ARTICLE
2 October 2025

California Privacy Protection Agency Imposes A $1.35 Million Fine On Tractor Supply Company For CCPA Violations

RJ
Roth Jackson

Contributor

Roth Jackson and Marashlian & Donahue’s strategic alliance delivers premier regulatory, litigation,and transactional counsel in telecommunications, privacy, and AI—guiding global technology innovators with forward-thinking strategies that anticipate risk, support growth, and navigate complex government investigations and litigation challenges.
On September 26, 2025, the California Privacy Protection Agency ("CPPA") issued a decision requiring Tractor Supply Company, the nation's largest rural lifestyle retailer with more than 2,500 stores in 49 states...
United States California Privacy

On September 26, 2025, the California Privacy Protection Agency ("CPPA") issued a decision requiring Tractor Supply Company, the nation's largest rural lifestyle retailer with more than 2,500 stores in 49 states, to change its business practices. In addition, the CPPA required Tractor Supply to pay $1.35M to resolve multiple violations of the California Consumer Privacy Act (CCPA), which is the largest in the CPPA's history. This enforcement action and the decision are the first to address the importance of CCPA privacy notices and the privacy rights of job applicants. It also highlights critical compliance failures related to consumer opt-out rights, third-party data sharing, failure to send honor preference signals from websites, and inadequate privacy disclosures. This enforcement action signals the CPPA's continued focus on ensuring businesses properly implement consumer privacy choices and maintain transparent data practices.

Background

The CPPA began investigating Tractor Supply following a complaint from a consumer in Placerville, California. The investigation revealed that despite collecting personal information from California residents through its website, mobile application, and physical stores, Tractor Supply failed to properly implement several core CCPA requirements between January 2023 and July 2024.

Most significantly, the company's "Do Not Sell My Personal Information" link directed consumers to a web form that created the false impression of honoring opt-out requests while continuing to share personal information through tracking technologies with third parties for advertising purposes. In addition, Tractor Supply did not configure its website to honor opt-out preference signals (e.g., Global Privacy Control) until July 2024, and its privacy policy lacked required disclosures about consumer rights.

Key Issues

The enforcement action identified several critical compliance failures:

Ineffective "Do Not Sell My Personal Information" Form: Tractor Supply's "Do Not Sell My Personal Data" web form did not opt consumers out of the sale of their personal information and misled consumers into believing their privacy choices were being respected.

Failure to Honor Opt-Out Preference Signals and Disclose: The company did not process browser-based opt-out preference signals as required by the CCPA until mid-2024.

Inadequate Third-Party Contracts: Contracts with service providers and third parties lacked required CCPA provisions, including terms limiting data use to specified purposes and requiring compliance with consumer privacy requests.

Deficient Privacy Notices: Tractor Supply's privacy policy lacked required disclosures, including a provision about how it handles opt-out signals, was not updated annually as required, and failed to inform job applicants about their CCPA rights.

Next Steps for Businesses

This enforcement action provides important lessons for all businesses subject to the CCPA:

  • Review your organization's opt-out mechanisms and procedures to ensure they effectively stop all applicable selling and sharing of personal information, including through cookies and tracking technologies.
  • Configure your websites to recognize and honor opt-out preference signals in a frictionless manner.
  • Inventory all tracking technologies on your digital properties and maintain accurate records of their purpose and data practices.
  • Audit contracts with service providers and third parties to ensure they contain provisions required by state privacy laws.
  • Update your privacy policies annually and ensure they include all required disclosures about consumer rights and how to exercise them.
  • Implement regular training for personnel handling consumer privacy requests.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More