§What CCPA / CPRA requires
Source: California Consumer Privacy Act (Civil Code §1798.100 et seq.), as amended by the California Privacy Rights Act — accessed 2026-05-11.
Jurisdiction. Applies to for-profit businesses meeting threshold criteria that collect personal information of California residents. CCPA effective 1 Jan 2020; CPRA amendments operative 1 Jan 2023.
Personal data definition. CCPA defines personal information as information that identifies, relates to, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Examples include name, identifiers, browsing history, geolocation, biometric data, and inferences drawn from any of the above to create a profile.
Special / sensitive categories. CPRA adds a category of sensitive personal information: government identifiers, financial account credentials paired with security codes, precise geolocation, contents of mail / email / text messages, genetic data, biometric data processed for unique identification, information concerning health or sex life or sexual orientation, and racial or ethnic origin, religious beliefs, or union membership. Consumers have the right to limit the use and disclosure of sensitive personal information.
Key requirements relevant to mobile analytics. Threshold for applicability: a business has gross annual revenue exceeding the statutory amount (currently $25M), or buys/sells/shares the personal information of 100,000 or more California consumers / households, or derives 50%+ of annual revenue from selling/sharing personal information. Consumers have rights to know, delete, correct, opt out of sale/sharing, and limit use of sensitive personal information.
⚑Where mobile analytics typically creates exposure for edtech apps
If a mobile app's analytics SDK collects identifiers that can be linked to a consumer (device IDs, advertising IDs, account IDs, IP addresses), the data is personal information under CCPA. If the SDK transfers that information to its vendor in exchange for analytics services, that flow can fall within CCPA's broad definitions of 'sale' or 'sharing' — opt-out obligations attach.
Edtech apps process student names, grade levels, school identifiers, assignment scores, quiz answers, time-on-task, and parent/teacher communications. Many also log device persistent identifiers and IP-derived geolocation.
When the user is a child, the entire data set is regulated more strictly: personal information of children under COPPA (US under-13), the UK Children's Code (services likely to be accessed by under-18s in the UK), and personal data of a vulnerable group under GDPR. School-issued device IDs are persistent identifiers and trigger the rules even when no name is logged.
▸What Respectlytics's design does (technical facts)
Respectlytics's session-scoped session_id rotates every two hours — it is not a persistent identifier in the sense COPPA's §312.2 contemplates (which specifically references identifiers that recognise a user over time). Combined with the strict 5-field schema, an edtech app's product analytics can track learning-event completion without storing per-pupil identifiers.
Reduces the surface. Removing the surface where the categories covered by CCPA / CPRA could be collected in the first place narrows what a CCPA / CPRA review needs to scope. Whether the resulting posture meets the regulation's requirements for your specific app is something to discuss with your legal team.
❓Frequently asked questions
Does CCPA require a 'Do Not Sell or Share My Personal Information' link in mobile apps?
If the business is in scope and engages in selling or sharing personal information as defined by CCPA, yes — a clear and conspicuous opt-out mechanism is required. Whether your analytics SDK's data flow qualifies as 'sale' or 'sharing' is a fact-specific question for your legal team.
What is a 'service provider' under CCPA?
A vendor that processes personal information on behalf of the business under a contract restricting use to specified purposes. Service-provider status changes how data flows are characterised — and is a routine topic in CCPA privacy reviews.
Does using Respectlytics by itself resolve CCPA / CPRA obligations for our edtech apps app?
No — and no analytics SDK can credibly answer that question. Whether your product meets CCPA / CPRA's requirements is a property of your whole product, contracts, and operational practice, evaluated by your legal team. Respectlytics's contribution is a smaller data surface: identifying fields and the regulation's special categories are rejected at the API. Whether that posture, combined with your other controls, satisfies CCPA / CPRA for your specific app is a conversation for your counsel.
What if we already use a different analytics SDK today?
The starting point is an inventory of what your current SDK actually collects and where it sends it. Our privacy self-assessment worksheet walks through that in seven sections — it outputs an educational summary you can bring to your legal team.