The comforting aroma of freshly brewed coffee, the gentle buzz of customers and staff – your café is a place built on trust. Whether you’re an independent coffee shop owner or running a busy café chain, you want your business, employees and customers to feel safe. For many café owners in the UK, installing CCTV (Closed-Circuit Television) cameras seems like a straightforward way to enhance security and deter crime. But did you know there are specific legal hoops you need to jump through before switching those cameras on?

Under UK law, especially the General Data Protection Regulation (GDPR) and the Data Protection Act 2018, using CCTV isn’t just about putting up a camera and hitting “record.” Cafés must meet data protection requirements, respect people’s privacy, and communicate openly about how images are being captured and used. If you get it wrong, the financial penalties and reputational damage can be severe.

Don’t stress – with the right legal approach, you can keep your café protected while staying on the right side of the law. In this guide, we’ll walk you through the essentials of UK CCTV law for cafés, covering your legal obligations, practical compliance steps, and some top tips for best practice. Let’s get started!

What Does The Law Say About CCTV In Cafés?

First things first: cafes that use CCTV must comply with the GDPR and the Data Protection Act 2018. These regulations exist to protect individuals’ privacy rights, especially when it comes to the collection and processing of personal data (and yes, video footage of people counts as personal data!).

Here’s what this means for café owners:

  • You must process CCTV footage lawfully, fairly and transparently.
  • Anyone captured by your cameras (customers, staff, delivery drivers) has privacy rights you must respect.
  • A clear, legitimate reason is needed for filming (for example, crime prevention or staff safety).
  • Those recorded should know when, where, and why they’re being recorded.
  • You must also be prepared to respond to ‘data subject requests’ – for example, if someone asks for a copy of footage they appear in.

Breaching these rules isn’t just frowned upon – penalties from the Information Commissioner’s Office (ICO) can be as high as £17.5 million, or 4% of your annual turnover, whichever is greater. So, getting this right is crucial.

Do I Need To Tell Customers And Staff About CCTV?

Yes. Transparency is a core requirement of UK data protection law. People have a legal right to know if they’re being filmed, why, how the footage will be used, and who to contact about their data.

In practice, this means you need to:

  • Display clear signage at entrances and in key areas where CCTV operates. This should state cameras are in use, outline the purpose (e.g. “For safety and crime prevention”), and provide contact details for enquiries.
  • Let your employees know about CCTV, why it’s being used, and how long recordings will be kept.
  • Consider including CCTV details in your Privacy Policy or giving a specific privacy notice about video monitoring.

Trying to conceal CCTV monitoring – especially of employees – can land you in legal hot water, lead to staff distrust, and damage your reputation. Openness and honest communication are your best policy.

What Reasons Justify CCTV Use In My Café?

According to the ICO and UK guidance, you must have a legitimate interest to record CCTV images in your café. Acceptable reasons include:

  • Preventing or detecting crime (e.g., shoplifting, vandalism, antisocial behaviour)
  • Protecting the safety of staff and customers
  • Assisting in the defence of legal claims, where relevant

But just because these are common reasons doesn’t mean you can place cameras everywhere. Surveillance should be proportional. You should not record areas where privacy is expected (like toilets or staff rest rooms), and you should avoid excessive monitoring.

If you want to monitor staff for performance or conduct reasons, tread very carefully. Covert monitoring (filming without someone’s knowledge) is only justified in exceptional circumstances – for example, if you have strong evidence of criminal activity and notifying people would undermine your investigation. Even then, you’d need strong legal justification and clear documentation.

How Do I Stay GDPR Compliant With CCTV?

Good news: complying with GDPR doesn’t have to be scary. Here’s a step-by-step checklist for ensuring lawful CCTV operation in your café:

1. Conduct A Data Privacy Impact Assessment (DPIA)

Before you install cameras, you should complete a Data Privacy Impact Assessment (DPIA). This means looking at:

  • What risks CCTV introduces to privacy (e.g., capturing footage of innocent bystanders, monitoring staff unnecessarily)
  • How you plan to mitigate those risks (e.g., careful camera positioning, access controls, restricting who can view footage)
  • Whether CCTV is truly necessary for your goal, or if less intrusive alternatives exist

Carrying out a documented DPIA isn’t just good practice – it’s often a requirement under GDPR, and if the ICO investigates, they’ll expect to see your risk assessment.

2. Be Completely Transparent

Make it clear to anyone entering your café that CCTV is in use. Do this by:

3. Keep Footage Secure And Limit Access

Under GDPR, you must keep all personal data (including CCTV footage) safe. That means:

  • Storing footage securely on password-protected systems
  • Restricting access to only those who genuinely need it (for example, you and trusted managers only)
  • Having clear protocols for reviewing, copying or releasing footage (especially if requested by police or in connection with a legal dispute)

4. Set An Appropriate Retention Period

You mustn’t keep CCTV footage longer than necessary for your stated purpose. This could mean keeping images for as little as 24-72 hours, a week, or up to 30 days depending on your risk assessment and business needs. Set out your policy and stick to it.

If there’s an ongoing incident (such as a theft) or a formal investigation, you may need to keep footage longer, but only for as long as is required for that matter.

