GDPR vs CCPA: Key Differences Explained (2026)
Regulation (EU) 2016/679 (GDPR) requires a documented lawful basis before any personal data processing begins; because consent is the basis most often needed for marketing and tracking, it is commonly described as an opt-in framework. California's CCPA, codified at Cal. Civ. Code 1798.100 et seq., permits data collection by default and gives consumers the right to opt out. That structural difference defines the divide between the two laws.
The EU's General Data Protection Regulation (GDPR) and California's consumer privacy regime (the California Consumer Privacy Act, or CCPA, as fundamentally reshaped by the California Privacy Rights Act, or CPRA) are two of the most influential data privacy frameworks in force today. Both give individuals meaningful control over personal information. Beyond that broad alignment, the two laws diverge sharply in scope, philosophy, consent model, enforcement machinery, and the specific obligations they impose on organizations.
This guide compares every major dimension of the GDPR and the CCPA/CPRA, incorporates the CPPA's September 2025 rulemaking on automated decision-making, and closes with practical guidance for businesses that must satisfy both frameworks.
Quick Answer
The GDPR is an opt-in, permission-based framework covering virtually any organization that processes EU/EEA residents' data. The CCPA/CPRA is an opt-out framework covering for-profit California businesses that meet defined size thresholds. GDPR penalties dwarf CCPA penalties in maximum dollar terms, but California's dedicated enforcement agency, the CPPA, has accelerated its enforcement pace significantly since 2024.
The Two Regimes at a Glance
| Feature | GDPR | CCPA/CPRA |
|---|---|---|
| Effective | May 25, 2018 (adopted April 2016) | Jan 1, 2020 (CCPA); Jan 1, 2023 (CPRA amendments) |
| Geographic scope | EU/EEA + extraterritorial | California residents + extraterritorial |
| Who must comply | Nearly all data controllers/processors | For-profit businesses meeting thresholds |
| Revenue threshold | None | Annual gross revenue exceeding $25 million (CPI-adjusted) |
| Data volume threshold | None | 100,000+ consumers or households per year |
| Revenue-from-selling threshold | None | 50%+ of annual revenue from selling/sharing PI |
| Consent model | Opt-in (lawful basis required) | Opt-out |
| DPO required | Yes (certain organizations) | No |
| Breach notification | 72 hours to supervisory authority | "Most expedient time possible" (separate CA statute) |
| Maximum regulatory penalty | EUR 20M or 4% of global annual turnover, whichever is higher | $2,500 per violation; $7,500 per intentional violation or violation involving a minor (CPI-adjusted) |
| Private right of action | Yes, compensation for damage (Art. 82); collective-action mechanisms vary by member state | Yes, for qualifying data breaches only |
| Dedicated enforcement agency | A DPA in each of the 27 EU and 3 EEA states | California Privacy Protection Agency (CPPA), alongside the Attorney General |
| ADMT opt-out right | Right not to be subject to solely automated decisions, with human intervention as a safeguard (Art. 22) | Right to opt out of ADMT (CPRA + 2025 regulations) |
Scope and Who Must Comply
GDPR Territorial Reach
The GDPR applies to any organization, regardless of where it is incorporated or physically located, that processes the personal data of individuals in the European Economic Area. A Chicago-based SaaS company with EU customers falls under the GDPR. A Japanese electronics manufacturer whose website is targeted at EU consumers falls under the GDPR. Article 3 makes this extraterritorial reach explicit: the regulation applies to organizations that offer goods or services to EEA individuals or monitor their behavior within the EEA.
Organizations outside the EU/EEA that fall within the GDPR's scope must appoint an EU representative under Article 27, unless they qualify for a narrow exception.
CCPA/CPRA Threshold Model
The CCPA, effective January 1, 2020, and significantly amended by the CPRA (Proposition 24, approved by California voters in November 2020, with most amendments effective January 1, 2023), applies to for-profit businesses that collect personal information from California residents and meet at least one of three thresholds:
- Annual gross revenues exceeding $25 million
- Buying, selling, receiving, or sharing for commercial purposes the personal information of 100,000 or more consumers or households per year
- Deriving 50% or more of annual revenues from selling or sharing consumers' personal information
Nonprofit organizations and government agencies generally fall outside CCPA/CPRA scope (an entity controlled by a covered business and sharing common branding with it is the main exception). The GDPR, by contrast, covers virtually all organizations that handle personal data (including nonprofits, public bodies, and small businesses), with narrow exceptions such as purely personal or household activities.
