Compliance Resources
Texas Data Disposal Law
Texas has its own data-disposal law, and it applies to essentially every business in the state. Chapter 521 of the Business & Commerce Code — the Identity Theft Enforcement and Protection Act — reaches customer records, employee files, and the drives they live on.
What Texas law requires
Under Chapter 521, a business must implement and comply with procedures for the destruction of business records that contain sensitive personal information when those records are disposed of — by shredding, erasing, or otherwise modifying the information to make it unreadable or undecipherable. Sensitive personal information includes things like Social Security numbers, driver's license numbers, financial account numbers, and health information tied to an individual.
The Texas Attorney General enforces the chapter, and it carries civil penalties. Separately, Texas's newer privacy legislation continues to raise expectations for how businesses handle personal data across its lifecycle — disposal included.
What that means for retired IT equipment
"Business records" is not a filing-cabinet concept anymore. Payroll data, customer databases, scanned IDs, and HR files live on workstations, servers, and backup media. When that hardware is discarded with drives intact, records are being disposed of without destruction — exactly what the statute addresses.
For a DFW business, the practical bar is straightforward: when equipment is retired, data-bearing media gets sanitized or destroyed, and the business keeps a record showing it happened. That is achievable on every disposal, including free ones.
How our process lines up
We are a Texas business too — headquartered in Southlake — and our standard handling is built around this exact expectation: storage media sanitized following NIST 800-88 guidelines, certificates of data sanitization for your records, serialized manifests on request, and paid onsite shredding where policies call for physical destruction. We are not your lawyers; we are the documented-disposal leg of the procedures the statute expects you to have.
This page is general information, not legal advice. Regulations change and their application depends on your situation — confirm your obligations with your counsel or compliance advisor. What we provide is documented disposal: sanitization following NIST 800-88 guidelines, certificates, and manifests that support the procedures your advisors design.
Common Questions
Does this law apply to small businesses?
Yes — Chapter 521's disposal provision applies to businesses generally, without a size carve-out. The procedures just have to result in sensitive personal information being made unreadable when records are discarded.
Is donating or reselling old computers a "disposal"?
Equipment leaving your control with data intact is the risk the statute targets, whatever you call the transaction. Sanitize media before donation or resale — refurbishment and reuse are great outcomes, but only after the data is gone.
How does this interact with federal rules like HIPAA or FACTA?
They stack. Federal rules cover specific information types; the Texas statute covers sensitive personal information broadly. A NIST 800-88-aligned disposal process with documentation is the common denominator that supports all of them.
Retiring Equipment With Data On It?
Free pickup for qualifying business IT equipment across DFW — with the sanitization certificates and manifests your records need.
Schedule a Documented Pickup