In the Matter of Tractor Supply Company

California's first major CCPA enforcement action against Tractor Supply signals a new era of operational privacy compliance. This article examines the CPPA's findings, the extension of CCPA obligations to job applicants, and the practical lessons for businesses.

Share
In the Matter of Tractor Supply Company
ChatGPT modified from: Library of Congress, Prints and Photographs Division, Washington, D.C. 20540 USA, hdl.loc.gov/loc.pnp/pp.print

Key points

  • This case marks California’s first CCPA enforcement extending to job applicants, signaling a new era where privacy law meets employment law — making compliant applicant notices as essential as consumer disclosures.
  • Proper handling of consumer complaints in California is critical, as they can trigger agency investigations and potentially significant fines.
  • Procedurally, the CPPA has demonstrated its readiness to use its subpoena and adjudicatory powers.
  • Failing to act on opt-out requests — whether from consumers or job applicants — violates the CCPA; an online form alone isn’t enough if it leaves users believing their data is protected when it isn’t.

Background

Tractor Supply Company, is a Fortune 500 retailer that calls itself “the nation’s largest rural lifestyle retailer,” with more than 2,500 stores nationwide, including over 85 in California. Its California websites and mobile apps collect significant amounts of personal information through loyalty programs, online accounts, and recruiting portals.

In 2024, the California Privacy Protection Agency (CalPrivacy) opened an investigation after receiving a consumer complaint from Placerville. The inquiry focused on the period between January 1, 2023, and July 1, 2024, examining how the company handled opt-out requests under the California Consumer Privacy Act (CCPA).

When Tractor Supply declined to answer certain questions under oath, the CalPrivacy responded by filing a petition to enforce an investigative subpoena — its first judicial enforcement action.

That move signaled a turning point for the agency: the CalPrivacy was willing to use the courts to compel cooperation, setting the stage for the settlement that followed.

Findings of Violation

CalPrivacy issued its first full enforcement order under the CCPA against Tractor Supply Company, finding multiple violations affecting both consumers and job applicants.

The case marks a new enforcement frontier — one that extends California’s privacy regime beyond online commerce into employment data, signaling a more integrated approach to consumer and workforce privacy oversight.

Specifically, the CPPA found that Tractor Supply:

  • Failed to provide an effective opt-out mechanism.
    The “Do Not Sell My Personal Information” link on its website did not actually stop the flow of consumer data to third-party tracking technologies, leaving users with the false impression that their information was protected.
  • Ignored Global Privacy Control (GPC) signals.
    Until mid-2024, the company’s websites did not recognize or process browser-based opt-out signals as required by law.
  • Lacked proper service-provider contracts.
    Data shared with advertising and analytics vendors occurred without the contracts mandated by the CCPA to limit secondary use and onward sale of personal information.
  • Maintained deficient privacy notices — especially for job applicants.
    The company’s privacy policy omitted key disclosures on data categories, purposes, and consumer rights, and its job-application portal failed to provide California-specific applicant notices.

Together, these failures amounted to violations of CCPA §§ 1798.100, 120, 130, and 135, as well as the implementing regulations under 11 CCR §§ 7003–7053.

Enforcement Analysis

The case illustrates California’s shift toward integrated privacy oversight — a model that connects consumer protection, employment equity, and cybersecurity under one regulatory framework. It signals that privacy enforcement in California will now reach across the entire lifecycle of personal information, from retail analytics to workforce management.

Unlike earlier settlements focused mainly on policy language, the Tractor Supply order requires operational proof of compliance: technology scans, contract mapping, and executive attestations. This marks the CalPrivacy’s evolution from an advisory agency to an active regulator focused on how businesses actually implement data-governance controls.

