Delaware IT Asset Disposition (ITAD), Data Destruction, and Electronics Recycling Compliance

Delaware’s Personal Data Privacy Act (DPDPA, effective January 1, 2025) and the Online Privacy and Protection Act apply to far more in-state enterprises than the typical comprehensive privacy law because Delaware’s low covered-entity thresholds reach mid-market employers as well as Fortune 500 headquarters. Use the Enterprise Compliance Reference below as a one-table executive briefing; the sections that follow walk through every Delaware duty, regulator, and penalty band with statute citation and recent enforcement context.

Delaware Enterprise Compliance Reference

| Compliance Topic | What Delaware Requires | Who Enforces | Penalty Band | What All Green Recycling Provides |
|---|---|---|---|---|
| 1. Breach Notification | Notice to Delaware residents within 60 days; AG notice if 500+ residents affected; 12-month free credit monitoring for SSN breaches under 6 Del. C. § 12B-102. | Delaware Attorney General | Up to $10,000 per violation via Consumer Fraud Act | Certified media shredding with serialized Certificate of Destruction. |
| 2. Reasonable Security | Reasonable security to protect personal information from unauthorized access, use, modification, disclosure, or destruction under 6 Del. C. § 12B-100. | Delaware AG | Up to $10,000 per violation via CFA | Certified data destruction aligned to NIST SP 800-88 Rev. 2. |
| 3. Records Disposal | Reasonable steps to destroy by shredding, erasing, or otherwise destroying or modifying personal identifying information to make it entirely unreadable or indecipherable through any means under 6 Del. C. § 5002C. | Delaware AG | Up to $10,000 per violation via CFA | Certified data wiping aligned to NIST Clear / Purge. |
| 4. Delaware Personal Data Privacy Act | Controller and processor obligations including opt-in consent for sensitive data (biometric, health, child) effective January 1, 2025 under 6 Del. C. § 12D-101 et seq. | Delaware AG | Up to $10,000 per violation; cure period ends Dec 31, 2025 | Hard drive shredding for biometric or sensitive-data media. |
| 5. Hazardous & Universal Waste | RCRA-delegated state program under 7 Del. Admin. Code 1300 (DRGHW); universal-waste rules at DRGHW Part 273; CRT rules at 40 C.F.R. § 261.39. | DNREC Waste & Hazardous Substances Division | Up to $10,000/day under 7 Del. C. § 6005 | Certified electronics recycling with environmental disposition record. |
| 6. Federal Overlay & Audit Posture | HIPAA, FTC Safeguards, GLBA, FAR 52.204-21, DFARS 252.204-7012; documented Certificate of Destruction, chain-of-custody, environmental disposition. | HHS OCR, FTC, federal prime contractors | HIPAA up to $2.067M per identical violation per year (2025) | IT asset reporting packaged for compliance, legal, and audit teams. |

Delaware Compliance Reality

Delaware’s privacy compliance regime is concentrated in the Delaware Personal Data Privacy Act (effective January 1, 2025), the breach-notification and reasonable-security duties at 6 Del. C. §§ 12B-100 to 12B-104, and the records-disposal duty at 6 Del. C. § 5002C. Disposition of a Retired Electronic Asset in Delaware is governed by (1) 6 Del. C. § 12B-102, which imposes a 60-day notification deadline and one year of free credit monitoring when a Social Security number is involved, (2) 6 Del. C. § 12B-100, which requires reasonable security across the data life cycle, (3) 6 Del. C. § 5002C, which establishes the “entirely unreadable or indecipherable through any means” destruction outcome, (4) the Delaware Personal Data Privacy Act with sensitive-data and controller obligations, (5) the DNREC hazardous-waste rules at 7 Del. Admin. Code 1300, and (6) federal sector overlays. Delaware does not operate a statewide manufacturer-takeback EPR program. Audit defensibility is the ability to reconstruct each step of asset retirement across that duty surface on demand.

