Video monitoring regulations in the world’s major privacy laws

Łukasz Bonczol
Published: 11/22/2025
Updated: 3/10/2026

Video monitoring is now embedded in everyday life, from retail CCTV and smart city cameras to building access systems and dashcams. While the technology is increasingly similar across countries, the legal rules that govern video surveillance are not. Major privacy laws such as the EU GDPR, UK GDPR, CCPA/CPRA in California, Brazil’s LGPD and South Africa’s POPIA all treat video as personal data when individuals are identifiable, but they differ in terminology, legal bases, risk assessments and enforcement expectations [1][6][7][8]. This overview focuses on how these frameworks regulate video monitoring and what controllers need to get right in practice. It is informational in nature and does not constitute legal advice.

Video monitoring as personal data processing

All modern privacy laws start from the same core idea: if a person can be identified from a recording, that recording is personal data and falls within the law’s scope. Video monitoring therefore rarely sits outside data protection rules.

When CCTV becomes personal data

Under the GDPR, “personal data” is any information relating to an identified or identifiable natural person, including images from which someone can be recognised directly or indirectly [1]. UK GDPR follows the same approach. The UK ICO’s guidance on video surveillance confirms that most CCTV and body-worn camera footage will be personal data when people can be identified or singled out in the frame [2][3]. Similar definitions appear in Brazil’s LGPD and South Africa’s POPIA, which both treat any information that can identify a natural person as protected personal data [7][8].

Typical use cases for regulated video monitoring

Common regulated uses include fixed CCTV in stores, shopping malls and office buildings, automatic number plate recognition (ANPR/LPR) systems in car parks, access control and intercom video at building entrances, body-worn cameras for security staff and integrated smart city sensor networks. Even when video is used primarily for safety or loss prevention, regulators treat it as full-scale data processing that must comply with purpose limitation, minimisation, transparency, security and data subject rights.

GDPR and UK GDPR: structured rules for video surveillance

The GDPR and its UK counterpart are the most detailed general privacy regimes affecting video monitoring. In Europe, supervisory authorities have issued extensive CCTV and video surveillance guidance, and expectations are relatively harmonised.

Lawful basis and legitimate interests

Controllers must identify a lawful basis for each video monitoring purpose, such as legitimate interests in preventing theft or ensuring safety, compliance with a legal obligation (for example in regulated sectors) or, more rarely, consent [1]. Regulators generally view consent as unrealistic for continuous CCTV in public or semi-public spaces, so legitimate interests is often used, backed by a balancing test showing that surveillance is necessary and proportionate.

DPIAs for high-risk monitoring

Article 35 GDPR requires a Data Protection Impact Assessment (DPIA) when processing is likely to result in a high risk to individuals’ rights, including systematic monitoring of publicly accessible areas on a large scale [1]. Many CCTV deployments in shopping centres, transport hubs, campuses or large workplaces fall into this category. A DPIA should document the surveillance purposes, camera placement, retention, access controls, use of analytics such as facial recognition and measures taken to reduce risk.

Transparency, signage and data subject rights

The UK ICO’s video surveillance guidance stresses that organisations must provide clear and prominent signage, an easily accessible privacy notice and a way for individuals to exercise rights of access, objection and erasure where applicable [2][3]. Similar expectations exist across EU regulators. In practice, this means contact details on signage, layered notices online and documented procedures for handling video access requests and redaction of third parties.

CCPA/CPRA: video monitoring as personal information

California’s CCPA and its amendment, the CPRA, do not include CCTV-specific provisions, but they regulate video monitoring as “personal information” when it can be linked to a particular consumer or household [4][5].

Personal information and inferences from video

The CCPA defines personal information broadly as data that identifies, relates to or could reasonably be linked with a consumer or household [4]. Video footage that shows faces, body shapes, behaviours or vehicle plates will usually fit this definition. CPRA further emphasises “sensitive personal information”, such as precise geolocation and biometric identifiers, which can be derived from high-resolution footage or advanced analytics [5].