Beyond the $1.35 million civil penalty, the CalPrivacy imposed broad corrective measures, including:

  • Quarterly scans of all digital properties to inventory and monitor tracking technologies.
  • Contract audits confirming that every external data recipient — service provider, contractor, or third party — is bound by CCPA-compliant terms.
  • Symmetry of choice in cookie banners, ensuring “Reject All” buttons are as visible and accessible as “Accept All.”
  • Annual compliance certifications signed by a corporate officer through 2030.
  • Updated employee and applicant privacy notices and mandatory CCPA training for all staff handling requests.
  • Ongoing monitoring and annual reporting to the CalPrivacy Enforcement Division for four years.

Together, these obligations move compliance from paper to practice — requiring companies not only to state their privacy commitments, but to prove them.

The Agency credited Tractor Supply for post-investigation cooperation but made compliance verification a continuing condition.

Contractual Requirements and CCPA

Under the CCPA, contracts with service providers and third parties are a cornerstone of lawful data sharing. These agreements define how personal information may be used, retained, or disclosed, ensuring that any entity handling data on behalf of a business upholds the same level of privacy protection. Without this contractual language, companies risk losing control over how consumer data is processed, opening the door to unauthorized use, onward sale, or broader exposure than intended. Properly drafted contracts are therefore essential not only for compliance but also for demonstrating accountability — showing regulators that privacy protections extend throughout the company’s data ecosystem, not just within its own walls.

In the Tractor Supply case, CalPrivacy found that the company’s contracts with service providers and third parties failed to include multiple key CCPA-required provisions. Specifically, these contracts did not:

  • Prohibit service providers from selling or sharing personal information collected while providing services (§ 7051(a)(1)).
  • Prohibit them from retaining, using, or disclosing personal information outside the direct business relationship (§ 7051(a)(5)).
  • Identify the limited and specific purposes for which personal data could be processed (§§ 7051(a)(2), 7053(a)(1)).
  • Ensure data was used only for those defined purposes (§ 7053(a)(2)).
  • Require service providers and third parties to comply with the CCPA and provide the same level of privacy protection (§§ 7051(a)(6), 7053(a)(3)).
  • Require them to honor consumer opt-out requests forwarded by Tractor Supply (§ 7053(a)(3)).
  • Grant Tractor Supply the right to monitor compliance and verify that data was used appropriately (§§ 7051(a)(7), 7053(a)(4)).
  • Grant Tractor Supply the right to stop and remediate unauthorized uses (§§ 7051(a)(9), 7053(a)(5)).
  • Require contracting parties to notify Tractor Supply if they could no longer meet their CCPA obligations (§§ 7051(a)(8), 7053(a)(6)).

These omissions collectively demonstrated a lack of contractual oversight and contributed to CalPrivacy’s finding that Tractor Supply had not established adequate safeguards for consumer and job-applicant data.

Employment data and CPPA

This decision is the first to explicitly apply CCPA obligations to job applicants and employees, confirming that California’s privacy protections extend beyond consumer transactions. CalPrivacy interpreted “personal information” and “notice” duties to cover recruiting activities — effectively blending privacy and employment compliance regimes. So, if your job-application portal does not provide California-specific applicant notices, it’s time to start working on those.

The timing of this enforcement action is also significant. It coincides with the California Civil Rights Council’s (CRC) new rules on automated-decision systems (ADS) and CalPrivacy’s mandates on privacy-risk assessments. Together, these frameworks converge on workplace data fairness and transparency, requiring employers to treat HR-data governance and consumer-data compliance as part of a single legal ecosystem.

For more on this see Squire Patton Boggs Client Alert (Aug 2025) — California Employers Face New Challenges for HR Data Processing.

Conclusion

In the Matter of Tractor Supply Company establishes both procedural and substantive precedent. Procedurally, it demonstrates CalPrivacy’s readiness to use its subpoena and adjudicatory powers. Substantively, it affirms that failure to honor opt-out rights — whether for consumers or job applicants — is actionable under the CCPA.

The order’s lasting impact lies in its blueprint for compliance: detailed audits, transparent consent design, and the unified treatment of consumer and HR data. For organizations operating in California, this case marks a decisive shift from policy statements to verifiable accountability.

Resources