Definitions: Personal Data vs Personal Information
GDPR: Broad Individual-Focused Definition
The GDPR defines "personal data" as any information relating to an identified or identifiable natural person. This deliberately broad definition covers names, identification numbers, location data, online identifiers (IP addresses, cookie IDs), and factors specific to a person's physical, physiological, genetic, mental, economic, cultural, or social identity. Aggregated and anonymized data that cannot be re-identified falls outside the definition; pseudonymized data generally does not.
Article 9 creates an elevated "special categories" tier for data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data processed for identification purposes, health data, and data concerning sex life or sexual orientation. Processing special-category data requires explicit consent or another specific legal ground.
CCPA/CPRA: Consumer and Household Scope
The CCPA defines "personal information" as information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked to a particular consumer or household. Notable differences from the GDPR definition: the CCPA explicitly covers household-level data, and it excludes publicly available information, meaning information lawfully made available from government records, information the business has a reasonable basis to believe the consumer has lawfully made available to the general public, and information from widely distributed media.
The CPRA amendments added a "sensitive personal information" category that partially mirrors GDPR special categories. CPRA sensitive PI covers Social Security, driver's license, state ID, and passport numbers; account log-in and financial account details combined with access credentials; precise geolocation; racial or ethnic origin, religious or philosophical beliefs, and union membership; contents of mail, email, and text messages; genetic data; biometric data processed for unique identification; health information; and data concerning sex life or sexual orientation. Neural data was added to the statutory definition by a 2024 amendment (SB 1223) effective January 1, 2025, and personal information of consumers the business knows are under 16 years old has also been added to the category.
| Data Concept | GDPR | CCPA/CPRA |
|---|---|---|
| Core protected data | Personal data (any identified/identifiable natural person) | Personal information (consumer or household) |
| Household data | Not explicitly included | Included |
| Publicly available data | Still personal data if it identifies someone | Excluded from definition |
| Employee and B2B data | Fully covered | Covered (temporary exemptions expired Jan 1, 2023) |
| Elevated sensitive tier | Special categories (Art. 9) | Sensitive personal information (CPRA) |
| Neural data | Covered where it constitutes health or biometric data | Explicitly listed as sensitive PI (SB 1223, effective Jan 1, 2025) |
The Consent Model: Opt-In vs Opt-Out
This is the sharpest philosophical divide between the two frameworks.
GDPR: Permission-Based Opt-In
The GDPR operates on a permission-based model. Organizations cannot process personal data without first establishing one of six lawful bases under Article 6: consent, contract performance, legal obligation, vital interests, public task, or legitimate interests. The lawful basis must be identified and documented before processing begins.
Where consent is the chosen basis, Article 7 demands it be freely given, specific, informed, and unambiguous. Pre-checked boxes, silence, and bundled consents are invalid. For special-category data, the GDPR requires explicit consent (an affirmative statement rather than conduct that merely implies agreement) unless another Article 9 condition applies. For children under 16 using online services, Article 8 requires consent from a parent or guardian, with member states permitted to lower that age to 13.
CCPA/CPRA: Activity-Based Opt-Out
The CCPA follows an opt-out model for most processing. Businesses may collect and use personal information without prior consent but must: (1) disclose their data practices in a privacy notice; (2) provide a "Do Not Sell or Share My Personal Information" link; and (3) honor consumer opt-out requests. The CPRA added the right to limit use of sensitive personal information, which functions as a targeted opt-out.
Two notable opt-in exceptions exist: businesses must obtain opt-in consent before selling or sharing the personal information of consumers they know to be under 16 years old (from a parent or guardian for those under 13), and once a consumer has opted out, the business must wait at least 12 months before asking that consumer to authorize the sale or sharing of their personal information again.
| Consent Dimension | GDPR | CCPA/CPRA |
|---|---|---|
| Default posture | Processing prohibited until lawful basis established | Processing permitted; consumer can opt out |
| Where consent is used | Must be freely given, specific, informed, unambiguous | Not required for most processing |
| Children | Parental consent for online services under 16 (member states may lower to 13; Art. 8) | Opt-in required for sale/sharing of under-16 data; parental consent for under-13 |
| Sensitive data | Explicit consent or specific exemption required (Art. 9) | Right to limit use (opt-out model) |
| Re-engagement after opt-out | No equivalent (withdrawal must be as easy as giving consent) | 12-month wait before re-asking |
Consumer and Data Subject Rights Compared
Both laws grant individuals a suite of privacy rights. The GDPR's rights are broader and the grounds for exceptions are narrower.
