Utah IT Asset Disposition (ITAD), Data Destruction, and Electronics Recycling Compliance

Retiring an electronic asset in Utah is not a disposal task; it is a regulated transfer and termination event for personal information, Sensitive Data, biometric identifiers, and hazardous fractions. The Utah Protection of Personal Information Act, the Utah Consumer Privacy Act, the UDEQ hazardous-waste and universal-waste rules, and the federal overlays of HIPAA, the FTC Safeguards Rule, and RCRA each impose duties that survive hardware retirement. The Enterprise Compliance Reference below is the 30-second answer; the sections that follow walk through every duty, every regulator, and every penalty band with cited statute and recent enforcement context.

Utah Enterprise Compliance Reference

| Compliance Topic | What Utah Requires | Who Enforces | Penalty Band | What All Green Recycling Provides |
| --- | --- | --- | --- | --- |
| 1. Data Security & Disposal (UPPIA) | Reasonable procedures and destruction by shredding/erasing/modifying to indecipherable under Utah Code § 13-44-201. | Utah Attorney General | Up to $2,500 per violation; up to $100,000 aggregate | Certified data destruction aligned to NIST SP 800-88 Rev. 2. |
| 2. Breach Notification (UPPIA) | Notice in “most expeditious time possible without unreasonable delay” under Utah Code § 13-44-202; CRA notice for 1,000+ residents. | Utah AG | Same band as 13-44-201 enforcement | Certified media shredding with serialized Certificate of Destruction. |
| 3. UCPA (Reasonable Security) | Reasonable administrative, technical, and physical data security under Utah Code § 13-61-302 for $25M+ revenue controllers handling 100K+ consumers (effective Dec 31, 2023). | Utah AG; Utah Division of Consumer Protection | Up to $7,500 per violation | Certified IT asset disposition reaching Sensitive Data at retirement. |
| 4. Biometric Data (UCPA) | Biometric data is “Sensitive Data” under Utah Code § 13-61-101(6) and (32); opt-in consent required for processing. | Utah AG | Same as UCPA band | Hard drive shredding for media that has processed biometric templates. |
| 5. Hazardous & Universal Waste | RCRA-delegated state program under Utah Admin. Code R315-260; universal-waste rules at R315-273; CRT rules at 40 C.F.R. § 261.39. | UDEQ | Up to $10,000/day under Utah Code § 19-6-112 | Certified electronics recycling with environmental disposition record. |
| 6. Federal Overlay & Audit Posture | HIPAA, FTC Safeguards, GLBA, FAR 52.204-21, DFARS 252.204-7012; documented Certificate of Destruction, chain-of-custody, environmental disposition. | HHS OCR, FTC, federal prime contractors | HIPAA up to $2.067M per identical violation per year (2025) | IT asset reporting packaged for compliance, legal, and audit teams. |

Utah Compliance Reality

Utah’s privacy compliance regime is structured around two state statutes: the Utah Protection of Personal Information Act (UPPIA, Utah Code Title 13, Chapter 44) and the Utah Consumer Privacy Act (UCPA, Title 13, Chapter 61, effective December 31, 2023). Asset retirement in Utah is governed by (1) Utah Code § 13-44-201, which requires reasonable procedures to prevent unlawful use or disclosure of personal information and to destroy records by shredding, erasing, or modifying them to make the information indecipherable, (2) Utah Code § 13-44-202, which requires breach notice in the most expeditious time possible without unreasonable delay, (3) UCPA § 13-61-302, which requires reasonable administrative, technical, and physical data security for $25M+ revenue controllers handling 100,000 or more Utah consumers (or 25,000+ if 50%+ revenue comes from personal-data sales), (4) the UCPA Sensitive Data category at § 13-61-101(32), which includes biometric data, mental or physical health condition (subject to HIPAA exemption), and specific geolocation, (5) the UDEQ-administered RCRA-delegated hazardous-waste program at Utah Admin. Code R315-260, and (6) the universal-waste rules at R315-273. Utah does not operate a statewide manufacturer-takeback or EPR program for electronics. Audit defensibility is the ability to reconstruct each step of asset retirement across that duty surface on demand.

Utah and Federal Compliance Interaction

Utah state law and federal sector rules operate as a layered compliance posture. A regulated enterprise must satisfy the stricter of (1) Utah statutes including UPPIA §§ 13-44-201 and 13-44-202 and UCPA §§ 13-61-301 through 13-61-401, (2) federal sector rules including the HIPAA Security Rule, the FTC Safeguards Rule, GLBA, FAR 52.204-21, and DFARS 252.204-7012, and (3) customer or prime-contract clauses. UCPA contains explicit exemptions for HIPAA, GLBA, FCRA, and FERPA-covered entities at § 13-61-102. UPPIA exempts financial institutions at § 13-44-103. For entities subject to a federal sector rule, the federal rule controls; for all other entities, UPPIA and UCPA are operative.

Utah Preemption Matrix (Federal Floor vs. State Posture)

The preemption matrix below states, for each federal regime that touches enterprise IT asset disposition in Utah, whether Utah law is preempted by, equal to, or exceeds the federal floor, and where it exceeds, the specific stricter element.

| Federal Regime | Utah Posture | Stricter Element (if any) |
| --- | --- | --- |
| HIPAA Security Rule (45 CFR Part 164 Subpart C) | equals | Federal regime controls; state law does not exceed the federal floor. |
| GLBA / FTC Safeguards Rule (16 CFR Part 314) | equals | Federal regime controls; state law does not exceed the federal floor. |
| FACTA Disposal Rule (16 CFR § 682.3) | Utah exceeds | Utah Code § 13-44-201 requires destruction or modification of records containing personal information. |
| DFARS 252.204-7012 / FAR 52.204-21 / CMMC 2.0 (32 CFR Part 170) | equals | Federal regime controls for federal contractors; CMMC 2.0 effective December 16, 2024 applies through prime-contractor flow-down. |
| RCRA Subtitle C (40 CFR Parts 260-279) | equals | Utah Admin. Code R315 implements RCRA Subtitle C; state administers EPA-authorized program at the federal floor. |

NIST SP 800-171 Revision 3 (May 2024 final) is the operative federal CUI sanitization baseline for federal-contractor environments, and CMMC 2.0 (32 CFR Part 170, effective December 16, 2024) is the operative DoD contractor framework that enforces the NIST 800-171 control set through assessment-based compliance levels. Federal contractors operating in Utah must satisfy CMMC 2.0 in addition to Utah state law.

Utah Data Security, Privacy, and Disposal Obligations

Utah Code § 13-44-201 — UPPIA Protection and Destruction

Utah Code § 13-44-201 requires any person conducting business in Utah and maintaining personal information to implement and maintain reasonable procedures to (1) prevent unlawful use or disclosure of personal information collected or maintained in the regular course of business and (2) destroy, or arrange for the destruction of, records containing personal information that are not to be retained. Under § 13-44-201(2) the destruction shall be by shredding, erasing, or otherwise modifying the personal information to make the information indecipherable. The outcome standard parallels Cal. Civ. Code § 1798.81 and other state records-disposal statutes.

Utah Code § 13-44-202 — Breach Notification

UPPIA breach notification at Utah Code § 13-44-202 requires a reasonable investigation upon awareness of a security breach and, if personal information was acquired or reasonably believed to have been acquired, notice to affected Utah residents in the most expeditious time possible without unreasonable delay (no fixed-day deadline). Notice to consumer reporting agencies is required for breaches affecting more than 1,000 residents. Civil penalties at § 13-44-301 run up to $2,500 per violation with an aggregate cap of $100,000.

Utah Consumer Privacy Act — Reasonable Security

The Utah Consumer Privacy Act (UCPA, Utah Code Title 13, Chapter 61) took effect December 31, 2023. UCPA applies to controllers and processors that conduct business in Utah or target Utah consumers AND meet (i) $25 million or more in annual revenue and (ii) either control/process personal data of 100,000+ Utah consumers, or control/process 25,000+ consumers while deriving 50%+ revenue from personal-data sales. Section 13-61-302 requires controllers to establish, implement, and maintain reasonable administrative, technical, and physical data security practices designed to protect the confidentiality and integrity of personal data and reduce reasonably foreseeable risks of harm. The reasonable-security duty extends to retirement of any hardware that has processed personal data.

UCPA Sensitive Data and Biometric Overlay

UCPA § 13-61-101(32) defines “Sensitive Data” to include racial or ethnic origin, religious beliefs, sexual orientation, citizenship or immigration status, information about a mental or physical health condition or diagnosis (subject to HIPAA exemption), and biometric data. Biometric data at § 13-61-101(6) means data generated by automatic measurements of an individual’s unique biological characteristics including fingerprint, voiceprint, eye retinas, irises, or other unique biological pattern; the definition explicitly excludes digital photographs, video or audio recordings, data from healthcare settings, and HIPAA-treated information. Processing Sensitive Data requires consumer opt-in consent under § 13-61-302(3). Civil penalties at § 13-61-401 run up to $7,500 per violation.

Utah Public-Sector IT Disposal Posture

Utah state agencies retire IT assets under Utah Department of Government Operations Division of Technology Services policy. The operative controls include the Utah DTS Information Security Policy; state surplus through the Utah Department of Government Operations; and the Utah State Archives Records Series. Public-sector retirement requires permanent removal of data before transfer or surplus, documented chain of custody, records-retention-schedule alignment for any records-bearing media, and surplus-property routing through the state’s authorized disposal channel. Private-sector enterprises that contract with the state, that operate in regulated public-sector-adjacent industries (higher education, K-12, state-funded healthcare), or that subcontract to state agencies inherit these duties through contract flow-down. See Utah Department of Government Operations Division of Technology Services policy guidance.

Utah Student Data Protection Act (Student-Data Privacy)

Utah’s student-data privacy statute at Utah Code § 53E-9-301 et seq. regulates K-12 ed-tech operators and Local Education Agencies that collect, store, or process covered student information. The statute imposes data-minimization, retention-limit, destruction-on-termination, and prohibition-on-secondary-use duties. School districts, charter schools, higher-education institutions in scope, and ed-tech service providers retiring devices that have held covered student records must verify data destruction under Utah’s outcome standard and retain the destruction certificate.

Data Destruction and Media Sanitization Expectations

Utah Code § 13-44-201(2) prescribes an outcome (indecipherable) and remains method-agnostic. The operative method baseline is NIST Special Publication 800-88 Revision 2 (operative September 26, 2025), which categorizes media sanitization as Clear, Purge, and Destroy. Utah state agencies follow Utah Department of Government Operations Division of Technology Services (DTS) cybersecurity standards, which reference NIST 800-88. The audit-defensible position for a Utah enterprise is NIST 800-88 Rev. 2 alignment with method selection driven by media type, data sensitivity, UCPA Sensitive Data presence, and federal sector overlay.

Hard Drive Shredding

For media containing UCPA Sensitive Data, protected health information, financial-account information, or covered defense information, the Destroy category under NIST 800-88 Rev. 2 is the audit-defensible posture. Hard drive shredding reduces magnetic and solid-state media to particles small enough that data reconstruction is forensically impossible.

Certified Data Wiping

Certified data wiping aligned to NIST 800-88 Clear or Purge is appropriate where the asset is being remarketed or redeployed.

Media Degaussing

Media degaussing is the appropriate Purge method for legacy magnetic media. SSDs, NVMe, and modern flash media do not store data magnetically, so degaussing does not sanitize them; they require cryptographic erase (Purge) or physical destruction (Destroy).

Certified Media Shredding

Certified media shredding covers non-drive media including optical disks, tape cartridges, USB drives, memory cards, smart cards, and any printed material containing personal information subject to UPPIA § 13-44-201.

Utah E-Waste, Hazardous Waste, and Environmental Compliance

Utah does not operate a statewide manufacturer-takeback or EPR program for electronics. Enterprise IT asset retirement in Utah routes through the federal RCRA-delegated state hazardous-waste program administered by the Utah Department of Environmental Quality (UDEQ) Division of Waste Management and Radiation Control under Utah Admin. Code R315-260 et seq. Hazardous-waste characterization follows the federal toxicity characteristic for lead (CRT glass, circuit-board solder), mercury (LCD backlights, switches, thermostats), cadmium (batteries, pigments), and chromium (circuit boards).

Enterprise / commercial equipment covered by the Utah e-waste program: NO. Utah has no state e-waste EPR program; enterprise IT asset retirement routes through Utah Admin. Code R315 hazardous-waste and universal-waste rules. Utah is an EPA-authorized state administering its own RCRA Subtitle C hazardous-waste program through Utah Admin. Code R315; the state program operates at the federal floor unless explicitly more stringent.

Universal-waste rules at Utah Admin. Code R315-273 cover batteries, lamps, mercury-containing equipment, and mercury thermostats with streamlined management standards. Generator status follows the federal VSQG / SQG / LQG framework; cradle-to-grave generator liability applies. Civil penalties under Utah Code § 19-6-112 run up to $10,000 per day per violation. Enterprise IT asset retirement routes through certified electronics recycling with environmental disposition records and, where applicable, hazardous-waste manifests.

Regulated Asset Types and Enterprise Scenarios

Servers and Storage Arrays

Server hardware and enterprise storage arrays contain operating-system data, application data, log files, configuration files with credentials, and database content. Certified server recycling covers the full asset including drive bays, controller cards, and embedded firmware storage. Every drive in the chassis must be sanitized to the Destroy category under NIST 800-88 Rev. 2 before custody transfer when UCPA Sensitive Data, protected health information, financial-account information, or covered defense information was processed.

End-User Computing Assets

Certified laptop recycling and certified computer recycling route through the same chain-of-custody framework as server hardware.

Mobile Devices

Certified cell phone recycling includes verified erase of internal flash and handling of embedded SIM and eSIM material containing subscriber identifiers.

Equipment Destruction and Product-Recall Scenarios

Secure equipment destruction covers prototypes, defective products, and regulated equipment. Product recall management, defective product destruction, and classified equipment destruction cover specialized scenarios.

Enforcement, Penalties, and Audit Risk

Utah enforcement is concentrated at the Utah Attorney General, the Utah Division of Consumer Protection (DCP, for UCPA after the AG sole-enforcement window), UDEQ (for hazardous-waste violations), and federal regulators with concurrent jurisdiction. Utah has been a multistate participant in recent cyber actions (TikTok 2024, Marriott 2024, Equifax 2019). The audit-reconstruction-of-events standard is operative.

Statutory Penalty Schedule

| Statute / Authority | Civil Penalty Band | Private Right of Action | Enforcer |
| --- | --- | --- | --- |
| UPPIA § 13-44-301 (breach + disposal) | Up to $2,500 per violation; up to $100,000 aggregate | NO (AG-only) | Utah AG |
| UCPA § 13-61-401 | Up to $7,500 per violation | NO (AG-only under UCPA) | Utah AG; DCP |
| Utah Admin. Code R315-260 (hazardous waste) | Up to $10,000/day under Utah Code § 19-6-112 | NO (DEQ enforcement) | UDEQ |
| HIPAA (federal overlay) | Up to $2,067,813 per identical violation per year (2025 adjusted) | LIMITED (HIPAA private actions) | HHS OCR |

State Sectoral Regulators and Audit Authority

In addition to the Utah Attorney General and the Utah environmental agency, state-level sectoral regulators hold audit and inquiry authority over IT-asset-disposition-relevant controls within their regulated populations. The Utah Department of Financial Institutions examines banks and credit unions for GLBA-aligned information-security-program controls. The Utah Insurance Department examines insurance licensees for the written information security program required by the NAIC Insurance Data Security Act or state-equivalent. The Utah Department of Health and Human Services examines healthcare entities for HIPAA Security Rule compliance. The Utah Board of Higher Education oversees FERPA-overlapping records and student-data-privacy duties at state institutions of higher education. The Utah Public Service Commission examines investor-owned utilities for customer-data-protection controls. Each sectoral regulator can issue document requests, on-site examinations, or consent orders that probe the chain-of-custody, sanitization-certificate, and environmental-disposition records produced during IT asset retirement.

Documentation, Chain of Custody, and Audit-Ready Proof

Audit defensibility in Utah is the ability to produce, under scrutiny, a documentation packet that reconstructs every step of asset retirement: serialized asset inventory, chain-of-custody log running from internal pickup to certified destruction, Certificate of Data Destruction per device, Certificate of Recycling with environmental disposition, hazardous-waste manifest where applicable, and contracted-service safeguard terms.
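The method rules under Data Destruction and Media Sanitization Expectations and the per-device certificate requirement in the packet above can be reconciled mechanically before custody transfer. The Python below is an added example, not part of the original page and not All Green Recycling's tooling; the record fields, method labels, data-class labels, and serial numbers are constructed assumptions.

```python
from dataclasses import dataclass

# NIST SP 800-88 sanitization categories, weakest to strongest.
RANK = {"clear": 1, "purge": 2, "destroy": 3}

# Hypothetical method labels mapped to the category each one achieves.
METHOD_CATEGORY = {
    "wipe_clear": "clear",
    "wipe_purge": "purge",
    "crypto_erase": "purge",
    "degauss": "purge",
    "shred": "destroy",
}

FLASH_MEDIA = {"ssd", "nvme", "flash"}

# Data classes for which the page names Destroy as the audit-defensible posture.
DESTROY_CLASSES = {"ucpa_sensitive", "phi", "financial_account", "cdi"}


@dataclass(frozen=True)
class Asset:
    serial: str
    media: str                           # "hdd", "tape", "ssd", "nvme", "flash"
    data_classes: frozenset = frozenset()


@dataclass(frozen=True)
class Certificate:
    serial: str
    method: str


def required_category(asset):
    """Minimum category: Destroy for the listed data classes, otherwise Clear."""
    return "destroy" if asset.data_classes & DESTROY_CLASSES else "clear"


def reconcile(inventory, certificates):
    """Return sorted (serial, finding) pairs; an empty list means the packet reconciles."""
    findings, certs = [], {}
    for c in certificates:
        if c.serial in certs:
            findings.append((c.serial, "duplicate_certificate"))
        certs[c.serial] = c
    known = {a.serial for a in inventory}
    for serial in certs.keys() - known:
        findings.append((serial, "certificate_not_in_inventory"))
    for asset in inventory:
        cert = certs.get(asset.serial)
        if cert is None:
            findings.append((asset.serial, "missing_certificate"))
            continue
        achieved = METHOD_CATEGORY.get(cert.method)
        if achieved is None:
            findings.append((asset.serial, "unknown_method"))
            continue
        # Degaussing only applies to magnetic media, never to flash.
        if cert.method == "degauss" and asset.media in FLASH_MEDIA:
            findings.append((asset.serial, "degauss_on_flash"))
            continue
        need = required_category(asset)
        if RANK[achieved] < RANK[need]:
            findings.append((asset.serial, f"{achieved}_below_required_{need}"))
    return sorted(findings)


# Constructed sample data (not real assets or certificates).
INVENTORY = [
    Asset("SN-A001", "hdd", frozenset({"phi"})),
    Asset("SN-A002", "ssd"),
    Asset("SN-A003", "nvme", frozenset({"ucpa_sensitive"})),
    Asset("SN-A004", "hdd"),
    Asset("SN-A005", "hdd"),
]
CERTIFICATES = [
    Certificate("SN-A001", "shred"),
    Certificate("SN-A002", "degauss"),
    Certificate("SN-A003", "crypto_erase"),
    Certificate("SN-A005", "wipe_clear"),
    Certificate("SN-Z999", "shred"),
]

if __name__ == "__main__":
    for serial, finding in reconcile(INVENTORY, CERTIFICATES):
        print(serial, finding)
```

A certificate for a serial that is absent from the inventory is reported as well, since it indicates a chain-of-custody gap rather than a completed retirement.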

How All Green Recycling Operationalizes Utah Compliance

IT Asset Disposition

All Green Recycling operates certified IT asset disposition structured around Utah’s statutory duty surface. Asset pickup is scheduled with a documented chain of custody, secured transport through IT equipment packaging and transportation, certified data destruction at the receiving facility, environmental disposition, and audit-ready reporting. Asset remarketing recovers residual value while preserving chain of custody.

Secure Data Destruction

All Green Recycling’s secure data destruction service line is structured to satisfy the UPPIA § 13-44-201 indecipherable outcome standard, the UCPA § 13-61-302 reasonable-security duty, and NIST SP 800-88 Rev. 2.

Certified Electronics Recycling

Certified electronics recycling diverts retired electronic assets from landfill through UDEQ-authorized channels that satisfy Utah Admin. Code R315-260 hazardous-waste characterization and R315-273 universal-waste rules. R2v3, NAID AAA, and e-Stewards frameworks are used as reference frameworks for downstream-handler accountability.

Secure Equipment Destruction

Secure equipment destruction covers product-recall management, defective-product destruction, and classified-equipment destruction.

Reverse Logistics and Chain-of-Custody Tracking

Reverse logistics covers multi-site enterprise pickups, manufacturer return programs, and customer-driven returns.

Audit-Ready Reporting

Every engagement produces a uniform documentation package delivered through IT asset reporting: serialized asset list, chain-of-custody log, Certificate of Data Destruction, Certificate of Recycling, environmental disposition record, hazardous-waste manifest where applicable, and HIPAA / GLBA / FTC Safeguards documentation entries where the federal overlay applies.

Frequently Asked Questions

The questions below are the questions enterprise compliance, security, audit, and procurement leaders ask during vendor evaluations, RFP reviews, and breach-response planning when a Retired Electronic Asset is moving through IT Asset Disposition in Utah.

What is Utah’s breach-notification deadline?

Utah does not impose a fixed-day deadline. Under Utah Code § 13-44-202, notice must occur in the “most expeditious time possible without unreasonable delay” after the entity becomes aware of a security breach and conducts a reasonable investigation. Consumer reporting agency notice is required for breaches affecting more than 1,000 residents. Civil penalties under § 13-44-301 run up to $2,500 per violation with an aggregate cap of $100,000.

Does Utah’s records-disposal statute prescribe a specific destruction method?

No. Utah Code § 13-44-201(2) requires destruction by shredding, erasing, or otherwise modifying the personal information to make the information indecipherable. The audit-defensible posture is alignment to NIST SP 800-88 Rev. 2 through certified data destruction with verification per device.

Does the Utah Consumer Privacy Act apply to our enterprise?

The Utah Consumer Privacy Act (UCPA) took effect December 31, 2023 and applies to controllers and processors that conduct business in Utah or target Utah consumers AND meet (i) $25 million or more in annual revenue and (ii) either control/process personal data of 100,000+ Utah consumers, or control/process 25,000+ consumers while deriving 50%+ revenue from personal-data sales. Many enterprises do not meet the thresholds, but the UCPA Sensitive Data category is a useful reference for UPPIA § 13-44-201 reasonable-procedures analysis.

Does Utah have a biometric overlay affecting retired devices?

Yes, under UCPA. Utah Code § 13-61-101(6) defines biometric data and § 13-61-101(32) includes biometric data as Sensitive Data subject to opt-in consent under § 13-61-302(3). Retired hardware that has processed biometric template files for a covered controller must be sanitized to NIST 800-88 Purge or Destroy. UPPIA does not enumerate biometric data, but the UCPA category sets the operative practice standard for covered controllers.

Are financial institutions exempt from UPPIA?

Yes. Utah Code § 13-44-103 exempts financial institutions and their affiliates as defined in 15 U.S.C. § 6809 from UPPIA, deferring to GLBA. UCPA § 13-61-102 similarly exempts GLBA-covered entities and HIPAA-covered entities.

Does Utah have a state-funded electronics-recycling program?

No. Utah does not operate a statewide manufacturer-takeback or EPR program for electronics. Enterprise IT asset retirement routes through UDEQ-authorized hazardous-waste channels under Utah Admin. Code R315-260 and is executed through certified electronics recycling with environmental disposition records.

Does our enterprise carry generator liability for hazardous fractions of retired electronics?

Yes. Utah Admin. Code R315-260 implements federal RCRA with cradle-to-grave generator liability. Universal-waste streams are governed by R315-273. Civil penalties under Utah Code § 19-6-112 run up to $10,000 per day per violation.

Which media-sanitization standard does Utah accept as audit-defensible?

NIST Special Publication 800-88 Revision 2 (operative September 26, 2025) is the federal civilian baseline. Utah state agencies follow Utah DTS cybersecurity standards, which reference NIST 800-88.

What is All Green Recycling’s certification posture for Utah enterprise engagements?

All Green Recycling holds ISO 14001:2015 and ISO 45001:2018 certifications and operates with alignment to R2v3, NAID AAA, and e-Stewards as reference frameworks for downstream-handler accountability and certified data destruction. NIST SP 800-88 Rev. 2, HIPAA, GLBA, FTC Safeguards, FAR 52.204-21, and DFARS 252.204-7012 are operative baselines that certified IT asset disposition engagements are structured to satisfy.

What documentation should we expect on AG examination?

Every engagement produces a documentation packet delivered through IT asset reporting: serialized asset list, chain-of-custody log, Certificate of Data Destruction per device, Certificate of Recycling, environmental disposition record, hazardous-waste manifest where applicable, and the contracted-service safeguard terms. The packet is structured for direct delivery to the Utah AG, DCP, UDEQ, HHS OCR, FTC, or counterparty audit without reformatting.

How does the federal HIPAA / GLBA baseline interact with Utah law?

A regulated enterprise must satisfy the stricter of (1) Utah UPPIA §§ 13-44-201 and 13-44-202 (subject to financial-institution exemption) and UCPA §§ 13-61-301 through 13-61-401 (subject to HIPAA, GLBA, FCRA, FERPA exemptions), (2) federal sector rules such as the HIPAA Security Rule and the FTC Safeguards Rule, and (3) customer or prime-contract clauses.

Is the physical loss of unencrypted hardware a reportable breach under Utah’s PIPA?

Yes. Utah Code § 13-44-202 (UPPIA) covers unauthorized acquisition of personal information, which includes physical loss of unencrypted media.

Does Utah’s PIPA carve out encryption or verified data sanitization as breach-notification exemptions?

Yes. § 13-44-202 excludes encrypted data; NIST SP 800-88 Revision 2 verified sanitization removes personal information from the breach trigger.

Utah Compliance as Risk Management

Utah IT asset retirement is a layered risk-management discipline, not a recycling transaction. Compliant retirement is the ability to prove, under scrutiny, that data was rendered indecipherable before custody transfer, that the UCPA Sensitive Data category (including biometric data) was respected for covered controllers, that breach notice surfaced in the most expeditious time possible after determination, and that hazardous fractions were handled under the universal-waste rules. UPPIA § 13-44-301 per-violation and aggregate civil penalties, UCPA § 13-61-401 per-violation civil penalties, UDEQ daily penalties, HIPAA federal overlay, FTC Safeguards Rule, and audit-driven counterparty review converge on the same set of records.

Utah compliance is best treated as a continuous control posture rather than a periodic disposal event. All Green Recycling, LLC operationalizes that posture through IT asset disposition, secure data destruction, certified electronics recycling, secure equipment destruction, reverse logistics, and audit-ready reporting. Compliance, security, and procurement teams that need a Utah-specific audit walkthrough or an RFP-ready compliance package reach the All Green Recycling response desk at (800) 780-0347.