Delaware and Federal Compliance Interaction

Delaware’s heavy Fortune 500 incorporation footprint means the federal HIPAA, GLBA, FTC Safeguards, FAR 52.204-21, DFARS 252.204-7012, and CMMC 2.0 regimes already cover most data-handling in the state, and DPDPA layers on top of that federal floor rather than displacing it. A regulated enterprise must satisfy the stricter of (1) Delaware statutes including § 12B-102 (60-day notice + 1-yr credit monitoring), § 12B-100 (reasonable security), § 5002C (records disposal), and the DPDPA, (2) federal sector rules including the HIPAA Security Rule, the FTC Safeguards Rule, GLBA, FAR 52.204-21, and DFARS 252.204-7012, and (3) customer or prime-contract clauses. DPDPA exempts HIPAA-covered protected health information and GLBA-covered financial information from most controller obligations, but the § 5002C disposal outcome and the § 12B-102 breach-notice deadline apply regardless of federal sector status.

Delaware Preemption Matrix (Federal Floor vs. State Posture)

The preemption matrix below states, for each federal regime that touches enterprise IT asset disposition in Delaware, whether Delaware law is preempted by, equal to, or exceeds the federal floor, and where it exceeds, the specific stricter element.

| Federal Regime | Delaware Posture | Stricter Element (if any) |
|---|---|---|
| HIPAA Security Rule (45 CFR Part 164 Subpart C) | equals | Federal regime controls; state law does not exceed the federal floor. |
| GLBA / FTC Safeguards Rule (16 CFR Part 314) | Delaware exceeds | 18 Del. C. § 8601 (NAIC Insurance Data Security adoption) imposes a written information security program with annual board certification. |
| FACTA Disposal Rule (16 CFR § 682.3) | Delaware exceeds | 6 Del. C. § 5001C imposes specific disposal-method duty; § 12B-102 imposes 60-day breach notification with 12 months credit monitoring for SSN exposure. |
| DFARS 252.204-7012 / FAR 52.204-21 / CMMC 2.0 (32 CFR Part 170) | equals | Federal regime controls for federal contractors; CMMC 2.0 effective December 16, 2024 applies through prime-contractor flow-down. |
| RCRA Subtitle C (40 CFR Parts 260-279) | equals | 7 DE Admin. Code 1302 implements RCRA Subtitle C; state administers EPA-authorized program at the federal floor. |

NIST SP 800-171 Revision 3 (May 2024 final) is the operative federal CUI sanitization baseline for federal-contractor environments, and CMMC 2.0 (32 CFR Part 170, effective December 16, 2024) is the operative DoD contractor framework that enforces the NIST 800-171 control set through assessment-based compliance levels. Federal contractors operating in Delaware must satisfy CMMC 2.0 in addition to Delaware state law.

Delaware Data Security, Privacy, and Disposal Obligations

6 Del. C. § 12B-102 — 60-Day Breach Notification + 12-Month Credit Monitoring

6 Del. C. § 12B-102 imposes a 60-day notification deadline to affected Delaware residents after determination of a breach. The covered entity must also notify the Delaware Attorney General within 60 days if a breach affects more than 500 Delaware residents. The statute requires 12 months of free identity-theft prevention and credit monitoring services when a Social Security number was involved in the breach, materially increasing post-breach cost exposure for organizations that fail to sanitize SSN-bearing media before custody transfer.

6 Del. C. § 12B-100 — Reasonable Security

6 Del. C. § 12B-100 requires any person who conducts business in Delaware and owns, licenses, or maintains personal information to implement and maintain reasonable security to protect personal information from unauthorized access, use, modification, disclosure, or destruction. The reasonable-security duty extends across the chain of custody during IT asset retirement.

6 Del. C. § 5002C — Records Disposal

6 Del. C. § 5002C requires each commercial entity that conducts business in Delaware and owns or licenses personal identifying information of a Delaware resident, and each person who, on behalf of a commercial entity, destroys or arranges for the destruction of such records, to take all reasonable steps to destroy or arrange for the destruction of records containing personal identifying information that is no longer to be retained by the commercial entity by shredding, erasing, or otherwise destroying or modifying the personal identifying information in those records to make it entirely unreadable or indecipherable through any means.

