When there is no specific state (or business) policy, states (and businesses) refer to federal requirements. See the FTC link I provided earlier, for example, that shows how records (including records generated by landlords) must be disposed of.
The FTC rule applies if the records disposed of are “consumer reports” or information obtained from such reports. Very generally, a consumer report is a report that the business obtains about the consumer from a consumer reporting agency, e.g. a credit bureau. So if the information disposed of is, for example, from credit reports the FTC rule certainly applies and the management company would run the risk of enforcement action by the FTC. I admit I didn’t think about the information in the dumpster possibly being credit reports that the management company ran on prospective tenants. To the extent that kind of information was trashed it would seem to be a clear violation of the FTC rule. While not a crime, the management company could nevertheless be subject to a significant civil fine from the FTC. But if these were records of information that the management company got directly from the renters, the FTC rule does not cover that.
For a recent well-publicized case, look at Safeway and the $10 million they were fined for improper disposal of pharmacy records.
That case involved disposal of protected health information (PHI) by a covered entity (a pharmacy) which is regulated by the federal Health Insurance and Portability and Accountability Act (HIPAA) and, in the Safeway case, the California Confidentiality of Medical Information Act. The management company here is not a covered entity for HIPAA purposes and of course the California wouldn’t apply here in any case. It does illustrate, though, that were a privacy law does apply a business who fails to comply with that law may face serious penalties.
What all this points out is that the laws relating to privacy of information and disposal of it are a patchwork of laws that, for the most part, target very specific industries or types of information. In my experience many Americans think far more of their information is protected by such laws than is really case, giving them a false sense of security. It is precisely because a lot of situations are simply not addressed in federal and state laws that individuals need to be proactive about the security of their information and ask businesses that seek personal information about what the business’ privacy policy is, how their information will be used and shared by the business, etc. IMO many Americans part with personal information much too easily; they ought to be reading privacy policies carefully and, where there is no policy or the policy isn't clear, they ought to be asking questions about the privacy of their information. You are the most important protector of your own information, after all.