| Right | GDPR | CCPA/CPRA |
|---|---|---|
| Right to know / access | Yes (Art. 15) | Yes (CPRA extended the look-back beyond 12 months for data collected on or after Jan 1, 2022, unless doing so is impossible or involves disproportionate effort) |
| Right to delete / erasure | Yes, "right to be forgotten" (Art. 17) | Yes, with more business exceptions |
| Right to rectification | Yes (Art. 16) | Yes, right to correct inaccurate PI (added by CPRA) |
| Right to data portability | Yes (Art. 20) | Yes (added by CPRA) |
| Right to restrict processing | Yes (Art. 18) | Limited to sensitive PI |
| Right to object | Yes (Art. 21) | No direct equivalent |
| Right to opt out of sale | No "sale" concept | Yes, core CCPA right |
| Right to opt out of sharing | No "sharing" concept | Yes (added by CPRA) |
| Right to limit sensitive data use | Governed by Art. 9 restrictions | Yes (added by CPRA) |
| Right to non-discrimination | General equality principles | Explicit right; incentive programs permitted with disclosure |
| Automated decision-making | Right to human review; right to contest (Art. 22) | Right to opt out of ADMT plus access right (CPRA and 2025 regulations) |
The GDPR's Article 22 right against solely automated decisions is stronger in one respect: it applies by default and requires affirmative justification to override it. The CCPA/CPRA right to opt out of ADMT is an opt-out right; businesses using ADMT may continue to do so until a consumer exercises the opt-out.
Sensitive Personal Information
Both frameworks create an elevated category of data that receives heightened protection, though they define it and regulate it differently.
Under the GDPR, processing "special categories" data is prohibited by default. To process it, organizations must identify both a lawful basis under Article 6 and a specific condition under Article 9: such as explicit consent, employment law obligations, vital interests where consent cannot be obtained, or legitimate activities of nonprofit bodies. Biometric data processed for the purpose of uniquely identifying individuals is a special category.
Under the CCPA/CPRA, consumers have the right to direct a business to limit use and disclosure of sensitive PI to the purpose for which it was collected or other specifically permitted uses. Businesses must provide a "Limit the Use of My Sensitive Personal Information" link (which may be combined with the "Do Not Sell or Share" link). Neural data joined the statutory sensitive PI list on January 1, 2025 (SB 1223), and personal information of known minors under 16 has also been added to the category.
Enforcement and Penalties
GDPR Enforcement
The GDPR is enforced by independent Data Protection Authorities (DPAs) in each EU/EEA member state. Article 83 establishes a two-tier penalty structure:
- Lower tier (up to EUR 10 million or 2% of global annual turnover): violations of data controller and processor obligations, certification rules, and monitoring body rules.
- Upper tier (up to EUR 20 million or 4% of global annual turnover): violations of core data processing principles, consent conditions, data subject rights, and international transfer rules.
Total cumulative GDPR fines had surpassed EUR 5.8 billion by early 2025. Notable recent enforcement actions include the Irish Data Protection Commission's EUR 1.2 billion fine against Meta in May 2023 for unlawful data transfers to the United States (the largest single GDPR fine on record) and a EUR 310 million fine against LinkedIn in October 2024 for unlawful processing for behavioral advertising.
CCPA/CPRA Enforcement
The California Attorney General was the sole enforcer of the CCPA from its July 1, 2020 enforcement start date. The California Privacy Protection Agency (CPPA) gained administrative enforcement authority on July 1, 2023, which it shares with the Attorney General, and is the first dedicated state-level privacy enforcement agency in the United States.
Penalties under the CCPA/CPRA:
- Up to $2,500 per unintentional violation
- Up to $7,500 per intentional violation, or per violation involving a minor's personal information
- The CPPA adjusts penalty amounts (and the revenue threshold) for CPI changes in January of odd-numbered years, most recently January 2025, so the figures above are statutory base amounts rather than current maximums
The CPPA's enforcement pace has accelerated considerably. Notable 2025 settlements include:
- Tractor Supply Company: $1.35 million for CCPA violations
- American Honda Motor Co.: $632,500 for CCPA violations, the second-highest fine in the law's history at the time
- Todd Snyder, Inc.: $345,178 for improperly administering its privacy portal, including requiring consumers to verify identity before exercising their opt-out rights
| Enforcement Dimension | GDPR | CCPA/CPRA |
|---|---|---|
| Enforcing authority | National DPAs (27+ in EU/EEA) | California Attorney General plus CPPA |
| Maximum regulatory fine | EUR 20M or 4% of global annual revenue | $7,500 per intentional violation |
| Cure period | No mandatory cure period | Mandatory 30-day cure eliminated by the CPRA (Jan 1, 2023); cure is now discretionary and may be weighed as mitigation |
| Cross-border mechanism | One-stop-shop via lead DPA | California jurisdiction only |
| Private right of action | Limited (varies by member state; Art. 82) | Yes, for qualifying data breaches (Cal. Civ. Code 1798.150) |
The Private Right of Action
Both laws provide some individual litigation rights, but the scope differs substantially.
