North Carolina security and surveillance regulations: what businesses must know

North Carolina is a one-party consent state for audio recording under N.C. Gen. Stat. 15A-287, the interception-of-communications statute. The North Carolina Identity Theft Protection Act, N.C. Gen. Stat. 75-65, governs data breach notification and includes biometric records within personal information. NC has no standalone biometric privacy statute on the BIPA model with a private right of action. Camera installs in NC schools follow FERPA and district board policy.

Camera-related state law

North Carolina's audio-recording statute is N.C. Gen. Stat. 15A-287, which makes intentional interception of wire, oral, or electronic communications a felony unless an exception applies. The most-used commercial exception is consent of one party to the communication. NC is therefore a one-party consent state for audio. Related provisions appear in Chapter 15A, Article 16, the state electronic surveillance act.

Video-only surveillance is treated more permissively. Recording video in places where a person has no reasonable expectation of privacy is generally lawful. Hidden cameras in places where privacy is expected (restrooms, locker rooms, fitting rooms, hotel guest rooms) are off-limits and can trigger criminal exposure under N.C. Gen. Stat. 14-202 (secretly peeping or photographing).

Practical translation. Commercial NC camera installs default to video-only on the cameras and route audio capture through a separate documented intercom or call-recording workflow. Most multi-site retailers, manufacturers, and warehouses post notice at every public entrance and configure cameras to video-only at the device level.

Biometric data and breach notification

North Carolina has no standalone biometric privacy statute on the BIPA model with a private right of action. Biometric data is regulated primarily through the NC Identity Theft Protection Act, N.C. Gen. Stat. 75-65, which includes biometric data within personal information for data breach notification purposes. A breach affecting biometric records triggers NC AG notification.

For commercial security buyers, the practical reach is fingerprint and facial-recognition access control, voice-print authentication, and any AI camera that builds a faceprint template. NC businesses using biometric capture document consent at enrollment, retention, and access controls as a matter of best practice. Out-of-state employee data rules can apply: BIPA reaches Illinois-resident remote workers, CCPA reaches California-resident remote workers, CUBI reaches Texas-resident remote workers, and CPA reaches Colorado-resident remote workers.

The practical retention rule for biometric records in NC is to retain only as long as reasonably necessary for the purpose and to destroy on employee separation or end of lawful purpose. Most multi-state employers in NC default to BIPA-grade documentation (written informed consent + retention schedule + destruction process) because at least one of their employees is likely to fall under BIPA's reach.

Privacy in the workplace

North Carolina has no single workplace electronic-monitoring statute that requires written notice for general video surveillance. Pure video surveillance of common work areas with posted notice is the routine pattern. Cameras in employee-only spaces with a reasonable expectation of privacy (restrooms, locker rooms, lactation rooms) are off-limits and create exposure under N.C. Gen. Stat. 14-202 and invasion-of-privacy theories.

Audio capture by an employer is regulated by N.C. Gen. Stat. 15A-287 (one-party consent). Most NC employers issue a single workplace surveillance notice in the employee handbook covering cameras, badge access, computer monitoring, and call recording together. Cameras in production lines, retail floor, loading dock, and warehouse aisles are routine when paired with notice. NC has a large advanced-manufacturing footprint (research triangle, Triad, Charlotte logistics) and most plant-floor and warehouse installs default to NDAA-compliant cameras with badge-tied access control.

Public-place and common-area cameras

For commercial real estate, multi-tenant residential, retail, and hospitality, the practical rule set is consistent. Cameras in lobbies, hallways, exterior, parking, retail floor, and other non-private common areas are lawful with posted notice. Cameras in bathrooms, fitting rooms, hotel guest rooms, and any other space where privacy is reasonably expected are off-limits.

Multi-tenant residential operators in NC should review the bylaws and lease covenants. Hotel operators handle guest-room signage at the door and at the front desk and document any guest-area camera coverage in the property security plan. Charlotte, Raleigh, Durham, Greensboro, and Winston-Salem have municipal ordinances that can apply to alarm permits and certain license categories. Audio in any common area is the high-risk variable: even in non-private spaces, ambient audio capture without a participating consenter pulls the install into N.C. Gen. Stat. 15A-287 territory.

Video retention requirements

North Carolina has no single statewide video retention statute that applies to all commercial cameras. Retention is set by the regime that governs the industry.

