Overview
The California Privacy Protection Agency (CPPA) announced its latest enforcement action on September 30, 2025. The CPPA alleged that Tractor Supply Company violated multiple requirements of the California Consumer Privacy Act (CCPA), marking the first public enforcement action since CPPA Deputy Director of Enforcement Michael Macko recently said that the agency has “hundreds” of open investigations. This latest enforcement comes in the wake of CPPA finalizing massive changes to CCPA regs, which will take effect January 1, 2026 (see our prior summaries here and here, which include details about the new cybersecurity audit, privacy risk assessment, and automated decision-making technology requirements).
In Depth
Key takeaways
- The risks are increasing: The CPPA obtained its largest fine ($1.35 million) and strongest remedial measures yet.
- Don’t forget HR data: The CPPA targeted HR data privacy practices for the first time and addressed HR privacy practices in the remedial measures.
- Notices, cookies, and contracting are still priorities: The CPPA once again targeted privacy notice, cookie/other tracking technology, and contracting practices.
Allegations
The CPPA alleged multiple violations of the CCPA:
- Consumer privacy notice: The CPPA alleged that Tractor Supply Company failed to inform consumers of their CCPA rights and how to exercise them. In addition, the CPPA faulted Tractor Supply Company for allegedly failing to update its consumer privacy notice annually.
- Job applicant privacy notice: The CPPA alleged that Tractor Supply Company failed to notify job applicants of their rights under CCPA and how to exercise them.
- Sale/sharing opt-outs: The CPPA alleged that Tractor Supply Company failed to comply with CCPA’s sale/sharing opt-out requirements, including:
  - Failing to inform consumers about how to opt out of sale/sharing through tracking technologies
  - Not allowing consumers to opt out of sale/sharing through tracking technologies, only allowing opt-out requests through a webform that did not opt consumers out of tracking technologies
  - Failing to include the required opt-out preference signal disclosures in the privacy notice and not honoring Global Privacy Control until July 2024
- Contracts: The CPPA alleged that Tractor Supply Company failed to execute CCPA-required contract terms with service providers/contractors and third parties. The CPPA specifically called out contracts with advertising technology companies that use personal information for cross-contextual behavioral advertising.
Fines and remediation
The CPPA issued a $1.35 million fine. It also imposed onerous remedial measures, requiring Tractor Supply Company to:
- Scan digital properties at least quarterly and maintain a current inventory of tracking technologies (including whether Tractor Supply believes each tracker is used for selling/sharing and supported by a CCPA-compliant contract)
- Properly configure digital properties to recognize and fully effectuate opt-out preference signal requests
- Ensure symmetry of choice, including through website cookie banners and the site’s cookie preference center
- Review privacy notices to ensure compliance with CCPA
- Notify all employees and job applicants by email that it has updated its privacy notice and employee privacy notice, provide copies of the notices as attachments or links, and provide points of contact for questions and exercise of consumer rights
- Ensure that all personnel handling CCPA requests are informed of all requirements under CCPA and confirm in writing to CPPA that it has provided updated training to all such personnel
- Modify contract management and tracking process to ensure all required contract terms are in place and confirm completion to CPPA by March 31, 2026
- For five years, post the metrics required for businesses collecting large amounts of personal information
- Submit annual compliance certification for four years
- Implement and maintain a program to assess whether it is effectively processing requests to opt out of sale/sharing, including via opt-out preference signal, for five years
- Conduct an annual review for four years of its website and mobile apps to determine the third parties and service providers/contractors to whom it makes personal information available through tracking technologies, share the results with the CPPA, and execute contracts with service providers/contractors and third parties that meet the requirements of CCPA
What to do
The CPPA showed its continued commitment to enforce CCPA. Both the CPPA and California attorney general have focused on similar issues in recent enforcement actions. All businesses should prioritize the following:
- Privacy notices: Make sure that all privacy notices – consumer, job applicant, and employee – have all required disclosures.
- Data subject rights: Review data subject request procedures and make sure the methods for exercising data subject rights are clearly explained.
- HR data: Review data management practices for California job applicant and employee data to make sure CCPA requirements are met.
- Cookies: Ensure cookie banners and cookie preference centers function correctly and as required by CCPA and other laws, and make sure that cookie banners, cookie preference centers, and privacy notices have all required cookie-related disclosures.
- Contracts: Make sure that form contracts, including contracts with third parties who are not vendors, have all required terms, and develop a plan to update existing contracts to include required terms (particularly with tracking technology partners).