Notices, uses and sharing of CCTV data

Businesses subject to CCPA/CPRA must disclose categories of personal information they collect and the purposes for which they use it. If video monitoring is used for security, fraud prevention or analytics, this should be reflected in privacy notices and “just-in-time” signage where appropriate [4][5]. When CCTV is combined with customer profiles or shared with vendors (for example for loss prevention services), those disclosures must be reflected in “sale” or “sharing” statements and in contracts with service providers.

Consumer rights that impact video monitoring

California consumers have rights to know, access and delete certain personal information, as well as to opt out of its sale or sharing [4][5]. For video, access requests can be challenging because businesses must avoid disclosing other individuals’ images. In practice, organisations either redact footage before disclosure or provide still images when full videos are not feasible.

LGPD and POPIA: comprehensive rules in Brazil and South Africa

Brazil’s LGPD and South Africa’s POPIA extend GDPR-style principles to two large and fast-growing markets. Both laws apply broadly to video monitoring where individuals can be identified, including in private and public-sector deployments.

LGPD: lawful bases and impact reports

Brazil’s LGPD applies to any processing of personal data carried out in Brazil or targeting individuals located in Brazil, regardless of the technology used [7]. CCTV in malls, offices, public buildings or condominiums is therefore covered. Controllers must select a legal basis (such as legitimate interest, compliance with legal obligation or protection of credit) and document their reasoning. For high-risk activities, LGPD allows the authority to require a “data protection impact report”, which is similar in function to a DPIA and particularly relevant for extensive or intrusive video monitoring [7].

POPIA: conditions for processing and security safeguards

South Africa’s POPIA sets out “conditions for lawful processing” that apply to any personal information recorded in a file, including images from CCTV systems [8][9]. These conditions include accountability, purpose specification, information quality, openness, security safeguards and data subject participation. Operators of video systems must ensure that recordings are used only for specified purposes, stored securely, retained for limited periods and made available to data subjects where appropriate, subject to third-party protection.

Regulatory focus and enforcement trends

Both LGPD and POPIA are still in relatively early enforcement phases compared to GDPR, but regulators and courts are increasingly paying attention to workplace monitoring, residential CCTV disputes and public-sector deployments. Organisations operating across the EU, Brazil and South Africa cannot assume local regulators will be more lenient simply because case law is younger; in many situations, authorities borrow reasoning from GDPR enforcement when assessing video surveillance systems [7][8][9].

Common themes and key differences across regimes

Despite different terminology and enforcement histories, the major privacy laws converge on several expectations for video monitoring. Understanding these patterns helps global organisations design systems that scale across jurisdictions.

Legal bases, proportionality and necessity

All major frameworks require a clear purpose and legal justification for monitoring, as well as proportionality. GDPR, UK GDPR, LGPD and POPIA use explicit legal bases, often relying on legitimate interests for security-oriented CCTV [1][7][8]. CCPA/CPRA instead focus on transparency, contractual controls and honouring consumer choices rather than ex-ante legal bases [4][5]. In every case, regulators expect organisations to ask: is the camera placement necessary, or could a less intrusive measure achieve the same objective?

Data subject rights and access to footage

Rights of access, rectification and deletion apply to video data under GDPR, LGPD and POPIA, and functionally similar “know” and “delete” rights exist under CCPA/CPRA [1][4][7][8]. The practical difficulty lies in responding to access requests without revealing other people’s images. Regulators usually expect controllers to provide redacted footage or stills where feasible, or to justify why disclosure would disproportionately infringe on others’ privacy.

Workplace and employee monitoring

Employee monitoring via CCTV attracts particular scrutiny. Under GDPR and LGPD, the power imbalance between employer and employee means consent is rarely valid, and legitimate interests must be narrowly framed and supported by strong safeguards [1][7]. POPIA similarly emphasises fairness and reasonableness in employment contexts [8]. In California, employees now enjoy many of the same CPRA rights as consumers, which impacts use of video in workplaces such as warehouses and back-of-house areas [5].

Operational challenges and best practices for compliant video monitoring

Translating legal principles into day-to-day operations is often harder than understanding the rules themselves. Controllers and processors need structured governance for all stages of the video lifecycle.

