Client Insight: CCPA Enforcement: Tractor Supply Hit With Record $1.35M Fine for Privacy Violations
On September 30, 2025, the California Privacy Protection Agency (“Agency”) announced a landmark decision imposing a $1.35 million fine—the largest in the Agency’s history—on Tractor Supply Company (“Tractor Supply”), the nation’s largest rural lifestyle retailer, for violating the California Consumer Privacy Act (“CCPA”). This action also marks the Agency’s first case addressing privacy notices and rights for job applicants, with significant compliance lessons that reach beyond retail. This case affirms the Agency’s broad investigative and enforcement powers and spotlights the need for businesses to maintain robust, up-to-date privacy programs, including clear notices and opt-out mechanisms for all personal information collected.
Key Takeaways
- A Record $1.35 Million Fine. Tractor Supply must pay $1.35 million, the largest fine issued by the Agency to date, to resolve allegations that it failed to honor consumer rights and provide adequate privacy notices.
- Mandated Remedial Measures. The settlement mandates extensive remedial measures, including annual compliance certifications, enhanced opt-out mechanisms, strict vendor contract provisions, and regular audits of tracking technologies for at least four years.
- Obligations to Customers and Job Applicants/Employees[1]. The enforcement action is the first by the Agency to address CCPA obligations regarding both end-customer and job applicant privacy rights.
What Happened?
The Agency’s investigation determined that Tractor Supply fell short in several areas, including:
- Failure to Inform Consumers of Their Rights. Tractor Supply did not maintain or post privacy notices informing consumers (both end-customers and job applicants) of their CCPA rights and how to exercise them.
- Failure to Provide Right to Opt-Out. Tractor Supply’s opt-out mechanism was misleading, failing to prevent ongoing sharing of personal information through tracking technologies used for advertising and marketing.
- Failure to Honor Opt-Out Preference Signals. Tractor Supply’s website did not honor browser-based opt-out preference signals (such as GPC) until July 2024.
- Deficient Contracts with Service Providers. Contracts with service providers lacked required restrictions on data use, failing to comply with CCPA’s requirements for third-party safeguards.
Tractor Supply agreed to comprehensive remediation, including quarterly scanning of its websites for tracking technologies, annual reviews and certifications by a corporate officer, and stricter documentation and oversight of privacy practices.
Practical Steps for Businesses and Employers
- Provide compliant and up-to-date privacy notices, including to employees and job applicants: Ensure that website and mobile app privacy disclosures meet CCPA requirements, and make sure you also provide compliant notices to job applicants, employees, and contractors. Review these notices at least once every 12 months.
- Enable meaningful opt-outs: Provide clear mechanisms for opting out of personal information sales or sharing. Implement technical solutions to honor global browser-based opt-out signals (GPC).
- Check your vendor agreements: Vendor and service provider contracts must include terms restricting data use and require compliance with privacy requests. Standardized “off-the-shelf” contracts may be insufficient.
- Audit and document compliance: Conduct quarterly or annual audits of tracking technologies and document all privacy compliance activities.
- Train staff and update protocols: Ensure HR, marketing, and technology teams understand the expanded scope of CCPA rights and compliance steps.
- Cooperate with regulators in the event of an investigation: Work with regulators in the event of inquiries or investigations. This can lessen the severity of an enforcement action against you.
How can GD help?
If you have any questions regarding this client alert, or your company needs assistance with this topic, including practical guidance and hands-on support for navigating evolving privacy and data protection laws, please reach out to your Gunderson Dettmer attorney or contact any of the following members of our data privacy group.
[1] Note: CCPA defines a “Consumer” as any natural person who is a California resident. This includes not only end-customers, but also employees, job applicants, and contractors, regardless of their role or relationship to the business.