Healthcare. HIPAA Security Rule (45 CFR Part 164) governs PHI-touching footage. Retention is typically 30 to 90 days at the facility, longer when an investigation is open. NC has a large hospital-system footprint (Duke, Atrium, UNC, Novant) where camera retention is part of the facility security plan.
Retail and hospitality with card data. PCI-DSS Requirement 9 specifies camera coverage of the cardholder data environment with 90-day retention.
Banks and financial institutions. Federal banking regulators set surveillance and retention expectations through bank examination. NC Office of the Commissioner of Banks supervises state-chartered banks. Charlotte's banking concentration drives heavy investment in physical security at branches and operations centers.
ABC permittees. The NC Alcoholic Beverage Control Commission can impose retention requirements on certain alcohol-licensed venues through local rules and conditions on permits.
Schools. FERPA reach for K-12 districts and higher education. NC district board policies typically set 14 to 30 days retention.
Federal contractors and grantees. NDAA Section 889 controls vendor selection. Retention is contractor-driven through the SSP or grant award terms. Fort Liberty, Camp Lejeune, and the defense industrial base across NC are heavy NDAA-touching customers.

Default retention for NC commercial systems with no specific industry rule is 30 days. Operators in higher-risk industries set longer retention with explicit written retention policies in the WISP or facility security plan.

Notable enforcement examples

NC enforcement against businesses for camera, biometric, and data-handling issues runs through several channels. The North Carolina Attorney General brings consumer protection and breach actions under the Identity Theft Protection Act (N.C. Gen. Stat. 75-65) and the Unfair and Deceptive Trade Practices Act (N.C. Gen. Stat. 75-1.1). The NC AG publishes received breach notifications.

Federal HIPAA settlements have reached NC-based defendants where physical safeguards (facility access control, camera coverage of PHI areas) were a documented part of the breach. PCI assessor findings have triggered card brand penalties at NC retailers where camera coverage of the cardholder data environment was inadequate or retention was below 90 days. Real settlements are searchable on the NC AG and HHS OCR enforcement pages.

What Tec-Tel does to comply with North Carolina regulations

Tec-Tel installs across North Carolina for retail, manufacturing, healthcare, multi-tenant residential, financial, hospitality, and federal-contractor customers. The default install pattern for an NC commercial site:

Video-only on cameras unless audio is documented with one-party consent under N.C. Gen. Stat. 15A-287.
Posted surveillance notice at every public entrance.
No cameras in restrooms, locker rooms, fitting rooms, hotel guest rooms, or other spaces where privacy is reasonably expected (N.C. Gen. Stat. 14-202).
Written informed-consent forms with a documented retention schedule for any biometric capture (fingerprint timeclocks, facial-recognition access, voiceprint authentication), defaulted to BIPA-grade documentation when any employee is an out-of-state resident.
Retention configured to the regime that governs the industry (HIPAA, PCI, NDAA), with the facility's written retention policy attached.
NDAA Section 889-compliant vendor selection on any federal-touching install. No Hikvision, Dahua, Hytera, Huawei, ZTE, or covered OEM relabels.
Multi-vendor architecture so the customer is not locked into one camera or VMS line as state and federal rules evolve.

This is a buyer-facing reference, not legal advice. For a specific NC regulatory question, work with your privacy counsel.

Security service in North Carolina

Tec-Tel deploys AI-era security across North Carolina with one accountable project manager owning design, install, and service to one standard. The cities below have local service detail, deal sizing, and a free consultation. Don't see yours? We cover the whole state.

Or browse the full city directory and nationwide coverage map.

Frequent buyer questions

Is North Carolina a one-party or two-party consent state for audio recording?

North Carolina is a one-party consent state. N.C. Gen. Stat. 15A-287 makes interception of wire, oral, or electronic communications a felony unless an exception applies, and the most-used exception is consent of one party to the communication. A participant in a conversation can lawfully record it. Most NC commercial camera installs default to video-only on the cameras, because audio capture by a continuously running camera does not have an active human participant in the room and creates exposure that's easier to avoid than to litigate.

What's the data breach notification rule in North Carolina?