Delaware Personal Data Privacy Act (DPDPA)

The Delaware Personal Data Privacy Act (effective January 1, 2025) applies to controllers conducting business in Delaware or producing products targeted to Delaware residents that during the preceding calendar year controlled or processed personal data of 35,000+ consumers, or 10,000+ consumers with 20% or more of gross revenue from sale of personal data. The DPDPA sensitive-data category includes biometric and genetic data processed to uniquely identify an individual, mental and physical health condition or diagnosis, sexual orientation, citizenship or immigration status, personal data from a known child, precise geolocation, status as transgender or nonbinary, and status as victim of crime. Sensitive data requires opt-in consent. The 60-day cure period sunsets on December 31, 2025; enforcement is automatic thereafter.

Delaware Public-Sector IT Disposal Posture

Delaware state agencies retire IT assets under Delaware Department of Technology and Information (DTI) policy. The operative controls include the Delaware State Information Security Policy, DTI cybersecurity standards, Government Support Services surplus property, and Delaware Public Archives records retention schedules. Public-sector retirement requires permanent removal of data before transfer or surplus, documented chain of custody, records-retention-schedule alignment for any records-bearing media, and surplus-property routing through the state’s authorized disposal channel. Private-sector enterprises that contract with the state, that operate in regulated public-sector-adjacent industries (higher education, K-12, state-funded healthcare), or that subcontract to state agencies inherit these duties through contract flow-down. See Delaware Department of Technology and Information (DTI) policy guidance.

Delaware Insurance Data Security Act (NAIC Insurance Data Security Adoption)

Delaware has adopted the NAIC Insurance Data Security Model Law at 18 Del. C. § 8601 et seq. (effective July 31, 2019). The statute imposes a written information security program duty on insurance licensees, brokers, and third-party service providers; mandates annual board certification of the program; prescribes incident-notification windows to the state insurance commissioner; and requires risk-based assessment of third-party service-provider controls. Retired Electronic Assets in scope (workstations, servers, backup media, and any device storing nonpublic information of insureds) must be retired under documented chain of custody with verified sanitization, and the destruction certificate must be retained as part of the program’s audit trail.

Delaware Student Data Privacy Protection Act (Student-Data Privacy)

Delaware’s student-data privacy statute at 14 Del. C. § 8101A et seq. regulates K-12 ed-tech operators that collect, store, or process covered student information. The statute imposes data-minimization, retention-limit, destruction-on-termination, and prohibition-on-secondary-use duties. School districts, charter schools, higher-education institutions in scope, and ed-tech service providers retiring devices that have held covered student records must verify data destruction under Delaware’s outcome standard and retain the destruction certificate.

Data Destruction and Media Sanitization Expectations

6 Del. C. § 5002C prescribes an outcome (entirely unreadable or indecipherable through any means) and remains method-agnostic. The operative method baseline is NIST Special Publication 800-88 Revision 2 (operative September 26, 2025), which categorizes media sanitization as Clear, Purge, and Destroy. Delaware state agencies follow the Delaware Department of Technology and Information (DTI) cybersecurity standards.

Hard Drive Shredding

Delaware-resident personal data on fixed magnetic and solid-state media requires the NIST 800-88 Rev. 2 Destroy outcome, because the 60-day breach-notice clock under 6 Del. C. § 12B-102 starts the moment unencrypted media leaves enterprise custody. Hard drive shredding reduces magnetic and solid-state media to particles small enough that data reconstruction is forensically impossible.

Certified Data Wiping

Certified data wiping aligned to NIST 800-88 Clear or Purge is appropriate where the asset is being remarketed or redeployed.

Media Degaussing

Media degaussing is the appropriate Purge method for legacy magnetic media. SSDs, NVMe, and modern flash media require cryptographic erase (Purge) or physical destruction (Destroy).

Certified Media Shredding

Certified media shredding covers non-drive media including optical disks, tape cartridges, USB drives, memory cards, smart cards, and any printed material containing personal identifying information subject to § 5002C.

