California Privacy Protection Agency Drops First-Ever Enforcement Lawsuit, Fines Tractor Supply Company $1.35M

On September 26, 2025, the California Privacy Protection Agency (CPPA) entered a stipulated order fining Tractor Supply Company (TSC), a rural lifestyle retailer, $1.35 million for deficient privacy measures. The fine is the largest the agency has assessed and its third fine in seven months. The order also resolves the first time the CPPA sought judicial support to enforce its investigatory powers under California's privacy law.

The CPPA began investigating TSC in 2024 after receiving a consumer complaint. When TSC objected to the scope of the investigation, the CPPA filed a petition in Sacramento Superior Court to enforce its subpoena seeking TSC's privacy-related records from 2020 to 2025. TSC argued that because the CPPA did not finalize its regulations until March 2023, TSC's practices before that date "fall outside the scope of the agency's enforcement authority" and TSC lacked actual knowledge of what was prohibited under California's privacy law. But the stipulated order entered this week acknowledges that the CPPA possesses "broad authority" to investigate potential privacy violations, including those that occurred prior to January 2023.

The CPPA alleged that TSC failed to honor consumers' opt-out requests and failed to process opt-out preference signals automatically expressed through browsers. Although TSC maintained an interactive webform that included a "Do not sell my information" option, the CPPA alleged that consumer selections on the webform "had no effect upon how the company shared consumers' personal information through third party tracking technologies." As in prior enforcement actions, the CPPA also found TSC did not properly contract with its service providers and other third parties to protect consumers' privacy. TSC's data-sharing agreements did not prohibit the downstream sale or sharing of personal information, identify limited and specific purposes for its use, require the third parties to honor opt-out requests, or grant TSC the right to ensure appropriate use of personal information by third parties and remediate improper use, among other things.

In another first, the CPPA also found TSC did not provide job applicants with adequate notice of their privacy rights or any description of how to exercise those rights. This is the first time the CPPA has publicly faulted a company for privacy practices in relation to job applicants. Unlike most state privacy laws, California's law does not exclude personal information processed in the employment context.

Companies may often reduce monetary exposure by complying with the CPPA's investigation or showing good-faith attempts at substantial compliance — a discretion expressly afforded to regulators under California's privacy law. Here, despite the court petition it filed to enforce its investigatory powers, the CPPA stated in the final order:

Along with paying the $1.35 million fine, for four years TSC will be required to conduct a quarterly review of its privacy practices, share the results of its reviews with the CPPA and submit a certificate of compliance, signed by an officer or director of the company, stating that it has continued to comply with the CPPA's decision. TSC must also review its data inventories and update its contracting review processes to ensure compliant terms, among other injunctive measures.

Michael Macko, deputy director of enforcement, announced the CPPA's "enforcement priority to investigate whether businesses are properly implementing privacy rights" and that the CPPA will "continue to look broadly across industries to identify violations of California's privacy law." Macko also stated recently that the CPPA has "hundreds" of active enforcement actions under investigation.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.