CPPA’s $1.35 Million Tractor Supply Settlement: Major CCPA Enforcement Lessons on Opt-Out Rights and Privacy Compliance

On September 26, 2025, the California Privacy Protection Agency (CPPA) Board adopted a Stipulated Final Order imposing a $1.35 million administrative fine against Tractor Supply Company for multiple violations of the California Consumer Privacy Act (CCPA). This enforcement action, announced by the CPPA, represents one of the agency’s most significant settlements to date and offers critical compliance lessons for businesses operating in California.

Background: Investigation Triggered by Consumer Complaint

The CPPA’s investigation began in 2024 following a complaint from a consumer in Placerville, California. Tractor Supply operates more than 85 brick-and-mortar stores across California, along with a website and mobile application, and collects personal information from consumers. Its annual gross revenue well exceeds $26.625 million (the applicable revenue threshold for the CCPA’s application), and it annually sells or shares the personal information of 100,000 or more consumers or households, which places it squarely within the CCPA’s applicability thresholds.

The investigation spanned the period from January 1, 2023, to July 1, 2024, during which Tractor Supply produced thousands of pages of documents and met with the Agency on numerous occasions. Importantly, the company remediated most identified issues before the settlement was finalized.

Critical Violation #1: Ineffective Opt-Out Mechanisms

The most significant findings centered on Tractor Supply’s failure to provide consumers with effective mechanisms to opt-out of the sale and sharing of their personal information—a core CCPA right under Civil Code § 1798.120(a).

The “Do Not Sell My Personal Information” Webform Failure

Tractor Supply provided a “Do Not Sell My Personal Information” link in its website footer that directed consumers to a privacy webform. While the webform appeared to allow consumers to submit opt-out requests, it had no actual effect on the third-party tracking technologies the company used for advertising purposes.

As the Order states: “Tractor Supply’s webform had no effect upon how the company shared consumers’ personal information through third party tracking technologies used for advertising purposes, leaving consumers with the false impression that Tractor Supply had stopped selling and sharing their personal information.”

This created a critical gap: consumers submitted opt-out requests believing their personal information would no longer be sold or shared, but Tractor Supply continued to make their information available to third parties through cookies and similar tracking technologies for advertising purposes.

These practices violated:

  • Civil Code § 1798.135(a)(1) by failing to provide consumers with an effective opt-out method
  • Civil Code § 1798.120(d) by continuing to sell/share personal information after receiving opt-out requests

Failure to Process Opt-Out Preference Signals

Equally problematic, Tractor Supply failed to honor opt-out preference signals such as the Global Privacy Control (GPC). Under CCPA regulations, businesses must process these browser-based signals that allow consumers to broadcast a universal “do not sell or share” preference across all websites they visit.

Tractor Supply’s violations included:

  • Not configuring its website to honor opt-out preference signals until July 2024
  • Failing to include required opt-out preference signal provisions in its privacy policy
  • Not explaining how signals would be processed (device, browser, account scope, etc.)

This resulted in violations of Civil Code §§ 1798.120(a) and 1798.135(a), as well as California Code of Regulations, title 11, § 7026.

Critical Violation #2: Deficient Vendor Contracts

The Order revealed significant gaps in Tractor Supply’s data processing agreements with service providers, contractors, and third parties, particularly advertising technology companies that use consumers’ personal information for cross-context behavioral advertising.

CCPA regulations require specific contractual provisions when businesses disclose personal information to external parties (Code of Regulations, title 11, §§ 7051 and 7053). Tractor Supply’s contracts failed to include numerous required terms, including:

  • Prohibition on service providers selling or sharing personal information collected while providing services
  • Prohibition on retaining, using, or disclosing personal information outside the direct business relationship
  • Identification of limited and specified purposes for processing
  • Requirements to comply with CCPA and provide equivalent privacy protection
  • Obligations to honor forwarded consumer opt-out requests
  • Rights for Tractor Supply to ensure compliant use and remediate unauthorized use
  • Notice requirements if the vendor could no longer meet CCPA obligations

These contractual deficiencies prevented Tractor Supply from ensuring that third parties properly handled consumer data and respected privacy rights.

Critical Violation #3: Inadequate Privacy Notices

The investigation uncovered major deficiencies in Tractor Supply’s privacy policy and notices to consumers and job applicants.

Privacy Policy Deficiencies

CCPA requires comprehensive privacy policies that inform consumers about their rights and provide detailed disclosures about data practices (Code of Regulations, title 11, § 7011). Tractor Supply’s privacy policy failed to include:

  • Categories of personal information collected in the preceding 12 months
  • Categories of sources from which information was collected
  • Specific business or commercial purposes for collection
  • Affirmative statements about whether the business sold, shared, or disclosed personal information
  • Categories of recipients to whom information was sold, shared, or disclosed
  • Explanations of consumer privacy rights (right to know, delete, correct, limit use of sensitive information, non-discrimination)
  • Instructions on how to exercise those rights
  • How opt-out preference signals would be processed

Instead, Tractor Supply provided only a brief, generic statement about California privacy rights that fell far short of CCPA requirements.

Additionally, the company violated the annual update requirement under Civil Code § 1798.130(a)(5). The privacy policy was posted in September 2018, updated in November 2021, and not updated again until after the CPPA investigation commenced—years beyond the required annual update cycle.

Job Applicant Notice Failures

Starting January 1, 2023, businesses must notify job applicants about their CCPA rights and provide information needed to exercise those rights (Civil Code § 1798.145(m)(1), (m)(4)).

Tractor Supply’s job application disclosure provided only a description of what information was collected and how it would be used. The disclosure completely failed to:

  • Notify applicants of their CCPA rights
  • Explain how to exercise those rights

This gap left California job applicants uninformed about their statutory privacy protections.

The Settlement Terms and Compliance Requirements

The $1.35 million administrative fine represents a significant penalty, but the Order’s compliance requirements may have even greater long-term impact:

Immediate Compliance Obligations

Tractor Supply must comply with Civil Code §§ 1798.100, 1798.120, 1798.130, and 1798.135, and Code of Regulations, title 11, §§ 7003, 7004, 7010, 7011, 7013, 7025, 7026, and 7050–7053.

Tracking Technology Management

The company must:

  • Scan digital properties at least quarterly and maintain a current inventory of all tracking technologies
  • Identify whether each technology is used for selling/sharing purposes
  • Verify that CCPA-compliant contracts support each technology
  • Properly configure properties to recognize and honor opt-out preference signals
  • Ensure symmetry of choice in tracking technology management platforms (reject buttons must be similar in size and design to accept buttons)
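
A sketch of how the inventory, sale/share classification, contract check, and signal handling listed above can feed one decision, so that a webform opt-out and a GPC signal both stop the same tags. This is an added example, not code from the Order or from Tractor Supply; the inventory entries, field names, and function names are hypothetical.

```javascript
// Constructed tracking-technology inventory (all ids and fields hypothetical).
const INVENTORY = [
  { id: "ads-pixel", purpose: "cross-context advertising", sellShare: true, contractOk: true },
  { id: "retarget-sdk", purpose: "retargeting", sellShare: true, contractOk: false },
  { id: "site-analytics", purpose: "first-party analytics", sellShare: false, contractOk: true },
  { id: "new-tag", purpose: "unclassified" }, // sale/share status not yet assessed
];

// GPC arrives as the request header "Sec-GPC: 1" (browsers also expose
// navigator.globalPrivacyControl). Header names are case-insensitive.
function hasGpcSignal(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === "sec-gpc") return String(value).trim() === "1";
  }
  return false;
}

// A consumer is opted out if EITHER the browser signal or a stored webform
// request says so. The webform record must drive the same gate as GPC,
// otherwise the form has no effect on the tags actually served.
function isOptedOut(headers, storedOptOut) {
  return hasGpcSignal(headers) || storedOptOut === true;
}

// Decide which tags may be emitted into the page for this request.
// Tags without an explicit sellShare === false are withheld from
// opted-out consumers (fail closed on unclassified entries).
function tagsToLoad(inventory, headers, storedOptOut) {
  const optedOut = isOptedOut(headers, storedOptOut);
  return inventory
    .filter((t) => !(optedOut && t.sellShare !== false))
    .map((t) => t.id);
}

// Periodic audit pass: entries that are unclassified, or that sell/share
// without a contract confirmed to carry the required terms.
function auditInventory(inventory) {
  return inventory
    .filter((t) => typeof t.sellShare !== "boolean" || (t.sellShare && !t.contractOk))
    .map((t) => t.id);
}
```

Running the same gate on the server and in the tag manager keeps a tag from slipping through on either path; the audit output is the list to resolve before the next scan.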

Enhanced Vendor Management

By March 31, 2026, Tractor Supply must confirm that all required contractual terms are in place with all external recipients of personal information. The company must also:

  • Conduct annual reviews of websites and mobile applications to identify third parties and service providers receiving personal information through tracking technologies
  • Document and report results to the CPPA annually for four years
  • Maintain audit records confirming contracts contain required CCPA provisions
  • Verify opted-out consumers’ information is not sold/shared to third parties

Privacy Notice Updates

The company must:

  • Review and update privacy policies to ensure CCPA compliance
  • Notify employees and job applicants of updated privacy policies via email
  • Post annual CCPA metrics on its website for five years (Code of Regulations, title 11, § 7102)

Training and Monitoring

  • Ensure all personnel handling CCPA requests are informed of relevant requirements
  • Implement programs to assess and monitor effective processing of opt-out requests
  • Provide annual written certifications of compliance signed by an officer or director for four years

Key Takeaways for Businesses

This enforcement action follows similar CPPA actions against companies like Honda and Todd Snyder, as well as Healthline’s record settlement, and provides critical compliance lessons:

1. Opt-Out Mechanisms Must Actually Work

It’s insufficient to simply provide an opt-out link or webform. The mechanism must functionally stop the sale and sharing of personal information. As McDermott Will & Emery notes, businesses should conduct regular testing to ensure opt-out mechanisms effectively prevent personal information from being made available to third parties for advertising purposes.

2. Opt-Out Preference Signals Are Non-Negotiable

With the CPRA amendments, processing opt-out preference signals like GPC is mandatory, not optional. Businesses must:

  • Configure websites and applications to recognize and honor these signals
  • Document in privacy policies how signals will be processed
  • Apply signals to known consumers appropriately
  • Ensure frictionless implementation

3. Vendor Contracts Require Comprehensive CCPA Provisions

Standard vendor agreements are likely insufficient. As Troutman LLP observes, businesses should:

  • Review all contracts with service providers, contractors, and third parties
  • Ensure inclusion of all required CCPA contractual terms
  • Implement processes to verify ongoing compliance
  • Maintain audit documentation

Consider working with a CCPA lawyer or CPRA attorney to review and update vendor agreements.

4. Privacy Policies Must Be Comprehensive and Current

Generic privacy statements don’t satisfy CCPA requirements. Privacy policies must:

  • Provide all required disclosures about data collection, use, and sharing
  • Clearly explain consumer rights and how to exercise them
  • Include opt-out preference signal information
  • Be updated at least annually

The annual update requirement is an enforcement priority that businesses can’t afford to overlook.

5. Job Applicant Privacy Notices Need Attention

Many businesses focus on customer-facing privacy compliance while overlooking employee and applicant requirements. Ensure job application processes include:

  • Notice of CCPA rights specific to applicants
  • Instructions on exercising those rights
  • Appropriate data collection limitations

6. Implement Robust Tracking Technology Governance

The Order’s emphasis on tracking technology inventory and management highlights the need for:

  • Regular audits of all cookies, pixels, tags, and SDKs
  • Documentation of business purposes for each technology
  • Verification that opt-out mechanisms affect all relevant technologies
  • Processes to ensure new technologies are properly evaluated and contracted

7. Build a Comprehensive Privacy Compliance Program

Isolated fixes won’t suffice. As discussed in our guide to building effective privacy compliance programs, businesses need:

  • Regular privacy assessments and audits
  • Clear policies and procedures
  • Ongoing training for relevant personnel
  • Monitoring and testing of privacy mechanisms
  • Incident response and remediation processes
  • Documentation and recordkeeping systems

The CPPA’s Enforcement Posture

This settlement continues the CPPA’s pattern of aggressive enforcement, particularly regarding opt-out rights and vendor management. The agency has demonstrated willingness to:

  • Investigate consumer complaints thoroughly
  • Impose significant financial penalties
  • Require extensive ongoing compliance monitoring
  • Prioritize practical effectiveness over technical compliance

As we’ve noted in our analysis of CPPA enforcement actions, the agency is establishing clear expectations that businesses must not just claim compliance but demonstrate it through functioning privacy controls.

Conclusion

The Tractor Supply enforcement action serves as a stark reminder that CCPA compliance requires more than checking boxes. Businesses must ensure that privacy mechanisms actually protect consumer rights, vendor relationships include comprehensive contractual protections, and privacy notices provide meaningful transparency.

With the CPPA demonstrating consistent enforcement priorities—particularly around opt-out rights, vendor contracts, and privacy disclosures—now is the time for businesses to:

  1. Audit opt-out mechanisms to ensure they’re truly effective
  2. Review and update vendor contracts with required CCPA provisions
  3. Comprehensively update privacy policies and ensure annual refreshes
  4. Implement tracking technology governance processes
  5. Build robust privacy compliance programs

For businesses seeking guidance on CCPA compliance, working with experienced privacy counsel can help identify gaps, implement effective controls, and avoid costly enforcement actions. The $1.35 million price tag in this case, combined with the ongoing compliance obligations, demonstrates that proactive compliance is far more cost-effective than reactive remediation.


The information in this article is for general informational purposes only and does not constitute legal advice. For specific guidance on CCPA compliance for your business, consult with qualified legal counsel.