The CCPA, as amended by the CPRA (the California Consumer Privacy Act and California Privacy Rights Act), is California's comprehensive privacy law and the most influential US state regime touching surveillance. It gives California residents rights over personal information that businesses hold about them — to know, to access, to delete, and to opt out of sale or sharing — and it explicitly treats biometric information as "sensitive personal information" subject to additional limits, which brings face templates and similar data from surveillance into scope.
For a surveillance operator the practical effect is that recognisable footage and biometric data of Californians is regulated personal information, and the business must be able to honour the rights attached to it: tell people what is collected, respond to access and deletion requests, and give the extra protections sensitive data requires. Unlike Illinois BIPA, the CCPA/CPRA is primarily enforced by a regulator (the California Privacy Protection Agency and the Attorney General) rather than a broad private right of action, though limited private claims exist for certain data breaches.
The pitfall is assuming US surveillance is unregulated because there is no federal GDPR equivalent. A growing patchwork of state laws — California's CCPA/CPRA plus around twenty other state privacy statutes and dedicated biometric laws — means a multi-state deployment faces overlapping rules, and the strictest applicable one tends to set the bar. Map which state laws apply to where the people and cameras are, build the access/deletion and sensitive-data handling those laws require, and treat biometrics as a higher tier everywhere. This is engineering guidance, not legal advice — confirm specifics with qualified counsel.