GDPR Article 82
GDPR Article 82 grants any person who has suffered material or non-material damage as a result of a GDPR infringement the right to receive compensation from the controller or processor. In practice, the availability and scope of class actions for GDPR damages varies considerably by member state; EU law does not impose a unified class-action mechanism.
CCPA Section 1798.150
The CCPA's private right of action is narrower than the GDPR's general compensation right. Under California Civil Code 1798.150, consumers may sue only for qualifying data breaches involving unencrypted or unredacted personal information (or email addresses combined with passwords or security questions) that results from the business's failure to implement reasonable security. Statutory damages range from $100 to $750 per consumer per incident, or actual damages if higher.
The private right of action does not extend to violations of consumers' access, deletion, opt-out, or other CCPA rights outside the data breach context. Those violations are enforced exclusively by the CPPA or the Attorney General.
In 2025, several California federal district court rulings allowed Section 1798.150 claims to proceed on the theory that third-party tracking technologies embedded in a website can constitute an unauthorized disclosure of personal information, which would stretch the private right of action beyond the classic external-intrusion breach. Privacy practitioners are watching these cases closely.
The CPPA's 2025 Regulations: ADMT, Risk Assessments, and Cybersecurity Audits
The CPPA Board adopted comprehensive regulations on July 24, 2025. The California Office of Administrative Law approved and filed them on September 22, 2025. These regulations represent the most significant expansion of California's privacy framework since the CPRA's effective date.
Automated Decision-Making Technology (ADMT)
The 2025 ADMT regulations implement consumer rights introduced by the CPRA. ADMT means any technology that processes personal information and uses computation to replace, or substantially replace, human decision-making; the final text dropped the broader draft language that also reached technology merely "facilitating" a human decision.
The regulations grant consumers two rights with respect to businesses using ADMT for significant decisions:
- Right to opt out of the business's use of ADMT to make significant decisions affecting the consumer, including employment eligibility, credit decisions, housing, health care treatment, and education access.
- Right of access to information about how ADMT is used, including the logic involved and the significance of the output.
Businesses that use ADMT for significant decisions must comply beginning January 1, 2027. The final regulations dropped the draft's separate coverage of ADMT used for behavioral advertising; the ADMT opt-out and access rights attach to significant decisions.
This right is conceptually similar to, but structurally different from, the GDPR's Article 22 right: GDPR Article 22 prohibits solely automated decisions that produce legal or similarly significant effects unless one of three specific conditions is met; the CCPA/CPRA right is an opt-out that leaves ADMT operational until a consumer invokes it.
Risk Assessments
Businesses must conduct risk assessments before engaging in certain processing activities that present significant risk to consumers' privacy. Risk assessments function like traditional privacy impact assessments and must be documented, reviewed at least every three years, and updated within 45 days of a material change in the processing activity. Businesses must submit an attestation and a summary of findings to the CPPA by April 1, 2028.
Cybersecurity Audits
Businesses that meet defined thresholds must conduct annual cybersecurity audits. Certification submissions to the CPPA are staggered:
- April 1, 2028: businesses exceeding $100 million in annual revenue
- April 1, 2029: businesses with $50 to $100 million in annual revenue
- April 1, 2030: businesses under $50 million in annual revenue
The cybersecurity audit requirement has no direct GDPR equivalent, though the GDPR requires appropriate technical and organizational measures under Articles 25 and 32.
The general effective date for all four rule areas is January 1, 2026, with the ADMT compliance obligation for significant decisions deferred to January 1, 2027.
International Data Transfers
The GDPR strictly regulates transfers of personal data outside the EEA. Organizations can transfer data only to countries with an EU adequacy decision, or through mechanisms such as Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs), or the EU-US Data Privacy Framework. For more on the EU's transfer regime, see our guide to EU data privacy laws.
