Screen Recording Privacy, Security & Compliance (GDPR & More)
A screen recording can capture far more than you intend. A single take of you walking through a dashboard might also pick up a customer's full name in a CRM tab, a Slack notification with someone's home address, an email subject line, or a session token in the URL bar. Once that file is shared with a link, those details travel with it. Treating screen recordings as casual throwaway artifacts is how sensitive data quietly leaks into Slack threads, support tickets, and public help docs.
This guide walks through the practical privacy, security, and compliance considerations for recording your screen at work — what consent rules tend to apply, how data protection regimes like the GDPR view recordings that contain personal data, how to keep sensitive information off the screen in the first place, the accessibility obligations that come with publishing video, and how to lock down storage and sharing afterward.
This is not legal advice. Laws vary widely by country, state, and industry, and they change. Treat everything below as a starting point for a conversation with a qualified attorney or your privacy/compliance team — not as a substitute for one. If a recording touches regulated data (health, finance, children's data, biometric data) or crosses borders, get professional counsel before you press record.
Consent and recording laws
Whenever a recording captures another person's voice or likeness — a call, a meeting, an interview — consent rules can apply, and they are not uniform. In the United States, wiretapping and eavesdropping statutes are split between one-party consent and all-party consent states. In a one-party-consent jurisdiction, it is generally enough that one participant (often you) knows the recording is happening. In an all-party-consent state — California, Florida, and several others — every participant typically needs to be informed and to agree before you record their conversation.
Two practical complications make this messier than it looks. First, when participants are in different states or countries, the stricter rule often governs, so a single call can pull in multiple regimes. Second, the law cares about what was captured, not just your intent — an audio track that picks up a side conversation can be in scope even if it was incidental.
The safe operating posture is simple: tell people before you record, every time, and capture that they were told. Say it out loud at the start of a meeting, enable the platform's "recording in progress" banner, and where you can, get a clear yes on the record. Notification is cheap; an undisclosed recording of a sensitive conversation is a liability you do not want to discover later.
Be especially careful with screen recordings that bystanders did not expect to be in. If you record your whole screen during a call, you may also capture the live video tiles of other participants, shared documents that belong to them, or chat messages — all of which carry the same consent questions as the audio. When in doubt, record a single application window rather than the entire display, and tell participants exactly what is in frame.
GDPR and personal data in recordings
If a recording can identify a living person — their face, their name on screen, their voice, an email address, even an account ID tied back to them — it likely contains personal data under the EU/UK General Data Protection Regulation, and processing it brings obligations. A few principles matter most for screen recordings.
Lawful basis
Under the GDPR you generally need a lawful basis to process personal data. For internal recordings, organizations often rely on legitimate interests (with a balancing assessment) or contract necessity; consent is another basis but it must be freely given and revocable, which is awkward when there is a power imbalance — for example, recording employees. Whichever basis applies, document it before you build a recording habit, not after.
Data minimization and purpose limitation
Capture only what you need for the specific purpose, and use it only for that purpose. If you are recording a bug, you do not need the customer list visible behind it. Minimization at the moment of capture — closing tabs, using test accounts — is far easier than scrubbing personal data out of a finished video.
Retention
Personal data should not be kept longer than necessary. Decide upfront how long a recording lives and delete it when its purpose is served. "We keep every recording forever in a shared drive" is the opposite of a retention policy.
Data subject rights
People whose data appears in a recording may have rights to access, rectification, and erasure. That is only workable if you can find a given recording, know who appears in it, and can delete it on request. If your recordings are scattered across personal cloud folders, you cannot meaningfully honor an erasure request — which is itself a compliance gap.
Again: how these principles apply to your situation is a legal question. Loop in your data protection officer or counsel before relying on any single basis or retention period.
Keeping sensitive data off the screen
The cheapest, most reliable privacy control is to never capture sensitive data in the first place. Spend two minutes preparing your screen and you avoid most of the redaction and compliance headaches downstream.
- Close everything you do not need. Other browser tabs, email clients, password managers, internal dashboards, and chat apps are the usual culprits. Record in a clean window or a fresh browser profile dedicated to recording.
- Silence notifications. Turn on Do Not Disturb / Focus mode before recording. A Slack or iMessage toast that pops up mid-take can expose a name, a phone number, or a confidential subject line in a fraction of a second — long enough to live in the file forever.
- Use dummy data. For demos and tutorials, record against a test account with fictional names, fake email addresses, and sample records. This is the single best way to publish a walkthrough without exposing real customers.
- Watch the edges. URLs can contain tokens, query parameters, and account identifiers. Browser autofill can reveal saved addresses. Bookmarks bars leak project names. Hide or clear these before you start.
- Blur or crop after the fact. If something sensitive did make it into the take, redact it — blur a region, crop it out, or cover it with a shape — before you share or publish. In Reqo you can trim and edit the recording in the same browser tab right after capturing it, so you can cut a bad segment or cover an exposed area without exporting to another tool.
Accessibility laws and requirements
Once a recording becomes content you publish — a help video, a course, a marketing clip, a training module — accessibility obligations can attach, and they are increasingly enforced. The relevant standards and laws depend on who you are and where your audience is.
WCAG (the Web Content Accessibility Guidelines) is the technical baseline most regulations point to. For video, the headline requirements are captions for prerecorded audio and, where applicable, transcripts and audio descriptions of important visual information. Captions are not just a legal checkbox — they make videos usable in sound-off environments and dramatically improve comprehension and search indexing.
In the United States, Section 508 requires federal agencies (and many contractors) to make electronic content accessible, and courts have repeatedly read the ADA to cover the digital content of businesses open to the public — which is why caption-related complaints against video are common. In the EU, the European Accessibility Act extends accessibility expectations to a broad set of products and services. Whether any specific law applies to your video is, once more, a question for counsel — but if you are publishing video to customers, the realistic default is to caption it.
Reqo includes captions on the free plan, so adding them does not require an upgrade. Generate captions for the recording, review the text for accuracy (auto-captions get names and jargon wrong), and keep a transcript alongside the video where you can. A few accessibility habits make a real difference and cost almost nothing: speak the on-screen action out loud so the audio track stands on its own for people who cannot see the visuals, keep contrast high enough that text in the recording is legible, and avoid relying on color alone to point things out. None of this slows you down once it becomes routine, and it widens your audience while reducing the chance of an accessibility complaint.
Secure storage and sharing
A recording is only as private as the place it lives and the link you hand out. The most common leak is not a sophisticated breach — it is an "anyone with the link can view" URL that gets forwarded one hop too far.
- Control who can view. Prefer access scoped to specific people or your organization over fully public links for anything that is not deliberately public. Default to the most restrictive setting that still lets the right people watch.
- Use link expiry. For one-off shares — a bug repro sent to a vendor, a review clip for a client — a link that expires limits how long the recording stays reachable after it has served its purpose.
- Mind storage location and access. Know where recordings are stored, who administers that storage, and whether access is logged. Personal cloud drives with broad sharing defaults are a poor home for anything containing personal data.
- Delete on a schedule. Tie deletion to your retention policy. A recording you no longer need is pure liability sitting on disk.
- Re-check before publishing widely. Embedding a clip in public docs or a marketing page is a one-way door. Watch the whole thing once more, at full size, looking specifically for anything you would not want a stranger to freeze-frame.
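One way to make "delete on a schedule" concrete is a retention sweep over the folder where recordings are stored. This is an added example, not part of the original guide or of Reqo: it reports what is past retention by default and deletes only when asked. The 90-day period, the file extensions, and the use of file modification time as the recording's age are assumptions to replace with your own policy.

```python
import os
import tempfile
import time
from pathlib import Path

VIDEO_EXTS = {".mp4", ".webm", ".mov", ".mkv"}  # assumed recording formats
RETENTION_DAYS = 90                              # assumed policy value


def expired_recordings(root, retention_days=RETENTION_DAYS, now=None):
    """Return recordings under root last modified before the retention cutoff."""
    now = time.time() if now is None else now
    cutoff = now - retention_days * 86400
    hits = []
    for path in Path(root).rglob("*"):
        # Only real files count; symlinks and directories are skipped.
        if path.is_symlink() or not path.is_file():
            continue
        if path.suffix.lower() in VIDEO_EXTS and path.stat().st_mtime < cutoff:
            hits.append(path)
    return sorted(hits)


def sweep(root, retention_days=RETENTION_DAYS, delete=False, now=None):
    """Dry run by default; returns (path, age_days, action) rows for the audit log."""
    now = time.time() if now is None else now
    audit = []
    for path in expired_recordings(root, retention_days, now):
        age_days = int((now - path.stat().st_mtime) // 86400)
        if delete:
            path.unlink()
        audit.append((str(path), age_days, "deleted" if delete else "would-delete"))
    return audit


if __name__ == "__main__":
    # Constructed sample folder: one stale recording, one recent, one non-video.
    with tempfile.TemporaryDirectory() as tmp:
        now = time.time()
        for name, age in (("old-demo.mp4", 120), ("standup.webm", 3), ("notes.txt", 400)):
            f = Path(tmp) / name
            f.write_bytes(b"")
            os.utime(f, (now - age * 86400, now - age * 86400))
        for row in sweep(tmp, now=now):
            print(row)
```

Keep the returned rows as the deletion record. Copying or syncing a file can reset its modification time, so a store that tracks a real creation date is a better source for the age.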
Reqo records in your browser and gives you straightforward sharing controls so you decide who can open a recording rather than blasting an open link by default. You can review what you can see and adjust in our privacy policy.
Compliance checklist
Run through this before, during, and after a recording that might contain personal or confidential data:
- Decide the purpose. Know why you are recording and what the file is for before you start.
- Confirm consent. If other people's voices or faces are captured, tell them and — where required — get agreement on the record.
- Establish a lawful basis. For personal data, know which GDPR basis you are relying on and document it.
- Clean the screen. Close extra tabs and apps, enable Do Not Disturb, and switch to test data.
- Capture only what you need. Apply data minimization at the source.
- Redact before sharing. Blur, crop, or cut anything sensitive that slipped in.
- Add captions and a transcript. Meet accessibility expectations for any published video.
- Scope the share. Restrict viewers, set expiry, and avoid open public links for sensitive content.
- Set retention and delete. Give the recording an expiry date and honor erasure requests.
- Get sign-off when in doubt. If regulated data or cross-border transfer is involved, consult legal/compliance before publishing.
None of this requires heavy tooling. Most of the risk in screen recording is avoidable with a clean screen, a clear heads-up to participants, captions, and a sensible sharing default — plus a real lawyer in the loop when the stakes are high. Reqo is free to record, edit, share, and caption with no time limit; a small badge appears on free exports, while Pro at $19/month removes the badge and adds unlimited team seats and the AI Studio. See pricing for details.