Mapping systems and defining retention periods

A defensible compliance posture starts with a complete inventory: which cameras exist, what they record, where data is stored, which vendors have access and how long footage is retained. GDPR, LGPD and POPIA all require purpose limitation and storage limitation [1][7][8]. Long, undefined retention periods are a common enforcement trigger; regulators expect specific retention justifications (for example 30 days for general security and longer for specific incidents under legal hold).

Redaction, anonymisation and access workflows

Because most regimes protect both data subjects and third parties in the frame, redaction and anonymisation are central to compliant video monitoring. ICO guidance explicitly calls out the need to mask third parties when providing CCTV copies to individuals [2][3], and similar expectations flow from GDPR, LGPD and POPIA principles [1][7][8]. Manual frame-by-frame editing does not scale in high-volume environments like malls, campuses or transport hubs. In practice, many organisations rely on specialised tooling to automate detection and blurring of faces, licence plates and other identifiers; platforms such as Gallio PRO help operationalise these requirements by combining robust video anonymisation with structured workflows for DSARs and disclosure, allowing teams to stay within legal deadlines without compromising privacy or video quality.

Governance, documentation and audits

Supervisory authorities across Europe, the UK, Brazil and South Africa increasingly expect written policies for video monitoring, signed off at senior level. These policies should cover purposes, camera placement criteria, DPIA or impact report outcomes, retention schedules, access controls, vendor management and DSAR procedures [1][2][7][8]. Maintaining logs of footage access and periodic internal audits helps demonstrate accountability, which is a core requirement in most modern privacy regimes.

FAQ - video monitoring and major privacy laws

Does every CCTV system fall under privacy laws?

In most cases yes, if individuals can be identified or singled out in the footage. Anonymous, low-resolution imagery where no person is identifiable may fall outside scope, but this is rare in modern systems.

Do I always need consent to use CCTV?

Generally no. Under GDPR-style laws, legitimate interests or legal obligation are more typical bases for security monitoring. However, you must still provide clear notice and respect rights, and some jurisdictions may require consent for certain intrusive uses such as employee monitoring in sensitive areas.

How long can I retain CCTV footage?

There is no universal number of days. Regulators expect you to define retention based on necessity and risk, usually measured in weeks rather than years, unless there is a specific incident or legal reason to keep footage longer.

Can people demand a copy of footage that shows them?

Yes, under GDPR, LGPD, POPIA and similar laws they generally can, and under CCPA/CPRA they have related rights to access information. You must, however, protect third parties, often through redaction or by providing only segments or still images.

Are AI analytics and facial recognition subject to stricter rules?

Yes. Using advanced analytics on video, especially facial recognition or emotion analysis, often triggers high-risk classification, DPIA requirements and, in some jurisdictions, sector-specific or local bans. Controllers should treat such deployments as significantly more sensitive than standard security CCTV.

References list

  [1] Regulation (EU) 2016/679 (General Data Protection Regulation), including Article 6, Article 15 and Article 35. https://eur-lex.europa.eu/eli/reg/2016/679/oj
  [2] UK ICO - CCTV and video surveillance guidance hub. https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/cctv-and-video-surveillance/
  [3] UK ICO - Guidance on video surveillance (including CCTV). https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/cctv-and-video-surveillance/guidance-on-video-surveillance-including-cctv/
  [4] California Attorney General - California Consumer Privacy Act (CCPA) overview. https://oag.ca.gov/privacy/ccpa
  [5] IAPP - CCPA and CPRA resources and summary. https://iapp.org/resources/topics/ccpa-and-cpra/
  [6] GDPR.eu - General overview of the GDPR legal text. https://gdpr.eu/
  [7] Brazilian General Data Protection Law (LGPD) - English translation and overview. https://iapp.org/resources/article/brazilian-data-protection-law-lgpd-english-translation/
  [8] Protection of Personal Information Act 4 of 2013 (POPIA), South Africa. https://www.gov.za/documents/protection-personal-information-act
  [9] DLA Piper - Data protection laws in South Africa (POPIA overview). https://www.dlapiperdataprotection.com/index.html?c=ZA&t=law