Delaware E-Waste, Hazardous Waste, and Environmental Compliance

Delaware does not operate a statewide manufacturer-takeback or EPR program for electronics. Enterprise IT asset retirement in Delaware routes through the federal RCRA-delegated state hazardous-waste program administered by the Delaware Department of Natural Resources and Environmental Control (DNREC) Waste & Hazardous Substances Division under 7 Del. Admin. Code 1300 (Delaware Regulations Governing Hazardous Waste, DRGHW). Hazardous-waste characterization follows the federal toxicity characteristic for lead, mercury, cadmium, and chromium.

Enterprise / commercial equipment covered by the Delaware e-waste program: NO. Delaware has no state e-waste EPR program; enterprise IT asset retirement routes through 7 DE Admin. Code 1302 hazardous-waste rules. Delaware is an EPA-authorized state administering its own RCRA Subtitle C hazardous-waste program through 7 DE Admin. Code 1302; the state program operates at the federal floor unless explicitly more stringent.

Universal-waste rules at DRGHW Part 273 cover batteries, lamps, mercury-containing equipment, mercury thermostats, and paint. Generator status follows the federal VSQG / SQG / LQG framework; cradle-to-grave generator liability applies. Civil penalties under 7 Del. C. § 6005 run up to $10,000 per day per violation. The Delaware Universal Recycling Law (7 Del. C. ch. 60E) imposes broad recycling obligations but does not create an electronics EPR. Enterprise IT asset retirement routes through certified electronics recycling with environmental disposition records and, where applicable, hazardous-waste manifests.

Regulated Asset Types and Enterprise Scenarios

Servers and Storage Arrays

Server hardware and enterprise storage arrays contain operating-system data, application data, log files, configuration files with credentials, and database content. Certified server recycling covers the full asset including drive bays, controller cards, and embedded firmware storage. Every drive in the chassis must be sanitized to the Destroy category under NIST 800-88 Rev. 2 before custody transfer when protected health information, financial-account information, biometric records, Social Security numbers, or covered defense information was processed.

End-User Computing Assets

Certified laptop recycling and certified computer recycling route through the same chain-of-custody framework as server hardware.

Mobile Devices

Certified cell phone recycling includes verified erase of internal flash and handling of embedded SIM and eSIM material.

Equipment Destruction and Product-Recall Scenarios

Secure equipment destruction covers prototypes, defective products, and regulated equipment. Product recall management, defective product destruction, and classified equipment destruction cover specialized scenarios.

Enforcement, Penalties, and Audit Risk

Delaware enforcement is concentrated at the Delaware Attorney General Consumer Protection Unit (privacy statutes and DPDPA), DNREC (hazardous-waste violations), and federal regulators with concurrent jurisdiction. Delaware has been an active multistate participant in recent cyber actions (TikTok 2024, Marriott 2024, Equifax 2019). The audit-reconstruction-of-events standard is operative.

Statutory Penalty Schedule

| Statute / Authority | Civil Penalty Band | Private Right of Action | Enforcer |
|---|---|---|---|
| 6 Del. C. § 12B-102 (60-day notice + 12-mo credit monitoring) | Enforceable through CFA up to $10,000 per violation | NO (AG-only) | Delaware AG |
| 6 Del. C. § 12B-100 (reasonable security) | Enforceable through CFA | NO (Insurance Department enforcement) | Delaware AG |
| 6 Del. C. § 5002C (records disposal) | Enforceable through CFA | NO (AG-only under DPDPA) | Delaware AG |
| Delaware Personal Data Privacy Act | Up to $10,000 per violation; cure period ends Dec 31, 2025 | NO (DNREC enforcement) | Delaware AG |
| 7 Del. C. § 6005 (hazardous waste) | Up to $10,000 per day per violation | NO (Department of Education enforcement) | DNREC |
| HIPAA (federal overlay) | Up to $2,067,813 per identical violation per year (2025 adjusted) | LIMITED (HIPAA private actions) | HHS OCR |

State Sectoral Regulators and Audit Authority

In addition to the Delaware Attorney General and the Delaware environmental agency, state-level sectoral regulators hold audit and inquiry authority over IT-asset-disposition-relevant controls within their regulated populations. The Delaware Office of the State Bank Commissioner examines banks and credit unions for GLBA-aligned information-security-program controls. The Delaware Department of Insurance examines insurance licensees for the written information security program required by the NAIC Insurance Data Security Act or state-equivalent. The Delaware Department of Health and Social Services examines healthcare entities for HIPAA Security Rule compliance. The Delaware Department of Education and Delaware Higher Education Office oversee FERPA-overlapping records and student-data-privacy duties at state institutions of higher education. The Delaware Public Service Commission examines investor-owned utilities for customer-data-protection controls. Each sectoral regulator can issue document requests, on-site examinations, or consent orders that probe the chain-of-custody, sanitization-certificate, and environmental-disposition records produced during IT asset retirement.

