On September 26, 2025, the California Privacy Protection Agency (CPPA) issued a decision requiring Tractor Supply Company to restructure its privacy practices and pay a $1.35 million fine to resolve alleged violations of the California Consumer Privacy Act (CCPA). This comes on the heels of the California attorney general’s $1.55 million penalty under CCPA against Healthline in June. The Tractor Supply decision is the largest penalty to date under CPPA enforcement and marks a pivotal moment in California’s privacy enforcement regime — which often sets the tone for privacy regulators nationwide.
The enforcement action underscores the CPPA’s focus on pursuing businesses that fail to: (1) implement effective opt-out mechanisms, (2) honor global privacy control (GPC) signals, and/or (3) provide adequate disclosures to consumers and job applicants. Notably, this is the first enforcement action that directly addresses a business’s privacy obligations related to employment and applicant data.
Key Allegations & Compliance Failures
The CPPA’s decision alleged that Tractor Supply committed several violations demonstrating both technical and governance failures:
- Ineffective opt-out mechanism. Consumers who used the “Do Not Sell My Personal Information” link continued to have data shared with third-party advertising and analytics providers.
- Failure to honor GPC signals. Until July 2024, Tractor Supply’s digital properties did not recognize browser-based opt-out preference signals, in violation of CCPA regulations.
- Incomplete and outdated privacy disclosures. The company’s policy failed to describe how opt-out signals were handled, omitted categories of data shared, and lacked required notices for job applicants.
- Deficient employment-related disclosures. The CPPA found that applicant data was collected without proper notice or explanation of rights to access, deletion, or correction.
- Inadequate vendor contracts. Agreements with service providers and advertising partners did not include CCPA-mandated provisions restricting data use, prohibiting downstream sharing, or enabling audits.
Settlement Terms
Under the stipulated final order, Tractor Supply agreed to:
- Pay $1.35 million to resolve all alleged CCPA violations.
- Conduct an enterprise-wide audit and inventory of tracking technologies across its websites and mobile applications.
- Update its privacy policy and provide compliant notices to job applicants and employees.
- Revise all vendor and service provider contracts to include statutory limitations on use, purpose, and sharing.
- Require a corporate officer or director to certify compliance annually for four years.
- Undergo periodic monitoring and cooperate with follow-up inquiries from the CPPA.
The CPPA, in turn, agreed to drop its pending court action to enforce subpoenas and close the matter contingent on Tractor Supply’s ongoing compliance.
Procedural Challenges
The enforcement did not unfold quickly. The CPPA initiated its investigation shortly after its enforcement authority became active in 2023, issuing subpoenas seeking records of Tractor Supply’s data-sharing practices and technical configurations. Tractor Supply initially resisted, challenging both the scope of the CPPA’s subpoenas and the agency’s authority to investigate conduct that predated the effective date of the CCPA regulations.
This procedural challenge significantly prolonged the matter. The CPPA sought judicial enforcement of its subpoenas in California Superior Court, arguing that its authority extended to violations dating back to January 1, 2020 — the date the CCPA itself took effect, regardless of when implementing regulations became final. The court sided with the agency, affirming the CPPA’s broad investigatory reach.
After nearly two years of back-and-forth, Tractor Supply agreed to settle without admitting liability. The drawn-out process underscores the growing procedural maturity of the CPPA, which has shown it is willing to litigate discovery disputes and test the boundaries of its investigative powers before imposing a penalty.
Lessons Learned
The Tractor Supply decision illustrates the CPPA’s evolution from guidance to enforcement. While the penalty itself is substantial, the settlement’s structural reforms are more consequential: they signal that the agency expects demonstrable, operational compliance.
Key Takeaways
The enforcement action offers more than a list of violations — it provides a clear signal of how the CPPA intends to interpret and enforce the CCPA going forward, and what regulators now expect from mature privacy programs.
Companies operating outside California or subject to other state privacy laws should note that California’s enforcement priorities and interpretations frequently influence legislative and regulatory trends elsewhere. Proactive compliance with CCPA requirements can help future-proof privacy programs against evolving standards.
- Functionality over form. Consumer-facing privacy tools must actually stop data flows, not merely present the appearance of control.
- GPC compliance is mandatory. The CPPA views a failure to recognize browser-based opt-out preference signals as a material compliance failure.
- Employment data is now an enforcement priority. The CPPA has signaled that it is actively auditing and penalizing lapses in applicant and HR privacy compliance.
- Contract clauses will be reviewed. In nearly every CCPA enforcement action, both regulators have cited the failure to include required contract clauses in agreements with service providers.
- Resistance carries cost. Tractor Supply’s initial procedural challenge likely increased both scrutiny and penalty severity.
Conclusion
The Tractor Supply enforcement represents a defining moment for California’s privacy regime. It underscores the CPPA’s willingness to litigate procedural issues, test its authority, and demand real-world functionality from privacy programs. Tractor Supply’s initial resistance to CPPA subpoenas prolonged the investigation and likely increased penalty exposure — highlighting the importance of engaging constructively with regulators from the outset.
This action also signals that near-term compliance audits will extend beyond consumer-facing tools to internal systems, vendor contracts, and HR data. For businesses subject to the CCPA, the message is clear: compliance must be verifiable, technically enforced, and continuously monitored. Early cooperation can help limit risk, reduce penalties and streamline resolution. The CPPA’s approach against Tractor Supply demonstrates that partial compliance is, in practice, noncompliance.
For more information, please contact us or your regular Parker Poe contact.