8 October 2025

California Privacy Protection Agency Drops First-Ever Enforcement Lawsuit, Fines Tractor Supply Company $1.35M

Herbert Smith Freehills Kramer LLP

Contributor


On September 26, 2025, the California Privacy Protection Agency (CPPA) entered a stipulated order fining Tractor Supply Company (TSC), a rural lifestyle retailer, $1.35 million for deficient privacy measures. The fine is the largest the agency has assessed and its third fine in seven months. The order also resolves the first time the CPPA sought judicial support to enforce its investigatory powers under California's privacy law.

The CPPA began investigating TSC in 2024 after receiving a consumer complaint. When TSC objected to the scope of the investigation, the CPPA filed a petition in Sacramento Superior Court to enforce its subpoena seeking TSC's privacy-related records from 2020 to 2025. TSC argued that because the CPPA did not finalize its regulations until March 2023, TSC's practices before that date "fall outside the scope of the agency's enforcement authority" and TSC lacked actual knowledge of what was prohibited under California's privacy law. But the stipulated order entered this week acknowledges that the CPPA possesses "broad authority" to investigate potential privacy violations, including those that occurred prior to January 2023.

The CPPA alleged that TSC failed to honor consumers' opt-out requests and failed to process opt-out preference signals automatically expressed through browsers. Although TSC maintained an interactive webform that included a "Do not sell my information" option, the CPPA alleged that consumer selections on the webform "had no effect upon how the company shared consumers' personal information through third party tracking technologies." As in prior enforcement actions, the CPPA also found TSC did not properly contract with its service providers and other third parties to protect consumers' privacy. TSC's data-sharing agreements did not prohibit the downstream sale or sharing of personal information, identify limited and specific purposes for its use, require the third parties to honor opt-out requests, or grant TSC the right to ensure appropriate use of personal information by third parties and remediate improper use, among other things.

In another first, the CPPA also found TSC did not provide job applicants with adequate notice of their privacy rights or any description of how to exercise those rights. This is the first time the CPPA has publicly faulted a company for privacy practices in relation to job applicants. Unlike most state privacy laws, California's law does not exclude personal information processed in the employment context.

Companies may often reduce monetary exposure by complying with the CPPA's investigation or showing good-faith attempts at substantial compliance — a discretion expressly afforded to regulators under California's privacy law. Here, despite the court petition it filed to enforce its investigatory powers, the CPPA stated in the final order:

"The CPPA recognizes and credits Tractor Supply's remediation efforts. Since learning of the investigation in 2024, Tractor Supply has substantially revised its practices, remediated many of the issues identified above, and has committed substantial financial and other resources to remediating the shortcomings identified."

Along with paying the $1.35 million fine, for four years TSC will be required to conduct a quarterly review of its privacy practices, share the results of its reviews with the CPPA and submit a certificate of compliance, signed by an officer or director of the company, stating that it has continued to comply with the CPPA's decision. TSC must also review its data inventories and update its contracting review processes to ensure compliant terms, among other injunctive measures.

Michael Macko, deputy director of enforcement, announced the CPPA's "enforcement priority to investigate whether businesses are properly implementing privacy rights" and that the CPPA will "continue to look broadly across industries to identify violations of California's privacy law." Macko also stated recently that the CPPA has "hundreds" of active enforcement actions under investigation.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
