What You Need To Know
Laws that Require Destruction of Consumer Information
- HIPPA – HIPAA is the Health Insurance Portability and Accountability Act, a federal law enacted in 1996 that sets national standards for protecting the confidentiality and security of patient health information. Its primary goals are to ensure people can maintain health insurance coverage when changing jobs, control healthcare administrative costs, and safeguard personal health information from unauthorized disclosure.
- FACTA – The Fair and Accurate Credit Transactions Act of 2003 (FACTA) is an amendment to the Fair Credit Reporting Act (FCRA) that enhances consumer rights and helps reduce identity theft and fraud. Key provisions include the right for consumers to receive a free annual credit report from each of the three major credit bureaus, the ability to place fraud alerts, requirements for businesses to properly dispose of consumer information, and the disclosure of credit scores and risk-based pricing by creditors.
- GLB – The Gramm-Leach-Bliley Act (GLBA) is a U.S. federal law that protects consumers’ financial privacy by requiring financial institutions to clearly explain their information-sharing practices and protect customer data. The Act’s main components include the Financial Privacy Rule, which mandates clear notices and allows consumers to opt-out of certain data sharing; the Safeguards Rule, which requires institutions to implement security programs to protect customer information; and the Pretexting Rule, which prohibits obtaining information under false pretenses.
- Red Flag Rule – Red Flag Rules require financial institutions to establish written Identity Theft Prevention Programs (ITPPs) to detect, prevent, and mitigate identity theft by identifying suspicious activity, or “red flags”. These programs must define specific red flags, train staff to recognize them, and outline appropriate responses. Common red flags fall into categories such as suspicious documents, suspicious personal information, unusual use of a covered account, and alerts from consumers or other agencies.
- State Data Protection Laws – Colorado’s primary data protection law is the Colorado Privacy Act (CPA), effective July 1, 2023, which grants consumers rights to access, correct, and delete their personal data, opt out of its sale and targeted advertising, and exercise control over automated profiling. Businesses that meet certain size thresholds must comply with the CPA’s requirements, including purpose specification and data minimization. Updates in 2025 have also introduced data protection assessments for online services involving minors and for certain high-risk processing activities.
If Utilizing Records Destruction Vendor, Laws Require:
- Creating a Written Selection Criteria
- Hire AAA NAID Certified Vendor (like XpresShred!)
XpresShred AAA NAID Certification
- Mobile Onsite Shredding at your Location
- Collection Pick Up at your Location
Audit Trail
- XpressShred Certificate of Destruction
After Shredding
- Paper baled in Secure Warehouse
- Shipments go directly to paper mills and scrap metal refiners for recycling.
