CCTV Rules and Regulations at Work: A Practical Guide for UK and US Employers
In the UK, workplace CCTV is governed by UK GDPR (the UK's retained version of the EU General Data Protection Regulation) and the Data Protection Act 2018, which together require employers to have a lawful basis for recording, inform staff and visitors that cameras are in use, limit what is captured, and handle footage securely. In the United States, there is no single federal equivalent: obligations come from a mix of federal guidance and state statutes that vary considerably by location.
This guide covers the main rules for workplace CCTV in the UK and the United States. It is written for organisations managing existing systems or planning new ones, not for consumers setting up home cameras.
UK Rules: What the Law Requires
In the UK, workplace CCTV is governed by the UK GDPR and the Data Protection Act 2018. The ICO (Information Commissioner's Office, the UK's independent data protection regulator) publishes specific guidance on surveillance cameras, and the Biometrics and Surveillance Camera Commissioner maintains a code of practice. Public authorities must have regard to that code. Private employers are not legally required to follow it, but the ICO treats compliance with it as best practice.
What must UK employers do before installing CCTV?
Before installing cameras, you need a lawful basis under UK GDPR Article 6. Most employers rely on "legitimate interests." That means completing a Legitimate Interests Assessment (LIA), a documented process that tests whether the security purpose is proportionate and whether employees' privacy rights have been properly weighed. If the assessment does not hold up, the processing is unlawful regardless of what your internal CCTV policy says.
What are the transparency and signage requirements?
UK GDPR Article 13 requires you to inform people that recording is taking place, what the footage is used for, how long it is kept, and who can access it. In practice, this means clear signage at entry points, an accessible privacy notice, and a written CCTV policy. Signage alone is not sufficient if it does not provide enough information for someone to understand their rights.
Data minimisation and retention
Under UK GDPR Article 5, you should only capture footage that is necessary for the stated purpose. Cameras should not be positioned where they will routinely record areas unrelated to your security aim, such as toilets or private breakrooms.
Retention periods must be clearly defined and enforced. The ICO does not prescribe a rigid, fixed limit, but most standard workplace systems retain footage for 28 to 31 days unless there is a specific ongoing investigation or legal reason to keep it longer.
How must employers handle subject access requests for CCTV footage?
Employees can submit a Subject Access Request (SAR), a formal request under UK GDPR for their personal data, demanding access to any footage in which they appear. You generally have one month to respond.
If the footage shows other individuals, you are legally required to redact (blur) those bystanders before disclosure. Failure to do so means releasing third-party personal data without a lawful basis, which constitutes a separate data breach.
This is where automated redaction becomes a practical necessity rather than a convenience. Manually blurring bystanders in hours of CCTV footage is slow and prone to error. Secure Redact processes footage automatically, detecting and blurring faces and other identifiers, so compliance teams can respond to SARs within the legal timeframe without dedicating significant staff time to the task.
Consequences of non-compliance in the UK
The ICO holds significant enforcement powers. Under UK GDPR, maximum fines can reach £17.5 million or 4% of global annual turnover, whichever is higher.
In practice, most enforcement action against standard employers results in public reprimands, enforcement notices, or fines in the thousands. A public ICO decision also appears on the regulator's published register of regulatory action, which is easily accessible to clients, insurers, and the press.
While landmark multi-million pound fines typically target major tech providers or mass public surveillance programs, the more common risk for standard employers is an upheld SAR complaint. If the ICO investigates and finds you failed to respond correctly or released unredacted footage of other employees, a formal public reprimand is highly likely.
US Rules: A Fragmented Picture
There is no single federal law governing workplace CCTV in the United States. Employers must navigate a shifting combination of federal guidance, state statutes, and local ordinances.
What does federal law say about workplace cameras?
The Electronic Communications Privacy Act (ECPA) covers the interception of communications and electronic surveillance. Crucially, it prohibits recording audio without consent in most contexts.
Because of this, US workplace CCTV is almost always strictly video-only to avoid wiretapping violations. Video surveillance in non-private areas of a workplace is generally permitted at the federal level, provided there is a legitimate business reason. However, monitoring areas where employees have a "reasonable expectation of privacy"—such as changing rooms, locker rooms, or bathrooms—is strictly illegal under both federal law and the laws of all 50 states.
How do state laws differ?
Several states impose much stricter transparency requirements on employers:
- Connecticut: Requires employers to notify employees in writing before implementing any electronic monitoring, which explicitly includes video surveillance.
- California: Under the California Consumer Privacy Act (CCPA) as amended, data exemptions for employees have expired. This means California employees have strict consumer-like privacy rights regarding their workplace data. They have the right to know what video footage is being collected, request access to footage they are featured in, and request deletion under specific criteria.
- New York: While New York Civil Rights Law § 52-c requires written notice for monitoring electronic communications (like email and internet use), workplace video surveillance is governed by Labor Law § 203-c, which strictly bans cameras in highly private areas like restrooms and locker rooms.
Texas, Florida, and many other states follow a more traditional approach, requiring only that cameras not violate a reasonable expectation of privacy. Even so, best practice across all states is to document the business purpose, provide staff with written notice, and restrict access to footage to authorised personnel only.
