How long can a business keep security camera and CCTV footage before it has to be deleted?
There is no single, universal answer. How long a business may keep security camera (CCTV) footage depends on the laws that apply to it, the purpose for which the footage was collected, and the organization’s own retention schedule. The guiding principle is that footage should be kept only as long as it serves a legitimate, documented purpose, and then disposed of consistently.
What Drives the Retention Period
Several factors typically determine how long footage should be held:
- Operational need. Most routine surveillance footage is reviewed within days. Many organizations retain it for a short, fixed window, then overwrite it automatically.
- Applicable law and regulation. Certain industries (for example, banking, gaming, healthcare, transportation, or licensed premises) are subject to sector-specific rules that set minimum retention periods. State and local privacy laws may also impose limits.
- Privacy obligations. Video that captures identifiable individuals is often personal data. Privacy principles favor retaining it no longer than necessary and limiting access.
- Legal hold. If footage is relevant to an incident, claim, investigation, or litigation, it must be preserved beyond its normal period until the matter is resolved. Deleting footage under a hold can carry serious consequences.
Setting a Defensible Policy
A defensible approach is to adopt a written retention schedule rather than relying on whatever the recorder defaults to. Good practice includes:
- Documenting the purpose of the cameras and the retention period for each footage type.
- Applying automatic deletion or overwrite once the period expires.
- Suspending deletion immediately when a legal hold applies.
- Restricting who can view, export, or copy footage, and logging that access.
- Reviewing the schedule periodically against changing legal requirements.
Common retention windows for routine footage range from a couple of weeks to several months, but you should confirm the minimum and maximum that apply to your jurisdiction and industry rather than assuming a number.
The Bottom Line
Keep footage long enough to meet operational and legal needs, no longer than necessary for privacy, and never delete footage subject to a hold. Documenting these decisions in a retention schedule is what makes deletion defensible.
For broader context on building retention rules, see the compliance and standards topic hub.
Sources & further reading
Authoritative government and non-profit references.
- ISO 15489-1 Records management — ISO
- NIST Privacy Framework — NIST
How to cite this page
APA
RM University Editorial. (2026). How long can a business keep security camera and CCTV footage before it has to be deleted?. Records Management University. https://www.recordsmgmt.org/questions/how-long-keep-security-camera-and-cctv-footage/
MLA
RM University Editorial. "How long can a business keep security camera and CCTV footage before it has to be deleted?." Records Management University, 16 June 2026, www.recordsmgmt.org/questions/how-long-keep-security-camera-and-cctv-footage/.
Related questions
- Can a commercial off-the-shelf system meet the NARA Universal ERM Requirements without being DoD 5015.2 certified?
- Can a company be fined or sanctioned for not following ISO 15489 in a lawsuit?
- Can a US company store its records on servers in another country, and what cross-border data rules apply?
- Can following ISO 15489 actually help us pass an audit or hold up in court?
- Can I just adopt ISO 15489 word-for-word as our records policy, or does it not work that way?