The California Privacy Protection Agency (CPPA) has settled with retailer Tractor Supply for $1.35 million, its largest fine to date. The decision resolves claims that the company violated the California Consumer Privacy Act (CCPA).
The action is the first from the CPPA to specifically address the privacy rights of job applicants and highlights a new phase of enforcement focusing on technical compliance and vendor accountability.
The CPPA’s allegations
The CPPA’s investigation began after a consumer complaint. According to the agency, Tractor Supply violated the CCPA by:
- Failing to maintain a privacy policy that properly notified consumers of their rights
- Failing to provide California job applicants with a notice of their privacy rights and how to exercise them
- Failing to offer consumers an effective way to opt out of the selling and sharing of their personal information, which includes honoring opt-out preference signals like Global Privacy Control (GPC)
- Disclosing personal information to third parties without contracts that included the required privacy protections
To resolve the allegations, Tractor Supply has agreed to pay the $1.35 million fine, implement significant remedial measures, and have a corporate officer certify its compliance annually for the next four years.
Beyond superficial compliance
This enforcement action demonstrates that California’s regulator is looking beyond surface-level compliance and expects businesses to implement meaningful and effective compliance programs – not just boilerplate privacy notices and ineffective opt-out links.
Retailers, in particular, must ensure their data practices can withstand regulatory scrutiny.
Honoring opt-out preference signals
A central issue for Tractor Supply was the failure to provide an “effective mechanism” for consumers to opt out.
The CCPA’s opt-out requirements extend beyond providing a “Do Not Sell or Share My Personal Information” link. Businesses must also be able to detect and honor browser-based opt-out preference signals, such as Global Privacy Control (GPC).
The CPPA expects these signals to be treated as legitimate, legally binding requests that are processed automatically at the technology layer. A link that directs users to a webform that does not stop tracking is not sufficient.
Extending privacy rights to job applicants
The decision underscores that CCPA rights are not limited to customers. Since 2023, job applicants, employees, and independent contractors have been afforded the same privacy protections as other California consumers.
CCPA-covered businesses hiring in California must ensure they provide clear, accessible privacy notices to applicants at or before the point of data collection. These notices must explain what data is collected, for what purpose, and how applicants can exercise their CCPA rights.
Holding vendors accountable
The CPPA found that Tractor Supply disclosed personal information to other companies without the necessary contractual safeguards. This finding is a clear warning that retailers will be held accountable for the data-sharing practices within their supply chain.
Service agreements can no longer be perfunctory. Contracts must explicitly restrict the secondary use of consumer data, require vendors to honor opt-out requests, and allow for audits to verify compliance.
The shift towards automated governance
The new wave of CCPA enforcement makes clear that manual, ad-hoc compliance measures are not sustainable, particularly for large retailers with complex data ecosystems.
Organizations must move towards proactive and systemic governance. This requires investing in technology and processes that provide visibility and control over data flows. Key areas of focus should include:
- Continuous monitoring and inventory of all cookies, pixels, and other tracking technologies across digital properties
- Automated systems for detecting and enforcing opt-out signals like GPC across all consumer touchpoints
- Robust vendor assessment and contract management to ensure third-party compliance
- The ability to generate audit logs and reports to demonstrate compliance to regulators
The Tractor Supply settlement is a clear signal of the CPPA’s enforcement priorities. Retailers must now prove that their privacy programs are not just policies on a webpage, but are operationally effective, technically sound, and fully integrated across their business.