The CCPA/CPRA places no restrictions on international data transfers. A California business may transfer personal information to any country. Transfers that constitute a "sale" or "sharing" remain subject to opt-out rights, and the 2025 risk assessment regulations apply to certain cross-border transfers that present significant privacy risk.
Data Protection Officers and Compliance Infrastructure
The GDPR requires certain organizations to appoint a Data Protection Officer (DPO) under Article 37: public authorities, organizations whose core activities involve large-scale systematic monitoring of individuals, and organizations processing special-category data at scale. The DPO must report to senior management, be independent, and cannot be penalized for performing DPO duties.
The CCPA/CPRA requires no equivalent role. Businesses must respond to consumer requests within defined timeframes (45 days, with one 45-day extension), maintain records of requests for at least 24 months, and maintain reasonable security practices, but there is no mandated internal privacy governance structure.
Both laws require record-keeping. The GDPR's Article 30 requires detailed Records of Processing Activities (RoPAs). The CCPA/CPRA requires records of consumer requests and how they were handled.
Data Breach Notification
Under the GDPR, organizations must notify their supervisory authority within 72 hours of becoming aware of a personal data breach that poses a risk to individuals' rights and freedoms. If the breach poses a high risk, the organization must also notify affected individuals directly. Our GDPR overview covers the breach notification requirements in detail.
The CCPA/CPRA does not contain its own breach notification rule. California relies on its preexisting breach notification statute (Cal. Civ. Code 1798.82), which requires notification to affected residents "in the most expedient time possible and without unreasonable delay." The CCPA's private right of action under Section 1798.150 is specifically tied to breaches of unencrypted or unredacted personal information.
The Broader US Privacy Landscape
The CCPA/CPRA did not arrive in isolation, and it has not remained unique for long. As of early 2026, approximately 20 US states have enacted comprehensive consumer privacy laws. Indiana, Kentucky, and Rhode Island have laws taking effect January 1, 2026. While no new comprehensive state privacy law was enacted in 2025, the first such gap in five years, the focus in the US has shifted from legislation to enforcement and rulemaking.
None of the other state laws match the CCPA/CPRA in rigor, the breadth of consumer rights, or the presence of a dedicated enforcement agency. For businesses operating nationally, a CCPA/CPRA-compliant program provides a solid foundation for multi-state compliance, typically with adjustments for each state's specific definitions, thresholds, and opt-out mechanisms.
There is no federal comprehensive privacy law in the United States as of the date of this review.
How Businesses Subject to Both Should Approach Compliance
Organizations serving both EU/EEA and California markets often build a unified privacy program anchored in GDPR compliance. Because the GDPR is the stricter framework in most areas, GDPR compliance typically satisfies most CCPA/CPRA baseline requirements. The reverse is not true.
Key CCPA/CPRA-specific obligations that remain even for GDPR-compliant organizations:
- "Do Not Sell or Share My Personal Information" link on the homepage and privacy policy (no GDPR equivalent)
- "Limit the Use of My Sensitive Personal Information" link (or a combined link)
- Financial incentive disclosures: businesses offering rewards or price differences tied to data collection must explain the value basis
- ADMT opt-out and access notices (effective January 1, 2027 for significant decisions)
- Risk assessments for certain high-risk processing activities (effective January 1, 2026)
- Annual cybersecurity audits if revenue and data processing thresholds are met
- Service provider contracts using CCPA-specific terminology in addition to GDPR processor agreement language
For the GDPR side of a dual-compliance program, see our EU data privacy laws overview and our guide to what the GDPR requires.
Recent Developments
September 2025: The CPPA finalized ADMT, cybersecurity audit, risk assessment, and CCPA-update regulations. General effective date: January 1, 2026. ADMT compliance for significant decisions deferred to January 1, 2027.
2025 CPPA enforcement: The agency settled with American Honda ($632,500), Tractor Supply Company ($1.35 million), and Todd Snyder ($345,178), among others. The CPPA reported hundreds of investigations in progress as of its 2025 annual report.
October 2024: Ireland's DPC fined LinkedIn EUR 310 million for unlawful processing for behavioral advertising. Cumulative GDPR fines surpassed EUR 5.8 billion by early 2025.
January 2025: The CPPA adjusted CCPA fine amounts for CPI inflation. Neural data added to the sensitive PI definition.
January 1, 2026: Indiana, Kentucky, and Rhode Island comprehensive privacy laws take effect, bringing the total number of US states with comprehensive privacy laws to approximately 20.
Frequently Asked Questions
Does the CCPA/CPRA apply to businesses outside California?
