Video Surveillance on Organizational Property

Legal Considerations and Best Practices for Nonprofit and For-Profit Organizations

Introduction

Video surveillance has become a standard component of facility security for organizations of every kind: churches and charities, schools and childcare programs, retailers, manufacturers, and professional offices. Cameras deter crime, document incidents, support insurance claims, and protect the people an organization serves. They also create legal exposure when installed or operated carelessly. The rules governing surveillance are not uniform across the United States. They vary by state, by the presence or absence of audio recording, by whether employees or members of the public are being observed, and by the specific location of each camera.

This advisory summarizes the legal landscape and offers practical guidelines suitable for organizations operating in any state. It is general information, not legal advice. Before finalizing a surveillance program, organizations should review their plans with locally licensed counsel and with their insurance carrier.

The Governing Principle: Reasonable Expectation of Privacy

Nearly every state’s surveillance rules flow from a single concept: whether the person being recorded has a reasonable expectation of privacy in that location. Lobbies, entrances, hallways, parking lots, sales floors, warehouses, and outdoor grounds are areas where courts consistently find no reasonable expectation of privacy. Cameras in these locations are lawful in every state when used for legitimate security purposes.

The opposite is true of restrooms, locker rooms, changing areas, lactation rooms, counseling offices, medical exam spaces, and similar locations. Recording in these areas is a criminal offense in most states regardless of intent or signage. California Penal Code section 647(j), for example, criminalizes viewing or recording the interior of any area in which the occupant has a reasonable expectation of privacy, and California Labor Code section 435 separately prohibits employers from making any audio or video recording of employees in restrooms, locker rooms, or changing rooms. Comparable prohibitions exist nationwide. The safest universal rule: no cameras, ever, in any space where people undress, receive counseling or medical care, or reasonably expect seclusion.

Video Is Not Audio: The Most Common Compliance Mistake

Many modern cameras ship with microphones enabled by default, and this is where organizations most often stumble. Silent video and audio recording are governed by entirely different bodies of law. Under the federal Wiretap Act, intercepting oral communications requires the consent of at least one party to the conversation. States may impose stricter rules, and many do.

Roughly a dozen states require the consent of all parties before a private conversation may be recorded. California’s Invasion of Privacy Act, Penal Code section 632, is the best known example: it prohibits recording any confidential communication without the consent of every participant, and violations carry both criminal penalties and civil liability. Other all-party consent jurisdictions include Delaware, Florida, Illinois, Maryland, Massachusetts, Montana, New Hampshire, Pennsylvania, and Washington. Several states apply hybrid rules: Nevada requires all-party consent for telephone calls but not in-person conversations, Oregon applies all-party consent to in-person conversations but not calls, and Connecticut and Michigan each have their own nuances.

Recommendation: disable audio recording entirely. A security camera in a lobby can lawfully capture video in all fifty states, but the same camera capturing the conversations of passersby may violate criminal wiretap statutes in all-party consent states. Few organizations have a security need that justifies the risk. If audio is essential for a specific application, obtain legal advice for each state of operation and post explicit notice that audio recording is in use.

How State Laws Differ: Representative Examples

While the privacy expectation principle is universal, several categories of state law create obligations that differ meaningfully from one jurisdiction to the next.

Consent for Video in Private Places

A handful of states regulate video itself more strictly. Georgia, for instance, permits video surveillance in public and private settings so long as cameras are in plain view, but prohibits recording activities occurring in any private place and out of public view without the consent of all persons observed. Organizations using any concealed camera should treat that decision as high risk and obtain state-specific legal advice first.

Employee Monitoring Notice Statutes

Three states require employers to give formal notice of electronic monitoring. Connecticut requires every employer to post conspicuous written notice describing the types of monitoring in use, and its statute defines electronic monitoring broadly to include the collection of information on an employer’s premises by any means other than direct observation, which includes video. Delaware requires either daily notice or one-time written notice with signed acknowledgment for monitoring of phone, email, and internet usage. New York requires private employers to give written notice of electronic monitoring of telephone, email, and internet activity to new hires, obtain their acknowledgment, and post notice conspicuously. Multistate employers commonly satisfy all three by adopting the strictest requirements everywhere: written notice in the handbook, signed acknowledgment at hire, and posted notice in the workplace.

Biometric Privacy Laws

Modern camera platforms increasingly offer facial recognition and similar analytics. In Illinois, the Biometric Information Privacy Act requires written notice, a published retention schedule, and a written release before collecting biometric identifiers such as facial geometry, and it grants individuals a private right of action with statutory damages. Texas and Washington have biometric statutes of their own. Organizations should leave facial recognition features disabled unless they have completed a state-specific compliance review.

