Texas security and surveillance regulations: what businesses must know

Texas is a one-party consent state for audio recording under Texas Penal Code 16.02, the interception-of-communications statute. The Texas Capture or Use of Biometric Identifier Act (Bus. & Com. Code 503.001), commonly called CUBI, requires informed consent before capturing a biometric identifier for a commercial purpose. The Texas Identity Theft Enforcement and Protection Act (Bus. & Com. Code Chapter 521) governs handling and breach notification for personal information, including biometric records.

Camera-related state law

The governing audio-recording statute is Texas Penal Code 16.02, which makes interception, use, or disclosure of a wire, oral, or electronic communication a felony unless an exception applies. The most-used commercial exception is one-party consent: if a participant in the conversation consents (which includes the person doing the recording), the interception is lawful. Texas is therefore a one-party consent state for audio.

Video-only surveillance is treated more permissively. Recording video in places where a person has no reasonable expectation of privacy is generally lawful, with two practical caveats. First, posted notice is the industry standard for any commercial property and many lease agreements require it. Second, hidden cameras in places where privacy is expected (restrooms, locker rooms, fitting rooms, hotel guest rooms) are off-limits and can trigger separate criminal exposure under Texas invasion-of-privacy and improper-photography theories.

Practical translation for a TX commercial install. Cameras with audio capture should be deployed only where the operator can document one-party consent or post unambiguous notice that audio is being captured. Most multi-site retailers, manufacturers, and warehouses default to video-only on the cameras and route audio capture through a separate documented intercom or voice-recording workflow.

Biometric data and the CUBI Act

Texas has an enacted biometric privacy statute. The Capture or Use of Biometric Identifier Act, Business and Commerce Code 503.001, prohibits a commercial entity from capturing a biometric identifier of an individual for a commercial purpose unless the person is informed before capture and consents to the capture. Biometric identifier under CUBI includes retina or iris scan, fingerprint, voiceprint, and record of hand or face geometry.

CUBI restricts sale, lease, or disclosure of a biometric identifier except in narrow circumstances, and it requires destruction of the identifier within a reasonable time, generally not later than the first anniversary of the date the purpose for collecting the identifier expires. Enforcement is by the Texas Attorney General with civil penalties per violation. Unlike Illinois BIPA, CUBI does not include a private right of action, but TX AG enforcement has produced multi-billion-dollar settlements against major technology companies in recent years.

For commercial security buyers, the practical reach is fingerprint and facial-recognition access control, voice-print authentication, and any AI camera that builds a faceprint template. CUBI compliance requires written informed-consent forms at the point of capture, a documented retention schedule, and a destruction process tied to employee separation or end of lawful purpose.

Privacy in the workplace

Texas does not have a single workplace electronic-monitoring statute. Pure video surveillance of common work areas with posted notice is the routine pattern. Cameras in employee-only spaces with a reasonable expectation of privacy (restrooms, locker rooms, lactation rooms) are off-limits and create exposure under invasion-of-privacy theories.

Most TX employers issue a single workplace surveillance notice in the employee handbook that covers cameras, badge access, computer monitoring, and call recording together. Audio capture by an employer is regulated by Penal Code 16.02 (one-party consent) and CUBI when voiceprints are involved. CCPA and out-of-state employee data rules can also reach TX-employed remote workers who reside in California or Illinois.

Cameras in production lines, retail floor, loading dock, and warehouse aisles are routine when paired with notice. Fingerprint or facial-recognition timeclocks are common in TX but trigger CUBI consent and retention obligations on every employee enrollment.

Public-place and common-area cameras

For commercial real estate, multi-tenant residential, retail, and hospitality, the practical rule set is consistent. Cameras in lobbies, hallways, exterior, parking, retail floor, and other non-private common areas are lawful with posted notice. Cameras in bathrooms, fitting rooms, hotel guest rooms, and any other space where privacy is expected are off-limits.

Multi-tenant residential operators in Texas should also review the bylaws and lease covenants. Hotel operators handle guest-room signage at the door and at the front desk and document any guest-area camera coverage in the property security plan. Municipal ordinances in Houston, Dallas, Austin, and San Antonio can add notice or registration requirements that go beyond state law for certain license categories (alarm permits, alcohol-licensed premises, parking facilities).

