CCPA and Photos: A Compliance Guide for Businesses

PiiBlur Team

The California Consumer Privacy Act applies to photos and videos just as it applies to databases and spreadsheets. If your business collects images containing identifiable information about California residents, the CCPA creates specific obligations around disclosure, access, deletion, and opt-out rights.

Many businesses understand CCPA for structured data — names, emails, purchase history — but overlook visual content entirely. This guide covers how the CCPA applies to photographs and videos, where it differs from GDPR, and what steps to take. This is operational guidance, not legal advice.

How the CCPA defines personal information in photos

The CCPA defines personal information broadly: "information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household."

Under this definition, an image containing a face, license plate, name badge, or any other identifiable visual element qualifies as personal information. The CCPA also lists biometric data — including "imagery of the face" used for identification — as a category of personal information.

When the CCPA applies to your images

The CCPA applies to for-profit businesses that meet any one of these thresholds:

  • Annual gross revenue exceeding $25 million
  • Buy, sell, or share personal information of 100,000 or more California consumers, households, or devices per year
  • Derive 50% or more of annual revenue from selling or sharing personal information

If your business meets any of these criteria and processes images containing identifiable information about California residents, the CCPA applies to those images.

The CCPA covers California residents regardless of where the processing occurs. A company based in New York processing dashcam footage that captures California license plates still has CCPA obligations.

CCPA vs. GDPR for images: key differences

If you already handle GDPR image compliance, understanding where the CCPA diverges helps you avoid gaps.

Scope. GDPR applies to any organization processing data of EU residents, regardless of company size. The CCPA applies only to businesses meeting the revenue or data volume thresholds above.

Lawful basis. GDPR requires a lawful basis (consent, legitimate interest, etc.) before processing. The CCPA requires none — it instead grants consumers rights to know, delete, and opt out after collection.

Consent model. GDPR generally requires opt-in consent for many processing activities. The CCPA uses an opt-out model: you can collect and process personal information by default, but consumers can opt out of its sale or sharing.

Right to delete. Both regulations include deletion rights, but the CCPA's exemptions are broader. Businesses can deny deletion requests when the data is needed to complete a transaction, detect security incidents, comply with legal obligations, or for certain internal uses.

Enforcement. GDPR is enforced by data protection authorities across EU member states. The CCPA is enforced by the California Attorney General and, under the CPRA amendments, the California Privacy Protection Agency (CPPA). A private right of action exists only for data breaches involving unencrypted or unredacted personal information.

Penalties. GDPR fines reach 4% of global turnover. CCPA penalties are $2,500 per unintentional violation and $7,500 per intentional violation. Data breach lawsuits under the private right of action can yield statutory damages of $100 to $750 per consumer per incident.

Practical steps for CCPA photo compliance

1. Inventory your visual data collection

Identify every source of images and videos in your operations: security cameras, vehicle cameras, drones, user uploads, employee photos, and real estate photography. Document what identifiable information each source captures.

2. Update your privacy notice

The CCPA requires you to disclose the categories of personal information you collect at or before the point of collection. If you collect images containing faces, plates, or other identifiable data, your privacy notice must say so. Include:

  • The categories of personal information collected (e.g., biometric data, geolocation via street signs, identifiers via license plates)
  • The purposes for collection
  • Whether the information is sold or shared

3. Build consumer rights workflows

California consumers have the right to:

  • Know what personal information you have collected, including images
  • Delete their personal information, with certain exceptions
  • Opt out of the sale or sharing of their personal information
  • Not be discriminated against for exercising their rights

You need a process to handle these requests within 45 days. For images, this means locating, retrieving, and deleting specific visual data tied to a consumer.

4. Redact before sharing or publishing

The most effective way to reduce CCPA exposure is to redact identifiable information from images before they leave your control. Once you share or publish an unredacted image, you have distributed personal information — creating disclosure obligations and opt-out complications.

PiiBlur detects 13 categories of PII in images and videos, including faces, license plates, ID cards, and name badges. Redacting at the source eliminates downstream tracking and management of that personal information.

5. Address the data breach risk

The CCPA's private right of action applies specifically to breaches involving "nonencrypted and nonredacted personal information." If images in your systems are breached and contain unredacted faces, plates, or other identifiers, you face statutory damages of $100 to $750 per consumer per incident.

Redacting images before storage directly reduces this exposure. A breached dataset of redacted images contains no identifiable personal information.

6. Implement reasonable security measures

The CCPA expects businesses to maintain "reasonable security procedures and practices." For image data, this includes access controls on stored images, encryption in transit and at rest, and audit trails for who accesses visual data.

Treat images as personal data from day one

The CCPA does not exempt photographs and videos. If your images contain identifiable information about California residents, they are personal information under the law — subject to the same disclosure, access, deletion, and opt-out requirements as any other data category.

Automated redaction is the most direct way to minimize your compliance surface. Removing identifiable elements before images are stored, shared, or published reduces the volume of personal information you manage and limits breach liability.

PiiBlur processes images and videos through its API or dashboard, detecting and redacting all 13 PII categories automatically. The free tier covers 100 images and 5 minutes of video per month — enough to validate the approach against your actual content.