CCPA vs. GDPR: Video & Image Privacy Compliance Guide
Compare CCPA/CPRA and GDPR obligations for video and image data — who they cover, what counts as biometric data, and how anonymization satisfies both.
Faces in a security camera feed, a customer service video call, or a training dataset are personal data under US and EU law — but the rules differ in ways that matter for how you handle, share, and store that footage. Whether GDPR, CCPA/CPRA, or both apply to your organization depends on where your users are located and how you process their data.
This guide compares GDPR and CCPA/CPRA obligations specifically for video and image data, clarifies how each regime defines biometric information, and explains how irreversible anonymization can satisfy both frameworks at once.
Disclaimer: This guide is for informational purposes only and does not constitute legal advice. Privacy law is complex and jurisdiction-specific. Consult a qualified legal professional before making compliance decisions.
TL;DR
- GDPR covers identifiable EU residents; CCPA covers California consumers — a US company serving EU users can be subject to both simultaneously; territorial scope follows the data subject, not your company's address.
- Both regimes treat faces and biometrics as high-sensitivity data, but CPRA explicitly classifies them as "sensitive personal information" with opt-out rights, while GDPR requires a lawful basis to process them as "special category" data.
- Truly anonymous video and image data falls outside both regimes — GDPR Recital 26 excludes it; CCPA excludes "deidentified" data — so anonymization is the most powerful compliance control available.
- You can anonymize video and images now with Medianonymizer — AI locates faces, license plates, and on-screen PII; a deterministic pipeline overwrites them irreversibly; an audit log documents what was removed.
Who Each Law Applies To
GDPR (EU)
The General Data Protection Regulation (EU) 2016/679 applies when you process the personal data of individuals who are in the EU or EEA. Under Article 3, territorial scope is triggered by:
- Establishment: your organization has an office, branch, or stable arrangement in the EU, or
- Targeting: you offer goods or services to EU individuals, or you monitor their behavior (Article 3(2)).
A US-headquartered company streaming a webinar recorded in California that includes EU participants is generally processing EU personal data and falls under GDPR for those individuals.
CCPA / CPRA (California)
The California Consumer Privacy Act (Cal. Civ. Code §1798.100 et seq.), as amended by the California Privacy Rights Act (CPRA, effective January 2023), applies to for-profit businesses doing business in California that meet at least one threshold:
- Annual gross revenue exceeding $25 million
- Buying, selling, receiving, or sharing the personal information of 100,000 or more California consumers or households per year
- Deriving 50% or more of annual revenue from selling or sharing consumers' personal information
Both laws protect "personal information" broadly, and both recognize that video footage identifying a person falls within scope.
How Each Law Defines Personal Data in Video and Images
GDPR: Personal Data and Special Categories
Under GDPR Article 4(1), personal data is any information relating to an identified or identifiable natural person — including images where a face, gait, or other biometric marker allows identification. Processing biometric data for the purpose of uniquely identifying a person is explicitly prohibited under Article 9 unless a narrow exception applies (explicit consent, vital interests, legitimate public interest, etc.).
Facial recognition data — templates extracted from images to identify individuals — is special-category biometric data under Article 9(1). Even raw video footage where faces are visible is personal data under Article 4 if individuals are identifiable in context.
CCPA/CPRA: Personal Information and Sensitive Personal Information
California Civil Code §1798.140(v) defines personal information broadly, including "images" and identifiers that can be linked to a consumer. Under CPRA §1798.140(ae), sensitive personal information is a distinct sub-category that includes:
- Biometric information processed to identify a consumer (facial recognition templates, voiceprints, gait analysis)
- Precise geolocation
- Racial or ethnic origin
- Account credentials
For sensitive personal information, consumers have the right to limit use and disclosure under CPRA §1798.121 — businesses may only use it for delivering the primary service requested, unless the consumer opts in to broader uses. This is a stronger restriction than general CCPA rights.
Side-by-Side Comparison for Video and Image Data
| Dimension | GDPR | CCPA / CPRA |
|---|---|---|
| Geographic scope | Processing of EU/EEA residents' data | Business operating in CA touching CA consumers |
| Faces in video | Personal data (Art. 4); biometric ID = special category (Art. 9) | Personal information; facial templates = sensitive PI |
| Lawful basis required? | Yes — one of six bases under Art. 6; Art. 9 basis for biometric | No explicit consent required, but sensitive PI triggers opt-out right |
| Data subject rights | Access, rectification, erasure, portability, object (Arts. 15–21) | Know, delete, correct, opt-out of sale/sharing (§1798.100–§1798.125) |
| Anonymization effect | Data excluded from Regulation (Recital 26) | Data excluded as "deidentified" (§1798.140(m)) |
| Penalties | Up to €20M or 4% global turnover (Art. 83(5)) | Up to $7,500 per intentional violation (§1798.155) |
| Regulator | Lead supervisory authority (DPA) + EDPB | California Privacy Protection Agency (CPPA) |
| Biometric opt-out | No separate opt-out; lawful basis controls processing | Consumers may limit sensitive PI use (§1798.121) |
Where the Real Differences Land in Practice
Lawful Basis vs. Opt-Out Architecture
GDPR requires you to identify a lawful basis before you process personal data — legitimate interest, contractual necessity, legal obligation, or consent, among others (Article 6). For biometric data, Article 9 requires a specific basis, and in most commercial contexts that means explicit, freely given, informed consent from each individual.
CCPA takes a different approach: processing is generally permitted, but consumers have the right to opt out of the sale or sharing of their personal information, and the right to limit the use of sensitive personal information to the primary business purpose. The compliance burden is disclosures, opt-out mechanisms, and responding to consumer requests — not pre-authorization.
For video data, this distinction is significant. Under GDPR, recording customer faces for analytics likely requires a fresh consent or a robust legitimate-interest assessment with an associated DPIA (Data Protection Impact Assessment, Article 35). Under CCPA, you may record and use the footage but must provide a "Limit the Use of My Sensitive Personal Information" link if it constitutes sensitive PI and honor opt-outs from California consumers.
Data Subject Rights for Video Footage
Both regimes grant individuals the right to request deletion of their data. Under GDPR Article 17, the right to erasure applies when data is no longer necessary for its original purpose, consent is withdrawn, or the individual objects and there is no overriding legitimate interest. Under CCPA §1798.105, consumers may request deletion and the business must notify service providers and contractors to delete as well.
For video archives, this creates an operational challenge: when an individual requests deletion of a recording in which they appear, can you honor it? If the recording also contains other individuals, you cannot simply delete the file. Selectively anonymizing the requesting individual's face — and re-issuing the file — is often the practical path to compliance with erasure requests under both regimes.
DPIA and Risk Assessment Requirements
GDPR Article 35 requires a Data Protection Impact Assessment before processing that is "likely to result in a high risk" to individuals. The Article 29 Working Party (now EDPB) lists large-scale processing of biometric data and systematic monitoring of public areas as automatic DPIA triggers. If you operate CCTV, build a facial recognition system, or process video at scale for analytics, a DPIA is generally mandatory.
CCPA has no direct DPIA equivalent, but CPRA §1798.185 authorized the CPPA to require risk assessments for processing activities that "present significant risk" to consumer privacy. The CPPA published draft Risk Assessment Regulations in 2024 that, once finalized, will impose assessment obligations for certain high-risk processing — including biometric surveillance.
Anonymization as the Shared Compliance Path
The most efficient way to comply with both frameworks is to apply anonymization at the point where footage leaves your immediate control — before archiving for analytics, before sharing with a vendor, before using in training data, before publishing.
| Scenario | Without anonymization | With anonymization |
|---|---|---|
| Sharing CCTV footage with a third-party analytics vendor | Data processing agreement (GDPR Art. 28); service provider contract (CCPA §1798.140(ag)); ongoing obligations | Deidentified data excluded from both regimes; contractual burden reduced |
| Archiving customer video calls beyond operational retention | Requires legal basis and retention justification under both laws | Anonymized archive falls outside personal data definition |
| Using video for AI model training | Biometric consent under GDPR Art. 9; sensitive PI disclosure under CPRA | Training data excluded from scope if re-identification is not reasonably possible |
| Responding to an erasure request in a multi-person recording | Cannot delete the file without affecting other data subjects | Selectively anonymize the requesting individual; retain the rest |
Medianonymizer's pipeline is built for exactly these scenarios: AI detection locates faces, license plates, and on-screen text frame-by-frame; ffmpeg-based overwrite replaces the identified regions irreversibly; and a downloadable audit log records the detection categories, timestamps, and output file checksum. See the GDPR video anonymization use case for a detailed workflow.
What "Irreversible" Actually Means
A visual blur or pixelation filter applied at the display layer is not sufficient for either GDPR or CCPA compliance if the underlying pixel data survives in the encoded file. Genuine anonymization requires that the identifying data be overwritten in the output file, not merely obscured in the UI. This means:
- Video: re-encoding with the face region filled by a solid color or noise, not an overlay layer
- Images: pixel-level overpainting with metadata stripping (EXIF, XMP, IPTC)
- Audio in video: waveform overwrite (silence or beep) for the relevant segment, not a mute layer
The GDPR principle of data minimisation (Article 5(1)(c)) supports this directly: collect and retain only what is necessary. For footage where the face is not necessary for the downstream purpose, irreversible removal satisfies minimisation and takes the data out of scope.
Implementation Checklist
- Identify all video and image assets that contain identifiable individuals (CCTV, call recordings, user uploads, training data)
- Determine which data subjects are EU/EEA residents (GDPR) and which are California consumers (CCPA/CPRA)
- For GDPR: document the lawful basis for each processing activity; conduct a DPIA for biometric or large-scale video processing
- For CCPA/CPRA: add "Limit the Use of My Sensitive Personal Information" controls if processing biometric data; update privacy notice
- Define retention periods for video assets and the anonymization trigger (expiry, export, sharing, research use)
- Implement irreversible anonymization for all footage leaving primary operational use — faces, plates, and on-screen PII
- Retain an audit log for each anonymization operation: input hash, detection categories, output hash, timestamp
- Establish a process to handle erasure requests in multi-person recordings via selective face anonymization
- Execute data processing agreements (GDPR) or service provider contracts (CCPA) with vendors who receive video data — or eliminate the obligation by sharing only anonymized outputs
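As an added illustration that is not part of this guide or of the Medianonymizer product, the Python below works through the "irreversible" distinction from the section above and the audit-log fields from this checklist on a constructed in-memory image: a tiny RGB buffer with a fake tag dictionary standing in for EXIF/XMP/IPTC. It contrasts a toy display-layer overlay container, which keeps every original pixel and tag in the file, with pixel overwrite plus metadata stripping written out as a binary PPM; records input and output SHA-256 hashes, detection categories and a timestamp as an audit record; and, by passing only one person's box, shows the selective anonymization used for an erasure request in a multi-person recording. The container formats, box coordinates, category names and tag names are all assumptions made for the example.

```python
import hashlib
import json
from datetime import datetime, timezone

# Everything below is constructed for illustration: a tiny in-memory RGB image,
# a fake tag dictionary standing in for EXIF/XMP/IPTC, and two toy containers.


def make_sample_image(width=8, height=6):
    """Constructed 8x6 RGB image with a deterministic pixel pattern and fake tags."""
    pixels = bytearray()
    for y in range(height):
        for x in range(width):
            pixels += bytes(((x * 31) % 256, (y * 47) % 256, ((x + y) * 17) % 256))
    meta = {"Exif.Image.Make": "ConstructedCam", "Xmp.dc.creator": "subject-name"}
    return {"width": width, "height": height, "pixels": bytes(pixels), "metadata": meta}


def region_rows(img, box):
    """Raw RGB bytes of each pixel row inside box=(x, y, w, h), clipped to the image."""
    x, y, w, h = box
    width, height = img["width"], img["height"]
    rows = []
    for yy in range(max(0, y), min(height, y + h)):
        start = (yy * width + max(0, x)) * 3
        end = (yy * width + min(width, x + w)) * 3
        rows.append(img["pixels"][start:end])
    return rows


def export_with_overlay(img, boxes):
    """Display-layer 'blur': a toy container that keeps every original pixel and
    every tag, and merely lists boxes for the viewer to obscure. Reversible."""
    header = {"w": img["width"], "h": img["height"], "metadata": img["metadata"],
              "obscure": [list(b) for b in boxes]}
    return b"OVL1\n" + json.dumps(header).encode() + b"\n" + img["pixels"]


def overwrite_regions(img, boxes, fill=(0, 0, 0)):
    """Irreversible: replace every pixel inside each box with a solid fill and
    drop all metadata. The original values are not kept anywhere in the result."""
    width, height = img["width"], img["height"]
    buf = bytearray(img["pixels"])
    for x, y, w, h in boxes:
        for yy in range(max(0, y), min(height, y + h)):
            for xx in range(max(0, x), min(width, x + w)):
                i = (yy * width + xx) * 3
                buf[i:i + 3] = bytes(fill)
    return {"width": width, "height": height, "pixels": bytes(buf), "metadata": {}}


def encode_ppm(img):
    """Serialize as binary PPM (P6); any tags ride along as header comments."""
    header = "P6\n" + "".join(f"# {k}={v}\n" for k, v in img["metadata"].items())
    header += f"{img['width']} {img['height']}\n255\n"
    return header.encode() + img["pixels"]


def original_pixels_survive(img, output_bytes, box):
    """True if any original pixel row of the box is still present byte-for-byte
    in the exported file: the check to run on a 'blurred' export before release."""
    return any(row and row in output_bytes for row in region_rows(img, box))


def anonymize_with_audit(img, detections, now=None):
    """Overwrite every detected box and return (output_bytes, audit_record).
    detections is a list of {"category": ..., "box": (x, y, w, h)} as a detector
    would emit; passing only one person's box handles a selective erasure request."""
    source = encode_ppm(img)
    output = encode_ppm(overwrite_regions(img, [d["box"] for d in detections]))
    record = {
        "timestamp": (now or datetime.now(timezone.utc)).isoformat(),
        "input_sha256": hashlib.sha256(source).hexdigest(),
        "output_sha256": hashlib.sha256(output).hexdigest(),
        "detections": [{"category": d["category"], "box": list(d["box"])} for d in detections],
        "metadata_stripped": sorted(img["metadata"]),
    }
    return output, record


if __name__ == "__main__":
    img = make_sample_image()
    face, plate = (2, 1, 3, 3), (5, 4, 2, 2)  # constructed detector output
    overlay = export_with_overlay(img, [face])
    print("overlay export still contains face pixels:", original_pixels_survive(img, overlay, face))
    out, rec = anonymize_with_audit(img, [{"category": "face", "box": face},
                                          {"category": "license_plate", "box": plate}])
    print("overwritten export contains face pixels:", original_pixels_survive(img, out, face))
    print(json.dumps(rec, indent=2))
```

The same `original_pixels_survive` check is the one to apply to any vendor's "blurred" export: if a row of the original region can be found in the delivered file, the blur was an overlay and the data is still personal data under both regimes. The audit record carries the input and output hashes so a later reviewer can tie a specific source file to a specific anonymized output without the source being retained.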
Start Anonymizing Across Both Regimes
The fastest path to reducing GDPR and CCPA exposure for video and image data is removing identifiable information before it propagates — to vendors, archives, analytics systems, and training sets. A single anonymization step, done irreversibly and with an audit trail, satisfies the deidentification standards of both frameworks and collapses the downstream obligations that follow personal data.
Frequently asked questions
- Does GDPR apply to video footage if my company is based outside the EU?
- Generally yes, if the footage contains identifiable EU residents and you are either established in the EU or targeting EU individuals with goods or services (GDPR Article 3). Territorial scope is determined by where the data subjects are located, not just where your organization is incorporated.
- Does CCPA/CPRA treat faces and biometric data differently from other personal information?
- Yes. California Civil Code §1798.140 lists 'biometric information' — which includes facial recognition templates and voiceprints — as a distinct category of personal information. CPRA (effective 2023) further classifies biometric data as 'sensitive personal information,' triggering additional opt-out and purpose-limitation rights beyond those for general personal information.
- Is blurring a face in a video enough to satisfy GDPR or CCPA?
- A pixelation or blur overlay that leaves the underlying image data intact in the file is not sufficient; it may be reversible by extracting the unmodified video stream. Compliant anonymization requires irreversible destruction of the identifying pixels — for example, solid overpainting or ffmpeg-based frame overwrite — so no original facial data is recoverable from the output file.
- What is the practical difference between GDPR 'anonymous data' and CCPA 'deidentified' data?
- GDPR (Recital 26) considers data anonymous only when re-identification is not reasonably possible for anyone, accounting for all available auxiliary data. CCPA requires that the data cannot 'reasonably' be linked to a consumer and that the business implements technical safeguards and contractually commits not to re-identify. The GDPR standard is generally higher because it considers third-party re-identification risk globally, not just the business's own capabilities.
- Does CCPA apply to employee video surveillance footage?
- Since January 1, 2023, CPRA's employment data exemption has expired, meaning employees and job applicants in California have full CCPA/CPRA rights. This includes rights over video footage captured in the workplace that could identify them. Businesses should audit internal surveillance practices against CPRA's sensitive-personal-information rules for biometric data.
- Can a single anonymization workflow satisfy both GDPR and CCPA simultaneously?
- In most cases, yes. If anonymization meets the higher GDPR standard — irreversible removal so re-identification is not reasonably likely for anyone — it will generally also satisfy CCPA's 'cannot reasonably be linked' requirement for deidentification. Building once to the stricter standard is the efficient compliance path for organizations subject to both regimes.