California Video Surveillance Laws: A Compliance Reference for Security Teams
California regulates video surveillance through multiple legal frameworks rather than a single statute. Camera placement, privacy expectations, workplace restrictions, and CCPA/CPRA data handling can all affect how security teams deploy and manage surveillance systems. This guide outlines the key statutes, location limits, notice considerations, and data handling obligations.
Independent Legal Layers Governing Surveillance
California physical security operations must satisfy multiple legal frameworks. Compliance with one does not satisfy the others.
The California Invasion of Privacy Act (CIPA), codified in Penal Code §§ 630–638.55, governs audio recording, wiretapping, and eavesdropping. Penal Code § 647(j) addresses visual surveillance of private spaces. Labor Code § 435 imposes separate workplace restrictions, and CCPA/CPRA can apply when surveillance footage contains personal information.
Video Versus Audio Recording Rules
The distinction between video-only and audio-inclusive recording is a consequential compliance decision for security teams in California.
Video-Only Recording
No state statute cited here categorically bans video-only surveillance in all public or common areas. Penal Code § 647(j) restricts cameras in spaces where occupants have a reasonable expectation of privacy, so camera placement remains the core legal question for video-only deployments.
Audio Recording and All-Party Consent
California is an all-party consent state. Penal Code § 632 prohibits using an electronic recording device to capture a confidential communication without the consent of all parties. For security teams, the practical implication is straightforward: enabling microphones creates materially higher compliance risk than video-only recording.
Penal Code § 632.7 adds a separate layer. If an audio-enabled camera's microphone captures someone speaking on a cell phone, § 632.7 may apply independently of § 632.
Where Cameras Are Allowed and Restricted
Penal Code § 647(j)(1) prohibits cameras in bathrooms, bedrooms, changing rooms, fitting rooms, dressing rooms, tanning booths, and any other area where the occupant has a reasonable expectation of privacy. The statute includes an exception for areas used to count currency or other negotiable instruments.
Open office areas, common spaces, lobbies, building exteriors, and parking lots generally present different privacy questions than the spaces identified in § 647(j)(1). Private offices and other lockable spaces can require closer review because the analysis turns on whether the occupant has an expectation of privacy.
Workplace Surveillance Considerations
Labor Code § 435 prohibits employers from making audio or video recordings of employees in restrooms, locker rooms, or employer-designated changing rooms. The only exception is a court order. Labor Code § 435 also prohibits employers from using footage obtained in violation of that section for any purpose.
Notice and Consent Requirements
California has no single statute mandating surveillance signage across all contexts. Obligations are constructed from multiple sources.
For businesses covered by CCPA/CPRA, the California Privacy Protection Agency's guidance addresses camera-based collection. Prominent signage at camera locations can satisfy the Notice at Collection obligation under Civil Code § 1798.100(a). The notice must include the categories of personal information collected, whether the information is sold or shared, the retention period, and a reference to the full online privacy policy. Where the full notice cannot be physically displayed, signage may direct individuals to the complete online privacy policy.
Data Privacy and Storage Under CCPA/CPRA
Video footage from security cameras falls within the definition of personal information under CCPA/CPRA when it captures identifiable California residents. Covered businesses must provide notice and align retention and use practices with the purposes disclosed at collection. Footage retained beyond that period, or repurposed for undisclosed uses, may violate data minimization requirements.
When footage is shared with cloud storage vendors, contract security personnel, or managed security service providers, written agreements are required under Civil Code § 1798.100(d) specifying that personal information is disclosed only for limited purposes and that the third party must comply with applicable CCPA/CPRA obligations.
Camera systems deploying biometric identification technology can also raise CPRA issues involving sensitive personal information and limits on use and disclosure.
Penalties and Legal Risks
CIPA violations carry both criminal and civil consequences. A first offense under § 632 can result in fines up to $2,500 per violation, county jail up to one year, or state prison. Repeat offenders face fines up to $10,000 per violation.
Civil exposure under Penal Code § 637.2 is the greater of $5,000 per violation or three times actual damages, and no actual damages are required to bring suit. For camera deployments recording hundreds of conversations, aggregate exposure compounds rapidly.
Practical Compliance Guidance
The most effective risk reduction measure is to disable audio on security cameras unless a documented all-party consent structure is in place. Security teams should document a legitimate business purpose for each camera location, avoid placements in spaces associated with heightened privacy expectations, post signage that satisfies CCPA/CPRA notice requirements, and maintain retention schedules tied to stated security purposes.
Frequently Asked Questions
Does California law ban all video surveillance?
No. The stricter location limits apply to cameras placed in spaces where people have a reasonable expectation of privacy.
Are security cameras with microphones treated differently?
Yes. Once audio is enabled, Penal Code § 632 becomes a central compliance issue, and § 632.7 may also apply if cellular calls are captured.
Is signage required for all camera deployments?
California has no single statute that requires surveillance signage across all contexts. For covered businesses, signage can play an important role in satisfying CCPA/CPRA Notice at Collection requirements.
Do CCPA/CPRA rules apply to surveillance footage?
For covered businesses, yes, when footage contains identifiable personal information. That affects notice, retention, sharing, and sensitive-personal-information handling.
What is the lowest-risk default for security teams?
Disable audio unless a documented all-party consent structure is in place and the deployment has been reviewed for location, notice, and data-handling compliance.
