On September 30, 2025, the California Privacy Protection Agency ("CPPA" or "Agency") announced that it had fined Tractor Supply Company ("Respondent") $1,350,000 for alleged violations of the California Consumer Privacy Act ("CCPA"). As our readers are aware, the CCPA went into effect on January 1, 2022, with the aim of protecting the privacy of California consumers, in large part, by giving them "more control" over the collection, use, and sharing of their personal information.
Respondent is the nation's largest rural lifestyle company, operating more than 2,500 stores across the United States. In 2024, the CPPA opened an investigation into Respondent's privacy practices after receiving a complaint from a consumer in Placerville, California. The Agency's investigation found that a company-wide failure to protect California consumer privacy rights had occurred.
How Did Respondent Allegedly Fail to Honor California Resident Privacy Rights?
The CPPA reviewed Respondent's consumer privacy practices for the period of January 1, 2023 through July 1, 2024. Among other alleged violations, the Agency found that:
- Respondent did not effectively process consumer opt-out requests. Specifically, Respondent's website utilized cookies and other technology to track consumer website activity. This personal information was then sold to third parties. California privacy law requires that, if a business receives consumer opt-out requests, it must honor such requests. Respondent's website provided a link to a "Do Not Sell My Personal Information" webform. However, Respondent continued to sell and share consumers' personal information even after consumers submitted the opt-out forms.
- Respondent's contracts with third-party data recipients were inadequate. California privacy law requires that certain terms be included in contracts between a business that collects and discloses personal information and the third-party recipients of such information. Among other terms, the contracts must "identify the limited and specified purposes for which the personal information can be used." Furthermore, the contracts must mandate that the third-party recipients of such information comply with the CCPA's requirements. The Agency's investigation revealed, among other things, that Respondent's contracts failed to: 1) prohibit its service providers from selling or sharing the personal information that they collected; 2) identify the limited and specified purpose(s) for which consumer personal information was processed and/or disclosed; and 3) make available consumer personal information only for the limited and specified purposes set forth in the contracts.
Why Does the Tractor Supply Action Matter to Your Business?
Adhering to the CPPA's final order will cost Respondent a substantial sum. In addition to paying a $1,350,000 administrative fine, Respondent also agreed to implement broad remedial measures in order to comply with various aspects of California privacy law and appoint a corporate officer to annually certify such compliance over the next four years.
The Agency's massive judgment underscores the seriousness of observing California consumer privacy rights. In the years since the CCPA took effect, the CPPA has moved swiftly to investigate and prosecute companies accused of violating the law. To state the obvious, businesses that collect, sell, or transfer the personal information of the State's consumers must familiarize themselves with the CCPA and other privacy regulations.