California security and surveillance regulations: what businesses must know

California is a two-party consent state under Penal Code 632, which prohibits intentional recording of confidential communications without the consent of all parties. CCPA and CPRA (Civ. Code 1798.100 et seq.) treat biometric information and certain surveillance data as personal information requiring disclosure and consumer rights handling. Labor Code 435 bars cameras in restrooms, locker rooms, and other employee privacy areas. Cannabis surveillance is governed by Department of Cannabis Control rules.

Camera-related state law

California is a two-party consent state. Penal Code 632 prohibits intentional eavesdropping on, or recording of, a confidential communication without the consent of all parties to the communication. The statute defines a confidential communication as one where a party has an objectively reasonable expectation that no third party is listening or recording. Violations are criminal and create a civil cause of action with statutory damages.

Penal Code 631 governs wiretap-style interception of telephonic and electronic communications and applies to both interception by the carrier and interception by a third party. Penal Code 647(j) makes it a misdemeanor to record another person without consent in places where privacy is reasonably expected (restrooms, dressing rooms, hotel guest rooms).

Practical translation. Commercial CA camera installs default to video-only on the cameras and route audio capture through a separate documented intercom or call-recording workflow with all-party consent disclosed. Hidden cameras in spaces where privacy is expected are off the table and create exposure for the operator and the integrator.

Biometric data and CCPA/CPRA

California's primary privacy regime is the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), codified at Civ. Code 1798.100 et seq. and enforced by the California Privacy Protection Agency (CPPA). CPRA expanded the statutory definition of personal information to include biometric information explicitly and added a sensitive personal information category that covers more invasive identifiers.

For commercial security buyers, the practical reach is wide. Identifiable footage of CA residents at a covered business, faceprint templates used for facial recognition, and audit trails that link a person to a place can all fall within scope. A covered business has notice-at-collection, consumer right-to-know, deletion-request, and use-limit obligations. Coverage thresholds (annual revenue, data volume, or revenue from data sale) determine which businesses are covered, but most multi-site retailers, hospitality operators, and large multi-tenant residential operators in CA are within scope.

CA does not have a private-right-of-action biometric privacy statute like Illinois BIPA. Coverage runs through CCPA/CPRA disclosures and consumer rights workflows, plus Civ. Code 1798.81.5 data security obligations. CA businesses using fingerprint or facial recognition document consent, retention, and access controls in their privacy policy and at the point of collection.

Privacy in the workplace

California Labor Code 435 prohibits employers from making audio or video recording of an employee in a restroom, locker room, or room designated by the employer for changing clothes. The prohibition is absolute: posted notice does not cure it. Violations are misdemeanors.

Outside the Labor Code 435 zones, the California Constitution's right to privacy (Article 1, Section 1) is enforced through case law. Common-area surveillance with posted notice is the routine pattern. The boundaries on break rooms, lactation rooms, and telework spaces are tighter than in many other states. Most CA employers leave break rooms unwatched and concentrate camera coverage on production lines, retail floor, loading dock, warehouse aisles, and entry-exit points.

CA Labor Code 980 governs social media account access by employers and is a separate regime from physical surveillance. CA Penal Code 631 and 632 reach electronic interception of communications by employers in some scenarios. CCPA/CPRA disclosures cover employee personal information at covered businesses.

Public-place and common-area cameras

For commercial real estate, multi-tenant residential, retail, and hospitality, the practical rule set is consistent. Cameras in lobbies, hallways, exterior, parking, retail floor, and other non-private common areas are lawful with posted notice. Cameras in bathrooms, dressing rooms, hotel guest rooms, and any other space where privacy is expected are off-limits.

CA multi-tenant residential operators handle CCPA/CPRA disclosures at lease-up for any biometric access control or visitor-tracking system. Hotel operators include guest-area camera coverage in the property security plan and post notice at the front desk. Audio in any common area is the high-risk variable: even in non-private spaces, ambient audio capture can sweep up confidential communications and pull the install into Penal Code 632 territory.

Video retention requirements

CA has no single statewide video retention statute that applies to all commercial cameras. Retention is set by the regime that governs the industry.

