On September 30, 2025, the California Privacy Protection Agency (CPPA) issued a $1.35 million fine, the largest in the CPPA’s history, against Tractor Supply Company, the nation’s largest rural lifestyle retailer. The fine was issued based on allegations that the company violated its obligations under the California Consumer Privacy Act (CCPA). The CPPA coined its decision against Tractor Supply as “the first to address the importance of CCPA privacy notices and privacy rights of job applicants.”
Below, we have provided additional information on the CPPA’s decision and the key takeaways for businesses subject to the CCPA in light of the decision.
Background
The CPPA first opened an investigation into the Tractor Supply after it received a complaint from a consumer in Placerville, California. Based on its investigation, the CPPA alleged Tractor Supply:
- Failed to maintain an adequate privacy policy notifying consumers of their rights;
- Failed to notify California job applicants of their privacy rights and how to exercise them;
- Failed to provide consumers with an effective mechanism to opt-out of the selling and sharing of their personal information, including through opt-out preference signals such as the Global Privacy Control; and
- Disclosed personal information to other companies without the entering into contracts that contain the requisite privacy protections.
In addition to issuing the record $1.35 million penalty for these violations, the CPPA has also required Tractor Supply to implement broad remedial measures, which include, but are not limited to, the following:
- Updating its privacy notices and notifying employees and job applicants of the updated notices;
- Modifying the methods it provides consumers to submit requests to opt-out of targeted advertising;
- Ensuring all required contractual terms are in place with all external recipients of personal information;
- Recognizing opt-out preferences signals like the Global Privacy Control;
- Regularly auditing its tracking technologies; and
- Designating a compliance officer to certify adherence to its compliance for the next four (4) years.
Key Takeaways
This decision underscores several practical points for businesses subject to the CCPA:
- Employees and job applicants are treated like consumers under the CCPA, so businesses should ensure their CCPA compliance programs adequately cover California workforce members and applicants;
- A single consumer complaint can trigger a broad investigation; and
- Investigations from the CPPA may not only result in remediation, but also significant monetary penalties.