California Video Surveillance Compliance Guide for 2026

Understanding California video surveillance laws

California requires businesses to get consent before recording people in private spaces, with different rules for video and audio. Video recording is usually allowed in public areas like lobbies and parking lots where people don't expect privacy. Audio recording is much stricter and requires everyone being recorded to agree first.

The key concept in California surveillance law is "reasonable expectation of privacy." This legal standard decides where you can record and where recording becomes illegal. Restrooms, locker rooms, and private offices have strong privacy expectations. Lobbies, retail floors, and parking structures typically do not.

Why California has stricter surveillance laws than other states

California is a two-party consent state. This means everyone in a conversation must agree before you can record audio. Many other states only require one person to consent, making California's rules significantly more restrictive.

The state's privacy-first approach extends beyond surveillance to broader data protection through laws like the California Consumer Privacy Act, which carries fines up to $7,988 per violation. Federal law sets a baseline for surveillance practices, but California often goes further. If your business operates in multiple states, compliance elsewhere doesn't guarantee compliance in California.

Penal Code Section 632 specifically prohibits recording confidential communications without consent from all parties involved. Violating this law can result in criminal charges and significant fines.

Consent requirements for video surveillance

Video and audio recording have different consent thresholds under California law. You can generally record video in public or common areas without explicit consent, though posting signs is strongly recommended. Audio recording always requires two-party consent, regardless of where it happens.

You can document consent in several ways:

• Written acknowledgment: Employees sign a surveillance policy when they're hired
• Email confirmation: Workers digitally accept monitoring terms
• Signed handbook policy: Formal documentation employees review and sign

Some areas require explicit consent no matter what. Restrooms, changing rooms, and private offices where confidential conversations happen are always off-limits for surveillance. You must notify employees about monitoring before recording starts, not after.

Where you can and cannot record in California

California security camera laws allow recording in areas where people have no reasonable expectation of privacy. This includes lobbies, hallways, parking structures, and customer-facing retail spaces. Outdoor areas visible to the public, like building exteriors and loading docks, are also permissible.

Customer-facing businesses like retail stores and restaurants can record sales floors and transaction areas without individual consent. Dressing rooms and restrooms remain strictly prohibited. Audio recording requires consent from everyone captured, which is impractical in most retail settings.

Audio recording restrictions

California Penal Code Section 632 makes it illegal to record confidential communications without consent from every participant. This applies to in-person conversations, phone calls, and meetings where people expect privacy. Penalties include fines up to $2,500 per violation and potential criminal charges.

The difference between incidental audio and intentional recording matters legally. A security camera capturing ambient noise in a public lobby is different from a system designed to record private office conversations. Most organizations disable audio recording on surveillance equipment unless they have documented consent from all parties.

Meeting and conference recording requires special attention. Even internal business meetings may involve confidential discussions protected under California surveillance laws. You must get explicit consent before recording any meeting, whether in person or virtual.

Compliance requirements for businesses

Beyond knowing where recording is permitted, California businesses must implement specific compliance measures to operate surveillance systems lawfully. These requirements cover employee notification, data handling, and vendor management. The CPPA reported hundreds of active investigations in 2025. Treating compliance as ongoing rather than a one-time setup protects your organization from liability.

Employee notification and policies

California law requires you to inform workers about surveillance practices before monitoring begins. This notification should happen during onboarding for new employees and through formal policy updates for existing staff. Written documentation creates a clear record that employees received proper notice.

Your surveillance policy should include:

• Camera locations: Specific areas where recording occurs
• Purposes: Security, safety, or operational reasons for monitoring
• Data retention: How long you store footage before deletion
• Access controls: Who can view recordings and under what circumstances
• Audio status: Whether audio capture is enabled or disabled

Use clear, accessible language that employees can easily understand. Vague or overly technical descriptions may not satisfy notification requirements and could expose you to legal challenges.

Data retention and security obligations

California doesn't mandate a specific retention period for surveillance footage, but best practices suggest keeping recordings for 30 to 90 days unless needed for an active investigation. Keeping footage indefinitely creates unnecessary liability and storage costs. Establish clear retention schedules and automate deletion processes.

Your security measures for stored footage must prevent unauthorized access and tampering:

• Encryption: Protect footage both in transit and at rest
• Password protection: Require strong credentials for system access
• Audit trails: Log who accesses footage and when
• Physical security: Secure recording equipment in locked areas

If a data breach compromises surveillance footage, California's SB 446, effective January 1, 2026, mandates deadlines for notifying affected individuals. Have incident response plans that address video data specifically.