Yes. The CCPA/CPRA applies to any for-profit business that collects personal information from California residents and meets at least one of the three thresholds (revenue over $25 million, data on 100,000+ consumers per year, or 50%+ of revenue from selling or sharing data) regardless of where the business is located. A company with no physical presence in California but with California customers and a qualifying website can be covered.
Can a business be subject to both GDPR and CCPA/CPRA?
Yes. Any business that processes personal data of EU/EEA individuals and collects personal information from California residents meeting CCPA thresholds must comply with both laws. Many multinational companies build unified privacy programs anchored in GDPR requirements, then layer CCPA/CPRA-specific obligations on top.
Which law has stricter penalties?
The GDPR has far higher maximum penalties: EUR 20 million or 4% of global annual revenue, whichever is higher. CCPA/CPRA penalties cap at $7,500 per intentional violation (CPI-adjusted), but they accrue per violation, so exposure scales with the number of affected consumers. Class-action litigation under the CCPA's private right of action can also produce substantial aggregate damages, and the CPPA's active enforcement has resulted in seven-figure settlements.
Does GDPR require opt-in consent for all data processing?
No. Consent is one of six lawful bases under GDPR Article 6. Businesses can also rely on contract performance, legal obligation, vital interests, public task, or legitimate interests. However, where consent is the chosen basis it must be freely given, specific, informed, and unambiguous. For special-category data, explicit consent is required unless another Article 9 condition applies.
What is the CPPA's ADMT regulation and when does it take effect?
The CPPA finalized automated decision-making technology (ADMT) regulations on September 22, 2025, with a general effective date of January 1, 2026. Businesses using ADMT to make significant decisions affecting consumers (such as employment eligibility, credit approvals, housing, and healthcare decisions) must comply with consumer opt-out and access rights beginning January 1, 2027. ADMT used only for behavioral advertising was removed from the scope of the final regulations.
What is the biggest practical difference between GDPR and CCPA/CPRA compliance?
The consent model. GDPR requires a documented lawful basis before data processing begins, which often means obtaining opt-in consent upfront. The CCPA/CPRA allows data collection by default but requires businesses to honor opt-out requests, post a 'Do Not Sell or Share My Personal Information' link, and (under the 2025 regulations) provide ADMT opt-out and access notices. This fundamental difference shapes website design, cookie banners, privacy notices, and internal data governance.
Does GDPR compliance satisfy CCPA/CPRA requirements?
Mostly, but not entirely. A GDPR-compliant program satisfies most CCPA/CPRA baseline requirements because GDPR is generally the stricter framework. However, several CCPA/CPRA-specific obligations have no GDPR equivalent: the 'Do Not Sell or Share' link, financial incentive disclosures, the ADMT opt-out right, risk assessment and cybersecurity audit requirements under the 2025 regulations, and CCPA-specific service provider contract language.
Sources and References
- GDPR - Regulation (EU) 2016/679 Full Text (EUR-Lex) (eur-lex.europa.eu)
- GDPR Article 3 - Territorial Scope (gdpr-info.eu)
- GDPR Article 6 - Lawfulness of Processing (gdpr-info.eu)
- GDPR Article 9 - Special Categories of Personal Data (gdpr-info.eu)
- GDPR Article 17 - Right to Erasure (gdpr-info.eu)
- GDPR Article 22 - Automated Individual Decision-Making (gdpr-info.eu)
- GDPR Article 37 - Designation of the Data Protection Officer (gdpr-info.eu)
- GDPR Article 83 - General Conditions for Imposing Fines (gdpr-info.eu)
- European Commission - Data Protection in the EU (commission.europa.eu)
- European Data Protection Board - Guidelines (edpb.europa.eu)
- California Consumer Privacy Act - Full Text (Cal. Civ. Code 1798.100 et seq.) (leginfo.legislature.ca.gov)
- Cal. Civ. Code 1798.150 - Private Right of Action (leginfo.legislature.ca.gov)
- California Attorney General - CCPA/CPRA Information (oag.ca.gov)
- CPPA - CCPA Updates, Cybersecurity Audits, Risk Assessments, ADMT Regulations (cppa.ca.gov)
- CPPA Announcement: California Finalizes Regulations to Strengthen Consumers' Privacy (Sept. 22, 2025) (cppa.ca.gov)
- CPPA: Honda Settles Over Privacy Violations - $632,500 Fine (cppa.ca.gov)
- CPPA Orders Todd Snyder to Pay $345,178 Fine, Overhaul Privacy Practices (cppa.ca.gov)