13 November 2025

CPPA Announces $1.35M Fine In Tractor Supply Case: What Every Business Should Learn

Donahue Fitzgerald Attorneys


Donahue Fitzgerald has been helping innovators bring their dreams to life since 1883. With passion and entrepreneurial spirit, our clients are innovators in diverse fields. We’ve represented many of our clients for generations. Throughout our long history, we have successfully guided our clients through evolving legal landscapes and economic cycles.

In September, the California Privacy Protection Agency (CPPA) announced its largest enforcement action to date under the California Consumer Privacy Act (CCPA). Tractor Supply Company, a national retailer with stores across California, will pay $1.35 million and commit to extensive compliance reforms as part of a settlement addressing the CPPA's findings of non-compliance with California privacy law.

The CCPA applies broadly. It covers for-profit businesses operating in California that meet any one of the following thresholds:

  1. Earn more than $25 million in annual gross revenues;
  2. Buy, sell, or share the personal information of 100,000 or more California residents, households, or devices annually; or
  3. Derive at least half of their annual revenue from selling or sharing personal information.

However, even companies that fall below these thresholds aren't entirely exempt from the CCPA's reach. Many end up covered indirectly when they act as service providers, contractors, or vendors to larger, regulated businesses. In practice, this often means that a smaller company processing customer information, supporting targeted advertising, or providing software for a larger covered business must comply with the requirements imposed on it by its customer contracts, even if the company itself would not otherwise be directly regulated.

What Went Wrong: Key Compliance Gaps Unveiled

Initiated by a consumer complaint, the investigation into Tractor Supply uncovered a number of major compliance failures. To start, the company hadn't updated its consumer privacy notice since 2021, even though the CCPA requires annual reviews. It also failed to give California job applicants notice of their rights—a lapse that marks the CPPA's first enforcement action involving job applicant data. And while Tractor Supply offered a "Do Not Sell" link on its website, the option proved hollow: clicking it did nothing to stop third-party advertising or analytics trackers.

The CPPA's investigation also revealed significant gaps in Tractor Supply's oversight of third-party vendors. The company shared personal information with advertising and analytics partners but failed to put contracts in place requiring those partners to limit how the data could be used and to honor consumer opt-out requests. In addition, Tractor Supply had no system to track or monitor the technologies embedded in its websites and mobile apps, which left it unable to identify what data was being collected or how it was being used.

The Fallout: Penalties and Mandated Reforms

The settlement goes beyond financial penalty. Tractor Supply must overhaul its privacy program by scanning its websites and mobile applications quarterly to inventory all tracking technologies, revising its opt-out mechanisms to ensure effectiveness, and executing compliant agreements with every vendor handling consumer information. The company must also deliver updated privacy notices to both consumers and job applicants, conduct annual audits, and submit certifications signed by senior corporate officers for a multi-year period. In doing so, the CPPA confirmed that compliance will no longer be judged by written policies alone, but by evidence of ongoing, effective governance.

This action is significant for several reasons. First, it is the first major CPPA action to address job applicant data, signaling that the CCPA applies as much to employees and applicants as it does to consumers. Second, in pursuing the Tractor Supply enforcement action, the agency also clarified that conduct predating the July 2023 effective date of the CCPA regulations may still be subject to enforcement, suggesting that historical practices remain within its reach. Lastly and perhaps most importantly, the order illustrates the CPPA's willingness to impose both substantial fines and extensive, forward-looking remediation obligations, effectively putting companies under privacy probation for years at a time.

The Takeaway: A New Era of Accountability

With hundreds of CPPA investigations already underway and new California privacy regulations taking effect at the start of next year, enforcement is only set to expand. The forthcoming regulations, scheduled to become effective in January 2026, will broaden business obligations by introducing requirements for privacy risk assessments, cybersecurity audits, and oversight of automated decision-making. Certain businesses will be required to conduct formal risk assessments for high-risk data processing activities, undergo regular independent cybersecurity audits, and provide consumers with greater transparency and control over how automated decision-making technologies are used. Together, these measures represent the most substantial expansion of compliance duties since the CCPA's original implementing regulations and underscore the CPPA's shift from policy development to active enforcement.

Organizations that treat compliance as a one-time exercise expose themselves to multi-million dollar penalties and years of arduous and costly oversight. Companies can no longer afford piecemeal compliance. Organizations should take this as an opportunity to evaluate their privacy programs comprehensively, spanning consumer, workforce, and vendor data, and to implement governance procedures that will meet regulator expectations.

Steps to Strengthen Your Privacy Program

  • Review and update privacy notices annually. Ensure policies are accurate, up to date, and tailored for both consumers and employees/applicants, as required by the CCPA.
  • Verify opt-out mechanisms. Test "Do Not Sell/Share" links and forms regularly to confirm they actually disable third-party tracking and that universal signals (such as Global Privacy Control) are recognized.
  • Audit vendor relationships. Confirm contracts with service providers and advertising/analytics partners include CCPA-mandated terms, including limits on data use and obligations to honor opt-outs.
  • Inventory tracking technologies. Maintain a current record of all cookies, pixels, SDKs, and similar tools used across websites and apps and understand what data they collect and share.
  • Monitor compliance proactively. Build systems for regular reviews (e.g., quarterly scans, annual audits) rather than waiting for issues to surface in an investigation.
  • Extend compliance to workforce data. Include workforce data in your compliance program by providing required notices and rights mechanisms to job applicants, employees, and contractors.
  • Document governance. Maintain clear internal processes and assign responsibility for compliance, including executive oversight, so that you can demonstrate accountability if regulators inquire.
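The "verify opt-out mechanisms" and "inventory tracking technologies" steps above can be turned into a repeatable check. The following Python script is an added example written for this article; it is not code from the firm or from the settlement. It assumes a hypothetical tracker inventory (`TRACKER_INVENTORY`) and first-party domain list (`FIRST_PARTY_DOMAINS`), and it works on constructed captures of the outbound requests a browser made during three sessions: a baseline visit, a visit after clicking the "Do Not Sell/Share" link, and a visit from a browser sending the Global Privacy Control signal. A known tracker that still fires after an opt-out is reported as a violation (the "hollow link" failure described earlier), and any third-party domain missing from the inventory is reported as an inventory gap.

```python
from dataclasses import dataclass
from urllib.parse import urlparse

# Assumption: a hypothetical tracker inventory, kept current by the quarterly
# scans the settlement calls for. Keys are registrable domains, values are roles.
TRACKER_INVENTORY = {
    "analytics.example": "analytics partner",
    "ads.example": "advertising partner",
    "pixel.example": "advertising pixel",
}

# Assumption: the business's own domains; anything else is a third party.
FIRST_PARTY_DOMAINS = {"shop.example"}


@dataclass(frozen=True)
class Capture:
    """One captured browsing session (constructed for this example)."""
    label: str
    opted_out: bool        # the user clicked the "Do Not Sell/Share" link
    gpc_signal: bool       # the browser sent the Global Privacy Control header (Sec-GPC: 1)
    request_urls: tuple    # outbound request URLs observed, e.g. exported from a HAR file


def registrable_domain(url: str) -> str:
    """Reduce a URL to its registrable domain (naive: last two host labels).
    Sufficient for this example; a production scanner should use the Public Suffix List."""
    host = urlparse(url).hostname or ""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def third_party_domains(urls) -> set:
    """Every registrable domain contacted that is not one of our own."""
    return {registrable_domain(u) for u in urls} - FIRST_PARTY_DOMAINS


def evaluate(capture: Capture) -> dict:
    """Classify a session's third-party traffic and decide whether an opt-out was honored."""
    third_parties = third_party_domains(capture.request_urls)
    trackers = sorted(d for d in third_parties if d in TRACKER_INVENTORY)
    unknown = sorted(d for d in third_parties if d not in TRACKER_INVENTORY)
    # Either an explicit opt-out or a GPC signal must stop known trackers from loading.
    must_be_silent = capture.opted_out or capture.gpc_signal
    return {
        "label": capture.label,
        "trackers_firing": trackers,
        "uninventoried_third_parties": unknown,  # inventory gap: nobody knows what these collect
        "opt_out_violation": must_be_silent and bool(trackers),
    }


# Constructed sessions: a baseline visit, a visit after clicking the opt-out link,
# and a visit from a browser that sends the GPC signal.
CAPTURES = [
    Capture("baseline", False, False, (
        "https://shop.example/",
        "https://www.analytics.example/collect?id=1",
        "https://ads.example/pixel.gif",
    )),
    Capture("after_opt_out_click", True, False, (
        "https://shop.example/?optout=1",
        "https://www.analytics.example/collect?id=1",   # still firing: the link is hollow
        "https://ads.example/pixel.gif",
    )),
    Capture("gpc_browser", False, True, (
        "https://shop.example/",
        "https://cdn.newvendor.example/tag.js",          # third party absent from the inventory
    )),
]


def evaluate_all(captures=CAPTURES) -> dict:
    """Run the check over every capture, keyed by session label."""
    return {c.label: evaluate(c) for c in captures}


if __name__ == "__main__":
    for label, result in evaluate_all().items():
        status = "VIOLATION" if result["opt_out_violation"] else "ok"
        print(f"{label:22} {status:10} trackers={result['trackers_firing']} "
              f"uninventoried={result['uninventoried_third_parties']}")
```

Run on a schedule (the quarterly cadence the settlement requires) with fresh captures of the production site, the script produces two lists an auditor can act on: trackers that ignore opt-outs, and third parties nobody has contracted with or inventoried. Both map directly to the gaps the CPPA found in this case.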

We continue to monitor CPPA enforcement closely and advise clients on practical steps to strengthen their privacy programs, from updating notices and opt-out mechanisms to managing vendor contracts and governance processes. If questions arise about how this settlement may apply to your business, we are available to discuss considerations and next steps.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
