This is engineering guidance, not legal advice. Confirm specifics with qualified counsel.
Why this matters
This article is the consent-and-notice layer of the privacy-and-compliance block, written for the security integrator, product manager, retail or smart-building lead, or enterprise security owner who is specifying or buying a surveillance system and needs to get permission right before a camera records anyone. The question "do we need their consent, or is a sign enough?" sits underneath almost every surveillance deployment, and the answer flips depending on whether you are merely recording or running facial recognition, whether you are in the EU or the United States, and whether the people in frame are employees or strangers. Get it wrong in the cheap direction — a decorative sign, a bundled consent box, a biometric time clock with no signed release — and you have built unlawful processing into the product. You do not need a legal background to read this; every term is defined in plain language and tied to the named law, and the goal is to leave you able to tell a compliant design from a non-compliant one before it is built.
First, untangle two words people use as if they are the same
Two ideas hide inside the phrase "consent and notice," and engineers, vendors, and buyers blur them constantly. Pulling them apart is the whole article.
Notice is telling people what is happening. A sign at the door that says "CCTV in operation," plus a fuller explanation they can reach, is notice. It is a one-way act: you inform, and the duty is discharged whether or not anyone reads it. Almost every surveillance system owes notice, because people have a right to know they are being recorded and to find out the details.
Consent is getting permission. It is a two-way act: the person has to make a real choice and signal agreement, and — this is the part that surprises people — they have to be able to change their mind later. Consent is a much higher bar than notice, and for ordinary cameras you almost never rely on it.
A useful everyday picture: notice is the sign on a shop door that says "open 9 to 5." Consent is the shop actually agreeing to serve you. The sign informs; it does not, by itself, create an agreement. The mistake that costs the most money in surveillance is treating the sign as if it were the agreement.
Figure 1. The distinction the whole article turns on. Notice is a duty to inform that a well-built sign discharges; consent is a freely given, withdrawable permission that a sign can never deliver.
Why ordinary cameras almost never run on consent
In the EU, before a single camera records an identifiable person you need a lawful basis — one of the six grounds in Article 6 of the General Data Protection Regulation (GDPR), Regulation (EU) 2016/679, that make processing personal data legal. Consent (Article 6(1)(a)) is one of them. It is rarely the right one for cameras, and it helps to see exactly why.
GDPR defines consent (Article 4(11)) as "any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement." Article 7 then adds conditions that make that definition operational: the controller must be able to demonstrate that consent was given (Art. 7(1)); the request must be clearly distinguishable from other matters, intelligible, and in plain language (Art. 7(2)); the person may withdraw at any time, and it must be as easy to withdraw as to give (Art. 7(3)); and, in judging whether consent is freely given, utmost account is taken of whether a contract or service has been made conditional on consent to processing that is not actually necessary for it (Art. 7(4)).
Now apply that to a camera at a shop entrance. To run it on consent you would need a freely given, recorded, withdrawable opt-in from every person who walks through the door — including people who did not choose to be there and cannot realistically be asked in advance. And because consent is withdrawable, anyone could later demand you stop processing and delete their footage, which an entrance camera cannot honour selectively. The European Data Protection Board — the EU body that issues official guidance interpreting GDPR — says exactly this in its Guidelines 3/2019 on video devices: consent under Article 6(1)(a) can serve as a basis only "in rather exceptional cases," and ordinary video surveillance should normally rely on legitimate interests (Article 6(1)(f)) instead. Legitimate interest is a documented three-part balancing test, not a free pass; we walk through it in detail in GDPR for video surveillance.
The practical rule for ordinary cameras: rely on a non-consent basis and tell people with a notice. Consent is the wrong tool because it does not scale to people who never chose to be in frame.
The math that proves consent does not scale
Walk the arithmetic out loud once. Suppose one entrance camera at a mid-size retail site sees about 8,000 unique people a day.
unlawful captures/day = visitors × (1 − opt-in rate)
= 8,000 × (1 − 0.99)
= 80 people/day
over one year = 80 × 365 ≈ 29,200 captures
Even at an unrealistically perfect 99% opt-in rate, 80 people a day are filmed with no valid consent — and you have no lawful basis for their data unless you fall back on legitimate interest anyway. One camera, one year, roughly 29,200 people you processed unlawfully. The number only gets worse with more cameras and realistic opt-in rates. This is why open-area CCTV runs on legitimate interest plus notice, and why consent is reserved for the narrow cases below where you genuinely can obtain it.
What valid consent actually takes — when you do need it
Sometimes consent is the right tool, or the legally required one (biometrics, covered below). When you do rely on it, it has to be the real thing. Strip GDPR's definition into four ingredients, each of which a system designer has to honour.
Freely given. The person must have a genuine, no-penalty choice. If saying no costs them the service, the job, or meaningful access, the consent is not free. Recital 43 of GDPR says consent is unlikely to be valid where there is a clear imbalance between the person and the controller, naming public authorities in particular; the employer-employee relationship is the classic private-sector case, as the Article 29 Working Party spelled out in Opinion 2/2017.
Specific. Consent covers one defined purpose. A single tick that authorises "security, marketing, and analytics" together is invalid bundling; each purpose needs its own choice.
Informed. Before agreeing, the person must know who the controller is, what is collected, why, for how long, who receives it, and that they can withdraw. Informed consent and notice overlap here — but informing someone is only the input to consent, not consent itself.
Unambiguous, by a clear affirmative act. Silence, inactivity, or a pre-ticked box is not consent (GDPR Recital 32). The person has to actively do something — sign, tap "I agree," enrol.
On top of those four, Article 7 demands that you can prove consent later, present it separately from other terms in plain language, and make withdrawal as easy as giving it. A consent flow with no withdrawal mechanism fails on its face.
Figure 2. Valid consent is a gate, not a checkbox. Four ingredients from Art. 4(11) plus Art. 7's provable, separate, and withdrawable conditions; pre-ticked, bundled, or pressured "consent" never passes.
Common mistake: the pre-ticked or bundled consent box. A box that is already ticked, or one tick that covers security plus marketing, is not valid consent under GDPR Recital 32 and Article 7(2). If your enrolment screen ships with consent pre-selected or rolls multiple purposes into one acceptance, it collects nothing the regulator will recognise — and you have processed the data with no basis.
The notice that actually holds up
Because most cameras run on notice rather than consent, the quality of the notice is what stands between you and a transparency violation. GDPR's transparency duty lives in Articles 12 and 13, and the European Data Protection Board turns it into a practical two-layer model in Guidelines 3/2019. The same structure works far beyond the EU, so it is worth building once and reusing.
The first layer is the warning sign a person meets before entering the monitored area. The EDPB (Guidelines 3/2019, para. 114) says it should carry the most important information: the purpose of the surveillance, the identity of the controller, the existence of the data subject's rights, and information on the greatest impacts of the processing — and it must point to where the fuller notice lives. Paragraph 115 adds that the sign should include anything that could surprise the person, such as footage being transmitted to third parties (especially outside the EU) and the storage period. Paragraph 116 covers placement: position the sign at a reasonable distance from the monitored places so the person can recognise the situation before entering it.
A first-layer sign that meets the bar looks like this:
⚠ CCTV IN OPERATION
Purpose: theft and safety monitoring of this store
Operated by: Example Retail Ltd · dpo@example.com
Footage kept 30 days · not shared except with police on request
You have rights over this footage (access, erasure, objection).
Full notice: [QR code] or ask at the customer desk.
The second layer is the complete information notice holding everything Article 13 requires — the lawful basis (and, for legitimate interests, the interest pursued), the retention period, recipients, international transfers, and how to exercise rights. It has to be reachable without entering the monitored zone: at a reception desk, behind a QR code on the sign, or on a clearly signposted web page. We cover signage as a GDPR obligation in GDPR for video surveillance; here the point is the mechanics that make it sufficient rather than decorative.
Figure 3. Notice in two layers, per EDPB Guidelines 3/2019. The entrance sign (first layer) carries the essentials and points to the full Article 13 notice (second layer) at reception, on the web, or behind a QR code.
Common mistake: the decorative sign. A sign that says only "Smile, you're on camera" is not notice — it names no controller, no purpose, no retention, no rights, and no route to the full notice. Through 2025, EU regulators repeatedly penalised operators for exactly this gap between having a camera and properly informing people. A sign that fails the para. 114–116 content test does not discharge the duty it was meant to.
Biometrics change the question entirely
Everything above is about ordinary recording. The moment a system builds a biometric template — a mathematical model of a face, an iris, or a voice used to identify a specific person — the legal question stops being "notice or consent?" and becomes "do we have the specific, demanding consent that biometrics require?" A sign can never answer yes.
In the EU, a face template is biometric data as defined in GDPR Article 4(14), and Article 9(1) prohibits processing biometric data for the purpose of uniquely identifying a person unless one of the Article 9(2) exceptions applies. For commercial facial recognition the only realistic exception is explicit consent under Article 9(2)(a), a stronger, opt-in, clearly stated consent. The EDPB's own worked example shows why this collapses in public space: a hotel that runs facial recognition to greet VIP guests cannot rely on the VIPs' consent, because the same camera also processes the biometric data of every other guest and passer-by, from whom explicit consent is impossible. A notice on the wall does not deliver explicit consent from anyone. We cover the face-recognition pipeline and its accuracy realities in face recognition in surveillance.
In the United States, Illinois sets the strictest rule, and it is a consent rule, not a notice rule. The Biometric Information Privacy Act (BIPA, 740 ILCS 14) says in Section 15(b) that no private entity may collect a biometric identifier unless it first (1) informs the person in writing that a biometric is being collected or stored, (2) informs them in writing of the specific purpose and length of term, and (3) receives a written release the person actually signs. BIPA's Section 10 defines that "written release" as informed written consent. Section 15(a) adds a notice-style duty on top: a public written retention-and-destruction policy. So Illinois layers a hard consent requirement (15(b)) over a public-notice requirement (15(a)) — and for a camera that faceprints whoever walks past, the signed-release-before-capture step is structurally impossible. We cover BIPA's litigation engine and the per-person damages in BIPA and US biometric privacy law.
The takeaway: for biometrics, notice is necessary but never sufficient. You need actual opt-in consent — Article 9(2)(a) explicit consent in the EU, a signed BIPA release in Illinois — and where you cannot obtain it from everyone in frame, the lawful move is not to build the template at all. Detection and counting that never identify a specific person stay outside the biometric rules; the same boundary governs plate reading, which we treat in license-plate recognition (LPR/ANPR).
Figure 4. The gate biometrics add. Plain recording runs on notice plus a non-consent basis; a biometric template needs explicit consent (EU Art. 9) or a signed release before capture (Illinois BIPA 15(b)) — which an open-area camera cannot obtain.
The workplace is the hardest case — and it cuts both ways
Cameras at work create the sharpest consent problem, because of the power imbalance GDPR Recital 43 warns about. An employee asked to "consent" to monitoring is not making a free choice — saying no risks the job — so an employer almost never has valid consent for workplace cameras. The European data protection authorities made this point years ago in the Article 29 Working Party's Opinion 2/2017 on data processing at work, and it still holds: rely on legitimate interest plus clear notice (and, in many EU states, consultation with the works council or employee representatives), not consent.
Then biometrics flip the pressure the other way. A biometric time clock in Illinois, the fact pattern behind a wave of BIPA class actions, does require the employee's written consent under Section 15(b), because BIPA's consent rule applies regardless of the employment relationship. BIPA's Section 10 even defines "written release" to include, in the employment context, a release executed by an employee as a condition of employment, so Illinois accepts a release signed to keep the job where GDPR would treat the same signature as not freely given. So the same workplace can be a place where consent is the wrong basis for ordinary cameras and the mandatory one for a fingerprint or face clock. The resolution is not contradictory once you hold the two ideas apart: for plain monitoring, notice on a legitimate-interest basis; for biometric capture, a documented signed release and a public retention policy, with the feature off by default until both exist.
Common mistake: the biometric time clock with no signed release. Rolling out fingerprint or face-scan clocks because the hardware offers it, without the Section 15(b) written release and the Section 15(a) public policy, is the exact pattern that produced hundreds of BIPA suits. The vendor's convenience feature becomes the employer's per-person liability the moment it is switched on.
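The Article 7 conditions above (demonstrable, per-purpose, affirmative, withdrawable) and the "off by default until the release and the policy exist" rule for biometric clocks are both enforceable in code. The following is an added example written for this article; it is not Fora Soft's product code and not any vendor's API. The regime labels 'eu' and 'us_il', the purpose name 'biometric_timekeeping', the evidence labels, and the Site fields are hypothetical names chosen for the example. It models a consent ledger that refuses pre-ticked and bundled requests, records evidence, makes withdrawal a single unconditional call, and a per-frame gate that lets detection and counting run without consent while refusing to build an identity template unless the site has biometrics switched on, the subject is enrolled, and a currently valid consent of the right kind is on file.

```python
"""Consent ledger and a capture gate for biometric analytics.

Added example for this article, not Fora Soft's product code. Hypothetical
names (not from the page): regime labels 'eu' and 'us_il', the purpose
'biometric_timekeeping', the evidence labels, and the Site fields.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Every recognised purpose is its own consent; "security + marketing" can never be one record.
KNOWN_PURPOSES = frozenset({"biometric_timekeeping", "vip_greeting"})
EXPLICIT_EVIDENCE = ("signed_written_release", "explicit_optin_statement")


def ts(year: int, month: int, day: int) -> datetime:
    """UTC timestamp helper so the examples are deterministic."""
    return datetime(year, month, day, tzinfo=timezone.utc)


class ConsentError(ValueError):
    """The request would not satisfy GDPR Art. 4(11) / Art. 7, so nothing is recorded."""


@dataclass
class ConsentRecord:
    subject_id: str
    purpose: str                      # exactly one purpose per record ("specific")
    granted_at: datetime
    evidence: str                     # what proves the affirmative act (Art. 7(1))
    withdrawn_at: Optional[datetime] = None


class ConsentLedger:
    def __init__(self) -> None:
        self._records: list[ConsentRecord] = []

    def grant(self, subject_id: str, purpose: str, affirmative_action: bool,
              evidence: str, at: datetime) -> ConsentRecord:
        if not affirmative_action:          # pre-ticked box, silence, inactivity (Recital 32)
            raise ConsentError("no clear affirmative act")
        if purpose not in KNOWN_PURPOSES:   # bundled or unknown purpose strings are refused, not parsed
            raise ConsentError(f"{purpose!r} is not a single recognised purpose")
        if not evidence:                    # must be demonstrable later (Art. 7(1))
            raise ConsentError("no evidence of consent recorded")
        rec = ConsentRecord(subject_id, purpose, at, evidence)
        self._records.append(rec)
        return rec

    def withdraw(self, subject_id: str, purpose: str, at: datetime) -> int:
        """One unconditional call: withdrawing is as easy as giving (Art. 7(3))."""
        hits = [r for r in self._records
                if r.subject_id == subject_id and r.purpose == purpose and r.withdrawn_at is None]
        for r in hits:
            r.withdrawn_at = at
        return len(hits)

    def active(self, subject_id: Optional[str], purpose: str, at: datetime) -> Optional[ConsentRecord]:
        """A record counts only if granted before `at` and not withdrawn by `at`."""
        for r in self._records:
            if (r.subject_id == subject_id and r.purpose == purpose and r.granted_at <= at
                    and (r.withdrawn_at is None or r.withdrawn_at > at)):
                return r
        return None


@dataclass
class Site:
    site_id: str
    regime: str                                # 'eu' or 'us_il' (hypothetical labels)
    retention_policy_published: bool = False   # BIPA 15(a) public policy
    biometrics_enabled: bool = False           # identity templates are off by default


def decide_capture(site: Site, ledger: ConsentLedger, subject_id: Optional[str],
                   analytic: str, at: datetime,
                   purpose: str = "biometric_timekeeping") -> tuple[bool, str]:
    """Per-frame policy decision: (allowed, reason).

    analytic is 'detect_count' (no identity template, outside the biometric rules,
    notice still owed) or 'identify' (builds a template and needs consent).
    """
    if analytic == "detect_count":
        return True, "counting/detection builds no template; notice still required"
    if analytic != "identify":
        return False, f"unknown analytic {analytic!r}: default deny"
    if not site.biometrics_enabled:
        return False, "biometric analytics are off by default at this site"
    if subject_id is None:
        # An unenrolled passer-by cannot have consented, so the template is never built.
        return False, "unidentified subject: no consent possible"
    rec = ledger.active(subject_id, purpose, at)
    if site.regime == "us_il":
        if not site.retention_policy_published:
            return False, "BIPA 15(a): retention/destruction policy not published"
        if rec is None or rec.evidence != "signed_written_release":
            return False, "BIPA 15(b): no signed written release on file before capture"
        return True, "BIPA 15(a) and 15(b) satisfied"
    if site.regime == "eu":
        if rec is None or rec.evidence not in EXPLICIT_EVIDENCE:
            return False, "GDPR Art. 9(2)(a): no explicit consent on file"
        return True, "GDPR Art. 9(2)(a) explicit consent on file"
    return False, f"regime {site.regime!r} not modelled: default deny"
```

Two design choices carry the legal point. The gate is evaluated before a template is computed, not after, so a denial means the biometric code path never runs for that frame; and the only branch that needs no ledger lookup is detect_count, which mirrors the article's boundary between counting and identifying. Unknown regimes and unknown analytics deny by default, and a consent granted after the capture timestamp or withdrawn before it is treated as absent, which is what "demonstrable" and "withdrawable" mean in practice.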
The United States: mostly a notice regime, with two traps
Outside biometrics, US surveillance law is lighter than the EU's and leans on notice rather than consent. Recording video in spaces where people have no reasonable expectation of privacy, such as shop floors, lobbies, and parking lots, is generally permitted with appropriate notice, and is prohibited where they do have that expectation, such as restrooms and changing rooms. California's Consumer Privacy Act (CCPA, as amended by the CPRA) adds a notice-at-collection duty (Cal. Civ. Code § 1798.100): a business must tell people, at or before the point of collection, what categories of personal information it collects and why. Under the CPRA, the processing of biometric information for the purpose of uniquely identifying a consumer is "sensitive personal information" (§ 1798.140(ae)), carrying an extra right to limit its use and disclosure (§ 1798.121). That is still a notice-and-control regime, not an opt-in consent regime, except where a dedicated biometric statute like BIPA imposes one.
Two traps catch teams that assume "the US is relaxed."
The first is audio. Federal wiretap law (18 U.S.C. § 2511) allows recording a conversation with one party's consent, but roughly a dozen states — including California and Illinois — require all parties to consent. A surveillance camera with its microphone on, capturing conversations in an all-party-consent state, can be a criminal violation even when the video is perfectly lawful. The safe default is to disable audio unless you have a specific, lawful reason and the consent the state requires.
The second is biometrics, already covered: Illinois BIPA, Texas's CUBI, and Washington's biometric law turn a "feature" into a consent obligation with real teeth. The litigation map and the state-by-state detail live in BIPA and US biometric privacy law and the regional regulation map.
Putting it together: notice or consent, by situation
The decision is small once the two ideas are separate. The table below is the whole article compressed.
| Situation | What you need | Primary source | Does a sign suffice? |
|---|---|---|---|
| EU — ordinary CCTV | Lawful basis (usually legitimate interest) + layered notice | GDPR Art. 6(1)(f); Art. 12–13; EDPB 3/2019 | Yes — a sign that meets para. 114–116 |
| EU — facial recognition / biometrics | Explicit consent (Art. 9(2)(a)) or another Art. 9 exception | GDPR Art. 9; Art. 4(14) | No — a sign is not explicit consent |
| US — ordinary video (no privacy expectation) | Notice; CCPA notice at collection where it applies | CCPA/CPRA § 1798.100; state law | Usually — with proper notice |
| US — audio with the video | All-party consent in ~12 states | 18 U.S.C. § 2511; state wiretap laws | No — silence is not consent |
| US (Illinois) — biometric capture | Informed written release before capture + public policy | BIPA 740 ILCS 14, § 15(b), § 15(a) | No — you need a signed release |
Figure 5. The consent-or-notice decision in one tree. Plain recording lands on notice; biometric capture and audio recording branch into the specific consent each regime demands.
Where Fora Soft fits in
We build video surveillance and computer-vision systems, and in that work the consent-and-notice boundary is an architecture decision, not a paperwork afterthought. The systems that hold up under both real load and a regulator's questions are the ones where biometric analytics ship off by default, where the pipeline can run detection and counting without ever building an identity template, and where capture can be geo-fenced so a face-recognition feature simply does not turn on at a site with no consent flow. We design surveillance and analytics with that gate built in — accurate, honest about the precision-and-recall realities of recognition, and structured so the legal basis is decided before the camera records, not discovered afterward. The verticals we know best — video surveillance, computer vision, streaming, conferencing — are exactly where this matters.
What to read next
- GDPR for video surveillance — the lawful-basis test and the full transparency duty.
- BIPA and US biometric privacy law — the written-release rule and the per-person damages.
- Privacy by design for surveillance — how consent and notice fit the wider privacy posture.
Call to action
- Talk to a surveillance engineer — book a 30-minute scoping call to walk through your consent-and-notice plan for surveillance.
- See our case studies — 250+ shipped projects across video streaming, WebRTC, OTT, telemedicine, e-learning, surveillance, and AR/VR.
- Download the Consent & Notice — Decision Guide — One-page printable that turns the article into a pre-procurement checklist: the notice-vs-consent distinction (one-way duty to inform vs two-way, withdrawable permission); the four ingredients of valid GDPR consent (freely given,….
References
- GDPR — Regulation (EU) 2016/679, Article 4(11) (definition of consent) and Article 4(14) (biometric data). Official consolidated text. https://gdpr-info.eu/art-4-gdpr/ — Tier 1 (primary law).
- GDPR Article 7 — Conditions for consent (demonstrable, distinguishable, withdrawable, freely given). https://gdpr-info.eu/art-7-gdpr/ — Tier 1 (primary law).
- GDPR Article 6 — Lawfulness of processing (legitimate interests, Art. 6(1)(f); consent, Art. 6(1)(a)). https://gdpr-info.eu/art-6-gdpr/ — Tier 1 (primary law).
- GDPR Article 9 — Processing of special categories of personal data (biometrics prohibited unless an exception such as explicit consent, Art. 9(2)(a), applies). https://gdpr-info.eu/art-9-gdpr/ — Tier 1 (primary law).
- GDPR Articles 12–13 and Recitals 32, 42, 43 — transparency duty; clear affirmative act; burden of proof; freely given consent and power imbalance. https://gdpr-info.eu/art-13-gdpr/ — Tier 1 (primary law).
- EDPB Guidelines 3/2019 on processing of personal data through video devices (v2.0, 2020), paras. 114–116 (first-layer content and positioning) and the finding that consent serves "in rather exceptional cases." European Data Protection Board. https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-32019-processing-personal-data-through-video_en — Tier 1 (issuing-body guidance).
- Illinois Biometric Information Privacy Act (BIPA), 740 ILCS 14, Sections 10 (definitions, "written release"), 15(a) (public retention policy), 15(b) (informed written consent before capture), and 20 (right of action). https://www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=3004 — Tier 1 (primary statute).
- Article 29 Working Party, Opinion 2/2017 on data processing at work (WP249) — employee consent rarely freely given because of the employer–employee power imbalance. Article 29 Working Party archive hosted by the European Commission. https://ec.europa.eu/newsroom/article29/items/610169 — Tier 2 (issuing-body guidance).
- California Consumer Privacy Act (CCPA), as amended by the CPRA — Cal. Civ. Code § 1798.100 (notice at collection), § 1798.140(ae) (biometric information processed to uniquely identify a consumer as "sensitive personal information"), and § 1798.121 (right to limit use and disclosure of sensitive personal information). https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=CIV&sectionNum=1798.100 — Tier 1 (primary statute).
- EU Artificial Intelligence Act — Regulation (EU) 2024/1689, Article 5 — prohibition on certain real-time remote biometric identification in publicly accessible spaces (in force 2 February 2025). https://eur-lex.europa.eu/eli/reg/2024/1689/oj — Tier 1 (primary law).
- US federal wiretap law — 18 U.S.C. § 2511 (one-party-consent baseline for intercepting communications; many states require all-party consent). https://www.law.cornell.edu/uscode/text/18/2511 — Tier 1 (primary statute).