Across the U.S., there are laws and regulations that require companies and organizations to safeguard consumer information. If you work in a business, office, or practice that collects personally identifiable information (PII) like phone numbers, addresses, dates of birth, SSNs, etc., you are responsible for that data and must keep it private.
When you have electronics that store any of that data and are about to be resold or recycled, data destruction is essential. Failing to meet federal and local laws can lead to hefty fines, penalties, legal fees, and class action lawsuit settlements. You need to know your responsibilities when it comes to PII.
What Is Article 17 of the GDPR?
Article 17 of the EU General Data Protection Regulation establishes the data subject’s “right to erasure,” also called the right to be forgotten. It binds any organization, including a U.S. business, that processes the personal data of people in the EU. The controller must erase personal data without undue delay when one of these grounds applies:
- The data is no longer necessary for the purpose for which it was collected or processed.
- The data subject withdraws the consent the processing was based on, and there is no other legal ground for keeping it.
- The data subject objects to the processing (for direct marketing, always; otherwise unless there are overriding legitimate grounds to continue).
- The data has been unlawfully processed.
- Erasure is required to comply with a legal obligation under EU or Member State law (not U.S. federal or state law; the GDPR is EU legislation).
- The data was collected from a child in connection with online services offered directly to children.
Article 17(3) lists the exceptions. Erasure is not required while the processing is still needed for freedom of expression, for compliance with a legal obligation, for public-interest tasks such as public health or archiving, or for the establishment, exercise or defense of legal claims, so data held for pending litigation can be retained until the claim is resolved. Where a controller has made the data public and must now erase it, Article 17(2) also requires it to take reasonable steps to tell other controllers processing that data that erasure has been requested. Two related obligations sit outside Article 17: transfers of personal data to a country outside the EU or to an international organization are governed by Chapter V of the GDPR and must meet its requirements, not U.S. law; and the consumer’s right to see what data you hold about them, which you must have a documented process to honor, is the separate right of access in Article 15.
Other Data Privacy Laws to Keep in Mind
Those are the GDPR requirements. In the U.S., five states (California, Colorado, Connecticut, Utah, and Virginia) have enacted comprehensive consumer privacy laws, and two sector-specific regimes, HIPAA and PCI DSS, add their own rules for health and payment card data.
The California Consumer Privacy Act (CCPA)
The CCPA is codified at California Civil Code § 1798.100 et seq. It was enacted in 2018 and took effect on January 1, 2020. Consumers have the right to know what personal information a business collects about them and why, and to request its deletion; the business must comply unless a statutory exception applies. Businesses may not discriminate against California residents for exercising these rights, including opting out of the sale of their information.
The California Privacy Rights Act (CPRA), passed as Proposition 24 in 2020, amended the CCPA effective January 1, 2023. It lets consumers stop businesses from sharing their personal information and limit the use of sensitive personal information such as sexual orientation, religion, race, precise geolocation, genetic data, the contents of private messages, and specified health information. Businesses may not retain personal information longer than reasonably necessary for the disclosed purpose, and the administrative fine triples (from $2,500 to $7,500 per violation) when the violation involves a consumer the business knows is under 16.
The Colorado Privacy Act, Part of the Colorado Consumer Protection Act
The Colorado Privacy Act (SB 21-190), codified within the Colorado Consumer Protection Act, took effect on July 1, 2023. It makes controllers responsible for protecting personal data, gives consumers rights of access, correction, deletion, portability, and opt-out, and gives the Colorado attorney general and district attorneys exclusive authority to enforce it.
The Connecticut Personal Data Privacy and Online Monitoring Act
Connecticut’s 2022 S.B. 6 took effect on July 1, 2023. It requires businesses and organizations to collect and process personal data in line with its privacy standards, including data minimization and reasonable security. Consumers have the right to access, correct, delete, and obtain a copy of any personal data that’s stored, and to opt out of targeted advertising, the sale of their data, and profiling used for significant decisions.
The Health Insurance Portability and Accountability Act (HIPAA)
HIPAA dates back to 1996 and applies to the health sector. Covered entities include healthcare providers; health, dental, vision, and prescription drug insurers, including HMOs, Medicare and Medicaid, long-term care insurers, and church-, employer-, and government-sponsored health plans; and healthcare clearinghouses. Business associates that handle PHI on a covered entity’s behalf, which includes a vendor destroying drives from a clinic, are bound by the same rules. Protected health information (PHI) may be used or disclosed only as the HIPAA Privacy Rule permits, for example for treatment, payment, and healthcare operations, or with the patient’s written authorization, and patients have a right to access their own records.
In certain situations PHI can be disclosed without the individual’s authorization: when required by law, to law enforcement, or for administrative or judicial proceedings; for public health activities; to facilitate organ, eye, or tissue donation; for workers’ compensation claims; to report victims of abuse, neglect, or domestic violence; and to identify deceased persons.
Covered entities must also protect electronic PHI against security threats under the HIPAA Security Rule, which requires administrative, physical, and technical safeguards, including documented procedures for the final disposal of PHI and of the hardware and media it is stored on. The HHS Office for Civil Rights enforces these rules.
The Payment Card Industry Data Security Standard (PCI DSS)
PCI DSS is a contractual security standard, not a law, that applies to any organization that stores, processes, or transmits cardholder data. Its goal is to reduce credit and debit card fraud. Version 1.0 was released in December 2004 by American Express, Discover, JCB, MasterCard, and Visa, which went on to form the PCI Security Standards Council in 2006 to maintain it. Its twelve requirements are grouped under six goals:
- Build and maintain a secure network and systems.
- Protect cardholder data (called account data in version 4.0).
- Maintain a vulnerability management program.
- Implement strong access control measures.
- Regularly monitor and test networks.
- Maintain an information security policy.
The standard requires keeping stored cardholder data to a minimum and securely deleting it once it is no longer needed for business, legal, or regulatory reasons; sensitive authentication data (full track data, card verification codes, PINs) must never be stored after authorization. Media holding cardholder data must be destroyed when it is no longer needed, so wiping or physically destroying drives from retired payment systems, including those holding former cardholders’ records, is essential.
The Utah Consumer Privacy Act
At the time of writing, the Utah Consumer Privacy Act (UCPA) is not yet in effect; it takes effect on December 31, 2023. From that date businesses must disclose what personal data they collect, how they use it, and whether they sell it. Utah residents have the right to access and delete their data and to opt out of its sale and of targeted advertising. If a business doesn’t comply within the act’s 30-day cure period, the attorney general can take action and seek fines.
The Virginia Consumer Data Protection Act
Finally, Virginia’s Consumer Data Protection Act (effective January 1, 2023) applies to businesses that control or process the personal data of at least 100,000 Virginia consumers in a year, or of at least 25,000 consumers while deriving more than 50% of their gross revenue from selling personal data. Covered businesses must follow the act’s rules on the collection and use of personal data, and consumers can opt out of its use for targeted advertising, its sale, and profiling.
How Do You Ensure Data Destruction Is Completed Correctly?
How do you ensure data is properly destroyed? Work with an ITAD (IT asset disposition) professional. If you’re recycling or selling used electronics that are no longer necessary to your business, office, or organization, you must sanitize or destroy the data on them first, and the method has to match both the media type and the sensitivity of the data. This isn’t a job for a spare afternoon and a factory reset.
Most people think of a factory reset, or simply deleting the files, as being enough to destroy data. It’s not. On unencrypted storage, a reset or delete removes the filesystem’s references to the data, but the underlying blocks stay on the media until something overwrites them, and off-the-shelf recovery tools can read them back. NIST SP 800-88 describes three levels of media sanitization. “Clear” overwrites the data with software, writing fixed or random patterns over every sector, once or several times; it works for magnetic hard drives but is unreliable on SSDs and other flash media, because wear leveling and spare blocks mean some old data is never reached by the overwrite. “Purge” uses the drive’s own sanitize commands (ATA Secure Erase, NVMe Sanitize, or crypto-erase of a self-encrypting drive’s key) or degaussing, which uses a strong magnetic field to destroy data on magnetic drives and tapes. Degaussing also wipes the drive’s servo tracks, so the drive cannot be reused, and it has no effect on SSDs.
“Destroy” is the highest level: shred, disintegrate, pulverize, or incinerate the drive. Fragments that small cannot be reassembled and read, and shredding works on every media type, so it is the safest choice when the data is sensitive or the drive type is unknown. For SSDs the shred particle size must be small enough (typically a few millimeters) to break the individual NAND chips, which many hard-drive shredders do not achieve. Whatever method you use, keep a record of which serial numbers were sanitized, how, when, and by whom, so you can prove it later.
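The following is an added example, not code from the original page or from ERI, showing what the software overwrite (“Clear”) step looks like and how to verify it. It writes a constructed, fake PII record to a temporary file, confirms the record is readable, overwrites every byte with random data and then zeros, confirms the marker is gone, and only then truncates and unlinks the file. The record, the marker string, and the function names are all assumptions made for the demo. It also shows the limit of the technique: the check only proves the filesystem’s current view of the file is clean, not that the physical blocks are, which is why the caveats about SSDs and copy-on-write filesystems matter.

```python
import os
import secrets
import tempfile

CHUNK_SIZE = 64 * 1024  # write in chunks so large files do not need RAM equal to their size


def _write_pattern(f, size: int, make_chunk) -> None:
    """Write `size` bytes produced by make_chunk(n) from offset 0 of f, then fsync.

    fsync matters: without it the "overwrite" may sit in the page cache and
    the old blocks on disk are untouched if the machine loses power.
    """
    f.seek(0)
    remaining = size
    while remaining:
        n = min(CHUNK_SIZE, remaining)
        f.write(make_chunk(n))
        remaining -= n
    f.flush()
    os.fsync(f.fileno())


def overwrite_file(path: str, passes: int = 3, zero_final: bool = True) -> int:
    """Overwrite every byte of the file at `path` in place (NIST 800-88 "Clear").

    Each pass writes cryptographically random bytes over the whole file; the
    optional final pass writes zeros. Returns the number of bytes overwritten.

    Caveat (assumption about your environment, check it): this only helps when
    the filesystem writes back to the same physical blocks. Copy-on-write
    filesystems (btrfs, ZFS, APFS), snapshots, journaling, and SSD wear
    leveling can leave the old blocks intact. For whole drives use the
    controller's sanitize command ("Purge") or physical destruction instead.
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for _ in range(passes):
            _write_pattern(f, size, secrets.token_bytes)
        if zero_final:
            _write_pattern(f, size, lambda n: b"\x00" * n)
    return size


def contains_marker(path: str, marker: bytes) -> bool:
    """Recoverability check: is `marker` still present in the file's bytes?"""
    with open(path, "rb") as f:
        return marker in f.read()


def shred_file(path: str, passes: int = 3) -> int:
    """Overwrite, truncate to zero length, then unlink. Returns bytes wiped."""
    size = overwrite_file(path, passes)
    with open(path, "r+b") as f:
        f.truncate(0)
        os.fsync(f.fileno())
    os.remove(path)
    return size


def _new_record_file(record: bytes) -> str:
    fd, path = tempfile.mkstemp(prefix="pii-", suffix=".txt")
    with os.fdopen(fd, "wb") as f:
        f.write(record)
    return path


def demo() -> dict:
    """Constructed PII record (not real data) written to a temp file, wiped, removed."""
    marker = b"SSN=123-45-6789"  # constructed sample value
    record = (b"name=Jane Example;" + marker + b";dob=1990-01-01\n") * 2000
    path = _new_record_file(record)
    before = contains_marker(path, marker)
    overwrite_file(path, passes=2)
    after_overwrite = contains_marker(path, marker)
    wiped = shred_file(path, passes=1)
    return {
        "before": before,
        "after_overwrite": after_overwrite,
        "bytes_wiped": wiped,
        "size": len(record),
        "removed": not os.path.exists(path),
    }


if __name__ == "__main__":
    print(demo())
```

A positive result from `contains_marker` after the overwrite means the wipe failed outright; a negative result is necessary but not sufficient, since it reads through the filesystem rather than the raw device. For a decommissioned drive, run the vendor sanitize command or destroy the media, and log the drive serial number and method as evidence.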
ERI is an ITAD specialist that can ensure your items go through rigorous data destruction methods that keep you compliant with state and federal regulations. We can destroy data at your site or at one of our facilities. No matter where data destruction takes place, ERI provides you with a certificate of destruction you can keep in your files as proof that you followed procedures. Contact us to learn more about e-recycling and data destruction.