The North Carolina Identity Theft Protection Act, N.C. Gen. Stat. 75-65, requires notice to NC residents whose personal information was acquired by an unauthorized person. Personal information includes name combined with a sensitive identifier (Social Security number, driver's license, financial account, biometric data, health insurance information, employer identification number). Notice to the NC Attorney General's Consumer Protection Division is required, and the NC AG publishes received breach notifications. Notice to residents is required without unreasonable delay.

Does NC have a biometric privacy law like Illinois BIPA?

Not a standalone BIPA-style statute with a private right of action. NC regulates biometric data primarily through N.C. Gen. Stat. 75-65, which includes biometric data within personal information for breach notification purposes. NC businesses using fingerprint or facial recognition document consent at enrollment, retention, and access controls as a matter of best practice. Out-of-state employee data rules can apply: BIPA reaches Illinois-resident remote workers, CCPA reaches California-resident remote workers, CUBI reaches Texas-resident remote workers, and CPA reaches Colorado-resident remote workers.

Can I put cameras in employee break rooms or restrooms in North Carolina?

Restrooms, locker rooms, and changing rooms are off-limits. NC has not codified a Labor Code 435-style ban, but N.C. Gen. Stat. 14-202 (secretly peeping or photographing in places where privacy is reasonably expected) and N.C. Gen. Stat. 15A-287 (interception for any audio) combine to make camera coverage of those spaces prohibited and prosecutable. Common-area break rooms with posted notice are generally treated like other common work areas. Most NC employers leave break rooms unwatched and concentrate cameras at the entrance and food-prep area instead.

Are there special rules for cameras in North Carolina schools?

NC public schools follow federal FERPA (20 U.S.C. 1232g) for identifiable student footage, which can qualify as an education record. School district board policies set retention and access rules, often 14 to 30 days. SVPP and NSGP grant-funded camera projects at NC schools carry NDAA Section 889 procurement requirements. The NC Center for Safer Schools, housed at the NC Department of Public Instruction, provides school safety guidance. Higher-education campuses follow FERPA plus institution-level policy.

What's the video retention requirement for NC dispensaries or hemp facilities?

NC has no recreational cannabis program. The NC Compassionate Care Act remains under legislative consideration; if and when an NC medical cannabis program is implemented, the licensing agency will publish camera coverage and retention rules. Industrial hemp is regulated by the NC Department of Agriculture and Consumer Services and follows the federal USDA program for licensing. Default retention for NC commercial systems with no specific industry rule is 30 days. PCI, HIPAA, and NDAA-driven retention apply where the customer's industry imposes them.

Are there notable North Carolina enforcement examples for surveillance or privacy issues?

The North Carolina Attorney General has brought consumer protection actions under the Identity Theft Protection Act and the NC Unfair and Deceptive Trade Practices Act against businesses with documented data security failures, and the NC AG publishes received N.C. Gen. Stat. 75-65 breach notifications. Federal HIPAA settlements have reached NC-based defendants where physical safeguards (facility access control, camera coverage of PHI areas) were a documented part of the breach. Real settlements are searchable on the NC AG and HHS OCR enforcement pages.

Can a property owner or employer review camera footage without a warrant in NC?

A property owner or employer can review their own footage of their own property under their own access-control policy. Disclosure to outside parties is regulated. Police and prosecutors generally need a warrant or subpoena for an involuntary disclosure of footage from a private system. Voluntary disclosure to law enforcement is allowed but creates exposure if the footage was retained or captured outside the property's posted policy. Document the chain of custody on every export.

Start with a free consultation.

Tell us what you're protecting and what's already in place. The Tec-Tel team reviews it and comes back with a written plan.

Tell us how many sites you run and what's already in place. We'll show you what a build or upgrade looks like.

Straight answers from the team that does the work. We're platform-agnostic, so you get the system that fits your sites, not one brand's catalog.

Since 2010 · 1,000+ deployments nationwide · ISN-accredited

Book a free consultation 855-577-0400

North Carolina security and surveillance regulations: what businesses must know

Camera-related state law

Biometric data and breach notification

Privacy in the workplace

Public-place and common-area cameras

Video retention requirements

Notable enforcement examples

What Tec-Tel does to comply with North Carolina regulations

Security service in North Carolina

Frequent buyer questions

Compliance reference

NDAA Section 889

Georgia regulations

Florida regulations

Manufacturing security

Start with a free consultation.

How can we help?