AI Video Surveillance Privacy Laws Biometric Privacy Laws, BIPA Consent, and Retention Rules
Recording video in a US workplace is broadly lawful. Computing a face template from that video is a different legal act, governed by different statutes, and in one state it carries a private right of action worth $1,000 to $5,000 per violation. Most AI surveillance compliance risk sits on that line, and most buyers never notice they crossed it.
This is general information for US businesses, not legal advice. Laws change, and your facts matter. Talk to counsel before deploying.
Is AI Video Surveillance Legal in the United States?
Yes, with conditions. A US business may generally record video in areas of its own property where people have no reasonable expectation of privacy, and may run analytics on that video. The rules tighten sharply the moment the system derives a biometric identifier, most commonly a face template, because that triggers a separate body of state law with consent requirements, retention schedules, and in Illinois, private lawsuits.
Three states have stand-alone biometric statutes: Illinois (BIPA), Texas (CUBI), and Washington. Roughly twenty more treat biometric data as sensitive data inside a broader consumer privacy law, and the remainder reach it only through breach-notification rules. Illinois is the one that generates litigation, because BIPA is the only such statute giving individuals the right to sue directly.
The practical consequence for a security buyer is simple. Object detection, which reports that a person, a vehicle, or a weapon appeared, does not compute a biometric identifier and stays outside those statutes. Facial recognition does. Choosing detection over recognition removes most of the legal exposure without removing the security value, which is why Surveillant defaults to detecting people rather than identifying them.
The line that matters:
- Detection. "A person is in the loading dock." Not a biometric identifier.
- Recognition. "That person is Dana Ruiz." A face template, and a regulated act.
Vendors blur these two words constantly. Ask whether a face template is computed and stored, and get the answer in writing.
Which States Have Biometric Privacy Laws?
Only three states regulate biometric identifiers with a dedicated statute. The differences between them decide how much exposure a facial recognition deployment actually carries.
| State and statute | Consent required | Who can sue or enforce | Exposure |
|---|---|---|---|
| Illinois, BIPA (2008) | Written consent before collection | Individuals, private right of action | Statutory damages of $1,000 or $5,000 per violation |
| Texas, CUBI | Informed consent for commercial capture | Texas Attorney General only | Civil penalties up to $25,000 per violation |
| Washington | Notice and consent for commercial use | State Attorney General | Enforcement action, no private suits |
| Roughly 20 more states | Varies, biometric data treated as sensitive data | Usually the state AG | Consumer privacy law penalties, opt-in for sensitive data |
| Remaining states | No specific biometric consent rule | Breach-notification regimes | Exposure arises after a breach, not on collection |
BIPA also requires a published retention and destruction schedule and prohibits selling biometric data. Texas has signalled that biometric enforcement is a priority through settlements, a public CUBI complaint portal, and amendments tied to its 2026 responsible-AI legislation. Verify current law before you deploy; this table summarizes the landscape as of July 2026.
A Practical Compliance Checklist Before You Turn Analytics On
Six steps that cover most of the risk for a US business deploying AI video analytics on its own premises.
Decide detection or recognition, in writing
Write down whether the system will compute a face template. If the answer is no, most biometric statutes do not apply and the deployment gets dramatically simpler. If the answer is yes, everything below becomes mandatory rather than advisable.
Map where your people are
BIPA follows the person, not the server. An Illinois employee walking through an Illinois warehouse is covered even if your headquarters and your cloud region are in Nevada. Multi-site operators should assume the strictest state in their footprint sets the standard.
Get written consent before collection, not after
Where biometrics are in scope, consent must precede the first capture, and it has to be written. Most employers fold a plain-language biometric consent into onboarding and keep the countersigned record on file, which is far easier to produce three years later than an email thread.
Publish a retention and destruction schedule
BIPA requires a publicly available written policy stating how long biometric identifiers are kept and when they are destroyed. Set a real retention window per camera, and make sure the platform actually enforces deletion rather than merely promising it in a sales deck.
Post notice, and never point a camera at a private space
Several states require notice of video monitoring, and no state permits cameras in restrooms, locker rooms, or changing areas. Two-party consent states add rules for audio, which is why most commercial deployments simply disable microphones.
Never sell or share the data
BIPA flatly prohibits profiting from biometric identifiers. Read your vendor contract for any clause permitting model training on your footage or sharing with third parties, and strike it. The absence of that clause is worth more than any certification badge.
Step three is where deployments quietly fail an audit. A consent that lives in a training slide, an intranet post, or a verbal briefing is not a written consent, and reconstructing who agreed to what after a claim is filed is close to impossible. The teams that stay out of trouble treat biometric consent like any other signed employment document: a short plain-language form, one signature, stored with a date. Getting employees to sign and return that form electronically takes minutes and produces the dated record a regulator will ask for.