Third-party vendor compliance

When you use cloud storage or third-party monitoring services, you remain responsible for how those vendors handle footage. Data processing agreements should clearly define privacy obligations, security standards, and breach notification procedures. Your vendors must meet the same compliance standards you would apply internally.

Before selecting a vendor, verify their security certifications, data handling practices, and track record with similar clients. Liability for vendor breaches can extend to your organization, making careful selection essential.

Industry-specific surveillance rules

Certain industries face additional surveillance requirements beyond baseline California law. Healthcare, retail, and corporate environments each present unique compliance considerations. Organizations in these sectors must layer industry-specific rules on top of general state requirements.

Healthcare and medical offices

Healthcare facilities must balance security needs with patient privacy protections under HIPAA. Waiting areas and hallways may permit video surveillance, but treatment rooms, exam areas, and spaces where protected health information is discussed require strict privacy protections. Audio recording in medical settings is almost universally prohibited.

Position cameras so footage cannot capture patient records, computer screens displaying health information, or conversations between patients and providers. Train staff on both California surveillance laws and HIPAA requirements.

Retail and customer-facing businesses

Retail environments require clear customer notification through posted signage at entrances and throughout the store. Point-of-sale areas and cash handling zones are appropriate for surveillance, but dressing rooms and restrooms are strictly prohibited. Make signage visible and easy to understand.

Position cameras to capture transaction areas without recording private spaces. Audio recording in retail settings requires two-party consent, which is impractical in most customer interactions. Most retailers disable audio capture entirely.

Workplace and corporate offices

California employees retain privacy rights even in workplace settings. You cannot monitor private areas like restrooms or designated break rooms where workers have reasonable privacy expectations. Open office areas, conference rooms with proper notice, and common spaces generally permit surveillance.

Notification remains critical in corporate environments. Employees should acknowledge surveillance policies in writing, and you should refresh these acknowledgments when monitoring practices change.

Common compliance mistakes to avoid

Even well-intentioned organizations make surveillance compliance errors that expose them to liability. Understanding frequent mistakes helps you implement preventive measures. Consequences of violations can include civil lawsuits, regulatory fines, and criminal penalties.

Common compliance failures include:

• Inadequate signage: Failing to post visible notices about video surveillance
• Audio recording without consent: Enabling microphones without two-party consent documentation
• Recording in private areas: Placing cameras in restrooms, changing rooms, or break rooms
• Unauthorized footage access: Allowing employees to view recordings without legitimate business purpose
• Poor data security: Storing footage without encryption or access controls
• Missing employee notification: Beginning surveillance before informing workers
• Excessive retention: Keeping footage indefinitely without clear justification

Each mistake carries distinct risks. Audio recording violations under Penal Code Section 632 can result in criminal charges. Privacy violations may trigger civil lawsuits with damages up to $3,000 per incident.

How Lumana helps with surveillance compliance

Lumana's AI-powered video security platform is designed with California compliance requirements in mind. The system provides tools that help you manage consent documentation, control access to footage, and maintain audit trails automatically. These features reduce the administrative burden of compliance while minimizing risk.

Key compliance-supporting capabilities include:

• Location-based recording controls: Configure camera settings based on area sensitivity
• Access logging: Automatic documentation of who views footage and when
• Retention automation: Set and enforce footage deletion schedules
• Role-based permissions: Limit footage access to authorized personnel only

Lumana's cloud-based architecture centralizes management across multiple sites while maintaining the security standards California law requires. You gain visibility into surveillance operations without sacrificing compliance.

To see how Lumana streamlines video surveillance compliance, request a product demo.

Frequently asked questions

Can California businesses record video without capturing audio?

Yes, video-only recording is permitted in areas where people have no reasonable expectation of privacy, such as lobbies, parking lots, and retail floors. Audio recording triggers stricter two-party consent requirements under Penal Code Section 632, so many organizations disable audio capture entirely.

How long should California businesses keep surveillance footage?

California doesn't mandate a specific retention period, but best practices suggest 30 to 90 days for general security footage. Keep footage related to active investigations or legal matters until the matter concludes.

What penalties apply for violating California surveillance laws?

Violations of Penal Code Section 632 can result in fines up to $2,500 per violation and up to one year in jail. Civil lawsuits may add damages of up to $3,000 per incident, and businesses may face additional regulatory penalties.

Are California businesses required to post video surveillance signs?

While not strictly required in all cases, posting visible signage is strongly recommended and may be necessary to eliminate reasonable privacy expectations. Clear notification protects businesses from claims that individuals were recorded without knowledge.

‍