Cannabis. The CA Department of Cannabis Control (DCC) publishes camera coverage and retention rules under Title 4 CCR. Pull the current DCC rules before designing the install.
Healthcare. HIPAA Security Rule (45 CFR Part 164) governs PHI-touching footage. Retention is typically 30 to 90 days at the facility, longer when an investigation is open.
Retail and hospitality with card data. PCI-DSS Requirement 9 specifies camera coverage of the cardholder data environment with 90-day retention.
Banks and financial institutions. Federal banking regulators set surveillance and retention expectations through bank examination. CA Department of Financial Protection and Innovation (DFPI) supervises non-bank financial activity.
Schools. FERPA reach for K-12 districts and higher education. CA Education Code district policies apply.
Federal contractors and grantees. NDAA Section 889 controls vendor selection. Retention is contractor-driven through the SSP or grant award terms.

Default retention for CA commercial systems with no specific industry rule is 30 days. Operators in higher-risk industries set longer retention with explicit written retention policies in the WISP, facility security plan, or DCC SOP.

Notable enforcement examples

CA enforcement against businesses for camera and privacy issues runs through several channels. The California Privacy Protection Agency and the CA Attorney General have brought CCPA and CPRA enforcement actions against businesses with documented privacy and data security failures. The CA Department of Industrial Relations has resolved Labor Code 435 complaints against employers with cameras in prohibited employee areas. The CA DCC has issued sanctions against cannabis licensees for surveillance and retention failures.

Federal HIPAA settlements have reached CA-based defendants where physical safeguards (facility access control, camera coverage of PHI areas) were a documented part of the breach. PCI assessor findings have triggered card brand penalties at CA retailers where camera coverage of the cardholder data environment was inadequate or retention was below 90 days. Real settlements are published on the CPPA, CA AG, DCC, and HHS OCR enforcement pages.

What Tec-Tel does to comply with California regulations

Tec-Tel installs across California for retail, manufacturing, healthcare, multi-tenant residential, financial, and licensed cannabis customers. The default install pattern for a CA commercial site:

Video-only on cameras unless audio is documented with all-party consent under Penal Code 632.
Posted surveillance notice at every public entrance.
No cameras in restrooms, locker rooms, dressing rooms, or any space prohibited by Labor Code 435 or where privacy is reasonably expected under Penal Code 647(j).
CCPA/CPRA notice-at-collection language coordinated with the customer's privacy team for any biometric capture or facial recognition.
Retention configured to the regime that governs the industry (HIPAA, PCI, DCC, NDAA), with the facility's written retention policy attached.
NDAA Section 889-compliant vendor selection on any federal-touching install. No Hikvision, Dahua, Hytera, Huawei, ZTE, or covered OEM relabels.
Multi-vendor architecture so the customer is not locked into one camera or VMS line as state and federal rules evolve.

This is a buyer-facing reference, not legal advice. For a specific CA regulatory question, work with your privacy counsel.

Security service in California

Tec-Tel deploys AI-era security across California with one accountable project manager owning design, install, and service to one standard. The cities below have local service detail, deal sizing, and a free consultation. Don't see yours? We cover the whole state.

Or browse the full city directory and nationwide coverage map.

Frequent buyer questions

Is California a one-party or two-party consent state for audio recording?

California is a two-party (all-party) consent state under Penal Code 632, which prohibits intentional eavesdropping or recording of a confidential communication without the consent of all parties to the communication. A confidential communication is one where a party has a reasonable expectation that no third party is listening. Penal Code 631 covers wiretap-style interceptions of telephonic and electronic communications. Most CA commercial camera installs go video-only on the cameras to keep audio out of scope, because two-party consent is hard to document on a camera that records continuously.

Does CCPA apply to my camera footage?

Often, yes. The California Consumer Privacy Act and its CPRA amendment (Civ. Code 1798.100 et seq.) reach personal information about California residents, and CPRA expanded the definition to cover biometric information explicitly. Identifiable footage of an individual, faceprints used for recognition, and audit trails that link a person to a place can fall within scope at a covered business. The covered business has disclosure, deletion-request, and limit-on-use obligations. Not every business is covered (revenue, volume, and data-sale thresholds apply), but most multi-site retailers and hospitality operators in CA are.

