified IT asset disposition for CMIA-covered hardware. |
| 5. E-Waste Recycling | Advance recovery fee program under the Electronic Waste Recycling Act of 2003 (SB 20); hazardous-waste rules at Title 22 CCR Div. 4.5; CRTs and other CEDs treated as universal waste under Title 22 CCR § 66273.4. | CalRecycle + DTSC | Up to $25,000 per day per violation; criminal liability | Certified electronics recycling through DTSC-approved channels. |
| 6. Federal Overlay & Audit Posture | HIPAA, FTC Safeguards, GLBA, FAR 52.204-21, DFARS 252.204-7012; documented Certificate of Destruction, chain-of-custody, environmental disposition. | HHS OCR, FTC, federal prime contractors, customer audit | HIPAA up to $2.067M per identical violation per year (2025 adjusted) | IT asset reporting packaged for legal, audit, and regulator teams. |

California Compliance Reality

California operates the most layered consumer-privacy and electronics-waste compliance regime in the United States. Retirement of a Retired Electronic Asset in California is governed by the convergence of (1) the CCPA as amended by CPRA, which creates affirmative obligations around Sensitive Personal Information that survive hardware retirement, (2) the CMIA, which extends beyond HIPAA for medical information, (3) the records-disposal statute at Cal. Civ. Code § 1798.81 with its “unreadable or undecipherable” outcome standard, (4) the Electronic Waste Recycling Act of 2003 with its advance-recovery-fee architecture and CalRecycle-approved collector/recycler system, (5) the Hazardous Waste Control Law and Title 22 CCR which treat California-only hazardous wastes more strictly than federal RCRA, (6) the Right to Repair Act effective July 1, 2024, and (7) the Delete Act establishing a one-stop deletion request mechanism effective August 1, 2026. Audit defensibility is the ability to reconstruct each step of asset retirement across that duty surface on demand.

California and Federal Compliance Interaction

California sets the strictest state regime in the country, and the federal HIPAA, GLBA, FTC Safeguards, FACTA, FAR 52.204-21, and DFARS 252.204-7012 overlays establish a baseline that California law extends through CCPA/CPRA, the Confidentiality of Medical Information Act, and SB 327 IoT security. A regulated enterprise must satisfy the stricter of (1) California statutes including CCPA/CPRA, CMIA, Cal. Civ. Code § 1798.81 (records disposal), Cal. Civ. Code § 1798.81.5 (reasonable security), Cal. Civ. Code § 1798.82 (breach notice), and the e-waste and hazardous-waste regimes, (2) federal sector rules including the HIPAA Security Rule, the FTC Safeguards Rule, GLBA, FAR 52.204-21, and DFARS 252.204-7012, and (3) customer or prime-contract clauses. CMIA + HIPAA stack in California (the stricter standard governs); CCPA/CPRA + FTC Safeguards stack in California; California-only hazardous wastes stack on top of federal RCRA. The audit defensibility of an IT Asset Disposition program in California depends on the ability to map each asset class and each data category to the operative duty band across that layered regime.

California Preemption Matrix (Federal Floor vs. State Posture)

The preemption matrix below states, for each federal regime that touches enterprise IT asset disposition in California, whether California law is preempted by, equal to, or exceeds the federal floor, and where it exceeds, the specific stricter element.

| Federal Regime | California Posture | Stricter Element (if any) |
| --- | --- | --- |
| HIPAA Security Rule (45 CFR Part 164 Subpart C) | California exceeds | California Confidentiality of Medical Information Act (Cal. Civ. Code § 56) extends to providers, plans, and contractors beyond HIPAA covered-entity scope. |
| GLBA / FTC Safeguards Rule (16 CFR Part 314) | California exceeds | California Financial Information Privacy Act (Cal. Fin. Code § 4050) requires opt-in consent for affiliate information sharing beyond GLBA’s opt-out floor. |
| FACTA Disposal Rule (16 CFR § 682.3) | California exceeds | Cal. Civ. Code § 1798.81 requires destruction by ‘shredding, erasing, or otherwise modifying’ personal information to make it unreadable; CCPA/CPRA adds deletion rights. |
| DFARS 252.204-7012 / FAR 52.204-21 / CMMC 2.0 (32 CFR Part 170) | equals | Federal regime controls for federal contractors; CMMC 2.0 effective December 16, 2024 applies through prime-contractor flow-down. |
| RCRA Subtitle C (40 CFR Parts 260-279) | California exceeds | 22 CCR Division 4.5 includes state-only non-RCRA hazardous waste characteristics; California is more stringent. |

NIST SP 800-171 Revision 3 (May 2024 final) is the operative federal CUI sanitization baseline for federal-contractor environments, and CMMC 2.0 (32 CFR Part 170, effective December 16, 2024) is the operative DoD contractor framework that enforces the NIST 800-171 control set through assessment-based compliance levels. Federal contractors operating in California must satisfy CMMC 2.0 in addition to California state law.

California Data Security, Privacy, and Disposal Obligations

CCPA / CPRA and Sensitive Personal Information

The California Consumer Privacy Act, as amended by the California Privacy Rights Act, is codified at Cal. Civ. Code §§ 1798.100–1798.199.100 with enforcement by the California Privacy Protection Agency (CPPA) and the California Attorney General. The CPRA category of Sensitive Personal Information (Cal. Civ. Code § 1798.140(ae)) covers Social Security number, driver’s license, financial-account credentials with access codes, precise geolocation, racial or ethnic origin, religious or philosophical beliefs, union membership, contents of mail/email/text messages, genetic data, biometric information processed for unique identification, health information, and information about a consumer’s sex life or sexual orientation. The right to delete (Cal. Civ. Code § 1798.105), right to limit use of SPI (Cal. Civ. Code § 1798.121), and right to correct (Cal. Civ. Code § 1798.106) all impose obligations that survive hardware retirement when the data persists on retired media. Civil penalties under Cal. Civ. Code § 1798.155 are up to $2,500 per violation, and up to $7,500 per intentional violation or per violation involving consumers under 16.

Records Disposal — Cal. Civ. Code § 1798.81

Cal. Civ. Code § 1798.81 requires a business to “take all reasonable steps to dispose, or arrange for the disposal, of customer records within its custody or control containing personal information when the records are no longer to be retained by the business” by (1) shredding, (2) erasing, or (3) “otherwise modifying the personal information in those records to make it unreadable or undecipherable through any means.” The outcome standard is method-agnostic, and the audit-defensible posture is alignment to NIST SP 800-88 Rev. 2 Clear / Purge / Destroy categories with verification per device. The private right of action under Cal. Civ. Code § 1798.84 authorizes actual damages and equitable relief.

Reasonable Security — Cal. Civ. Code § 1798.81.5

Cal. Civ. Code § 1798.81.5 imposes a freestanding duty on businesses that own, license, or maintain personal information about California residents to “implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.” The reasonable-security standard is interpreted with reference to the CIS Critical Security Controls per the 2016 California AG Data Breach Report and subsequent enforcement guidance. The duty extends to third-party contractor relationships through the contracting-party language at § 1798.81.5(c).

Breach Notification — Cal. Civ. Code § 1798.82

Cal. Civ. Code § 1798.82 requires notice to affected California residents in the most expedient time possible and without unreasonable delay. Notice to the California Attorney General is required when more than 500 California residents are affected. The private right of action under Cal. Civ. Code § 1798.150 authorizes statutory damages of $100 to $750 per consumer per incident, or actual damages, whichever is greater, for breaches of unencrypted/unredacted personal information involving certain enumerated categories. The audit defensibility of the breach-notice posture turns on the ability to demonstrate, at the moment of custody transfer, that data was rendered unreadable or undecipherable so that the breach trigger never attached to the retired hardware.

Confidentiality of Medical Information Act (D1 Overlay)

The Confidentiality of Medical Information Act (CMIA, Cal. Civ. Code §§ 56–56.37) predates HIPAA in California and extends beyond it. CMIA covers medical information held by providers, plans, contractors, software companies, and pharmacy benefit managers. Civil penalties run up to $1,000 per negligent violation or up to $25,000 per willful violation per individual, with punitive damages plus attorney’s fees available in private actions. AB 352, effective July 1, 2024, extended CMIA to reproductive and gender-affirming care information. Retirement of any hardware that has processed medical information must reach the CMIA outcome standard before custody transfer.

Biometric Identifiers (D2 Overlay via CPRA SPI)

California does not have a standalone biometric-identifier statute equivalent to Illinois BIPA. Instead, biometric information processed for unique identification is treated as Sensitive Personal Information under Cal. Civ. Code § 1798.140(ae)(2)(C), which triggers the right to limit use of SPI under Cal. Civ. Code § 1798.121. Retired hardware that has processed biometric template files for unique-identification purposes must reach the CCPA/CPRA outcome standard at custody transfer.

Data Broker Registration and the Delete Act (D3 Overlay)

California operates a data-broker registry under Cal. Civ. Code § 1798.99.80. SB 362 (the Delete Act) layers a one-stop deletion mechanism: the Data Broker Requests and Opt-Out Platform (DROP) operated by the CPPA, effective August 1, 2026, will accept a single deletion request that propagates to all registered data brokers. Enterprise data subject to broker-style processing must reach the destruction and chain-of-custody outcomes that satisfy both CCPA/CPRA deletion rights and the Delete Act registry-driven deletion duty.

Right to Repair Act (D6 Overlay)

California’s Right to Repair Act (SB 244, Cal. Bus. & Prof. Code §§ 22330–22337) took effect July 1, 2024. It requires manufacturers of consumer electronics priced over $50 and appliances priced over $100 to make repair parts, tools, and documentation available to consumers and independent repair shops. The Right to Repair regime extends the operational life of enterprise hardware and increases the volume of mid-life servicing events; each servicing event that touches storage media must integrate with the data-destruction chain of custody so that residual data on swapped-out parts is sanitized before disposition.

California Public-Sector IT Disposal Posture

California state agencies retire IT assets under California Department of Technology policy. The operative controls include California State Administrative Manual (SAM) Chapter 5300; SIMM 5300-A state IT security policy; CalOES surplus property; and State Records Retention Schedules. Public-sector retirement requires permanent removal of data before transfer or surplus, documented chain of custody, records-retention-schedule alignment for any records-bearing media, and surplus-property routing through the state’s authorized disposal channel. Private-sector enterprises that contract with the state, that operate in regulated public-sector-adjacent industries (higher education, K-12, state-funded healthcare), or that subcontract to state agencies inherit these duties through contract flow-down. See California Department of Technology policy guidance.

California Student Online Personal Information Protection Act (SOPIPA) (Student-Data Privacy)

California’s student-data privacy statute at Cal. Bus. & Prof. Code § 22584 regulates K-12 ed-tech operators that collect, store, or process covered student information. The statute imposes data-minimization, retention-limit, destruction-on-termination, and prohibition-on-secondary-use duties. School districts, charter schools, higher-education institutions in scope, and ed-tech service providers retiring devices that have held covered student records must verify data destruction under California’s outcome standard and retain the destruction certificate.

Data Destruction and Media Sanitization Expectations

The Cal. Civ. Code § 1798.81 records-disposal statute prescribes the outcome (unreadable or undecipherable) but is method-agnostic. The operative method baseline is NIST Special Publication 800-88 Revision 2 (operative September 26, 2025), which categorizes media sanitization as Clear (logical), Purge (cryptographic erase, secure-erase command, or strong degaussing for legacy magnetic media), and Destroy (shredding, disintegration, pulverization, or incineration). California state agencies follow CDT SIMM Section 5305-G (“Disposal of Surplus Computers”), which incorporates NIST 800-88 by reference. The audit-defensible position for a California enterprise is NIST 800-88 Rev. 2 alignment with method selection driven by media type, data sensitivity, CCPA/CPRA SPI categories present, CMIA covered medical information, and reuse intent.

Hard Drive Shredding

California-resident Sensitive Personal Information, CMIA medical information, and CPRA-defined “sensitive” categories on fixed media demand a NIST 800-88 Rev. 2 Destroy outcome through physical shredding, because the CCPA breach-trigger reaches any unencrypted media that leaves enterprise custody. Hard drive shredding reduces magnetic and solid-state media to particles small enough that data reconstruction is forensically impossible, satisfying the Cal. Civ. Code § 1798.81 outcome standard.

Certified Data Wiping

Certified data wiping aligned to NIST 800-88 Clear or Purge is appropriate where the asset is being remarketed or redeployed and where the data sensitivity supports it. Per-drive serialized records carrying the device identifier, the method, the operator, the date, and the verification result feed the Certificate of Data Destruction.

Media Degaussing

Media degaussing is the appropriate Purge method for legacy magnetic media including tape, magnetic disk, and legacy enterprise storage. SSDs, NVMe, and modern flash media are not degaussable; cryptographic erase (Purge) or physical destruction (Destroy) apply.

Certified Media Shredding

Certified media shredding covers non-drive media including optical disks, tape cartridges, USB drives, memory cards, smart cards, and any printed material containing personal information subject to Cal. Civ. Code § 1798.81. The Certificate of Destruction is structured for delivery to the AG, CPPA, customer auditor, or counterparty without reformatting.
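The method-selection rules in this section (degaussing only for magnetic media, Destroy for fixed media that carried SPI or CMIA data, wiping only where reuse and sensitivity allow it, and a per-drive record with identifier, method, operator, date, and verification result) can be checked mechanically before a Certificate of Data Destruction is issued. The sketch below is an added example, not part of the original page or any vendor's tooling. The record field names, media-type and data labels, finding codes, and sample records are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

RANK = {"clear": 0, "purge": 1, "destroy": 2}

# Technique -> sanitization category, following the grouping this section gives.
TECHNIQUE_CATEGORY = {
    "overwrite": "clear",
    "crypto_erase": "purge",
    "secure_erase": "purge",
    "degauss": "purge",
    "shred": "destroy",
    "disintegrate": "destroy",
    "pulverize": "destroy",
    "incinerate": "destroy",
}

# Only legacy magnetic media is degaussable; SSD, NVMe and other flash are not.
MAGNETIC_MEDIA = {"hdd", "tape"}

# Assumption: minimum category per data label. The section states Destroy for
# SPI and CMIA data on fixed media; "general" is a hypothetical label for
# everything else. Unknown labels fall back to the strictest category.
MIN_CATEGORY = {"general": "clear", "spi": "destroy", "cmia": "destroy"}


@dataclass
class DestructionRecord:
    serial: str                    # device identifier
    media_type: str                # e.g. "hdd", "ssd", "nvme", "tape"
    data_label: str                # "general", "spi" or "cmia"
    technique: str                 # key of TECHNIQUE_CATEGORY
    operator: str
    performed_on: Optional[date]
    verification: str              # "pass", "fail" or "" when absent
    remarket: bool = False         # reuse intent


def audit_record(rec: DestructionRecord) -> List[str]:
    """Return finding codes for one per-drive record; empty list means clean."""
    findings: List[str] = []

    # 1. Completeness of the serialized record.
    for name in ("serial", "operator", "performed_on", "verification"):
        if not getattr(rec, name):
            findings.append(f"MISSING:{name}")

    category = TECHNIQUE_CATEGORY.get(rec.technique)
    if category is None:
        findings.append("UNKNOWN_TECHNIQUE")
        return findings

    # 2. Degaussing flash media does not sanitize it.
    if rec.technique == "degauss" and rec.media_type not in MAGNETIC_MEDIA:
        findings.append("DEGAUSS_ON_NON_MAGNETIC")

    # 3. The achieved category must meet the minimum for the data present.
    required = MIN_CATEGORY.get(rec.data_label, "destroy")
    if RANK[category] < RANK[required]:
        findings.append("BELOW_REQUIRED_CATEGORY")

    # 4. Remarketing is incompatible with data that requires Destroy.
    if rec.remarket and required == "destroy":
        findings.append("REMARKET_NOT_SUPPORTED")

    # 5. A recorded verification result must be a pass.
    if rec.verification and rec.verification != "pass":
        findings.append("VERIFICATION_FAILED")

    return findings


def audit_batch(records: List[DestructionRecord]) -> Dict[str, List[str]]:
    """Map each serial to its findings."""
    return {r.serial: audit_record(r) for r in records}


def releasable(records: List[DestructionRecord]) -> List[str]:
    """Serials whose records support issuing a certificate."""
    return [s for s, f in audit_batch(records).items() if not f]


# Constructed sample records (not real assets).
D = date(2025, 10, 1)
SAMPLE = [
    DestructionRecord("SN-0001", "hdd", "spi", "shred", "op-17", D, "pass"),
    DestructionRecord("SN-0002", "nvme", "general", "degauss", "op-17", D, "pass"),
    DestructionRecord("SN-0003", "ssd", "cmia", "crypto_erase", "op-22", D, "pass",
                      remarket=True),
    DestructionRecord("SN-0004", "hdd", "general", "overwrite", "", D, "fail"),
    DestructionRecord("SN-0005", "tape", "general", "degauss", "op-22", D, "pass"),
]

if __name__ == "__main__":
    for serial, found in audit_batch(SAMPLE).items():
        print(serial, "OK" if not found else ", ".join(found))
```
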

California E-Waste, Hazardous Waste, and Environmental Compliance

California operates the most comprehensive state electronics-recycling regime in the United States. The Electronic Waste Recycling Act of 2003 (SB 20) codified at Cal. Pub. Res. Code §§ 42460–42486 established a first-of-its-kind advance-recovery-fee architecture: consumers pay a fee of $5 to $7 at point of sale on Covered Electronic Devices (CEDs, defined as video display devices with screens greater than 4 inches), and the fee fund pays approved collectors and recyclers to manage end-of-life CEDs. CalRecycle administers the funding and collector/recycler approval program; the Department of Toxic Substances Control (DTSC) administers the hazardous-waste regulatory side under the Hazardous Waste Control Law.

Enterprise / commercial equipment covered by the California e-waste program: PARTIAL. California Electronic Waste Recycling Act (SB 20, Pub. Res. Code § 42463 et seq.) covers CEDs (covered electronic devices) under an advance recovery fee model; enterprise bulk disposal of non-CED IT assets routes through 22 CCR Division 4.5 hazardous-waste rules administered by DTSC. California is an EPA-authorized state administering its own RCRA Subtitle C hazardous-waste program through 22 CCR Division 4.5; the state program operates at the federal floor unless explicitly more stringent.

Battery-embedded products (a category that has grown to include modern laptops, tablets, and many IoT devices) were addressed by SB 1215 (2022), which extended product-stewardship requirements. The California Right to Repair Act (SB 244) effective July 1, 2024, layers parts-availability and documentation duties on top of the existing e-waste regime; each repair event creates a mid-life data-destruction touchpoint when storage media is swapped.

The Hazardous Waste Control Law is codified at Cal. Health & Safety Code Div. 20, Ch. 6.5 (§§ 25100 et seq.) with implementing rules at Title 22 CCR Div. 4.5. California recognizes a broader set of hazardous wastes than federal RCRA (California-only hazardous wastes), and DTSC enforcement penalties run up to $25,000 per day per violation with criminal liability for knowing violations. Universal Waste rules at Title 22 CCR § 66273 cover batteries, lamps, mercury equipment, aerosol cans, mercury thermostats, and electronic devices. Title 22 CCR § 66273.4 specifically lists CRTs and other discarded electronic devices as universal wastes. Enterprise IT asset retirement routes through certified electronics recycling with environmental disposition records and, where applicable, hazardous-waste manifests.

Regulated Asset Types and Enterprise Scenarios

Servers and Storage Arrays

Server hardware and enterprise storage arrays contain operating-system data, application data, log files, configuration files with credentials, and database content. Certified server recycling covers the full asset including drive bays, controller cards, and embedded firmware storage. Where servers handled CCPA/CPRA Sensitive Personal Information, CMIA medical information, biometric template files, or covered defense information, every drive in the chassis must be sanitized to the Destroy category under NIST 800-88 Rev. 2 before custody transfer to satisfy the Cal. Civ. Code § 1798.81 outcome standard.

End-User Computing Assets

Laptops, desktops, and workstations carry the largest concentration of personal information by volume because they are the primary processing surface for end-user data. Certified laptop recycling and certified computer recycling route through the same chain-of-custody framework as server hardware, with the additional consideration that end-user devices frequently contain locally cached credentials and authentication tokens that must be sanitized to NIST 800-88 Clear or Purge before remarketing or to Destroy before recycling.

Mobile Devices

Mobile phones and tablets present a distinct disposition profile. Internal storage is flash-based and not degaussable; cryptographic erase (Purge) or physical destruction (Destroy) are the audit-defensible methods. Certified cell phone recycling includes verified erase of internal flash and handling of embedded SIM and eSIM material containing subscriber identifiers.

Equipment Destruction and Product-Recall Scenarios

For non-data enterprise hardware including prototypes, defective products, and regulated equipment that must be irrevocably destroyed rather than recycled, secure equipment destruction covers the chain from custody pickup to verified destruction. Product-recall scenarios (regulatory recall, voluntary recall, customer-driven recall) are handled through product recall management. Defective product destruction applies where retained inventory must be destroyed to prevent gray-market distribution. Classified equipment destruction applies where the asset itself is regulated content, including DoD-marked hardware subject to DFARS or items subject to export control.

Enforcement, Penalties, and Audit Risk

California enforcement operates across the CPPA, the Attorney General, CalRecycle, DTSC, and federal regulators with concurrent jurisdiction. The audit-reconstruction-of-events standard is operative: the regulator’s question is not “did you intend compliance” but “can you produce, on demand, the documentation that demonstrates compliance at each step of asset retirement, data destruction, and downstream recycling.”

Recent Enforcement Actions

In August 2022, the California Attorney General settled with Sephora for $1.2 million in the first CCPA enforcement action, alleging failure to disclose the sale of personal information and to honor opt-out signals. In February 2024, the AG settled with DoorDash for $375,000 in a stacked CCPA/CalOPPA action involving marketing-cooperative data flows. In September 2024, the AG settled with Tilting Point Media for $500,000 over collection of minor data without parental opt-in. In March 2025, the CPPA brought its first lead-agency enforcement action under CPRA, settling with American Honda Motor Co. for $632,500 over CCPA opt-out procedures.

Statutory Penalty Schedule

| Statute / Authority | Civil Penalty Band | Private Right of Action | Enforcer |
| --- | --- | --- | --- |
| CCPA/CPRA (Cal. Civ. Code § 1798.155) | $2,500 per violation; $7,500 per intentional or minor-involving violation | LIMITED (Cal. Civ. Code § 1798.150 narrow PRA for specific data breaches with statutory damages $100-$750 per consumer per incident) | CPPA + Attorney General |
| CCPA Private Right (Cal. Civ. Code § 1798.150) | $100–$750 per consumer per incident or actual damages | NO (AG-only; CPPA can issue administrative penalties) | Private parties |
| Cal. Civ. Code § 1798.81 (records disposal) | Actual damages plus equitable relief under Cal. Civ. Code § 1798.84 | NO (AG-only) | Private parties; AG |
| CMIA (Cal. Civ. Code §§ 56–56.37) | Up to $1,000 negligent / $25,000 willful per individual; punitive damages | YES (Cal. Civ. Code § 56.36 private cause of action for CMIA violations) | CDPH; CDI; AG; private parties |
| SB 244 (Right to Repair) | $1,000 first violation; $2,500 subsequent; $5,000 each subsequent after notice | NO (AG and DTSC enforcement) | Cities, counties, AG |
| Title 22 CCR (HWCL) | Up to $25,000 per day per violation; criminal liability | LIMITED (HIPAA private actions) | DTSC + DA referrals |
| HIPAA (federal overlay) | Up to $2,067,813 per identical violation per year (2025 adjusted) | LIMITED (HIPAA private actions) | HHS OCR |

State Sectoral Regulators and Audit Authority

In addition to the California Attorney General and the California environmental agency, state-level sectoral regulators hold audit and inquiry authority over IT-asset-disposition-relevant controls within their regulated populations. The California Department of Financial Protection and Innovation examines banks and credit unions for GLBA-aligned information-security-program controls. The California Department of Insurance examines insurance licensees for the written information security program required by the NAIC Insurance Data Security Act or state-equivalent. The California Department of Public Health examines healthcare entities for HIPAA Security Rule compliance. The California Bureau for Private Postsecondary Education and CSU/UC systems oversee FERPA-overlapping records and student-data-privacy duties at state institutions of higher education. The California Public Utilities Commission examines investor-owned utilities for customer-data-protection controls. Each sectoral regulator can issue document requests, on-site examinations, or consent orders that probe the chain-of-custody, sanitization-certificate, and environmental-disposition records produced during IT asset retirement.

Documentation, Chain of Custody, and Audit-Ready Proof

California enforcement under the CCPA private right of action, the CPPA administrative regime, and the Attorney General turns on documented destruction evidence, and the $750-per-record statutory minimum under Cal. Civ. Code § 1798.150 makes the absence of a serialized Certificate of Destruction directly monetizable for plaintiffs. The packet has six components: a serialized asset inventory, a chain-of-custody log running from internal pickup to certified destruction, a Certificate of Data Destruction per device with method and verification, a Certificate of Recycling with environmental disposition through CalRecycle-approved channels, a hazardous-waste manifest where applicable, and the underlying contracted-service safeguard terms with the certified destruction provider. Where CCPA/CPRA right-to-delete requests have been processed, the destruction record links the deletion request to the underlying media disposition. Where CMIA-covered medical information is present, the record links the destruction to the covered entity’s HIPAA accounting of disclosures.

How All Green Recycling Operationalizes California Compliance

IT Asset Disposition

All Green Recycling operates certified IT asset disposition structured around California’s layered statutory duty surface. Asset pickup is scheduled with a documented chain of custody, secured transport through IT equipment packaging and transportation, certified data destruction or sanitization at the receiving facility, environmental disposition, and audit-ready reporting. Where remarketing is in scope, asset remarketing recovers residual value while preserving the data-destruction chain of custody.

Secure Data Destruction

All Green Recycling’s secure data destruction service line is structured to satisfy the Cal. Civ. Code § 1798.81 outcome standard and align to NIST SP 800-88 Rev. 2. Method selection is driven by media type and data sensitivity (CCPA/CPRA SPI, CMIA medical information, federal-overlay covered defense information), with documented verification per device and a serialized Certificate of Destruction.

Certified Electronics Recycling

Certified electronics recycling diverts retired electronic assets from landfill through CalRecycle-approved collector/recycler channels that satisfy the Electronic Waste Recycling Act of 2003 and DTSC Title 22 CCR hazardous-waste rules. R2v3, NAID AAA, and e-Stewards frameworks are used as reference frameworks for downstream-handler accountability; environmental disposition records are produced per engagement.

Secure Equipment Destruction

For regulated hardware that must be destroyed rather than recycled, secure equipment destruction covers product-recall management, defective-product destruction, and classified-equipment destruction. The chain-of-custody record is structured for direct delivery to a regulator, an OEM, or a prime contractor.

Reverse Logistics and Chain-of-Custody Tracking

Reverse logistics covers multi-site enterprise pickups, manufacturer return programs, Right-to-Repair mid-life servicing returns, and customer-driven returns where the asset must be tracked from origin to disposition with serialized records at each handover.

Audit-Ready Reporting

Every engagement produces a uniform documentation package delivered through IT asset reporting: serialized asset list, chain-of-custody log, Certificate of Data Destruction, Certificate of Recycling, environmental disposition record, hazardous-waste manifest where applicable, and HIPAA / GLBA / FTC Safeguards documentation entries where the federal overlay applies. The documentation package is structured for direct delivery to compliance, legal, audit, CPPA examination, AG inquiry, and DTSC inspection teams without reformatting.

Frequently Asked Questions

The questions below are the questions enterprise compliance, security, audit, and procurement leaders ask during vendor evaluations, RFP reviews, and breach-response planning when a Retired Electronic Asset is moving through IT Asset Disposition in California. Answers are statute-anchored, declaration-first, and scoped to the operational decisions a Chief Compliance Officer, Chief Information Security Officer, IT Director, in-house counsel, or procurement lead actually makes.

What is California’s breach-notification deadline?

Under Cal. Civ. Code § 1798.82, notice to affected California residents must occur in the most expedient time possible and without unreasonable delay. Notice to the California Attorney General is required when more than 500 California residents are affected. The Cal. Civ. Code § 1798.150 private right of action authorizes statutory damages of $100 to $750 per consumer per incident for breaches involving unencrypted/unredacted personal information in certain categories.

Does the California records-disposal statute prescribe a specific destruction method?

No. Cal. Civ. Code § 1798.81 is outcome-anchored: personal information must be rendered “unreadable or undecipherable” by shredding, erasing, or otherwise modifying it. The audit-defensible posture is alignment to NIST SP 800-88 Rev. 2 Clear / Purge / Destroy categories through certified data destruction with verification per device.

How does CCPA/CPRA right-to-delete interact with retired hardware?

A right-to-delete request under Cal. Civ. Code § 1798.105 must be honored across the data lifecycle, including data resident on retired media. The audit-defensible posture is to integrate the deletion-request workflow with the asset-retirement workflow so that the documented destruction record links the deletion request to the underlying media disposition. Certified IT asset disposition engagements produce a destruction record per device that supports that integration.

What is the Sensitive Personal Information category under CPRA, and how does it apply to retired devices?

Sensitive Personal Information under Cal. Civ. Code § 1798.140(ae) covers Social Security number, driver’s license, financial-account credentials with access codes, precise geolocation, racial or ethnic origin, religious beliefs, union membership, contents of mail/email/text messages, genetic data, biometric information processed for unique identification, health information, and information about a consumer’s sex life or sexual orientation. Retired hardware that has processed any SPI category must be sanitized to the NIST 800-88 Purge or Destroy category before custody transfer to support the right-to-limit-use-of-SPI under Cal. Civ. Code § 1798.121.

Does CMIA add destruction obligations beyond HIPAA for California enterprises?

Yes. The Confidentiality of Medical Information Act covers categories of California medical-information custodians that are not HIPAA-covered entities (including software companies and pharmacy benefit managers), and AB 352, effective July 1, 2024, extended CMIA to reproductive and gender-affirming care information. The stricter of CMIA or HIPAA governs; the audit-defensible posture is alignment to NIST 800-88 Rev. 2 Destroy for media that has processed medical information.

How does California’s SB 20 e-waste program interact with enterprise IT asset retirement?

The Electronic Waste Recycling Act of 2003 (SB 20) establishes a consumer-side advance-recovery-fee architecture for Covered Electronic Devices (screens greater than 4 inches). Enterprise IT asset retirement still routes through CalRecycle-approved collector/recycler channels and DTSC-regulated hazardous-waste handling at Title 22 CCR Div. 4.5. Enterprises do not pay the consumer-side recovery fee at retirement, but the downstream processor must be CalRecycle-approved. Certified electronics recycling routes through that approved channel.

Does our enterprise have generator liability under California’s Hazardous Waste Control Law for retired electronics?

Yes. The Hazardous Waste Control Law at Cal. Health & Safety Code Div. 20 Ch. 6.5 and Title 22 CCR Div. 4.5 retains cradle-to-grave generator liability. California recognizes a broader set of hazardous wastes than federal RCRA (California-only hazardous wastes), and CRTs and other discarded electronic devices are listed as universal wastes under Title 22 CCR § 66273.4. DTSC enforcement runs up to $25,000 per day per violation with criminal liability for knowing violations.

How does California’s Right to Repair Act affect data-destruction obligations?

The Right to Repair Act (SB 244), effective July 1, 2024, requires manufacturers to provide repair parts, tools, and documentation. The practical compliance implication for enterprise IT teams is that mid-life servicing events (drive swaps, board replacements) become more frequent and create additional data-destruction touchpoints. Storage media and components containing residual data must integrate with the asset-disposition chain of custody through reverse logistics so that the swapped-out components reach the certified-destruction outcome.

What is the Delete Act (SB 362), and how does it affect our enterprise?

The Delete Act (SB 362) creates the Data Broker Requests and Opt-Out Platform (DROP), a one-stop deletion-request mechanism operated by the CPPA. The statute takes effect August 1, 2026. Registered data brokers under Cal. Civ. Code § 1798.99.80 must accept and process the consolidated deletion requests. For enterprises that are not data brokers, the Delete Act increases the volume and pace of CCPA/CPRA right-to-delete requests propagating through the data-supply chain, and the documented destruction record from IT asset reporting remains the audit-defensible proof of compliance.

What is All Green Recycling’s certification posture for California enterprise engagements?

All Green Recycling holds ISO 14001:2015 (environmental management) and ISO 45001:2018 (occupational health and safety) certifications and operates with alignment to R2v3, NAID AAA, and e-Stewards as reference frameworks for downstream-handler accountability and certified data destruction. NIST SP 800-88 Rev. 2, HIPAA, CMIA, CCPA/CPRA, GLBA, FTC Safeguards, FAR 52.204-21, and DFARS 252.204-7012 are operative baselines that certified IT asset disposition engagements are structured to satisfy.

What documentation should we expect from a California enterprise engagement on examination by a regulator?

Every engagement produces a documentation packet that includes a serialized asset list, chain-of-custody log, Certificate of Data Destruction per device, Certificate of Recycling through CalRecycle-approved channels, environmental disposition record, hazardous-waste manifest where applicable, and the contracted-service safeguard terms. The packet is structured for direct delivery to the CPPA, the California Attorney General, CalRecycle, DTSC, HHS OCR, the FTC, a customer auditor, or a prime contractor without reformatting.

Are missing or stolen unencrypted devices considered a breach under the California Civil Code?

Yes. Cal. Civ. Code § 1798.82 defines breach to include unauthorized acquisition of computerized data, which extends to physical loss of unencrypted media.

What is California’s safe-harbor posture for encrypted assets and NIST 800-88 sanitization?

Cal. Civ. Code § 1798.82(h)(2) provides an encryption safe harbor; verified NIST SP 800-88 Revision 2 sanitization removes personal information from the breach trigger.

California Compliance as Risk Management

California IT asset retirement is a layered risk-management discipline, not a recycling transaction. Compliant retirement is the ability to prove, under scrutiny, that data was rendered unreadable or undecipherable before custody transfer, that CCPA/CPRA right-to-delete and right-to-limit-use-of-SPI obligations propagated to retired media, that medical information covered by CMIA reached the stricter destruction outcome, that downstream processing routed through CalRecycle-approved DTSC-regulated channels, and that the Right to Repair regime’s mid-life servicing events integrated with the chain-of-custody continuity.

CCPA/CPRA per-violation civil penalties, CCPA private statutory damages, CMIA per-individual penalties, DTSC daily civil penalties with criminal liability, HIPAA federal overlay, FTC Safeguards Rule, and audit-driven counterparty review converge on the same set of records: serialized destruction logs, chain-of-custody continuity, environmental disposition evidence, hazardous-waste manifests where applicable, and contracted-service safeguard terms. Enterprises that operationalize that record set carry a defensible compliance posture across regulator inquiry, audit cycle, and incident response.

California compliance is best treated as a continuous control posture rather than a periodic disposal event. All Green Recycling, LLC operationalizes that posture through IT asset disposition, secure data destruction, certified electronics recycling, secure equipment destruction, reverse logistics, and audit-ready reporting. Compliance, security, and procurement teams that need a California-specific audit walkthrough or an RFP-ready compliance package reach the All Green Recycling response desk at (800) 780-0347.