Camera-related state law

The governing audio-recording framework is Ohio Revised Code Section 2933.51 et seq., which defines wiretap and electronic surveillance terms and Section 2933.52, which makes interception of wire, oral, or electronic communications a felony unless an exception applies. The most-used commercial exception is one-party consent: if a participant in the conversation consents (which includes the person doing the recording), the interception is lawful. Ohio is therefore a one-party consent state.

Video-only surveillance is treated more permissively. Recording video in places where a person has no reasonable expectation of privacy is generally lawful, with two practical caveats. First, posted notice is the standard for any commercial property and many lease agreements require it. Second, hidden cameras in places where privacy is expected (restrooms, locker rooms, fitting rooms, hotel guest rooms) are off-limits and trigger criminal exposure under Ohio Rev. Code sec. 2907.08 (voyeurism) and related provisions.

Practical translation for an OH commercial install. Cameras with audio capture should be deployed only where the operator can document one-party consent or post unambiguous notice that audio is being captured. Most multi-site retailers, manufacturers, and warehouses default to video-only on the cameras and route audio capture through a separate documented intercom or voice-recording workflow.

Biometric data law and the Ohio Data Protection Act

Ohio does not have an enacted biometric information privacy law as of 2026. Bills modeled in part on the Illinois BIPA framework have been introduced in recent OH legislative sessions, but none have passed into law. Operators should track OH legislative activity quarterly because the legislative posture has been moving toward more privacy-specific regulation.

Ohio has, however, enacted something most other states have not. The Ohio Data Protection Act, Ohio Revised Code Chapter 1354, provides an affirmative defense in tort actions that allege a business failed to implement reasonable information-security controls. The defense is available to businesses that maintain a written cybersecurity program conforming to an industry-recognized framework (NIST CSF, NIST SP 800-171, ISO 27001, PCI-DSS, HIPAA Security Rule, FedRAMP, or others depending on the business). Documenting that program is high-value: it costs little compared to the litigation exposure it can mitigate.

The federal FTC Act and the FTC Safeguards Rule reach biometric data handling for many businesses. Ohio Rev. Code sec. 1349.19 reaches breach notification for personal information of Ohio residents. OH businesses using facial recognition or fingerprint access control should still document consent, retention, and access controls.

Privacy in the workplace

Ohio does not have a single workplace electronic-monitoring statute. Pure video surveillance of common work areas with posted notice is the routine pattern. There is no single state-level requirement that the notice be in writing, but a documented workplace surveillance policy in the employee handbook is the standard practice.

Most OH employers issue a single workplace surveillance notice covering cameras, badge access, computer monitoring, and call recording together. Cameras in restrooms, locker rooms, lactation rooms, and other employee privacy areas are off-limits and create criminal exposure under Ohio Rev. Code sec. 2907.08. Cameras in production lines, retail floor, loading dock, and warehouse aisles are routine when paired with notice.

Audio capture by an employer is regulated by the one-party consent rule under sec. 2933.52. Continuously running camera audio without any participant consent creates exposure that's easier to avoid than to litigate. Most OH employers route audio capture through a separate documented intercom or call-recording workflow.

Public-place and common-area cameras

For commercial real estate, multi-tenant residential, retail, and hospitality, the practical rule set is consistent. Cameras in lobbies, hallways, exterior, parking, retail floor, and other non-private common areas are lawful with posted notice. Cameras in bathrooms, fitting rooms, hotel guest rooms, and any other space where privacy is expected are off-limits.

OH multi-tenant residential operators should also review the bylaws and lease covenants. Hotel operators handle guest-room signage at the door and at the front desk and document any guest-area camera coverage in the property security plan. Municipal ordinances in Cleveland, Columbus, Cincinnati, and other OH cities can add notice or alarm-permit requirements for certain license categories.

Video retention requirements

Ohio has no single statewide video retention statute that applies to all commercial cameras. Retention is set by the regime that governs the industry.

  • Cannabis. The Ohio Division of Cannabis Control publishes coverage and retention rules for licensed dispensaries, cultivators, and processors. Pull the current rules before designing the install.
  • Healthcare. HIPAA Security Rule (45 CFR Part 164) governs PHI-touching footage. Retention is typically 30 to 90 days at the facility, longer when an investigation is open.
  • Retail and hospitality with card data. PCI-DSS Requirement 9 specifies camera coverage of the cardholder data environment with 90-day retention.
  • Banking and finance. Federal banking regulators and the Ohio Department of Commerce Division of Financial Institutions set surveillance and retention expectations.
  • Schools. FERPA applies to K-12 districts and higher education. Ohio Department of Education guidance and district policy add detail.
  • Federal contractors and grantees. NDAA Section 889 controls vendor selection. Retention is contractor-driven through the SSP or grant award terms.

Default retention for OH commercial systems with no specific industry rule is 30 days. Operators in higher-risk industries set longer retention with explicit written retention policies in the WISP, facility security plan, or Division of Cannabis Control SOP.

Notable enforcement examples

Ohio enforcement against businesses for surveillance, data security, and privacy issues runs through several channels. The Ohio Attorney General has brought consumer protection cases under the Ohio Consumer Sales Practices Act against businesses with documented data security failures. The OH AG receives Section 1349.19 breach notifications and tracks recurring patterns. The Ohio Data Protection Act has begun to be cited in defense of breach litigation.

Federal HIPAA settlements have reached OH-based defendants where physical safeguards (facility access control, camera coverage of PHI areas) were a documented part of the breach. PCI assessor findings have triggered card brand penalties at OH retailers where camera coverage of the cardholder data environment was inadequate or retention was below 90 days. Real settlements are searchable on the OH AG and HHS OCR enforcement pages.

What Tec-Tel does to comply with Ohio regulations

Tec-Tel installs across Ohio for retail, manufacturing, healthcare, multi-tenant residential, financial, and licensed cannabis customers. The default install pattern for an OH commercial site:

  • Video-only on cameras unless audio is documented with one-party consent under Ohio Rev. Code sec. 2933.52.
  • Posted surveillance notice at every public entrance.
  • No cameras in restrooms, locker rooms, fitting rooms, hotel guest rooms, or other spaces where privacy is reasonably expected.
  • Documentation that aligns with the Ohio Data Protection Act safe harbor: written policies, retention schedules, and a framework-mapped cybersecurity posture (NIST, PCI, HIPAA, or other) for the customer's information-security counsel to fold into the broader program.
  • Retention configured to the regime that governs the industry (HIPAA, PCI, Division of Cannabis Control, NDAA), with the facility's written retention policy attached to the install package.
  • NDAA Section 889-compliant vendor selection on any federal-touching install. No Hikvision, Dahua, Hytera, Huawei, ZTE, or covered OEM relabels.
  • Multi-vendor architecture so the customer is not locked into one camera or VMS line as state and federal rules evolve.

This is a buyer-facing reference, not legal advice. For a specific Ohio regulatory question, work with your privacy counsel.

Security service in Ohio

Tec-Tel deploys AI-era security across Ohio with one accountable project manager owning design, install, and service to one standard. The cities below have local service detail, deal sizing, and a free consultation. Don't see yours? We cover the whole state.

Or browse the full city directory and nationwide coverage map.