On September 26, 2025, the California Privacy Protection Agency ("CPPA") issued a decision requiring Tractor Supply Company, the nation's largest rural lifestyle retailer with more than 2,500 stores in 49 states, to change its business practices. In addition, the CPPA required Tractor Supply to pay $1.35M to resolve multiple violations of the California Consumer Privacy Act (CCPA), which is the largest in the CPPA's history. This enforcement action and the decision are the first to address the importance of CCPA privacy notices and the privacy rights of job applicants. It also highlights critical compliance failures related to consumer opt-out rights, third-party data sharing, failure to send honor preference signals from websites, and inadequate privacy disclosures. This enforcement action signals the CPPA's continued focus on ensuring businesses properly implement consumer privacy choices and maintain transparent data practices.
Background
The CPPA began investigating Tractor Supply following a complaint from a consumer in Placerville, California. The investigation revealed that despite collecting personal information from California residents through its website, mobile application, and physical stores, Tractor Supply failed to properly implement several core CCPA requirements between January 2023 and July 2024.
Most significantly, the company's "Do Not Sell My Personal Information" link directed consumers to a web form that created the false impression of honoring opt-out requests while continuing to share personal information through tracking technologies with third parties for advertising purposes. In addition, Tractor Supply did not configure its website to honor opt-out preference signals (e.g., Global Privacy Control) until July 2024, and its privacy policy lacked required disclosures about consumer rights.
Key Issues
The enforcement action identified several critical compliance failures:
Ineffective "Do Not Sell My Personal Information" Form: Tractor Supply's "Do Not Sell My Personal Data" web form did not opt consumers out of the sale of their personal information and misled consumers into believing their privacy choices were being respected.
Failure to Honor Opt-Out Preference Signals and Disclose: The company did not process browser-based opt-out preference signals as required by the CCPA until mid-2024.
Inadequate Third-Party Contracts: Contracts with service providers and third parties lacked required CCPA provisions, including terms limiting data use to specified purposes and requiring compliance with consumer privacy requests.
Deficient Privacy Notices: Tractor Supply's privacy policy lacked required disclosures, including a provision about how it handles opt-out signals, was not updated annually as required, and failed to inform job applicants about their CCPA rights.
Next Steps for Businesses
This enforcement action provides important lessons for all businesses subject to the CCPA:
- Review your organization's opt-out mechanisms and procedures to ensure they effectively stop all applicable selling and sharing of personal information, including through cookies and tracking technologies.
- Configure your websites to recognize and honor opt-out preference signals in a frictionless manner.
- Inventory all tracking technologies on your digital properties and maintain accurate records of their purpose and data practices.
- Audit contracts with service providers and third parties to ensure they contain provisions required by state privacy laws.
- Update your privacy policies annually and ensure they include all required disclosures about consumer rights and how to exercise them.
- Implement regular training for personnel handling consumer privacy requests.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