Signage

No state generally requires signage for silent video surveillance of areas open to view, but posting signs is a near-universal best practice. Clear notice deters misconduct, reduces privacy complaints, defeats claims of covert surveillance, and in audio-enabled or consent-based jurisdictions can help establish implied consent. Simple language works: “This property is monitored by video surveillance.” Place signs at every public entrance and at parking areas.

Best Practices for a National Audience

The following practices will keep a surveillance program defensible in any state. They apply equally to nonprofit and for-profit organizations.

• Adopt a written policy before activation. Document the purpose of the system (safety and security of people and property), the location of every camera, and a list of areas where cameras are categorically prohibited. Have the board or ownership formally approve it.
• Run video only. Disable microphones at the hardware or firmware level and document that choice.
• Restrict and log access. Authorize access by role, not by individual name, and keep the list short. Use individual credentials, role-based permissions, and multi-factor authentication for remote viewing. Require a documented reason for reviewing recorded footage.
• Set a retention period and follow it. Most organizations retain footage for 30 to 90 days before automatic overwrite. No general law dictates a period; consistency is what matters. Suspend deletion immediately for any footage relevant to an incident, claim, or litigation hold.
• Establish a law enforcement procedure. Route all requests through one designated officer or executive. Voluntary cooperation is appropriate for crimes occurring on your own property; for broader requests, ask for a subpoena or warrant and consult counsel. Document every disclosure and retain a copy of whatever is provided. Do not grant law enforcement standing remote access to the system.
• Protect footage as sensitive data. Change default passwords, keep firmware current, segment cameras from guest networks, and confirm that your cyber liability policy covers stored video. Footage of children, patients, or clients deserves the highest level of protection and should never be posted publicly.
• Give employees notice everywhere. Even outside Connecticut, Delaware, and New York, disclose camera locations and monitoring practices in the employee handbook and obtain acknowledgment. Transparency defeats most privacy claims before they start.
• Maintain the system and document it. A camera system that has failed without anyone noticing can become evidence of negligence after an incident. Schedule periodic checks and log them.
• Coordinate with your insurer. Carriers serving nonprofits and commercial accounts publish surveillance guidelines, may offer premium credits, and will have expectations regarding coverage of playgrounds, childcare areas, and cash handling points.

Special Note for Organizations Serving Children

Cameras covering playgrounds, nurseries, and classrooms are valuable for child protection and for defending against claims, but footage of minors warrants extra restraint. Limit viewing access to the smallest practical group, prohibit export or social media use, and align retention with the advice of counsel, since claims involving minors often carry extended statutes of limitations. Organizations operating licensed childcare should also confirm whether their state licensing agency imposes camera or recordkeeping requirements.

Conclusion

A well-run surveillance program rests on four commitments: cameras only where no one expects privacy, video without audio, honest notice to everyone observed, and a written policy that controls access, retention, and disclosure. Organizations that build their systems on these commitments will satisfy the strictest states and will be well positioned everywhere else.

About Kearnan Consulting Group, LLC: Kearnan Consulting Group advises nonprofit and for-profit organizations on risk management, facility security, and organizational policy. For questions about this advisory or assistance developing a surveillance policy for your organization, contact jeff@kearnanconsulting.com.

This advisory is provided for general informational purposes only and does not constitute legal advice. Laws change frequently and vary by jurisdiction. Consult licensed legal counsel in each state where your organization operates before implementing a video surveillance program.

Sources

• Cal. Penal Code § 647(j); see also Cal. Labor Code § 435 (prohibiting any audio or video recording of employees in restrooms, locker rooms, or changing rooms).
• 18 U.S.C. § 2511 (Electronic Communications Privacy Act, Wiretap Act provisions).
• Cal. Penal Code § 632, available at leginfo.legislature.ca.gov.
• All-party consent jurisdictions include California, Delaware, Florida, Illinois, Maryland, Massachusetts, Montana, New Hampshire, Pennsylvania, and Washington, with additional nuanced rules in states such as Connecticut, Michigan, Nevada (telephone calls), and Oregon (in-person conversations). See Justia, Recording Phone Calls and Conversations: 50 State Survey, justia.com/50-state-surveys/recording-phone-calls-and-conversations.
• Ga. Code Ann. § 16-11-62.
• Conn. Gen. Stat. § 31-48d; Del. Code Ann. tit. 19, § 705; N.Y. Civil Rights Law § 52-c (S2628, effective May 7, 2022). See Holland & Knight, New York Law Requires Notice of Employees’ Electronic Monitoring (May 2022).
• Illinois Biometric Information Privacy Act, 740 ILCS 14. Texas (Bus. & Com. Code § 503.001) and Washington (RCW 19.375) maintain similar statutes without a private right of action.
• See Worship Facility Staff, Video Surveillance in Nonprofits: Compliance, Privacy, and Retention Guidelines (Nov. 19, 2024), https://www.worshipfacility.com/2024/11/19/video-surveillance-in-nonprofits-compliance-privacy-and-retention-guidelines/.