Video retention requirements

Texas has no single statewide video retention statute that applies to all commercial cameras. Retention is set by the regime that governs the industry.

Compassionate Use cannabis and hemp. Texas DPS and TDA publish coverage and retention rules for licensed operators. Pull the current published rules before designing the install.
Healthcare. HIPAA Security Rule (45 CFR Part 164) governs PHI-touching footage. Retention is typically 30 to 90 days at the facility, longer when an investigation is open.
Retail and hospitality with card data. PCI-DSS Requirement 9 specifies camera coverage of the cardholder data environment with 90-day retention.
K-12 special education. Texas Education Code 29.022 sets specific coverage and retention for self-contained special-education classroom cameras when requested.
TABC-licensed premises. Texas Alcoholic Beverage Commission regulations and local ordinances can impose retention requirements on bars, clubs, and certain alcohol-licensed venues.
Federal contractors and grantees. NDAA Section 889 controls vendor selection. Retention is contractor-driven through the SSP or grant award terms.

Default retention for TX commercial systems with no specific industry rule is 30 days. Operators in higher-risk industries set longer retention with explicit written retention policies.

Notable enforcement examples

Texas enforcement against businesses for biometric, surveillance, and data-handling issues runs through several channels. The Texas Attorney General has filed CUBI Act actions against major technology companies for capturing biometric identifiers (faceprints and voiceprints) without informed consent, with reported settlements in the multi-billion-dollar range. The TX AG also brings consumer protection actions under Chapter 521 against businesses with documented data security failures.

Federal HIPAA settlements have reached TX-based defendants where physical safeguards (facility access control, camera coverage of PHI areas) were a documented part of the breach. PCI assessor findings have triggered card brand penalties at TX retailers where camera coverage of the cardholder data environment was inadequate or retention was below 90 days. Real settlements are searchable on the TX AG and HHS OCR enforcement pages.

What Tec-Tel does to comply with Texas regulations

Tec-Tel installs across Texas for retail, manufacturing, healthcare, multi-tenant residential, financial, and hospitality customers. The default install pattern for a TX commercial site:

Video-only on cameras unless audio is documented with one-party consent under Penal Code 16.02.
Posted surveillance notice at every public entrance.
No cameras in restrooms, locker rooms, fitting rooms, hotel guest rooms, or other spaces where privacy is reasonably expected.
CUBI written-consent forms and a documented destruction schedule for any biometric capture (fingerprint timeclocks, facial-recognition access, voiceprint authentication).
Retention configured to the regime that governs the industry (HIPAA, PCI, DPS, NDAA), with the facility's written retention policy attached to the install package.
NDAA Section 889-compliant vendor selection on any federal-touching install. No Hikvision, Dahua, Hytera, Huawei, ZTE, or covered OEM relabels.
Multi-vendor architecture so the customer is not locked into one camera or VMS line as state and federal rules evolve.

This is a buyer-facing reference, not legal advice. For a specific Texas regulatory question, work with your privacy counsel.

Security service in Texas

Tec-Tel deploys AI-era security across Texas with one accountable project manager owning design, install, and service to one standard. The cities below have local service detail, deal sizing, and a free consultation. Don't see yours? We cover the whole state.

Or browse the full city directory and nationwide coverage map.

Frequent buyer questions

Is Texas a one-party or two-party consent state for audio recording?

Texas is a one-party consent state. Penal Code 16.02 makes interception of wire, oral, or electronic communications a felony unless an exception applies, and the most-used exception is consent of one party to the communication. A participant in a conversation can lawfully record it. Most TX commercial camera installs default to video-only on the cameras, because audio capture by a continuously-running camera does not have an active human participant in the room and creates exposure that's easier to avoid than to litigate.

What does the Texas CUBI Act require for biometric data?

