§What CCPA / CPRA requires
Source: California Consumer Privacy Act (Civil Code §1798.100 et seq.), as amended by the California Privacy Rights Act — accessed 2026-05-11.
Jurisdiction. Applies to for-profit businesses meeting threshold criteria that collect personal information of California residents. CCPA effective 1 Jan 2020; CPRA amendments operative 1 Jan 2023.
Personal data definition. CCPA defines personal information as information that identifies, relates to, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Examples include name, identifiers, browsing history, geolocation, biometric data, and inferences drawn from any of the above to create a profile.
Special / sensitive categories. CPRA adds a category of sensitive personal information: government identifiers, financial account credentials paired with security codes, precise geolocation, contents of mail / email / text messages, genetic data, biometric data processed for unique identification, information concerning health or sex life or sexual orientation, and racial or ethnic origin, religious beliefs, or union membership. Consumers have the right to limit the use and disclosure of sensitive personal information.
Key requirements relevant to mobile analytics. Threshold for applicability: a business has gross annual revenue exceeding the statutory amount (currently $25M), or buys/sells/shares the personal information of 100,000 or more California consumers / households, or derives 50%+ of annual revenue from selling/sharing personal information. Consumers have rights to know, delete, correct, opt out of sale/sharing, and limit use of sensitive personal information.
⚑Where mobile analytics typically creates exposure for fintech & mobile banking apps
If a mobile app's analytics SDK collects identifiers that can be linked to a consumer (device IDs, advertising IDs, account IDs, IP addresses), the data is personal information under CCPA. If the SDK transfers that information to its vendor in exchange for analytics services, that flow can fall within CCPA's broad definitions of 'sale' or 'sharing' — opt-out obligations attach.
Fintech apps process account numbers, transaction amounts, merchant categories, card last-four, IBANs, transfer recipients, and KYC documents. Many also log credit-score read events, loan-application data, and balance snapshots.
Account credentials paired with security codes are sensitive personal information under CPRA. Account numbers and full PANs are personal data under GDPR Art. 4(1) and trigger the PCI-DSS data flow obligations regardless of jurisdiction. Even transaction descriptions can reveal special-category information (e.g., merchant names tied to health, religion, or politics).
▸What Respectlytics's design does (technical facts)
Respectlytics is not your payments processor or your transaction store. It tracks product signals — transfer_initiated, card_added, investment_purchase_completed — without per-event amounts, account numbers, or merchant descriptions. The authoritative financial data lives in your payments backend; product analytics tells you the funnel rate, not the dollar values.
Reduces the surface. Removing the surface where the categories covered by CCPA / CPRA could be collected in the first place narrows what a CCPA / CPRA review needs to scope. Whether the resulting posture meets the regulation's requirements for your specific app is something to discuss with your legal team.
❓Frequently asked questions
Does CCPA require a 'Do Not Sell or Share My Personal Information' link in mobile apps?
If the business is in scope and engages in selling or sharing personal information as defined by CCPA, yes — a clear and conspicuous opt-out mechanism is required. Whether your analytics SDK's data flow qualifies as 'sale' or 'sharing' is a fact-specific question for your legal team.
What is a 'service provider' under CCPA?
A vendor that processes personal information on behalf of the business under a contract restricting use to specified purposes. Service-provider status changes how data flows are characterised — and is a routine topic in CCPA privacy reviews.
Does using Respectlytics by itself resolve CCPA / CPRA obligations for our fintech & mobile banking apps app?
No — and no analytics SDK can credibly answer that question. Whether your product meets CCPA / CPRA's requirements is a property of your whole product, contracts, and operational practice, evaluated by your legal team. Respectlytics's contribution is a smaller data surface: identifying fields and the regulation's special categories are rejected at the API. Whether that posture, combined with your other controls, satisfies CCPA / CPRA for your specific app is a conversation for your counsel.
What if we already use a different analytics SDK today?
The starting point is an inventory of what your current SDK actually collects and where it sends it. Our privacy self-assessment worksheet walks through that in seven sections — it outputs an educational summary you can bring to your legal team.