CPPA Enforcement Spotlight: Tractor Supply Investigation Highlights Critical CCPA Compliance Lessons

Insights

Our insights are intended to discuss in a general nature the legal developments relating to our core areas of practice. Insights should not be construed as legal advice or legal opinion. Furthermore, these matters are continually subject to change, and therefore the information below may not reflect the most current legal developments. Readers should not act or rely upon the information without seeking specific advice relating to their facts and circumstances from legal counsel.

CCPA Privacy Law Harry Richt August 10, 2025

Contents show

The California Privacy Protection Agency (CPPA) recently made its first public disclosure of an ongoing investigation by filing a petition to enforce a subpoena against Tractor Supply Company. This step underscores the CPPA’s increasing enforcement vigilance and the importance of complying with California’s landmark privacy law, the California Consumer Privacy Act (CCPA).

Background: Scope of the Investigation and Enforcement Authority

In January 2025, the CPPA served Tractor Supply with a subpoena demanding records related to the company’s CCPA compliance dating back to January 1, 2020, the effective date of the CCPA. Tractor Supply resisted providing documents prior to January 1, 2023, asserting that the CPPA’s enforcement authority only began when the agency was established in mid-2023. The CPPA maintains that its authority extends to conduct dating back to 2020, as the CCPA has been in effect since then.

This case represents a key test of the CPPA’s power to investigate alleged historical violations. You can read more about CPPA enforcement authority in our article on the CPPA enforcement against Honda.

Allegations Against Tractor Supply

According to the petition (available here) filed in Sacramento County Superior Court, Tractor Supply is accused of:

• Failing to update its privacy policy annually as required under the CCPA. The company’s policy reportedly had not been updated since 2021, violating consumer transparency obligations.

• Providing inadequate consumer notices, including failure to properly inform consumers of their privacy rights under the CCPA.

• Ignoring consumer opt-out requests related to the sale and sharing of personal information.

• Lacking sufficient mechanisms to enable consumers to exercise their CCPA rights, such as data access and deletion.

This investigation echoes other high-profile CPPA enforcement actions like the one against Todd Snyder, covered in detail on our site: Todd Snyder Faces CPPA Fine.

Why This Matters for Businesses

Tractor Supply’s case highlights several critical compliance areas every business should focus on:

• Privacy Policy Compliance. Businesses must review and update their privacy policies at least annually to meet legal requirements. Learn more about privacy policy compliance on our page: Privacy Policy Compliance Explained.

• Consumer Notices and Opt-Outs. Clear, accessible notices and reliable opt-out mechanisms are essential. Our Privacy Policy Lawyer page discusses how to structure these properly.

• Responding to Consumer Rights Requests. Businesses should implement processes that allow consumers to easily exercise rights such as access, deletion, and opting out of data sales, as outlined in our comprehensive CCPA Lawyer resource.

For a detailed primer on the CCPA itself, see our foundational guide: The California Consumer Privacy Act (CCPA).

Looking Ahead

The CPPA’s petition against Tractor Supply is a reminder that California’s privacy regulator is willing to pursue enforcement vigorously, including by compelling compliance through the courts. Companies subject to the CCPA should evaluate their privacy programs and ensure they maintain up-to-date privacy policies and effective consumer rights mechanisms.

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Insights