In a significant privacy enforcement action, the California Privacy Protection Agency (CPPA) has fined Tractor Supply Company $1.35 million for multiple violations of the California Consumer Privacy Act (CCPA). This marks the largest fine issued by the CPPA to date and sets a precedent for how businesses must treat consumer and job applicant data under the CCPA. The agency stated that this fine underscores its ongoing commitment to “ensuring businesses respect the privacy rights of consumers and job applicants alike.”
Implications for Businesses
This enforcement action highlights the importance of ensuring that privacy rights of consumers are taken seriously. Businesses should:
- Review and update their privacy policies annually. Ensure that they contain the required CCPA privacy rights, disclose information practices, and transparently explain sale/sharing practices with third parties;
- Review and inventory all tracking technologies;
- Configure their website to honor opt-out preference signals;
- Audit contracts with third parties to ensure they contain applicable CCPA provisions; and
- Test and monitor the effectiveness of Do Not Sell My Personal Information requests.
Origins of the Case
The CPPA initiated its investigation after receiving a consumer complaint in Placerville, California. The complaint alleged that Tractor Supply’s website failed to honor opt-out requests under the CCPA. During the agency’s investigation, Tractor Supply refused to comply with investigative demands, prompting the CPPA to file a judicial action seeking to enforce its subpoena. The information obtained through the investigation revealed systemic compliance failures across the company’s digital platforms and internal privacy governance.
Summary of Violations
According to the CPPA’s Stipulated Final Order, Tractor Supply committed several violations between January 2023 and July 2024:
- Misleading opt-out interface
Tractor Supply’s “Do Not Sell My Personal Information” link required consumers to fill out a webform that gave the impression that they could opt out of the sale of their personal information, while in reality, completing the webform had no effect on the collection and sale of personal data to third parties for advertising purposes.
- Tractor Supply did not process opt-out preference signals
During the period between January 2023 and July 2024, Tractor Supply did not configure its website to recognize browser-based opt-out signals and did not include the required opt-out provisions in its privacy policy until July 2024.
- Non-compliant service provider contracts
Tractor Supply failed to ensure that all of its contracts with service providers and with third parties, such as advertising technology companies, contained provisions as required by the CCPA. Specifically, these contracts lacked:
  - Provisions to prohibit the service provider from selling or sharing personal information it collected in providing the services;
  - Provisions to prohibit the service provider from retaining, using or disclosing the personal information it collected outside the direct business relationship between the service provider and Tractor Supply;
  - Provisions to identify the limited and specific purpose(s) for which consumers’ personal information was processed or disclosed;
  - Provisions to ensure availability of consumers’ personal information only for those limited and specified purposes;
  - Provisions to require the contracting party to comply with the CCPA, and provide the same level of privacy protection required of Tractor Supply;
  - Provisions requiring the contracting party to honor consumers’ opt-out of sale/sharing forwarded to it by Tractor Supply;
  - Provisions granting Tractor Supply the right to take reasonable and appropriate steps to ensure the contracting party used consumers’ personal information in a manner consistent with Tractor Supply’s CCPA obligations;
  - Provisions granting Tractor Supply the right to take reasonable and appropriate steps to stop and remediate unauthorized use of consumers’ personal information; and
  - Provisions requiring the contracting party to notify Tractor Supply if the contracting party determined it could no longer meet its CCPA obligations.
- Deficient privacy notices
The company’s privacy policy failed to disclose how opt-out signals were processed and did not inform job applicants of their rights under the CCPA. Moreover, Tractor Supply’s privacy policy lacked:
  - Annual updates – The CCPA requires businesses to update their privacy policies annually. Tractor Supply updated its policy in 2018, 2021, and then again after it learned of the investigation;
  - Privacy rights – The CCPA requires that privacy policies inform consumers of their statutory privacy rights. These rights include, but are not limited to, the right to correct inaccurate personal information, the right to limit the use or disclosure of sensitive personal information, and the right to know what personal information the business has collected from the consumer; and
  - Information practices – The CCPA requires that privacy policies disclose what categories of personal information the business collects from consumers in the preceding 12-month period, the sources of those collections, and the use of those collections.
Enforcement Terms
In addition to the $1.35 million fine, Tractor Supply agreed to a series of corrective actions:
- Technology audit: Conduct a full inventory of tracking technologies used on its website and mobile app;
- Signal compliance: Configure its platforms to honor opt-out preference signals;
- Policy updates: Revise its privacy notices to include all required disclosures, including those for job applicants;
- Contract remediation: Amend third-party contracts to include mandatory CCPA provisions; and
- Annual certifications: Submit annual compliance certifications signed by a senior officer for five years.
Conclusion
The Tractor Supply case sets a precedent for CCPA enforcement and highlights the CPPA’s evolving role as a proactive regulator. Businesses operating in California or subject to the CCPA should take steps to audit their privacy practices, update disclosures, and strengthen internal compliance programs to avoid similar penalties.