Documentation, Chain of Custody, and Audit-Ready Proof

Delaware Department of Justice investigations under DPDPA and 6 Del. C. § 12B-101 build the violation from documentary evidence, and a Retired Electronic Asset without a serialized destruction record is treated as a presumptive failure of the “reasonable security procedures” duty. The § 12B-102 12-month credit-monitoring exposure makes pre-disposal SSN sanitization documentation a board-level priority.

How All Green Recycling Operationalizes Delaware Compliance

IT Asset Disposition

All Green Recycling operates certified IT asset disposition structured around Delaware’s statutory duty surface. Asset pickup is scheduled with a documented chain of custody, secured transport through IT equipment packaging and transportation, certified data destruction at the receiving facility, environmental disposition, and audit-ready reporting. Asset remarketing recovers residual value while preserving chain of custody.

Secure Data Destruction

All Green Recycling’s secure data destruction service line is structured to satisfy the 6 Del. C. § 5002C “entirely unreadable or indecipherable through any means” outcome standard and align to NIST SP 800-88 Rev. 2.

Certified Electronics Recycling

Certified electronics recycling diverts retired electronic assets from landfill through DNREC-authorized channels that satisfy DRGHW hazardous-waste characterization and universal-waste rules. R2v3, NAID AAA, and e-Stewards frameworks are used as reference frameworks for downstream-handler accountability.

Secure Equipment Destruction

Secure equipment destruction covers product-recall management, defective-product destruction, and classified-equipment destruction.

Reverse Logistics and Chain-of-Custody Tracking

Reverse logistics covers multi-site enterprise pickups, manufacturer return programs, and customer-driven returns.

Audit-Ready Reporting

Every engagement produces a uniform documentation package delivered through IT asset reporting: serialized asset list, chain-of-custody log, Certificate of Data Destruction, Certificate of Recycling, environmental disposition record, hazardous-waste manifest where applicable, and HIPAA / GLBA / FTC Safeguards documentation entries where the federal overlay applies.

Frequently Asked Questions

The questions below are the questions enterprise compliance, security, audit, and procurement leaders ask during vendor evaluations, RFP reviews, and breach-response planning when a Retired Electronic Asset is moving through IT Asset Disposition in Delaware.

What is Delaware’s breach-notification deadline?

Sixty days from determination of a breach. Under 6 Del. C. § 12B-102, notice must be given to affected Delaware residents within 60 days, and the Delaware Attorney General must be notified within 60 days if the breach affects more than 500 residents. Twelve months of free credit monitoring is required if a Social Security number was involved.

Why is the 12-month credit-monitoring requirement material to IT asset retirement?

A breach involving a Social Security number that escaped pre-disposal sanitization triggers a 12-month credit-monitoring obligation under § 12B-102. Pre-disposal NIST 800-88 Rev. 2 alignment through hard drive shredding eliminates this exposure.

When did the Delaware Personal Data Privacy Act take effect?

January 1, 2025. The DPDPA applies to controllers processing personal data of 35,000+ Delaware consumers per year, or 10,000+ consumers with 20%+ of gross revenue from sale of personal data. The 60-day cure period sunsets on December 31, 2025; enforcement is automatic thereafter.

Does the DPDPA treat biometric data as sensitive data?

Yes. The DPDPA sensitive-data category includes biometric and genetic data processed to uniquely identify an individual, alongside mental and physical health, sexual orientation, citizenship status, personal data of a known child, precise geolocation, transgender or nonbinary status, and crime-victim status. Opt-in consent is required for processing.

Does Delaware’s records-disposal statute prescribe a specific destruction method?

