
California Privacy Protection Agency issues record $1.35 million fine against Tractor Supply Company
On September 30, 2025, the California Privacy Protection Agency (CPPA) announced a record $1.35 million settlement with Tractor Supply Company for violations of the California Consumer Privacy Act (CCPA). The settlement resolves claims that Tractor Supply failed to properly notify consumers and job applicants of their privacy rights, maintain adequate service provider agreements, and provide effective opt-out mechanisms for the sharing and sale of personal information.
This enforcement action—the third CPPA settlement in 2025 and the largest to date—signals the agency's increasingly aggressive enforcement posture and expanding interpretation of its authority under California's data privacy laws. The settlement notably confirms the CPPA's position that it can investigate potential violations dating back to January 1, 2020, when the CCPA first became operative, despite regulations being finalized later.
Background and Allegations
Tractor Supply Co. operates more than 85 brick-and-mortar stores across California, as well as a website and mobile application for online purchases. The CPPA initiated its investigation in early 2024 after receiving a consumer complaint regarding the company's privacy practices. Although the stipulated final order primarily addresses conduct between January 1, 2023, and July 1, 2024, a significant aspect of this settlement is Tractor Supply's acknowledgment that "the agency possesses broad authority to investigate potential violations of the CCPA, including those that occurred before January 1, 2023." This acknowledgment resulted in the CPPA discontinuing a separate subpoena enforcement action it had initiated in August 2025 to compel Tractor Supply to comply with its investigative demands.
Key Violations
The CPPA identified several significant violations in its investigation:
- Ineffective Opt-Out Mechanisms: Tractor Supply's website included a "Do Not Sell My Personal Information" link that directed consumers to a webform. However, submitting a request through this webform did not actually halt the sale or sharing of the consumer's personal information through third-party tracking technologies, leaving consumers with the false impression that their opt-out requests had been honored.
- Failure to Honor Opt-Out Preference Signals: Tractor Supply did not configure its website to recognize and honor opt-out preference signals (e.g., Global Privacy Control) until July 2024. This meant that prior to that date, browser-based opt-out requests were ineffective.
- Inadequate Privacy Disclosures: The company failed to update its privacy policy annually, as required by the CCPA. Specifically, Tractor Supply updated its policy in November 2021 but did not update it again until years later, after learning of the CPPA's investigation. The privacy policy also lacked required disclosures about opt-out preference signals.
- Deficient Job Applicant Notices: Tractor Supply's job application disclosures failed to notify job applicants about their CCPA rights and provide them information needed to exercise those rights.
- Insufficient Service Provider Contracts: Tractor Supply failed to ensure that its contracts with service providers and third parties, including advertising technology companies, contained all CCPA-required provisions.
Settlement Terms
In addition to the $1.35 million administrative fine, Tractor Supply agreed to implement comprehensive remedial measures, including:
1. Opt-Out Mechanisms and Tracking Technologies:
- Conduct quarterly scanning of digital properties to maintain a current inventory of tracking technologies
- Configure digital properties to properly honor opt-out preference signals
- Ensure symmetry of choice in tracking technology interfaces
2. Privacy Policy and Consumer Notices:
- Review and update privacy policies to ensure CCPA compliance
- Notify employees and job applicants of their privacy rights
3. Training and Contract Management:
- Provide updated CCPA training to personnel handling consumer requests
- Modify contract management processes to ensure all required contractual terms are in place with external recipients of personal information by March 31, 2026
4. Ongoing Compliance:
- Implement a program to monitor opt-out request processing effectiveness
- Conduct annual reviews of third-party data sharing practices
- Submit annual compliance certifications signed by a corporate officer for four years
- Publicly post CCPA metrics on its website for five years
Key Takeaways and Recommendations
This landmark settlement provides several important insights for businesses subject to California privacy laws.
- The CPPA's Enforcement Authority Is Broad and Retroactive: The CPPA has firmly established its position that it can investigate and penalize conduct dating back to the CCPA's operative date (January 1, 2020), even if specific regulations were finalized later. This interpretation significantly expands the potential liability window for businesses.
- Technical Implementation Matters: Simply having an opt-out link or form is insufficient; businesses must ensure these mechanisms, including "Do Not Sell or Share My Personal Information" links and forms, prevent the sale or sharing of personal information across all technologies, including third-party tracking technologies used for advertising purposes.
- Opt-Out Preference Signals Are Mandatory: California businesses must configure their websites to honor browser-based opt-out preference signals, such as Global Privacy Control (GPC), in a frictionless manner.
- Job Applicant Privacy Rights Are Being Enforced: Unlike some other privacy laws, California does not exempt job applicant data from CCPA requirements. Businesses must provide job applicants with privacy notices that inform them of their CCPA rights.
- Service Provider Contract Requirements Are Being Scrutinized: The CPPA is closely examining whether businesses have proper contractual safeguards in place with service providers, contractors, and other third parties receiving personal information. Businesses must review all contracts with service providers, contractors, and third parties to ensure they contain all CCPA-required provisions.
- Routinely Review Privacy Policies: Ensure privacy policies are updated annually, contain all required disclosures (including information about opt-out preference signals and how they are processed), and accurately describe data processing practices.
- Enforcement Is Intensifying: This settlement, following earlier enforcement actions against Honda ($632,500) and Todd Snyder Inc. ($345,000), demonstrates the CPPA's commitment to aggressive enforcement. Notably, the California Attorney General also has authority to enforce CCPA violations and has independently investigated and announced settlements with other businesses that have violated the CCPA. The CPPA also recently announced a joint investigative sweep with attorneys general from California, Colorado, and Connecticut focusing on opt-out compliance.
© 2025 White & Case LLP