CCTV Rules and Regulations at Work: A Practical Guide for UK and US Employers


In the UK, workplace CCTV is governed by UK GDPR (the UK's retained version of the EU General Data Protection Regulation) and the Data Protection Act 2018, which together require employers to have a lawful basis for recording, inform staff and visitors that cameras are in use, limit what is captured, and handle footage securely. In the United States, there is no single federal equivalent: obligations come from a mix of federal guidance and state statutes that vary considerably by location.

This guide covers the main rules for workplace CCTV in the UK and the United States. It is written for organisations managing existing systems or planning new ones, not for consumers setting up home cameras.


UK Rules: What the Law Requires

In the UK, workplace CCTV is governed by the UK GDPR and the Data Protection Act 2018. The ICO (Information Commissioner's Office, the UK's independent data protection regulator) publishes specific guidance on surveillance cameras, and the Biometrics and Surveillance Camera Commissioner maintains a code of practice. Public authorities must have regard to that code. Private employers are not legally required to follow it, but the ICO treats compliance with it as best practice.

What must UK employers do before installing CCTV?

Before installing cameras, you need a lawful basis under UK GDPR Article 6. Most employers rely on "legitimate interests." That means completing a Legitimate Interests Assessment (LIA), a documented process that tests whether the security purpose is proportionate and whether employees' privacy rights have been properly weighed. If the assessment does not hold up, the processing is unlawful regardless of what your internal CCTV policy says.

What are the transparency and signage requirements?

UK GDPR Article 13 requires you to inform people that recording is taking place, what the footage is used for, how long it is kept, and who can access it. In practice, this means clear signage at entry points, an accessible privacy notice, and a written CCTV policy. Signage alone is not sufficient if it does not provide enough information for someone to understand their rights.

Data minimisation and retention

Under UK GDPR Article 5, you should only capture footage that is necessary for the stated purpose. Cameras should not be positioned where they will routinely record areas unrelated to your security aim, such as toilets or private breakrooms.

Retention periods must be clearly defined and enforced. The ICO does not prescribe a rigid, fixed limit, but most standard workplace systems retain footage for 28 to 31 days unless there is a specific ongoing investigation or legal reason to keep it longer.

How must employers handle subject access requests for CCTV footage?

Employees can submit a Subject Access Request (SAR), a formal request under UK GDPR for their personal data, demanding access to any footage in which they appear. You generally have one month to respond.

If the footage shows other individuals, you are legally required to redact (blur) those bystanders before disclosure. Failure to do so means releasing third-party personal data without a lawful basis, which constitutes a separate data breach.

This is where automated redaction becomes a practical necessity rather than a convenience. Manually blurring bystanders in hours of CCTV footage is slow and prone to error. Secure Redact processes footage automatically, detecting and blurring faces and other identifiers, so compliance teams can respond to SARs within the legal timeframe without dedicating significant staff time to the task.

Consequences of non-compliance in the UK

The ICO holds significant enforcement powers. Under UK GDPR, maximum fines can reach £17.5 million or 4% of global annual turnover, whichever is higher.

In practice, most enforcement action against standard employers results in public reprimands, enforcement notices, or fines in the thousands. A public ICO decision also appears on the regulator's published register of regulatory action, which is easily accessible to clients, insurers, and the press.

While landmark multi-million pound fines typically target major tech providers or mass public surveillance programs, the more common risk for standard employers is an upheld SAR complaint. If the ICO investigates and finds you failed to respond correctly or released unredacted footage of other employees, a formal public reprimand is highly likely.



US Rules: A Fragmented Picture

There is no single federal law governing workplace CCTV in the United States. Employers must navigate a shifting combination of federal guidance, state statutes, and local ordinances.

What does federal law say about workplace cameras?

The Electronic Communications Privacy Act (ECPA) covers the interception of communications and electronic surveillance. Crucially, it prohibits recording audio without consent in most contexts.

Because of this, US workplace CCTV is almost always strictly video-only to avoid wiretapping violations. Video surveillance in non-private areas of a workplace is generally permitted at the federal level, provided there is a legitimate business reason. However, monitoring areas where employees have a "reasonable expectation of privacy"—such as changing rooms, locker rooms, or bathrooms—is strictly illegal under both federal law and the laws of all 50 states.

