Legal Guidelines for Sharing Surveillance Footage: How to Protect Third-Party Privacy

Łukasz Bonczol
Published: 5/2/2025
Updated: 7/2/2026

Summary: Before you release security-camera footage, the key question is who's receiving it - police, a person caught on camera, an insurer or vendor, or the public. Each has a different legal basis and a different redaction expectation, and in almost every case you must obscure uninvolved third parties. Gallio PRO automatically blurs faces and license plates across your footage and gives you a built-in editor to hide anything else (badges, documents, screens) by hand - so you can answer the request while protecting bystanders. It runs on your own machine and keeps no logs. Download the free demo to try it on your own clips.

Surveillance is everywhere, and so is the temptation to forward a clip to the police, post it to a neighborhood group, or hand it to an insurer. Doing that without redacting the people who aren't the point of the footage is where organizations get into trouble. This guide is US-first, with the EU/UK position alongside, and it's organized around the decision that actually matters: the recipient.

Download the free demo →

Who Are You Sharing With? A Recipient-by-Recipient Guide

The legal basis and the redaction expectation change with the recipient. Use this as your starting matrix.

The US Picture: No Single Law, Several That Bite

There's no federal GDPR-equivalent for surveillance in the US. Instead, several frameworks apply depending on what you're doing:

  • State recording / wiretap laws. Video is treated more permissively than audio. Roughly a dozen states require all-party (two-party) consent for recording private conversations - including California, Illinois, Florida, Pennsylvania, Washington, and Massachusetts - while most others are one-party. If your camera captured audio you weren't entitled to record, sharing it can compound the violation.
  • CCPA / CPRA (California). Footage that identifies a consumer can be personal information; sharing it with vendors requires proper "service provider"/"contractor" terms.
  • BIPA (Illinois, 740 ILCS 14). Applies if you process footage to extract a biometric identifier such as a faceprint.
  • FOIA / state public records laws. Public bodies must release certain records, but privacy exemptions mean third parties (and bystanders) should be redacted first.

For US public-sector context, see the DHS Best Practices for Privacy and Civil Liberties Considerations in the Use of Camera Systems (2020).

The EU / UK Layer

Under the GDPR, individuals retain privacy expectations even in public spaces captured by cameras (confirmed by the CJEU in Ryneš, C-212/13). Before sharing, you need a lawful basis, and the data-minimisation principle (Art. 5(1)(c)) means redacting people who aren't the purpose of the disclosure. The EDPB's Guidelines 3/2019 on video devices are the reference framework; an access request under Art. 15 must be balanced against the privacy rights of others in the same footage - which in practice means blurring them.

How to Redact Surveillance Footage with Gallio PRO (Step by Step)

Prefer to watch? See the full step-by-step video tutorial.

  1. Install Gallio PRO from gallio.pro/download. It processes footage locally, so the unredacted original never leaves your environment - important for chain of custody.
  2. Import the recorded clip. Gallio PRO works on saved video files, not on live or real-time camera feeds.
  3. Run automatic detection. Gallio PRO automatically blurs faces and license plates across the footage and tracks them as people and vehicles move - the only two elements it detects automatically.
  4. Redact the rest in the built-in editor. Name badges, ID documents, a visible monitor, a tattoo, or a logo aren't auto-detected - blur them manually in a few clicks. (Audio is a separate legal issue; if your clip contains conversations you weren't entitled to record, handle that before sharing.)
  5. Keep the requester visible, hide everyone else. For an access request, leave the requester identifiable and blur all other people - Gallio PRO lets you control which detections to keep.
  6. Verify and export. Scrub through to confirm no bystander slips through, then render. Gallio PRO keeps no detection logs and stores no personal data.

See how Gallio PRO fits high-volume redaction workflows.

Special Cases Worth Flagging

Footage with audio. Audio carries stricter consent rules than video. Confirm you had the right to record it before sharing; if not, the safest path is to remove or not disclose the audio.

Home and doorbell cameras. Homeowners face lighter regulation than businesses, but sharing isn't unrestricted. If a doorbell camera captures a public sidewalk or a neighbor's property, blur passersby before posting to social media or a neighborhood app.

Covert / hidden cameras. Footage from covert recording is high-risk. Verify you had a legitimate basis for the recording itself before sharing anything, and apply stronger redaction than usual.

Criminal activity. Tempting to post, but the privacy of uninvolved bystanders still applies. Share with law enforcement first; if public posting is genuinely necessary, release a version with everyone but the relevant party redacted.

What's at Risk if You Skip Redaction

In the EU/UK, improper disclosure can mean complaints to a supervisory authority and fines up to €20 million or 4% of global annual turnover (GDPR Art. 83). In the US, the exposure runs through privacy/civil suits, state-law penalties (e.g. BIPA's private right of action in Illinois), and contractual or reputational fallout. There's also an evidentiary risk: footage shared or obtained improperly can be challenged or excluded in proceedings, undermining the very reason you kept it.

Best Practices Checklist

  • Set a written policy for when and how footage may be shared.
  • Train staff on handling surveillance data.
  • Document every request and the legal basis for sharing.
  • Redact uninvolved third parties before sharing, unless a specific exception applies.
  • Share the minimum footage needed for the purpose.
  • Set a retention period tied to purpose (commonly ~30–90 days) and delete on schedule.
  • Secure originals with access controls and an audit trail of exports.

Download the free Redaction Tool Checklist

Choosing a tool to redact your footage? Get our free one-page checklist: 10 things to check before you trust a tool with faces and license plates, including where your footage actually goes and whether the redaction is truly irreversible. Get the checklist here.

FAQ: Sharing Surveillance Footage

Can I post security footage of a crime on social media?

The privacy of uninvolved bystanders still applies. Share with law enforcement first; if you post publicly, redact everyone who isn't the relevant party.

Do I have to redact other people when responding to an access request?

Yes. You can release footage showing the requester, but you must blur other identifiable individuals first - under GDPR Art. 15 and US state access rights alike.

What's the difference between one-party and all-party consent?

In one-party states, recording is lawful if one participant consents (which can be you). In all-party states, everyone recorded must agree. It mainly affects audio captured by surveillance systems.

Can Gallio PRO blur multiple moving people at once?

Yes. It automatically detects and blurs faces and license plates across the footage and tracks them as subjects move; you can choose which detections to keep visible.

Does Gallio PRO work on a live camera feed or redact audio?

No to both. Gallio PRO processes recorded video files, not real-time or live streams, and it works on the visual layer (faces and plates automatically, other elements manually) - it does not redact audio.

How long should I keep surveillance footage?

Tie retention to the system's purpose - commonly 30–90 days - unless there's a specific reason (such as an active investigation) to keep it longer.

References list

  1. Regulation (EU) 2016/679 (GDPR) - Art. 5(1)(c), Art. 6, Art. 15, Art. 83. https://eur-lex.europa.eu/
  2. European Data Protection Board (2019). Guidelines 3/2019 on processing of personal data through video devices. https://edpb.europa.eu/
  3. Article 29 Working Party, Opinion 4/2004 on the processing of personal data by means of video surveillance.
  4. CJEU, Case C-212/13, František Ryneš (2014). https://curia.europa.eu/
  5. U.S. Department of Homeland Security (2020). Best Practices for Privacy and Civil Liberties Considerations in the Use of Camera Systems.
  6. California Consumer Privacy Act / CPRA; Illinois Biometric Information Privacy Act, 740 ILCS 14; state wiretap/eavesdropping statutes (US; vary by state).