§What CCPA / CPRA requires
Source: California Consumer Privacy Act (Civil Code §1798.100 et seq.), as amended by the California Privacy Rights Act — accessed 2026-05-11.
Jurisdiction. Applies to for-profit businesses meeting threshold criteria that collect personal information of California residents. CCPA effective 1 Jan 2020; CPRA amendments operative 1 Jan 2023.
Personal data definition. CCPA defines personal information as information that identifies, relates to, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Examples include name, identifiers, browsing history, geolocation, biometric data, and inferences drawn from any of the above to create a profile.
Special / sensitive categories. CPRA adds a category of sensitive personal information: government identifiers, financial account credentials paired with security codes, precise geolocation, contents of mail / email / text messages, genetic data, biometric data processed for unique identification, information concerning health or sex life or sexual orientation, and racial or ethnic origin, religious beliefs, or union membership. Consumers have the right to limit the use and disclosure of sensitive personal information.
Key requirements relevant to mobile analytics. Threshold for applicability: a business has gross annual revenue exceeding the statutory amount (currently $25M), or buys/sells/shares the personal information of 100,000 or more California consumers / households, or derives 50%+ of annual revenue from selling/sharing personal information. Consumers have rights to know, delete, correct, opt out of sale/sharing, and limit use of sensitive personal information.
⚑Where mobile analytics typically creates exposure for fitness & wellness apps
If a mobile app's analytics SDK collects identifiers that can be linked to a consumer (device IDs, advertising IDs, account IDs, IP addresses), the data is personal information under CCPA. If the SDK transfers that information to its vendor in exchange for analytics services, that flow can fall within CCPA's broad definitions of 'sale' or 'sharing' — opt-out obligations attach.
Fitness apps process step counts, heart-rate readings, sleep stages, weight, BMI, workout types, calorie intake, and frequently the user's age, sex, and menstrual phase. Many integrate with HealthKit (iOS) or Health Connect (Android), which restrict on-device access but say nothing about what flows to an analytics SDK.
Although consumer fitness apps are typically not HIPAA covered entities, their data is special category personal data under GDPR Art. 9 (data concerning health), sensitive personal information under CPRA, and falls within the scope of regulators' interest in children's services when used by under-18s.
▸What Respectlytics's design does (technical facts)
Respectlytics is designed for the product-analytics layer, not the data store. Step counts, heart-rate values, and sleep stages stay in HealthKit / Health Connect, where they have their own privacy model. Respectlytics records whether a feature was used (run_logged, sleep_session_synced) — without the values the user just generated.
Reduces the surface. Removing the surface where the categories covered by CCPA / CPRA could be collected in the first place narrows what a CCPA / CPRA review needs to scope. Whether the resulting posture meets the regulation's requirements for your specific app is something to discuss with your legal team.
❓Frequently asked questions
Does CCPA require a 'Do Not Sell or Share My Personal Information' link in mobile apps?
If the business is in scope and engages in selling or sharing personal information as defined by CCPA, yes — a clear and conspicuous opt-out mechanism is required. Whether your analytics SDK's data flow qualifies as 'sale' or 'sharing' is a fact-specific question for your legal team.
What is a 'service provider' under CCPA?
A vendor that processes personal information on behalf of the business under a contract restricting use to specified purposes. Service-provider status changes how data flows are characterised — and is a routine topic in CCPA privacy reviews.
Does using Respectlytics by itself resolve CCPA / CPRA obligations for our fitness & wellness apps app?
No — and no analytics SDK can credibly answer that question. Whether your product meets CCPA / CPRA's requirements is a property of your whole product, contracts, and operational practice, evaluated by your legal team. Respectlytics's contribution is a smaller data surface: identifying fields and the regulation's special categories are rejected at the API. Whether that posture, combined with your other controls, satisfies CCPA / CPRA for your specific app is a conversation for your counsel.
What if we already use a different analytics SDK today?
The starting point is an inventory of what your current SDK actually collects and where it sends it. Our privacy self-assessment worksheet walks through that in seven sections — it outputs an educational summary you can bring to your legal team.