5. Draft A Clear Privacy Policy

Your Privacy Policy should explain your use of CCTV and include details like:

  • The lawful basis for collecting images (“legitimate interests” for safety/crime prevention is common)
  • Who operates the CCTV system and how to contact them about privacy concerns
  • How people can request access to images of themselves (“subject access request”)

Need help? Drafting privacy documentation is a legal requirement for most businesses processing personal data – using templates or DIY methods is rarely enough. If you need tailored advice or a professionally prepared Privacy Policy, reach out to a data privacy specialist.

6. Respond Promptly To Data Requests

Anyone caught on your CCTV has the right under GDPR to request a copy of footage they appear in. You must:

  • Respond within 30 days
  • Provide the images, unless there’s a valid reason to refuse (such as if giving them the footage would reveal images of other people)

Carefully review any footage before release and blur out anyone else, or refuse (with an explanation), if there’s a legal justification.

What If I Need Covert Surveillance?

Occasionally, you may suspect criminal behaviour by staff or others but worry that putting up notices will tip them off. In UK law, covert CCTV is only justified in rare, serious circumstances, and you must document:

  • Why you think overt CCTV (notifying everyone) would undermine your objectives
  • That there’s no less intrusive way to achieve your aim
  • That covert monitoring is strictly limited in duration and scope, and reviewed regularly

You’ll likely need to show your DPIA if challenged. Before considering covert surveillance, always get professional legal advice – wrongful use can expose you to claims for breach of privacy, unfair dismissal, or even criminal liability.

What Else Should I Consider When Using CCTV?

Setting up CCTV in your café brings a few more legal and practical considerations. Make sure you:

  • Review your contracts: If you’re in rented premises, your lease may have rules about installing security equipment – always check with your landlord (see our guide to cafe and restaurant leases).
  • Check your insurance policy: Your insurer may require (or reward) good security, but they’ll also expect you to comply with privacy law.
  • Don’t go overboard: More cameras ≠ more security if it means unnecessary privacy intrusion. Strike a sensible balance.
  • Stay up to date: Laws change, so regularly review your privacy and CCTV policies.
  • Train your staff: Make sure your team knows the policies, how to answer questions about CCTV and how to respond to data requests.

Do I Need To Register As A CCTV Operator?

Businesses that use CCTV for non-household purposes generally need to register with the Information Commissioner’s Office (ICO) as a data controller and pay a small annual fee. Failing to register can lead to fines, so double-check your obligations before you switch those cameras on.

What About Audio Recording?

Be extra cautious: recording audio alongside video is a much greater invasion of privacy. In almost all cases, audio capture is considered unnecessary and disproportionate in cafés, unless there’s a compelling reason. Strictly limit your system to video-only unless advised otherwise by a legal professional.

Key Takeaways

  • CCTV footage is personal data – recording customers and staff carries legal obligations under GDPR and the Data Protection Act 2018.
  • You must be transparent: display clear signage, inform staff, and clearly communicate why and how cameras are operating.
  • Only install CCTV for a legitimate purpose like preventing crime or ensuring safety – avoid unnecessary monitoring or any filming of private areas.
  • Conduct a Data Privacy Impact Assessment (DPIA) before installation and review it regularly.
  • Limit access to footage, set appropriate retention periods, and secure recorded data.
  • Prepare a comprehensive Privacy Policy and ensure you can respond to data requests within 30 days.
  • If in doubt, get tailored legal advice – penalties for non-compliance can be severe.

Setting up lawful CCTV in your café is all about balance: securing your business while respecting everyone’s privacy and rights. By following the right steps from day one, you’ll protect your staff, customers and your reputation – and feel confident that your café is operating safely and legally.

If you’d like help ensuring your café’s CCTV is fully compliant, reviewing your privacy policy, or have questions about UK CCTV law, our friendly legal team is ready to help. You can reach us at 08081347754 or [email protected] for a free, no-obligations chat.

Alex Solo
Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.

Meet some of our Regulatory Compliance Lawyers

About Sprintlaw

Sprintlaw's expert lawyers make legal services affordable and accessible for business owners. We're an award-winning, online law firm for small businesses in the UK.

5.0 Review Stars
(based on Google Reviews)
Do you need legal help?
Get in touch now!

We'll get back to you within 1 business day.

  • This field is hidden when viewing the form
  • This field is for validation purposes and should be left unchanged.

Related Articles
Protect Your eCommerce Business: How Credit Check Companies Safeguard Against Bad Debts and Unreliable Partners
Posted 6th May, 2025
Joint Controllers Under UK GDPR: Key ICO Data Controller Rules and Compliance Steps
Posted 6th May, 2025
Data‑Protection Managers: ROI & Compliance Benefits
Posted 6th May, 2025
Understanding Your GDPR Role: Navigating Data Controller and Processor Responsibilities
Posted 6th May, 2025
Patent Attorneys: Expert Help to Avoid Costly Mistakes
Posted 6th May, 2025
Retention‑of‑Title Clauses: Buyer Risks and How to Negotiate Them
Posted 6th May, 2025