No. 6 Del. C. § 5002C requires reasonable steps to destroy by shredding, erasing, or otherwise destroying or modifying personal identifying information to make it entirely unreadable or indecipherable through any means. The audit-defensible posture is alignment to NIST SP 800-88 Rev. 2 through certified data destruction.

Does Delaware have a state-funded electronics-recycling program?

No. Delaware does not operate a statewide manufacturer-takeback or EPR program for electronics. Enterprise IT asset retirement routes through DNREC-authorized hazardous-waste channels and certified electronics recycling with environmental disposition records.

Does our enterprise carry generator liability for hazardous fractions of retired electronics?

Yes. 7 Del. Admin. Code 1300 (DRGHW) implements federal RCRA with cradle-to-grave generator liability. Civil penalties under 7 Del. C. § 6005 run up to $10,000 per day per violation.

Which media-sanitization standard does Delaware accept as audit-defensible?

NIST Special Publication 800-88 Revision 2 (operative September 26, 2025) is the federal civilian baseline. Delaware state agencies follow Delaware Department of Technology and Information (DTI) cybersecurity standards.

What is the maximum penalty for a Delaware privacy or disposal violation?

Violations of § 12B-102, § 12B-100, § 5002C, and the DPDPA are enforceable through the Delaware Consumer Fraud Act (6 Del. C. § 2511 et seq.) with civil penalties up to $10,000 per violation. The Delaware AG is the enforcement authority.

What is All Green Recycling’s certification posture for Delaware enterprise engagements?

All Green Recycling holds ISO 14001:2015 and ISO 45001:2018 certifications and operates with alignment to R2v3, NAID AAA, and e-Stewards as reference frameworks for downstream-handler accountability and certified data destruction. NIST SP 800-88 Rev. 2, HIPAA, GLBA, FTC Safeguards, FAR 52.204-21, and DFARS 252.204-7012 are operative baselines that certified IT asset disposition engagements are structured to satisfy.

How does the federal HIPAA / GLBA baseline interact with Delaware law?

A regulated enterprise must satisfy the stricter of (1) Delaware statutes including § 12B-102 (60-day notice + 12-mo credit monitoring), § 12B-100 (reasonable security), § 5002C (records disposal), and the DPDPA, (2) federal sector rules such as the HIPAA Security Rule and the FTC Safeguards Rule, and (3) customer or prime-contract clauses. DPDPA exempts HIPAA-protected health information and GLBA-covered financial data from most controller obligations, but the § 5002C disposal outcome and § 12B-102 breach-notice deadline apply regardless.

Is a lost or stolen unencrypted drive a reportable breach under Delaware’s TIPA?

Yes. 6 Del. C. § 12B-101 et seq. covers unauthorized acquisition of personal information, which extends to physical loss of unencrypted media.

Can verified sanitization or encryption remove an asset from Delaware’s breach-notification trigger?

Yes. § 12B-101 excludes encrypted data; NIST SP 800-88 Revision 2 verified sanitization removes personal information from the breach trigger.

Delaware Compliance as Risk Management

Delaware IT asset retirement is a layered risk-management discipline, not a recycling transaction. Compliant retirement is the ability to prove, under scrutiny, that data was rendered entirely unreadable or indecipherable through any means before custody transfer, that breach notice surfaced within 60 days of determination, that 12-month credit-monitoring exposure was eliminated through pre-disposal SSN sanitization, that downstream processing routed through DNREC-authorized channels, and that hazardous fractions were handled under the universal-waste rules. Consumer Fraud Act per-violation civil penalties, DPDPA enforcement (post-cure-period), DNREC daily penalties, HIPAA federal overlay, FTC Safeguards Rule, and audit-driven counterparty review converge on the same set of records.

Delaware compliance is best treated as a continuous control posture rather than a periodic disposal event. All Green Recycling, LLC operationalizes that posture through IT asset disposition, secure data destruction, certified electronics recycling, secure equipment destruction, reverse logistics, and audit-ready reporting. Compliance, security, and procurement teams that need a Delaware-specific audit walkthrough or an RFP-ready compliance package can reach the All Green Recycling response desk at (800) 780-0347.