- within Compliance, Tax and Intellectual Property topic(s)
- with readers working within the Environment & Waste Management industries
On September 26, 2025, the California Privacy Protection Agency (CPPA) announced a $1.35 million fine against Tractor Supply Company, resolving allegations that the company violated the California Consumer Privacy Act (CCPA). The settlement with Tractor Supply is the latest in a streak of enforcement actions addressing violations of the CCPA this year. Earlier this year, the CPPA announced an enforcement sweep in collaboration with Connecticut and Colorado focused on opt-out preference signals, and the state Attorney General (CA OAG) announced an investigative sweep of location data brokers selling sensitive personal information. We have previously reported on the CPPA's settlements with American Honda Motor Co. and Todd Snyder, and the CA OAG's settlement with Healthline Media.
We breakdown what you need to know about the Tractor Supply settlement and its main compliance takeaways.
Background:
Tractor Supply is the largest rural lifestyle retailer in the U.S., with more than 2,500 stores across 49 states, including 85 stores in California. In 2024, the CPPA opened an investigation into Tractor Supply following a consumer complaint about the company's privacy practices. Through the investigation, in which the CPPA sought the court's intervention to enforce its subpoena, the Agency identified alleged deficiencies with the company's privacy notices, employee privacy disclosures, opt-out processes, and partner contracts.
Consumer privacy notice: The CCPA requires specific disclosures in consumer-facing privacy policies, including a comprehensive description of a business's offline and online data collection and processing practices, and information detailing consumer privacy rights and how to exercise those rights. Tractor Supply's privacy policy, however, included only a short paragraph describing California consumers' right to request access to their personal information. What is more, the CCPA requires businesses to review and update their privacy policies annually, but Tractor Supply's last update before the CPPA's investigation occurred in November 2021.
Employee privacy: The CCPA is the only state privacy law that includes employee data in the definition of personal information, and it is the only state in which companies must provide employees with specific notice and rights regarding the processing of this information. However, the CPPA found that Tractor Supply's career site did not provide notice of employees' California privacy rights or a description of how to exercise those rights.
Consumer opt-out rights: The CCPA requires businesses to provide two mechanisms by which a consumer may exercise the right to opt out of the sale of personal information – through a link in the footer of a business's website and through an opt-out preference signal such as GPC. Although Tractor Supply provided a "Do Not Sell My Personal Information Link" in the footer of its website that led consumers to a webform, submitting an opt-out request did not stop the third-party technologies from collecting and selling personal information. Additionally, Tractor Supply's consumer disclosures did not explain how consumers could use an opt-out preference signal to make a request to opt out of sale, nor did the company configure its website to accept and honor such signals.
Partner Contracting: Any business that discloses, sells or shares personal information to another party must enter contracts governing the exchange of data, and each entities' respective obligations pursuant to the CCPA. Tractor Supply disclosed personal information collected from its website to service providers and third parties, but it failed to implement legally required contract terms – putting the privacy and security of consumer information at risk.
Key Takeaways:
The Tractor Supply settlement reinforces compliance principles addressed in prior California privacy settlements, and it represents regulators' willingness to pursue enforcement for a range of activities.
- California regulators are focused on consumers' right to opt out of sale and the use of opt-out preference signals
A common theme across CCPA enforcement in 2025, including in Tractor Supply, has been regulators' focus on consumers' right to opt out of the sale of personal information/the processing of personal information for targeted advertising. Businesses would be wise to reexamine their current practices to help confirm that: consumer choices are described clearly, without dark patterns; opt-out mechanisms effectively stop all sales of personal information; and that opt-out preference signals are being honored.
- Disclosures of personal information must be governed by contract terms
Like the right to opt out, the CPPA and CA OAG have also addressed contracts with third parties and service providers in various scenarios, including in the Tractor Supply matter. Businesses that disclose, sell, or share personal information should review their existing vendor due diligence practices and contract terms, and amend agreements that do not comply with the CCPA. Where applicable, such agreements should also specify each party's rights with respect to facilitating consumer privacy rights, and how opt-out requests will be passed and honored by downstream recipients. Additionally, businesses should ensure they regularly audit vendor compliance with these agreements and remediate improper data use where necessary.
- Consumer inquiries regarding privacy create opportunities
The Tractor Supply settlement serves as an important reminder to consistently monitor consumer contact methods such as email addresses and telephone numbers listed in privacy policies, and to swiftly resolve consumer inquiries and complaints. Strong customer service practices not only help to build brand loyalty, but also to identify and remediate potential privacy issues before regulators get involved.
- Employee data is in scope
Businesses with employees in California must inform them of their privacy rights and offer a mechanism by which employees can exercise their rights. This may include in the right to opt out of sale in instances where, for example, a business hosts third-party tracking technologies on an employee or applicant portal.
- Is it time for a privacy policy checkup?
Deficient privacy policies are low-hanging fruit for regulatory inquiries and consumer complaints – even when a business's internal privacy practices are sound. Businesses should review their privacy policies annually to help confirm they provide clear disclosures regarding privacy practices, inform consumers of applicable privacy rights, and clearly explain how consumers can exercise those rights.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.