Most enterprise security teams can tell you exactly how their databases are encrypted. They know who has access to their CRM and can pull audit logs for every sensitive document that’s been opened, copied, or shared in the last 90 days.
Ask those same teams what’s happening with the thousands of hours of video footage their organization stores, and you’ll usually get silence, or at best, a vague answer.
Security cameras are recording lobbies, parking lots, and hallways around the clock. Zoom meetings are saved to the cloud by default. Marketing teams shoot content in public with dozens of strangers in the background.
Every one of these files contains identifiable human faces. And in the vast majority of organizations, not a single one of those faces has been redacted, classified, or placed under any control.
This is the blind spot. Not a theoretical one, either. It’s already being exploited, litigated, and regulated.
The regulatory pressure is no longer avoidable
For years, visual data privacy lived in a gray area. Regulations focused on structured data only: names, email addresses, financial records, and health information stored in databases. Video and image data were treated more like a storage issue than a security issue.
That’s changing. Quickly.
Under the General Data Protection Regulation (GDPR), a facial image becomes biometric data (Article 4(14)) when it is processed by specific technical means for the purpose of uniquely identifying an individual, and biometric data used for that purpose is special category data under Article 9, one of the most protected categories the regulation offers. Any organization capturing or storing video containing the faces of individuals in Europe needs a lawful basis for processing that data, and for identification purposes an Article 9 exception as well. In practice, most haven’t really thought through whether they have one, and regulatory enforcement around video-related GDPR obligations has intensified in 2026, with authorities increasingly distinguishing between reversible pseudonymization (the face can be restored by whoever holds the key or the original) and true irreversible anonymization.
In the United States, the regulations are tightening too. The Health Insurance Portability and Accountability Act (HIPAA) lists full-face photographic images among the identifiers that make a record protected health information, so telehealth recordings that show a patient’s face fall squarely under it. The Family Educational Rights and Privacy Act (FERPA) can apply to recordings in educational settings when a video is directly related to a student and maintained by the institution as part of its records. Illinois’s Biometric Information Privacy Act (BIPA) has already produced hundreds of millions of dollars in settlements from companies that collected facial data without proper consent.
Then came February 2026. Sixty-one data protection authorities from around the world issued a coordinated joint statement specifically targeting AI systems that generate realistic images and videos of identifiable individuals without their consent — with particular concern about harm to children and the rise of non-consensual intimate imagery.
This wasn’t just guidance or best practices. It was a signal.
Enforcement around visual data is starting to align internationally across jurisdictions.
For security leaders, the message is hard to misread: visual data is moving from loosely regulated to actively enforced, and faster than most organizations are prepared for.
What happens when visual privacy fails
The consequences aren’t hypothetical. They’re already playing out.
In early 2026, Meta was hit with a class action lawsuit over its Ray-Ban smart glasses. The company had marketed the product with privacy-first messaging, telling customers the glasses were “designed for privacy”.
What actually happened was very different.
Contractors working for a subcontractor in Kenya were reviewing footage captured by users’ glasses. That footage included people undressing, using the bathroom, or in bed. Meta had claimed its systems blurred faces in the footage before human review, but sources disputed how consistently that worked.
The result: a class action in the United States and an investigation by the UK’s Information Commissioner’s Office.
The core failure wasn’t the technology itself. It was that the organization promised visual privacy protections it hadn’t actually built into its pipeline.
This is the pattern that should concern every security team. The issue isn’t that organizations are deliberately exposing visual data. It’s that visual data hasn’t been categorized as a security concern in the first place, so no one built controls around it.
Surveillance camera networks offer another example. Flock Safety now operates more than 80,000 AI-powered license plate readers across over 5,000 U.S. communities. In one documented case, the cameras were reachable from the internet without any authentication. In another, police used the system to track a woman who had received a legal medical procedure.
The technology is scaling quickly. The governance around it isn’t.
Why cybersecurity frameworks miss visual data
The root of the problem is structural. Most enterprise security frameworks were designed for structured data. They classify, monitor, and protect information stored in fields and databases, including names, addresses, account numbers, and health records.
The tools that enforce these frameworks (DLP, encryption, access controls, SIEM) operate on the same premise.
Video and image files don’t fit that model.
They’re unstructured. A security camera recording is just a blob of data to a DLP system. It doesn’t know there are faces in it. It doesn’t scan for identifiable individuals. It won’t flag a Zoom recording that captured someone’s child in the background of a home office. It doesn’t recognize that a marketing B-roll clip contains license plates and bystander faces that were captured without consent.
Compliance teams run into the same issue. They know how to handle a customer’s name in a database. They don’t have a system for handling the same customer’s face in recorded footage.
The result is a growing archive of visual data, containing biometric information and personally identifiable imagery, all of which sits outside the organization’s security controls.
Every month the archive grows. And with it, the legal risk.
The technology to fix this already exists
AI-powered face detection and redaction tools have reached a level of maturity that makes this problem genuinely solvable.
Modern anonymization systems can scan video footage, detect every face, and apply automated blurring in a fraction of the time manual review would take.
These tools come in several forms, depending on how organizations want to integrate them. Browser-based platforms let teams blur faces in videos and photos directly in the browser, without installs, making redaction accessible to non-technical staff. API-driven solutions plug into existing surveillance systems so that footage gets anonymized automatically before it ever reaches long-term storage. Desktop applications offer heavier processing power for large-scale footage libraries.
Selective redaction, available across most of these tools, allows organizations to blur faces while keeping the rest of the footage intact, so it remains usable for analytics, evidence, or training.
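The two properties described above, redaction confined to detected face regions with everything else left intact, and a transform that cannot be undone (the anonymization versus pseudonymization distinction regulators now draw), are easy to state and easy to get subtly wrong. The following is an added, stand-alone illustration and not BlurMe’s code or any product’s pipeline: it takes a constructed grayscale frame and hypothetical face boxes (assumed to come from an upstream detector), pixelates each box by replacing every tile with its mean, falls back to a solid fill when a box would be split into so many tiles that face shape still leaks, and then audits the result. The box size, tile size and `max_blocks_per_face` threshold are illustrative choices, not values from the page.

```python
"""Selective, irreversible face redaction for one video frame (added example)."""


def make_test_frame(width=32, height=24):
    """Constructed sample frame: a gradient so that neighbouring pixels differ."""
    return [[(x * 7 + y * 13) % 256 for x in range(width)] for y in range(height)]


def _clip_box(box, width, height):
    """Clamp an (x, y, w, h) box to the frame; returns (x0, y0, x1, y1)."""
    x, y, w, h = box
    return max(0, x), max(0, y), min(width, x + w), min(height, y + h)


def redact_regions(frame, boxes, block=8, max_blocks_per_face=16):
    """Return a copy of `frame` with every box irreversibly redacted.

    Pixelation overwrites each block x block tile inside a box with the tile's
    integer mean, so the original values are discarded rather than hidden.
    A face that would still be split into many tiles leaks its shape, so a box
    with more than `max_blocks_per_face` tiles is filled with a constant
    instead. Pixels outside the boxes are never touched (selective redaction).
    """
    height, width = len(frame), len(frame[0])
    out = [row[:] for row in frame]
    for box in boxes:
        x0, y0, x1, y1 = _clip_box(box, width, height)
        if x1 <= x0 or y1 <= y0:
            continue  # box lies entirely outside the frame
        tiles = (-(-(x1 - x0) // block)) * (-(-(y1 - y0) // block))
        if tiles > max_blocks_per_face:
            for y in range(y0, y1):
                for x in range(x0, x1):
                    out[y][x] = 0  # solid fill: one value, nothing to recover
            continue
        for ty in range(y0, y1, block):
            for tx in range(x0, x1, block):
                ys = range(ty, min(ty + block, y1))
                xs = range(tx, min(tx + block, x1))
                vals = [frame[y][x] for y in ys for x in xs]
                avg = sum(vals) // len(vals)
                for y in ys:
                    for x in xs:
                        out[y][x] = avg
    return out


def verify_redaction(original, redacted, boxes):
    """Audit check for a redaction step.

    Returns whether every pixel outside the boxes is unchanged and the largest
    number of distinct values left inside any one box (1 means solid fill;
    pixelation leaves at most one value per tile).
    """
    height, width = len(original), len(original[0])
    inside = set()
    max_distinct = 0
    for box in boxes:
        x0, y0, x1, y1 = _clip_box(box, width, height)
        vals = set()
        for y in range(y0, y1):
            for x in range(x0, x1):
                inside.add((x, y))
                vals.add(redacted[y][x])
        max_distinct = max(max_distinct, len(vals))
    outside_unchanged = all(
        original[y][x] == redacted[y][x]
        for y in range(height) for x in range(width) if (x, y) not in inside
    )
    return {"outside_unchanged": outside_unchanged, "max_distinct_per_box": max_distinct}


if __name__ == "__main__":
    frame = make_test_frame()
    face = (4, 4, 16, 16)  # hypothetical detector output
    coarse = redact_regions(frame, [face], block=8)      # 4 tiles: pixelated
    fine = redact_regions(frame, [face], block=2)        # 64 tiles: solid fill
    print(verify_redaction(frame, coarse, [face]))
    print(verify_redaction(frame, fine, [face]))
```

The audit function is the part worth keeping in a real pipeline: run it on every frame before the redacted file is written to long-term storage, and treat a box with more distinct values than tiles, or any change outside the boxes, as a pipeline failure rather than a cosmetic issue. Note what this example does not do: it does not keep the original frame or any key that would let the face be restored, because a redaction that can be undone by whoever holds the original is pseudonymization, not anonymization, and a light blur that leaves most of the pixel information in place sits closer to the former than to the latter.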
What used to make this impractical at scale isn’t really a barrier anymore.
What remains is a prioritization gap at the security leadership level.
What security teams should do now
Closing the visual data blind spot doesn’t require rearchitecting an organization’s entire security flow. It’s more about extending existing governance principles to a data category that’s been overlooked.
Start by mapping your visual data sources. Identify every system that captures, stores, or processes video and images: security cameras, meeting recording platforms, customer-uploaded media, LMS recordings, and marketing asset libraries. The list is almost always longer than expected.
Then classify the risk. For each source, determine whether the visual data contains identifiable faces or other biometric information. Assess who has access, how long it’s retained, whether it’s shared externally, and which regulations apply.
Evaluate anonymization tools that match your highest-risk, highest-volume sources. Detection accuracy, processing speed, deployment model, and data handling all matter here.
Set a visual data policy. Define redaction standards, retention limits, and access controls specific to video and image data, just as you would for any other category of sensitive information.
And treat this as ongoing work. Visual data volumes are growing. Regulations are tightening. New use cases for video in enterprise settings keep emerging.
This isn’t a one-time audit. It’s a program.
The window is closing
Organizations that bring visual data under their security umbrella now will be ahead of the enforcement curve.
The ones that wait will likely be reacting to an incident, lawsuit, or regulatory action that forces their hand.
The blind spot has been there for years.
The difference now is that regulators, courts, and the public have started looking directly at it.
Danielle King is a growth engineer at BlurMe, an AI platform for automated face blurring and video anonymization across images, video, and live surveillance footage. She holds a degree in Computer Science and Engineering and specializes in visual data privacy, working with organizations across healthcare, law enforcement, and enterprise security to implement privacy controls and address regulatory requirements around facial and biometric data.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.