The Texas Capture or Use of Biometric Identifier Act, codified at Business and Commerce Code 503.001, prohibits a commercial entity from capturing a biometric identifier (retina, iris, fingerprint, voiceprint, or hand or face geometry) for a commercial purpose unless the person is informed before capture and consents. CUBI also restricts sale, lease, or disclosure of biometric identifiers and requires destruction within a reasonable time, generally not later than the first anniversary of the date the purpose for collection expires. Enforcement is by the Texas Attorney General. There is no private right of action under CUBI.

Do I have to tell Texas employees they're being monitored on camera?

Texas does not have a single statute requiring written notice for general workplace video surveillance the way New York Civil Rights Law 52-c does for electronic monitoring. That said, posted notice at the property is the standard practice for any TX commercial site, and most TX employers issue a single workplace surveillance notice in the handbook covering cameras, badge access, computer monitoring, and call recording. Cameras in restrooms, locker rooms, and other employee privacy areas are off-limits and create exposure under invasion-of-privacy theories.

What's the data breach notification rule in Texas?

The Texas Identity Theft Enforcement and Protection Act, Business and Commerce Code Chapter 521, requires notice to Texas residents whose sensitive personal information was acquired by an unauthorized person, and notice to the Texas Attorney General when the breach affects at least 250 Texas residents. Notice is required without unreasonable delay and not later than the statutory deadline. Sensitive personal information under Chapter 521 includes biometric records when used for unique identification. The TX AG publishes received breach notifications.

Are there special rules for cameras in Texas schools?

Yes. Texas Education Code 29.022 requires cameras in self-contained special-education classrooms upon request and sets coverage and retention rules for those installs. K-12 districts also follow federal FERPA (20 U.S.C. 1232g) for identifiable student footage. Higher education in Texas follows FERPA plus institution-level policy. SVPP and NSGP grant-funded camera projects in TX schools carry NDAA Section 889 procurement requirements. Texas school districts publish a board-adopted camera policy with retention and access rules.

What's the video retention requirement for Texas cannabis or hemp facilities?

Texas does not have a recreational cannabis program. The Compassionate Use Program for low-THC cannabis is regulated by the Texas Department of Public Safety, which publishes security and surveillance requirements for licensed dispensing organizations. Consumable hemp is regulated by the Texas Department of State Health Services and Department of Agriculture. Operators in either program should pull the current published rules before designing the install. Default retention for TX commercial systems with no specific industry rule is 30 days. PCI, HIPAA, and NDAA-driven retention apply where the customer's industry imposes them.

Are there notable enforcement actions against TX businesses for biometric or privacy violations?

The Texas Attorney General has filed CUBI Act actions against major technology companies for biometric capture without informed consent, with multi-billion-dollar settlements reported in recent years. The TX AG also publishes received breach notifications under Chapter 521 and brings consumer protection cases against businesses with documented data security failures. Federal HIPAA settlements have reached TX-based defendants where physical safeguards were a documented part of the breach. Real settlements are searchable on the TX AG and HHS OCR enforcement pages.

Can a Texas landlord or employer review camera footage without a warrant?

A property owner or employer can review their own footage of their own property under their own access-control policy. Disclosure to outside parties is regulated. Police and prosecutors generally need a warrant or subpoena for an involuntary disclosure of footage from a private system. Voluntary disclosure to law enforcement is allowed but creates exposure if the footage was retained or captured outside the property's posted policy. Document the chain of custody on every export.

Start with a free consultation.

Tell us what you're protecting and what's already in place. The Tec-Tel team reviews it and comes back with a written plan.

Tell us how many sites you run and what's already in place. We'll show you what a build or upgrade looks like.

Straight answers from the team that does the work. We're platform-agnostic, so you get the system that fits your sites, not one brand's catalog.

Since 2010 · 1,000+ deployments nationwide · ISN-accredited

Book a free consultation 855-577-0400

Texas security and surveillance regulations: what businesses must know

Camera-related state law

Biometric data and the CUBI Act

Privacy in the workplace

Public-place and common-area cameras

Video retention requirements

Notable enforcement examples

What Tec-Tel does to comply with Texas regulations

Security service in Texas

Frequent buyer questions

Compliance reference

NDAA Section 889

Illinois regulations

California regulations

Manufacturing security

Start with a free consultation.

How can we help?