Camera-related state law
Colorado's audio-recording statutes are C.R.S. 18-9-303 (eavesdropping) and C.R.S. 18-9-304 (wiretapping). These statutes make it a crime to knowingly intercept the contents of a conversation or a wire or oral communication unless an exception applies. The most-used commercial exception is consent of one party to the communication. CO is therefore a one-party consent state for audio.
Video-only surveillance is treated more permissively. Recording video in places where a person has no reasonable expectation of privacy is generally lawful. Hidden cameras in places where privacy is expected (restrooms, locker rooms, fitting rooms, hotel guest rooms) are off-limits and can trigger criminal exposure under C.R.S. 18-7-801 (invasion of privacy for sexual gratification) and other invasion-of-privacy theories.
Practical translation. Commercial CO camera installs default to video-only on the cameras and route audio capture through a separate documented intercom or call-recording workflow. Most multi-site retailers, manufacturers, and warehouses post notice at every public entrance and configure cameras to video-only at the device level.
Biometric data and the Colorado Privacy Act
Colorado's primary privacy regime is the Colorado Privacy Act (CPA), codified at C.R.S. 6-1-1301 et seq. and effective July 2023. The CPA applies to controllers that conduct business in CO or produce products or services intentionally targeted to CO residents and that process the personal data of at least 100,000 CO consumers in a year, or that derive revenue or receive a discount from selling personal data of at least 25,000 CO consumers.
The CPA classifies biometric data as sensitive data and requires opt-in consent before a controller processes it. For commercial security buyers, the practical reach is fingerprint and facial-recognition access control, voice-print authentication, and any AI camera that builds a faceprint template. Identifiable footage of CO residents at a covered controller can fall within general personal data scope. Enforcement is by the CO Attorney General and CO District Attorneys with civil penalties.
CO does not have a private-right-of-action biometric privacy statute like Illinois BIPA. Coverage runs through CPA opt-in consent at enrollment, retention, access controls, and CPA-aligned privacy notices. CO businesses using biometric capture document the opt-in, the retention schedule, and the destruction process tied to employee separation or end of lawful purpose.
Privacy in the workplace
Colorado has no single workplace electronic-monitoring statute that requires written notice for general video surveillance. Pure video surveillance of common work areas with posted notice is the routine pattern. Cameras in employee-only spaces with a reasonable expectation of privacy (restrooms, locker rooms, lactation rooms) are off-limits and create exposure under invasion-of-privacy theories.
Audio capture by an employer is regulated by C.R.S. 18-9-303 (one-party consent), and biometric capture is regulated by the CPA when CPA thresholds are met. Most CO employers issue a single workplace surveillance notice in the handbook covering cameras, badge access, computer monitoring, and call recording together. Out-of-state employee data rules (CCPA for California-resident remote workers, BIPA for Illinois-resident remote workers) can also reach CO-employed remote staff.
Cameras in production lines, retail floor, loading dock, and warehouse aisles are routine when paired with notice. Fingerprint or facial-recognition timeclocks are common in CO but trigger CPA opt-in consent obligations on every employee enrollment when CPA thresholds apply.
Public-place and common-area cameras
For commercial real estate, multi-tenant residential, retail, and hospitality, the practical rule set is consistent. Cameras in lobbies, hallways, exterior, parking, retail floor, and other non-private common areas are lawful with posted notice. Cameras in bathrooms, fitting rooms, hotel guest rooms, and any other space where privacy is expected are off-limits.
Multi-tenant residential operators in Colorado should review the bylaws and lease covenants. Hotel operators handle guest-room signage at the door and at the front desk and document any guest-area camera coverage in the property security plan. Denver, Colorado Springs, Aurora, and Fort Collins have additional municipal ordinances that can apply to alarm permits and certain license categories. Audio in any common area is the high-risk variable: even in non-private spaces, ambient audio capture can sweep up confidential communications and pull the install into C.R.S. 18-9-303 territory if no participant has consented.
Video retention requirements
Colorado has no single statewide video retention statute that applies to all commercial cameras. Retention is set by the regime that governs the industry.
- Cannabis. The Colorado Marijuana Enforcement Division publishes camera coverage and retention rules under 1 CCR 212. Pull the current text before designing the install.
- Healthcare. HIPAA Security Rule (45 CFR Part 164) governs PHI-touching footage. Retention is typically 30 to 90 days at the facility, longer when an investigation is open.
- Retail and hospitality with card data. PCI-DSS Requirement 9 specifies camera coverage of the cardholder data environment with 90-day retention.
- Banks and financial institutions. Federal banking regulators set surveillance and retention expectations through bank examination. CO Division of Banking supervises state-chartered banks.
- Schools. FERPA reaches K-12 districts and higher education. CO district board policies typically set 14 to 30 days of retention.
- Federal contractors and grantees. NDAA Section 889 controls vendor selection. Retention is contractor-driven through the SSP or grant award terms.
Default retention for CO commercial systems with no specific industry rule is 30 days. Operators in higher-risk industries set longer retention with explicit written retention policies in the WISP, facility security plan, or MED SOP.
Notable enforcement examples
CO enforcement against businesses for camera, biometric, and data-handling issues runs through several channels. The Colorado Attorney General has brought Colorado Privacy Act enforcement actions against businesses with documented privacy and data security failures since the law took effect, with biometric processing flagged as an enforcement priority. The CO AG also publishes received C.R.S. 6-1-716 breach notifications. The Colorado Marijuana Enforcement Division has issued sanctions against cannabis licensees for surveillance and retention failures.
Federal HIPAA settlements have reached CO-based defendants where physical safeguards (facility access control, camera coverage of PHI areas) were a documented part of the breach. PCI assessor findings have triggered card brand penalties at CO retailers where camera coverage of the cardholder data environment was inadequate or retention was below 90 days. Real settlements are searchable on the CO AG, MED, and HHS OCR enforcement pages.
What Tec-Tel does to comply with Colorado regulations
Tec-Tel installs across Colorado for retail, manufacturing, healthcare, multi-tenant residential, financial, hospitality, and licensed cannabis customers. The default install pattern for a CO commercial site:
- Video-only on cameras unless audio is documented with one-party consent under C.R.S. 18-9-303.
- Posted surveillance notice at every public entrance.
- No cameras in restrooms, locker rooms, fitting rooms, hotel guest rooms, or other spaces where privacy is reasonably expected.
- CPA opt-in consent forms with a documented retention schedule for any biometric capture (fingerprint timeclocks, facial-recognition access, voiceprint authentication) when CPA thresholds apply.
- Retention configured to the regime that governs the industry (HIPAA, PCI, MED, NDAA), with the facility's written retention policy attached.
- NDAA Section 889-compliant vendor selection on any federal-touching install. No Hikvision, Dahua, Hytera, Huawei, ZTE, or covered OEM relabels.
- Multi-vendor architecture so the customer is not locked into one camera or VMS line as state and federal rules evolve.
This is a buyer-facing reference, not legal advice. For a specific CO regulatory question, work with your privacy counsel.