Executive Summary
Security cameras that capture identifiable individuals generate personal data subject to privacy regulations including the California Consumer Privacy Act (CCPA) and the European Union's General Data Protection Regulation (GDPR). The CCPA applies to businesses meeting revenue or data-volume thresholds that collect personal information from California residents, requiring disclosure, opt-out mechanisms, and data deletion rights. The GDPR applies to any organization processing data of EU residents, imposing stricter requirements including a lawful basis for processing, data protection impact assessments, and the right to erasure. Noncompliance carries severe penalties — up to $7,500 per violation under the CCPA and up to 20 million euros or 4% of global annual revenue under the GDPR. This article details the requirements of both frameworks, compares them side by side, and provides practical steps for compliance. For additional guidance on business surveillance compliance, see our guide on security camera privacy laws for businesses.
How Privacy Regulations Apply to Security Cameras
Video footage of identifiable individuals constitutes personal data under both the CCPA and GDPR. A security camera that captures a person's face, body, license plate, or any other identifier is collecting personal information as defined by these laws. This applies regardless of whether the footage is actively reviewed or simply stored on a recorder.
The CCPA defines personal information as information that "identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household." Video footage meets this definition.
The GDPR defines personal data as "any information relating to an identified or identifiable natural person." Surveillance footage that captures a person's image falls squarely within this definition.
CCPA Requirements for Security Camera Systems
The California Consumer Privacy Act, as amended by the California Privacy Rights Act (CPRA) effective January 2023, applies to for-profit businesses that meet any of the following thresholds: annual gross revenue exceeding $25 million, buying/selling personal information of 100,000 or more consumers, or deriving 50% or more of revenue from selling personal information.
| CCPA Requirement | Application to Security Cameras | How to Comply |
|---|---|---|
| Notice at collection | Individuals must be informed before or at the point their personal information is collected | Post signage at all camera-monitored entrances stating video is being recorded and referencing your privacy policy |
| Privacy policy disclosure | Your privacy policy must list the categories of personal information collected, including video surveillance data | Add a "Surveillance Data" or "Video Monitoring" section to your privacy policy |
| Right to know | Consumers can request what personal information has been collected about them, including video footage | Establish a process to search, retrieve, and provide surveillance footage to verified requestors |
| Right to delete | Consumers can request deletion of their personal information | Implement a procedure to delete specific footage segments upon verified request, unless a legal exception applies |
| Right to opt out of sale | If footage is shared with third parties for commercial purposes, consumers can opt out | Most security footage is not "sold," but sharing with analytics companies or data brokers may qualify |
| Data minimization (CPRA) | Collection must be limited to what is reasonably necessary for the disclosed purpose | Only record areas necessary for security; set retention periods aligned with your stated purpose |
| Purpose limitation (CPRA) | Footage collected for security cannot be repurposed for marketing, employee performance reviews, or unrelated analytics | Document the purpose of each camera and restrict footage use to that purpose |
| Security safeguards | Businesses must implement reasonable security measures to protect personal information | Encrypt stored footage, use role-based access controls, and maintain audit logs |
CCPA Penalties
- $2,500 per unintentional violation — Applies when a business fails to comply but did not act willfully.
- $7,500 per intentional violation — Applies when a business knowingly violates CCPA requirements.
- Private right of action — Consumers can sue for $100 to $750 per incident (or actual damages if greater) when a data breach results from the business's failure to implement reasonable security measures.
GDPR Requirements for Security Camera Systems
The General Data Protection Regulation applies to any organization that processes personal data of individuals located in the European Union, regardless of where the organization is based. A US business with cameras that capture EU residents — such as a hotel, retail store, or office with European visitors or employees — must comply. For an overview of commercial security camera installation pricing, including compliance-ready systems, see our cost guide.
| GDPR Requirement | Application to Security Cameras | How to Comply |
|---|---|---|
| Lawful basis for processing | You must identify a legal basis under Article 6 before capturing footage | Most businesses rely on "legitimate interests" (Art. 6(1)(f)); document the balancing test between your interest and the individual's rights |
| Data Protection Impact Assessment (DPIA) | Required when surveillance is likely to result in a high risk to individuals' rights | Conduct a DPIA before deploying cameras in public-facing areas, workplaces, or spaces where vulnerable individuals (children, patients) may be present |
| Transparency and notice | Individuals must be informed about the surveillance through clear and accessible means | Post multi-layered notices: brief signage at the camera location with detailed information available via QR code, website, or printed handout |
| Purpose limitation | Footage can only be used for the purpose stated at the time of collection | Define and document the specific purpose (e.g., "prevention of theft and vandalism") and do not use footage for other purposes |
| Data minimization | Only collect footage that is adequate, relevant, and limited to what is necessary | Avoid recording areas beyond your property; use privacy masking to obscure public sidewalks, neighboring properties, and irrelevant zones |
| Storage limitation | Footage must not be kept longer than necessary for the stated purpose | Set automated deletion schedules; the European Data Protection Board recommends a maximum of 72 hours for most routine surveillance, extendable to 30 days with justification |
| Right of access (Art. 15) | Individuals can request a copy of footage containing their image | Establish a subject access request (SAR) procedure; respond within one month; redact other individuals' images before providing the footage |
| Right to erasure (Art. 17) | Individuals can request deletion of footage containing their image | Delete requested footage unless retention is required for legal claims or other exceptions under Art. 17(3) |
| Data protection by design | Privacy protections must be built into the surveillance system from the outset | Choose cameras with built-in privacy masking, encryption, and access controls; configure these features during installation |
| International data transfers | Footage stored or processed outside the EU must have adequate safeguards | Use EU-based cloud storage or ensure Standard Contractual Clauses (SCCs) are in place with non-EU providers |
| Data Protection Officer (DPO) | Required when surveillance constitutes large-scale systematic monitoring of public areas | Appoint a DPO and list their contact information on all surveillance notices |
GDPR Penalties
- Tier 1: Up to 10 million euros or 2% of global annual turnover — For violations related to technical measures, record-keeping, and DPO requirements.
- Tier 2: Up to 20 million euros or 4% of global annual turnover — For violations of core principles including lawful basis, purpose limitation, data subject rights, and international transfer rules.
Practical Compliance Steps for Both Frameworks
Businesses subject to one or both regulations should follow these steps to ensure their surveillance systems are compliant.
- Audit all existing cameras. Map every camera location, its field of view, the type of data it captures (video only, video plus audio, video with analytics), and where footage is stored.
- Define and document the purpose of each camera. Write a one-sentence justification for every camera (e.g., "Camera 3: Monitors loading dock entrance to prevent unauthorized access and document deliveries").
- Draft a surveillance-specific privacy notice. Include the identity of the data controller, the purpose of surveillance, the legal basis (GDPR) or business justification (CCPA), the retention period, and how individuals can exercise their rights.
- Post signage with layered information. Physical signs should include the basics — that recording is in progress, who is responsible, and how to get more information. A QR code or URL linking to the full privacy notice satisfies the "layered" requirement.
- Set retention periods and automate deletion. Configure your NVR or cloud system to automatically delete footage after the defined retention period. Document exceptions (e.g., footage related to an active investigation).
- Implement access controls. Restrict footage access to named individuals with a documented need. Use role-based permissions on NVR software and maintain access logs.
- Encrypt footage at rest and in transit. Use AES-256 encryption for stored footage and TLS 1.2+ for remote access and cloud uploads. A licensed security camera installer can configure encryption and access controls during setup.
- Establish a subject access request process. Create a form and procedure for individuals to request access to or deletion of footage containing their image. Train staff on how to process these requests.
- Conduct a Data Protection Impact Assessment. Required under the GDPR for high-risk processing; recommended as a best practice under the CCPA. Document the necessity and proportionality of each camera.
- Review third-party agreements. If you use cloud storage, remote monitoring services, or video analytics providers, ensure contracts include appropriate data processing agreements (GDPR) and service provider provisions (CCPA).
- Train all personnel with footage access. Staff must understand the legal restrictions on footage use, the prohibition on sharing footage informally, and the process for responding to data subject requests.
- Review compliance annually. Regulations evolve, camera placements change, and business operations shift. Schedule annual reviews of your surveillance compliance program. Understanding the broader security camera laws landscape ensures your compliance program covers all applicable regulations.
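As an added example (not code from this article or any vendor's NVR software), the retention planner below ties together the audit, purpose, retention and exception steps above: each camera's retention period is taken from its documented purpose, footage past retention but under a documented legal hold is kept and logged, and footage from a camera missing from the register is flagged for review rather than deleted. The camera register, segment list and investigation reference are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class Camera:
    camera_id: str
    purpose: str         # documented one-sentence justification (step 2)
    retention_days: int  # retention period aligned with that purpose (step 5)

@dataclass(frozen=True)
class Segment:
    path: str
    camera_id: str
    recorded_at: datetime  # UTC time the segment was recorded

def plan_retention(cameras, segments, legal_holds, now):
    """Return (delete, held, audit): paths past retention, paths past retention
    but under a documented legal hold, and audit-log lines explaining each."""
    register = {c.camera_id: c for c in cameras}
    delete, held, audit = [], [], []
    for seg in sorted(segments, key=lambda s: s.recorded_at):
        cam = register.get(seg.camera_id)
        if cam is None:
            # No documented purpose means no defined retention: flag, don't delete.
            audit.append(f"REVIEW {seg.path}: camera {seg.camera_id} not in register")
            continue
        expiry = seg.recorded_at + timedelta(days=cam.retention_days)
        if now < expiry:
            continue  # still within retention
        if seg.path in legal_holds:
            held.append(seg.path)
            audit.append(f"HOLD {seg.path}: retained for {legal_holds[seg.path]}")
            continue
        delete.append(seg.path)
        audit.append(f"DELETE {seg.path}: expired {expiry.date()} ({cam.purpose})")
    return delete, held, audit

# Constructed sample data (not real cameras or case numbers).
NOW = datetime(2024, 6, 30, tzinfo=timezone.utc)
CAMERAS = [Camera("cam3", "loading dock: prevent unauthorized access", 30),
           Camera("cam7", "cash office: document till handling", 3)]
SEGMENTS = [Segment("cam3/2024-05-20.mp4", "cam3", datetime(2024, 5, 20, tzinfo=timezone.utc)),
            Segment("cam3/2024-06-15.mp4", "cam3", datetime(2024, 6, 15, tzinfo=timezone.utc)),
            Segment("cam7/2024-06-01.mp4", "cam7", datetime(2024, 6, 1, tzinfo=timezone.utc)),
            Segment("cam9/2024-06-01.mp4", "cam9", datetime(2024, 6, 1, tzinfo=timezone.utc))]
HOLDS = {"cam7/2024-06-01.mp4": "investigation INV-0042"}
if __name__ == "__main__":
    for line in plan_retention(CAMERAS, SEGMENTS, HOLDS, NOW)[2]:
        print(line)
```

The audit lines are the record an auditor would ask for when checking that deletion was automated and that every exception was documented.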
For more on how privacy law intersects with business camera systems, see our detailed guide on security camera privacy laws for businesses.