How do state laws differ?

Several states impose much stricter transparency requirements on employers:

  • Connecticut: Requires employers to notify employees in writing before implementing any electronic monitoring, which explicitly includes video surveillance.

  • California: Under the California Consumer Privacy Act (CCPA) as amended, data exemptions for employees have expired. This means California employees have strict consumer-like privacy rights regarding their workplace data. They have the right to know what video footage is being collected, request access to footage they are featured in, and request deletion under specific criteria.

  • New York: While New York Civil Rights Law § 52-c requires written notice for monitoring electronic communications (like email and internet use), workplace video surveillance is governed by Labor Law § 203-c, which strictly bans cameras in highly private areas like restrooms and locker rooms.

  • Texas, Florida, and many other states follow a more traditional approach, requiring only that cameras not violate a reasonable expectation of privacy. Even so, best practice across all states is to document the business purpose, provide staff with written notice, and restrict access to footage to authorised personnel only.

Signage in the US

Unlike the UK, the US has no blanket federal signage requirement for workplace CCTV. However, posting visible notices dramatically reduces legal exposure by eliminating any argument that an employee had an expectation of privacy in that area. In states with strict employee monitoring laws, written policy notice is a hard requirement. For public-facing premises, signage also sets appropriate expectations for visitors and customers.

Consequences of non-compliance in the US

Penalties vary drastically by state. In Connecticut, violations of electronic monitoring notice laws can result in civil fines. In California, non-compliance with the CCPA can trigger statutory fines from the California Privacy Protection Agency (CPPA) or expose employers to costly private civil lawsuits.

Covert recording in a private area can also expose employers to criminal liability under state wiretapping or invasion-of-privacy statutes. Beyond formal fines, non-compliance carries the practical risk of video evidence being ruled inadmissible in employment disputes, completely undermining the security purpose the cameras were installed to serve.


Key Obligations at a Glance

The table below summarises the core requirements for each jurisdiction. It is a starting point, not a substitute for formal legal advice.

| Obligation | UK | US (Federal) | US (Stricter States - e.g., CA, CT) |
|---|---|---|---|
| Lawful basis required | Yes (UK GDPR Article 6) | Not prescribed by statute | Varies (Business justification required) |
| Written staff notice | Yes (UK GDPR Article 13) | No federal requirement | Yes (Explicitly required in CT and others) |
| Signage at entry points | Yes | No federal requirement | Highly Recommended / Local laws may apply |
| Retention period defined | Yes (Proportionality test) | No federal requirement | Varies |
| No cameras in private areas | Yes | Yes | Yes |
| Respond to access requests | Yes, within one month | No federal equivalent | Yes (Under California's CCPA/CPRA) |
| Redact third parties before disclosure | Yes (Strict requirement) | No federal requirement | Recommended (To avoid privacy tort liability) |

What Should a Workplace CCTV Policy Cover?

Whether you operate in the UK or US, a written policy reduces legal risk and gives employees clear information. A robust policy should state:

  • The exact purpose of each camera.

  • Who is authorised to access the footage.

  • How long recordings are kept before deletion.

  • How employee access requests are handled.

  • The consequences of system misuse.

One area organisations frequently overlook is what happens when footage needs to be shared with third parties. Sharing unredacted footage with insurers, solicitors, or law enforcement can expose third-party personal data and spark privacy lawsuits. Before any disclosure, always check whether redaction is required.

Limitations to be aware of

Automated redaction tools, including Secure Redact, perform best on footage at 720p resolution or above. On older analogue systems or cameras with wide-angle lenses at long range, detection accuracy may vary, and a manual review may be needed. No automated system completely eliminates the need for a final human check before disclosing footage in a legal or regulatory context.

Where to start

If you are in the UK, the ICO's employment practices guidance and the Biometrics and Surveillance Camera Commissioner's code of practice are your core reference points. If you are in the US, review your specific state's employee monitoring and privacy statutes before rolling out any new system.

If your organisation is already managing CCTV footage and responding to access requests, Pimloc’s Secure Redact can dramatically reduce the time it takes to prepare footage for disclosure. You can upload footage, run automated redaction, and download a compliant, blurred copy without manual, frame-by-frame editing.