Signage in the US
Unlike the UK, the US has no blanket federal signage requirement for workplace CCTV. However, posting visible notices dramatically reduces legal exposure by eliminating any argument that an employee had an expectation of privacy in that area. In states with strict employee monitoring laws, written policy notice is a hard requirement. For public-facing premises, signage also sets appropriate expectations for visitors and customers.
Consequences of non-compliance in the US
Penalties vary drastically by state. In Connecticut, violations of electronic monitoring notice laws can result in civil fines. In California, non-compliance with the CCPA can trigger statutory fines from the California Privacy Protection Agency (CPPA) or expose employers to costly private civil lawsuits.
Covert recording in a private area can also expose employers to criminal liability under state wiretapping or invasion-of-privacy statutes. Beyond formal fines, non-compliance carries the practical risk of video evidence being ruled inadmissible in employment disputes, completely undermining the security purpose the cameras were installed to serve.
Key Obligations at a Glance
The table below summarises the core requirements for each jurisdiction. It is a starting point, not a substitute for formal legal advice.
| Obligation | UK | US (Federal) | US (Stricter States - e.g., CA, CT) |
|---|---|---|---|
| Lawful basis required | Yes (UK GDPR Article 6) | Not prescribed by statute | Varies (Business justification required) |
| Written staff notice | Yes (UK GDPR Article 13) | No federal requirement | Yes (Explicitly required in CT and others) |
| Signage at entry points | Yes | No federal requirement | Highly Recommended / Local laws may apply |
| Retention period defined | Yes (Proportionality test) | No federal requirement | Varies |
| No cameras in private areas | Yes | Yes | Yes |
| Respond to access requests | Yes, within one month | No federal equivalent | Yes (Under California's CCPA/CPRA) |
| Redact third parties before disclosure | Yes (Strict requirement) | No federal requirement | Recommended (To avoid privacy tort liability) |
What a Workplace CCTV Policy Should Cover
Whether you operate in the UK or US, a written policy reduces legal risk and gives employees clear information. A robust policy should state:
- The exact purpose of each camera.
- Who is authorised to access the footage.
- How long recordings are kept before deletion.
- How employee access requests are handled.
- The consequences of system misuse.
One area organisations frequently overlook is what happens when footage needs to be shared with third parties. Sharing unredacted footage with insurers, solicitors, or law enforcement can expose third-party personal data and spark privacy lawsuits. Before any disclosure, always check whether redaction is required.
Limitations to be aware of
Automated redaction tools, including Secure Redact, perform best on footage at 720p resolution or above. On older analogue systems or cameras with wide-angle lenses at long range, detection accuracy may vary, and a manual review may be needed. No automated system completely eliminates the need for a final human check before disclosing footage in a legal or regulatory context.
Where to start
If you are in the UK, the ICO's employment practices guidance and the Biometrics and Surveillance Camera Commissioner's code of practice are your core reference points. If you are in the US, review your specific state's employee monitoring and privacy statutes before rolling out any new system.
If your organisation is already managing CCTV footage and responding to access requests, Pimloc’s Secure Redact can dramatically reduce the time it takes to prepare footage for disclosure. You can upload footage, run automated redaction, and download a compliant, blurred copy without manual, frame-by-frame editing.
Frequently Asked Questions
- Yes. The UK GDPR requires employers to inform people that recording is taking place, explain the specific purpose of the surveillance, and outline how long footage is kept and who can access it. This is usually achieved through clear entry-point signage combined with an easily accessible written privacy notice or internal CCTV policy.
- Yes. In the UK, any employee can submit a Subject Access Request (SAR) under the UK GDPR to access footage in which they appear. The employer generally has one month to respond. Crucially, any footage showing other identifiable individuals (such as coworkers or bystanders) must be redacted or blurred before the recording is shared to protect third-party privacy.
- There is no rigid, fixed time limit set by the ICO, but retention periods must be clearly defined, documented, and proportionate to your security goals. Most standard workplace systems retain footage for 28 to 31 days. Keeping footage longer than necessary without a specific justification (such as an ongoing legal dispute or theft investigation) is a breach of the UK GDPR's storage limitation principle.
- Video-only surveillance in non-private areas of a workplace is generally lawful at the federal level, provided the employer has a legitimate business reason for it. Audio recording is much more tightly restricted under federal and state wiretapping laws. Employers must also comply with state-specific statutes: Connecticut, for example, strictly requires prior written notice to employees before any electronic workplace monitoring (including video) begins, while California grants employees broad rights to see what data is being collected on them.
- In both the UK and the US, cameras must never be placed in areas where individuals have a "reasonable expectation of privacy." This strictly includes toilets, changing rooms, locker rooms, and highly private rest areas. In the US, violating this can trigger criminal voyeurism charges; in the UK, it violates fundamental data protection principles and human rights laws.
- In the UK, sharing footage that exposes identifiable third parties without redacting them first constitutes a data breach (disclosing personal data without a lawful basis). This can result in an ICO investigation, a public reprimand, or financial penalties. In the US, the consequences depend heavily on state law but can include costly civil lawsuits for invasion of privacy or data privacy violations.
