Tractor Supply Agrees to Pay Record CCPA Penalty of $1.35 Million

On September 26, the California Privacy Protection Agency (Agency) published a Stipulated Final Order by which Tractor Supply Company agreed to pay an administrative fine of $1.35 million and take other remedial measures for its alleged violations the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) between January 2023 and July 1, 2024.

California Laws to Protect Information of Residents
To protect personal information of California residents in this digital age, the California Legislature enacted the CCPA in 2018 and amended it in 2020 under the CPRA.  Those Acts govern how businesses, such as Tractor Supply, collect, use, share, and protect personal information of consumers, job applicants, employees, et. al. These laws grant rights such as access, deletion, correction, and the ability to opt out of the sale or sharing of their personal information to individuals. 

The Agency is California’s primary data privacy regulator, which is charged with enforcing the CCPA and CPRA.  Its broad authority allows it to investigate and enforce compliance across all sectors, not just tech or data brokers. Noncompliance with the CCPA and CPRA can lead to administrative penalties and other forms of relief to ensure compliance. 

What was Tractor Supply Accused of Doing?
Tractor Supply Company is a Tennessee-based rural lifestyle retailer, but it does business across the country including in California. Tractor Supply’s website uses cookies and similar tracking technologies that make available to third parties certain personal information of consumers, such as cookie identifiers, IP addresses and other unique identifiers for advertising purposes, resulting in the sale/share of consumer personal information. 

According to the Stipulated Final Order and other publicly available information, Tractor Supply allegedly:

• Did not provide adequate “privacy notices” to both consumers and job applicants, omitting required disclosures about their rights under California law.
  • “Privacy notices” are disclosures that explain what personal information is collected, how it is used, and how individuals can exercise their rights under the CCPA/CPRA. Notices must be posted online, accessible, and updated at least annually.
• Did not honor consumer opt-out requests from tracking technologies. Tractor Supply apparently offered a webform on its website that allowed users to opt-out. However, the opt-out apparently did not extend to third-party tracking technologies (such as pixels or cookies) used for advertising which, according to the Stipulated Final Order, left consumers with the false impression that their data was no longer being sold or shared. The Agency made clear that opt-out mechanisms must be effective and cover all tracking technologies, not just internal systems.
• Ignored browser-based opt-out signals, such as the Global Privacy Control (GPC), which regulations require businesses recognize as valid consumer requests.
• Lacked sufficient service provider agreements to ensure that third parties receiving personal information were contractually bound to protect it and to honor opt-out signals. The Agency’s Stipulated Final Order makes clear that businesses—not vendors—are responsible for ensuring compliance with the CCPA when using third-party tracking technologies.
• Shared job applicant data without proper notice or consent.  California is somewhat unique in that employee and applicant data is also covered by the CCPA (since 2023) so the sharing of applicant data without consent is a significant issue to the Agency.

Why and How was Tractor Supply Targeted?
In early 2024, the Agency received a complaint about Tractor Supply from a consumer in Placerville, Calif. The specific nature of the complaint—whether the individual was a job applicant, employee, or customer—is not publicly known; however, the Agency has the latitude to escalate a complaint into an investigation, and here, the investigation apparently expanded to include job applicant data after the Agency reviewed Tractor Supply’s privacy practices and disclosures.

The Agency also took the unusual step of publicly disclosing the investigation and even sought judicial enforcement of its subpoena to compel broader compliance data dating back to 2020. While Tractor Supply argued that pre-2023 practices were outside the Agency’s authority—given that regulations were finalized only in March 2023—Tractor Supply ultimately acknowledged the Agency’s broad investigative powers and settled the matter by way of the Stipulated Final Order dated September 26.

Settlement Terms
In addition to the $1.35 million administrative penalty, Tractor Supply agreed to a series of remedial measures designed to bring its practices into compliance, including:

• Enhanced consumer opt-out mechanisms: The company must ensure that opt-out requests are honored across all tracking technologies and configure its digital properties to recognize GPC signals.
• Quarterly scanning of digital properties to maintain a current inventory of tracking technologies.
• Annual compliance certification: A corporate officer or director must certify compliance to the Agency for the next four years.
• Contract management improvements: Tractor Supply must update and track agreements with all service providers to ensure required contractual terms are in place.
• Employee training: Personnel handling consumer data requests must receive updated training on California privacy law.
• Annual public reporting of privacy metrics for five years.

The Agency acknowledged that Tractor Supply has already “substantially revised” its practices and invested significant resources in remediation since learning of the investigation. But the Agency emphasized that self-correction after an investigation begins does not erase liability.  Rather, proactive compliance is essential.

Significance of the Agency’s Action and Resulting Penalty
The Tractor Supply matter is notable for several reasons.

• It is the largest penalty published by the Agency to date, surpassing earlier settlements with American Honda ($632,500) and Todd Snyder Inc. ($345,000).
• It is the first decision addressing job applicant rights, making clear that businesses must extend privacy protections not only to consumers but also to job applicants and employees.
• The Agency made clear that superficial or incomplete opt-out tools will not suffice. Businesses must ensure that opt-out requests are honored across all technologies and that browser-based signals like GPC are respected.
• This decision underscores the Agency’s broad investigative authority, including the ability to expand investigations from a single complaint and to scrutinize practices dating back before the finalization of regulations.
• It further demonstrates the Agency’s willingness to pursue significant penalties and impose detailed compliance obligations.

Practical Takeaways for Businesses
Businesses operating in California—or collecting data from California residents—should take this as a clear signal to proactively review and strengthen their privacy programs. The Agency’s focus on opt-out mechanisms, job applicant data, and vendor contracts reflects the evolving enforcement landscape under California’s privacy regime. 

The following are things companies should think about when doing business in California.

• Review privacy notices: Ensure that disclosures cover all categories of individuals, including job applicants and employees, and are updated at least annually.
• Audit opt-out mechanisms: Confirm that opt-out tools extend to all tracking technologies and that GPC and similar signals are honored.
• Strengthen vendor contracts: Verify that service provider agreements include all required CCPA terms, including obligations for vendors to honor opt-out signals and restrict secondary use of data.
• Implement monitoring and training: Regularly scan digital properties for tracking technologies and train staff on handling consumer requests.
• Prepare for heightened enforcement: The agency has signaled its intent to continue aggressive enforcement across industries, often in coordination with other state regulators. Enforcement can include administrative fines, mandatory remediation, ongoing audits, and public reporting.

Contact Chris Bach or any member of Phelps’ Cybersecurity, Privacy and Data Protection team if you have questions or need compliance advice and guidance.