On September 30, the California Privacy Protection Agency (CPPA) issued a landmark $1.35 million enforcement order against Tractor Supply Company for violations of the California Consumer Privacy Act (CCPA). While the fine itself is historic – the largest ever levied by the CPPA – the real significance lies in the broader implications for businesses navigating California’s privacy landscape.
How It Started: From Complaint to Courtroom
The enforcement action began with a consumer complaint filed by a resident of Placerville, California, which triggered a CPPA investigation in early 2023. The agency later took the unusual step of publicly disclosing its probe when it petitioned a Sacramento court to compel Tractor Supply to comply with investigative subpoenas covering practices dating back to 2020.
Tractor Supply pushed back, arguing that the CPPA lacked authority to investigate conduct prior to January 1, 2023, since its regulations weren’t finalized until March of that year. However, in the final resolution, Tractor Supply acknowledged the agency’s broad authority to investigate earlier conduct, effectively conceding the jurisdictional dispute and allowing the case to be dismissed.
Privacy Policies Under the Microscope
For the first time, the CPPA has explicitly cited deficiencies in the content of a company’s privacy policy as a violation, asserting Tractor Supply’s policy failed to adequately inform consumers of their rights under the CCPA and its implementing regulations. These regulations contain detailed requirements for what must be disclosed, and the agency found Tractor Supply’s disclosures lacking.
This signals an important shift: privacy policies are no longer just a compliance checkbox – they’re a focal point for regulatory scrutiny. Businesses should revisit their privacy policies to ensure they meet the letter of the law, not just the spirit.
Employee and Applicant Data: A New Enforcement Front
In another enforcement first, the CPPA also found that Tractor Supply’s privacy notice for job applicants was insufficient. California’s privacy law uniquely applies to personal information collected in employment contexts, including job applications. Tractor Supply’s notice reportedly consisted of just a few paragraphs, falling short of the law’s requirements.
This should serve as a wake-up call for businesses that may be focusing primarily on consumer data while neglecting employee and applicant privacy programs. The CPPA is watching both.
Persistent Issues with Cookie Tools
The order highlights recurring problems with cookie management and opt-out mechanisms. The agency claims Tractor Supply failed to fully implement Global Privacy Control and did not properly disable tracking technologies for users who opted out of data sharing. This issue has surfaced in multiple CPPA enforcement actions and underscores the importance of getting technical implementation right.
Ongoing Monitoring Requirements
In a departure from previous enforcement actions, the CPPA’s order requires Tractor Supply to submit annual compliance certifications for the next four years, signed by a company officer. This echoes the Federal Trade Commission’s approach to long-term oversight and suggests the CPPA may be adopting similar practices moving forward.
In addition to this annual certification requirement, the CPPA’s order also requires Tractor Supply to maintain a current inventory of tracking technologies through quarterly scans of digital properties, improve consumer opt-out processes, update training for personnel handling consumer data requests, and ensure all third-party contracts and agreements meet CCPA standards.
Enforcement Trends to Watch
This enforcement action serves as a roadmap for future CPPA priorities. Businesses should take note of several emerging trends:
- Privacy policies and notices are now enforcement targets. Treat these documents as critical compliance tools, not boilerplate forms.
- Employee and applicant data is no longer exempt. Extend your privacy program beyond consumer-facing operations.
- Technical compliance is critical. Cookie tools, opt-out mechanisms, and browser-based controls must be fully functional.
- Long-term accountability is here. Expect ongoing monitoring and certification requirements in future enforcement actions.
As CPPA Deputy Director for Enforcement Michael Macko stated, the agency is committed to “looking broadly across industries” to ensure privacy rights are properly implemented. This case underscores that commitment—and serves as a clear signal to businesses that privacy compliance must be holistic, proactive, and continuously maintained.