California Privacy Protection Agency Fines Tractor Supply $1.35M For Privacy Law Violations

Highlights

• A $1.35 million fine against Tractor Supply Co. is the largest issued by the California Privacy Protection Agency to date.
• Consistent with prior complaints, the violations center on avoidable failures in consumer-facing disclosures and choice processes, as well as a failure to enter into proper contracts with recipients of personal information.
• The action is the first to address violations of law in workforce disclosures, faulting Tractor Supply for not including notice of privacy rights in its job applicant notice.

The California Privacy Protection Agency (CPPA) announced on Sept. 30, 2025, that it had entered into a Stipulated Final Order (the Order) imposing a $1.35 million administrative fine on retailer Tractor Supply Co. The enforcement action followed a consumer complaint and investigation into alleged failures to honor consumer opt-out requests and provide statutory privacy notices.

Background

Tractor Supply describes itself as a "rural lifestyle retailer." It operates brick-and-mortar stores (including in California), as well as an e-commerce website and mobile application.

The CPPA previously filed a petition against Tractor Supply in California Superior Court to enforce a subpoena seeking evidence regarding Tractor Supply's compliance with the California Consumer Privacy Act (CCPA). The CPPA sought information about privacy and data processing practices dating back to 2020, and Tractor Supply refused to provide information prior to Jan. 1, 2023, on the grounds that practices before 2023 fell outside the CPPA's enforcement authority because the agency did not issue regulations until 2023. The court did not rule on the petition. The Order only covers conduct from January 2023 through July 2024 but includes an acknowledgment by Tractor Supply of the CPPA's authority to investigate alleged violations occurring prior to Jan. 1, 2023.

Identified Violations of Law

The Order alleges that Tractor Supply committed the following violations of law:

1. Failure to Honor Opt-Out Requests via Webform. The CPPA alleges Tractor Supply violated Cal. Civ. Code Sections 1798.120(d) and 1798.135(a)(1) by failing to effectuate consumer opt-out requests submitted through its "Do Not Sell My Personal Information" webform. The company operated a "Do Not Sell My Personal Information" link that directed consumers to a privacy webform, but this mechanism failed to opt consumers out of data sales or sharing that occurred via website trackers.
2. Failure to Process Opt-Out Preference Signals. The agency also alleges Tractor Supply violated Cal. Civ. Code Sections 1798.120(a) and 1798.135(a), as well as California Code of Regulations Section 7026, by failing to honor opt-out preference signals until July 2024.
3. Inadequate Third-Party Contracting. The CPPA contends Tractor Supply violated Cal. Civ. Code Section 1798.100(d) and California Code of Regulations Sections 7051 and 7053 by failing to include required contractual terms when disclosing personal information to service providers, contractors and third parties.
4. Deficient Notice to Consumers. Though Tractor Supply added a California section to its consumer privacy policy and published a job applicant notice, the CPPA alleges Tractor Supply nonetheless violated California Code of Regulations Section 7011 for failing to provide information necessary for consumers to exercise their rights. The consumer privacy notice allegedly provided no information about CCPA rights. The job applicant policy had a California-section that provided information about data processing practices but did not mention rights under the CCPA.

Consequences for Tractor Supply

Under the Order, Tractor Supply must pay an administrative fine of $1.35 million to the CPPA. The company must also implement comprehensive compliance measures, including:

• honoring opt-out preference signals in a frictionless manner
• conducting quarterly scans of its digital properties to create an inventory of tracking technologies
• ensuring symmetry of choice in tracking technology consent mechanisms
• implementing proper third-party contracting with required CCPA terms

Tractor Supply must also provide certifications of compliance and an annual report to the CCPA for four years beginning in 2026.

Implications

The Order does not advance any novel theories of law but rather alleges violations of clear text of the statute and regulations. Companies seeking to avoid similar enforcement actions should consider:

• designing an opt-out process to comprehensively cover all sales/sharing, including through trackers/cookies, devices and manual processes
• determining whether vendor-provided consumer request forms are fit for purpose for the company's data processing practices
• implementing governance processes to prevent digital trackers from operating on websites without appropriate controls, as well as regular testing as to whether opt-outs function as expected
• conducting a detailed audit of privacy disclosures to ensure the many proscriptive technical requirements of the CCPA are met

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.