Step four deserves the same discipline. A retention schedule that says "as long as necessary" satisfies nobody. Pick a number of days per camera class, write it down, and confirm the platform deletes on that schedule. Our guide to how long to keep security camera footage covers the operational and insurance considerations that usually set the number.
How to Get the Security Value Without the Biometric Exposure
Almost everything a security team actually needs from AI video is available without identifying anyone. Knowing that a person entered a restricted yard at 2:14am, that a vehicle has been parked at a loading dock for forty minutes, or that someone is on the roof does not require knowing their name. Object detection answers all three, and it computes no biometric identifier.
Investigation is the case people assume needs facial recognition, and usually it does not. Cross-camera tracking follows the same appearance signature across a site without ever matching it to an identity database, which is enough to reconstruct a path through a building. Natural-language search retrieves "man in a red jacket near the west door after 9pm" from hours of footage without a face template. Both are described in more detail on our cross-camera tracking and natural-language video search pages.
Where footage leaves the building, redaction is the other half of the answer. Sharing a clip with police, an insurer, or opposing counsel routinely exposes uninvolved bystanders, and a blurred face costs nothing to produce and removes an entire category of complaint. See video redaction software and the walkthrough on how to redact a video.
If you do need facial recognition for a genuine reason, such as an access-control watchlist at a secure facility, treat it as its own project with its own consent flow, its own retention schedule, and counsel involved from the start. Do not let it arrive as a checkbox inside a general surveillance rollout. That is precisely how organizations end up defending a BIPA class action over a feature nobody remembered enabling.
AI Video Surveillance Privacy Questions
Is AI video surveillance legal?
In the United States, generally yes. A business may record video on its own property in places where people lack a reasonable expectation of privacy, and may run analytics on that footage. The legal picture changes when the system derives a biometric identifier such as a face template, which triggers state biometric statutes with consent, notice, and retention obligations.
Which states have biometric privacy laws?
Illinois, Texas, and Washington have stand-alone biometric statutes. About twenty additional states protect biometric data as sensitive data within a broader consumer privacy law, and the rest address it only through data-breach notification rules. Illinois BIPA is the strictest and the only one that lets individuals sue directly.
What is BIPA and does it apply to security cameras?
BIPA is the Illinois Biometric Information Privacy Act, enacted in 2008. It applies to security cameras only when the system collects a biometric identifier, such as a face or voice template. Ordinary recording and object detection do not trigger it. Facial recognition does, and BIPA then requires written consent before collection, a published retention and destruction schedule, and a ban on selling the data.
How much are BIPA damages?
BIPA provides statutory damages of $1,000 per negligent violation and $5,000 per intentional or reckless violation, plus attorney fees. It is the only US biometric statute with a private right of action, which is why the overwhelming majority of biometric litigation in the country is filed in Illinois and why multi-state employers usually set their standard to BIPA.
Do I need employee consent for AI video surveillance?
For plain video monitoring of work areas, most states require notice rather than consent, and several require neither, though posting notice is standard practice. For any system that computes a biometric identifier, written consent obtained before the first capture is required in Illinois and informed consent is required in Texas. Get it in writing and keep the dated record.
Does video analytics count as biometric data?
Not by default. Detecting that an object is a person, a vehicle, or a weapon produces no identifier tied to an individual and falls outside biometric statutes. Facial recognition, which computes and stores a mathematical face template for matching, is biometric data under every state biometric law. The distinction is the single most important thing to confirm with a vendor.
How long can a business keep security camera footage?
No general federal rule sets a maximum, and in practice retention is driven by storage cost, insurance requirements, and industry regulation, commonly landing between 30 and 90 days. Biometric identifiers are different: BIPA requires destruction when the purpose is satisfied or within three years of the last interaction, whichever comes first, under a published schedule.
Can I record audio with my security cameras?
Usually you should not. Audio recording falls under federal and state wiretap law rather than video privacy law, and roughly a dozen states require all-party consent to record a conversation. Because the legal exposure is disproportionate to the security benefit, most commercial deployments disable microphones entirely.
Does GDPR apply to US video surveillance?
Only if you monitor people in the EU or UK, or process their data. A purely domestic US deployment watching a US facility is governed by US federal and state law. Companies with European sites should treat GDPR as a parallel obligation, since it classifies biometric data as a special category and demands a lawful basis and a documented impact assessment.
Related Reading
Business Security Camera Laws
Where you may point a camera, and where you may not.
Facial Recognition Software
When identification is genuinely required.
Video Redaction Software
Blur bystanders before footage leaves the building.
Intelligent Video Analytics
Detection without identification, by default.
Get the security value without the biometric exposure
Surveillant detects people, vehicles, and threats without computing a face template. Connect a camera and see what detection alone can do. No credit card required.