Can I put cameras in employee break rooms or restrooms in California?

Restrooms, locker rooms, and changing rooms are off-limits under California Labor Code 435, which prohibits employers from making audio or video recording in those areas. Break rooms are a closer call. Common-area break rooms with posted notice are generally treated like other common work areas, but the more a space resembles a private personal-use area, the more exposure the employer takes. Most CA employers leave break rooms unwatched and run cameras at the entrance and in the food-prep area instead.

What's the video retention requirement for CA cannabis dispensaries?

The California Department of Cannabis Control (DCC) publishes camera coverage and retention rules for licensed retailers, cultivators, distributors, manufacturers, and microbusinesses under Title 4 of the California Code of Regulations. Retention is set in the regulation and operators should pull the current DCC text before designing the install, because DCC has revised rules during the consolidation of legacy CDPH and CDFA cannabis programs. Most CA licensed operators retain the DCC minimum and configure VMS retention with a buffer.

Does CA have a biometric privacy law like Illinois BIPA?

Not a standalone BIPA-style statute with a private right of action like Illinois. Coverage in CA runs through CCPA/CPRA, which reaches biometric information as personal information of CA residents at covered businesses, and through Civ. Code 1798.81.5 (data security obligations). Penal Code provisions and the Information Practices Act address public-sector biometric capture. CA businesses using fingerprint or facial recognition document consent, retention, and access controls under CCPA/CPRA disclosures and consumer rights workflows.

Do I have to give California employees notice before monitoring them?

California Labor Code 435 bars cameras in restrooms and locker rooms outright. CA Labor Code 980 governs social media account access by employers. CA Penal Code 631 and 632 reach electronic interception. There is no single CA statute requiring written notice for general workplace video surveillance the way New York's Civil Rights Law 52-c does for electronic monitoring, but the CA Constitution's right to privacy is enforced through case law, and most CA employers issue a single workplace surveillance notice in the handbook covering cameras, computer monitoring, and call recording.

Are there notable CA enforcement actions against businesses for surveillance or privacy issues?

The California Privacy Protection Agency (CPPA) and the California Attorney General have brought CCPA and CPRA enforcement actions against businesses with documented data security and privacy failures. CA Department of Industrial Relations has resolved Labor Code 435 complaints against employers placing cameras in prohibited employee areas. Federal HIPAA settlements have reached CA-based defendants where physical safeguards were a documented part of the breach. Real settlements are searchable on the CPPA, CA AG, and HHS OCR enforcement pages.

Are there special rules for cameras in California schools?

CA public schools follow federal FERPA (20 U.S.C. 1232g) for identifiable student footage, which can qualify as an education record. The CA Education Code provides additional district-level guidance and many districts have a board-adopted camera policy with retention and access rules. SVPP and NSGP grant-funded camera projects at CA schools carry NDAA Section 889 procurement requirements. Higher-education campuses often add CA Information Practices Act and CSU/UC system-specific privacy policies on top.

Start with a free consultation.

Tell us what you're protecting and what's already in place. The Tec-Tel team reviews it and comes back with a written plan.

Tell us how many sites you run and what's already in place. We'll show you what a build or upgrade looks like.

Straight answers from the team that does the work. We're platform-agnostic, so you get the system that fits your sites, not one brand's catalog.

Since 2010 · 1,000+ deployments nationwide · ISN-accredited

Book a free consultation 855-577-0400

California security and surveillance regulations: what businesses must know

Camera-related state law

Biometric data and CCPA/CPRA

Privacy in the workplace

Public-place and common-area cameras

Video retention requirements

Notable enforcement examples

What Tec-Tel does to comply with California regulations

Security service in California

Frequent buyer questions

Compliance reference

NDAA Section 889

Illinois regulations

Cannabis security

Retail security

Start with a free consultation.

How can we help?