§What CCPA / CPRA requires
Source: California Consumer Privacy Act (Civil Code §1798.100 et seq.), as amended by the California Privacy Rights Act — accessed 2026-05-11.
Jurisdiction. Applies to for-profit businesses meeting threshold criteria that collect personal information of California residents. CCPA effective 1 Jan 2020; CPRA amendments operative 1 Jan 2023.
Personal data definition. CCPA defines personal information as information that identifies, relates to, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Examples include name, identifiers, browsing history, geolocation, biometric data, and inferences drawn from any of the above to create a profile.
Special / sensitive categories. CPRA adds a category of sensitive personal information: government identifiers, financial account credentials paired with security codes, precise geolocation, contents of mail / email / text messages, genetic data, biometric data processed for unique identification, information concerning health or sex life or sexual orientation, and racial or ethnic origin, religious beliefs, or union membership. Consumers have the right to limit the use and disclosure of sensitive personal information.
Key requirements relevant to mobile analytics. Threshold for applicability: a business has gross annual revenue exceeding the statutory amount (currently $25M), or buys/sells/shares the personal information of 100,000 or more California consumers / households, or derives 50%+ of annual revenue from selling/sharing personal information. Consumers have rights to know, delete, correct, opt out of sale/sharing, and limit use of sensitive personal information.
⚑Where mobile analytics typically creates exposure for dating apps
If a mobile app's analytics SDK collects identifiers that can be linked to a consumer (device IDs, advertising IDs, account IDs, IP addresses), the data is personal information under CCPA. If the SDK transfers that information to its vendor in exchange for analytics services, that flow can fall within CCPA's broad definitions of 'sale' or 'sharing' — opt-out obligations attach.
Dating apps process gender, sexual orientation, relationship preferences, geolocation, profile photos, chat metadata, and STI / health disclosures (some apps). Many integrate with payment SDKs for premium features and ad SDKs for monetisation.
Sexual orientation is special category personal data under GDPR Art. 9(1) and sensitive personal information under CPRA. A match_made event that implicitly reveals same-sex preferences carries that classification with it. Precise geolocation has its own sensitivity layer under CPRA.
▸What Respectlytics's design does (technical facts)
Respectlytics's strict 5-field schema rejects orientation, gender, and preference fields at the API. Geolocation is approximated to country only (IP processed transiently, discarded). A dating app's product analytics tracks funnel completion (profile_finished, first_message_sent) without carrying who matched with whom or where.
Reduces the surface. Removing the surface where the categories covered by CCPA / CPRA could be collected in the first place narrows what a CCPA / CPRA review needs to scope. Whether the resulting posture meets the regulation's requirements for your specific app is something to discuss with your legal team.
❓Frequently asked questions
Does CCPA require a 'Do Not Sell or Share My Personal Information' link in mobile apps?
If the business is in scope and engages in selling or sharing personal information as defined by CCPA, yes — a clear and conspicuous opt-out mechanism is required. Whether your analytics SDK's data flow qualifies as 'sale' or 'sharing' is a fact-specific question for your legal team.
What is a 'service provider' under CCPA?
A vendor that processes personal information on behalf of the business under a contract restricting use to specified purposes. Service-provider status changes how data flows are characterised — and is a routine topic in CCPA privacy reviews.
Does using Respectlytics by itself resolve CCPA / CPRA obligations for our dating apps app?
No — and no analytics SDK can credibly answer that question. Whether your product meets CCPA / CPRA's requirements is a property of your whole product, contracts, and operational practice, evaluated by your legal team. Respectlytics's contribution is a smaller data surface: identifying fields and the regulation's special categories are rejected at the API. Whether that posture, combined with your other controls, satisfies CCPA / CPRA for your specific app is a conversation for your counsel.
What if we already use a different analytics SDK today?
The starting point is an inventory of what your current SDK actually collects and where it sends it. Our privacy self-assessment worksheet walks through that in seven sections — it outputs an educational summary you can bring to your legal team.