§What CCPA / CPRA requires
Source: California Consumer Privacy Act (Civil Code §1798.100 et seq.), as amended by the California Privacy Rights Act — accessed 2026-05-11.
Jurisdiction. Applies to for-profit businesses meeting threshold criteria that collect personal information of California residents. CCPA effective 1 Jan 2020; CPRA amendments operative 1 Jan 2023.
Personal data definition. CCPA defines personal information as information that identifies, relates to, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Examples include name, identifiers, browsing history, geolocation, biometric data, and inferences drawn from any of the above to create a profile.
Special / sensitive categories. CPRA adds a category of sensitive personal information: government identifiers, financial account credentials paired with security codes, precise geolocation, contents of mail / email / text messages, genetic data, biometric data processed for unique identification, information concerning health or sex life or sexual orientation, and racial or ethnic origin, religious beliefs, or union membership. Consumers have the right to limit the use and disclosure of sensitive personal information.
Key requirements relevant to mobile analytics. Threshold for applicability: a business has gross annual revenue exceeding the statutory amount (currently $25M), or buys/sells/shares the personal information of 100,000 or more California consumers / households, or derives 50%+ of annual revenue from selling/sharing personal information. Consumers have rights to know, delete, correct, opt out of sale/sharing, and limit use of sensitive personal information.
⚑Where mobile analytics typically creates exposure for telehealth apps
If a mobile app's analytics SDK collects identifiers that can be linked to a consumer (device IDs, advertising IDs, account IDs, IP addresses), the data is personal information under CCPA. If the SDK transfers that information to its vendor in exchange for analytics services, that flow can fall within CCPA's broad definitions of 'sale' or 'sharing' — opt-out obligations attach.
Telehealth apps routinely process appointment metadata, symptom descriptions, diagnosis codes, medication names, vitals (heart rate, blood pressure, glucose), and prescription details. Each of these is individually identifying when combined with a user identifier in an analytics event.
Health-related data is treated as a special category under most privacy regimes — GDPR Art. 9, CPRA sensitive personal information, and PHI under HIPAA. A single event like appointment_booked with parameters { specialty: 'oncology', user_id: '...' } is structurally health data tied to an identifier.
▸What Respectlytics's design does (technical facts)
Respectlytics's API stores exactly five fields per event: event_name, session_id (rotates every two hours, RAM-only), timestamp, platform, and country. Health-category fields are rejected at the API with a 400. A telehealth app can use Respectlytics to track product signals (appointment_booked_paid, prescription_renewal_attempted) at the session level — the actual clinical content stays in the EHR or telehealth platform where it belongs.
Reduces the surface. Removing the surface where the categories covered by CCPA / CPRA could be collected in the first place narrows what a CCPA / CPRA review needs to scope. Whether the resulting posture meets the regulation's requirements for your specific app is something to discuss with your legal team.
❓Frequently asked questions
Does CCPA require a 'Do Not Sell or Share My Personal Information' link in mobile apps?
If the business is in scope and engages in selling or sharing personal information as defined by CCPA, yes — a clear and conspicuous opt-out mechanism is required. Whether your analytics SDK's data flow qualifies as 'sale' or 'sharing' is a fact-specific question for your legal team.
What is a 'service provider' under CCPA?
A vendor that processes personal information on behalf of the business under a contract restricting use to specified purposes. Service-provider status changes how data flows are characterised — and is a routine topic in CCPA privacy reviews.
Does using Respectlytics by itself resolve CCPA / CPRA obligations for our telehealth apps app?
No — and no analytics SDK can credibly answer that question. Whether your product meets CCPA / CPRA's requirements is a property of your whole product, contracts, and operational practice, evaluated by your legal team. Respectlytics's contribution is a smaller data surface: identifying fields and the regulation's special categories are rejected at the API. Whether that posture, combined with your other controls, satisfies CCPA / CPRA for your specific app is a conversation for your counsel.
What if we already use a different analytics SDK today?
The starting point is an inventory of what your current SDK actually collects and where it sends it. Our privacy self-assessment worksheet walks through that in seven sections — it outputs an educational summary you can bring to your legal team.