Tractor Supply Fined $1.3M for CCPA Violations
The Enforcement Division of the California Privacy Protection Agency (CPPA) fined Tractor Supply Company $1.3 million for CCPA violations. The fine is the largest ever issued by the CPPA. Tractor Supply Company is a large retailer with more than 2500 stores (85 in California) across 49 states. It also has websites and a mobile application that allow users to make purchases.
The CPPA began investigating Tractor Supply’s privacy practices after receiving a complaint from a consumer in Placerville, California. Tractor Supply responded with evidence and met several times with the Agency. Here is a breakdown of the violations that resulted in the penalty.
Not Honoring Consumer Opt-out Requests
Tractor Supply’s website uses cookies and tracking technology that share consumer data with third parties for advertising purposes. The company provided a “Do Not Sell My Personal Information” link in its website footer, which directed consumers to a web form.
This form failed to provide consumers with the ability to opt out of sale/sharing with third-party trackers. Nor did it inform consumers of how to opt out of this activity.
Not Processing Opt-out Preference Signals
The CCPA gives consumers the right to submit opt-out requests through web browser configurations that transmit an opt-out preference signal. The company’s privacy policy failed to explain how opt-out preference signals are processed and how consumers can use them, a violation of the CCPA. Tractor Supply also did not configure its website to honor requests sent via an opt-out preference signal.
Improper Contracts with Vendors
The CCPA requires businesses that collect and disclose personal information to a third party, contractor, or service provider to include specific provisions for consumer protection in a contract with the vendor. Not all of Tractor Supply’s contracts with its third parties, contractors, and service providers included all the necessary provisions. Below are some examples of missing provisions from the contracts:
- Prohibiting the service provider from selling or sharing personal information it collected in providing the services.
- Prohibiting the service provider from retaining, using, or disclosing the personal information it collected outside of the direct business relationship between the service provider and Tractor Supply.
- Identifying the limited and specified purposes for which consumers’ personal information was processed or disclosed.
- Requiring the contracting party to comply with the CCPA.
It is important to remember that contracts with third parties and contractors are also subject to CCPA requirements. This has been identified as a deficiency in other enforcement actions taken by the Agency.
Insufficient Privacy Policies
Businesses are required to provide privacy policies that inform consumers about their privacy rights and how they can exercise them. Information that must be disclosed in the privacy policy includes but is not limited to:
- The categories of personal information the business collects.
- The sources from which the data is collected.
- The specific business or commercial purpose for the data.
- Whether the business sold, shared, or disclosed personal information in the previous 12 months.
- Categories of recipients to whom personal information was sold, shared, or disclosed.
Tractor Supply’s privacy policy did not disclose that information.
The company also failed to notify job applicants of their privacy rights under the CCPA.
Along with the monetary penalty of $1,355,000, Tractor Supply agreed to implement remedial measures, including scanning its digital properties on a quarterly basis to inventory tracking technologies, conducting ongoing assessments, and having a corporate officer or director certify compliance annually for the next four years.
The CPPA Order of Decision can be read here.
2025: A Big Year for CCPA Enforcements
2025 has been an active year for CCPA enforcement, both from the CPPA and California Attorney General Rob Bonta.
- In July, AG Bonta issued a $1.55M fine to Healthline for sharing data, including data that suggested the consumer could have had a health condition, with third parties without proper privacy protections.
- In May, clothing retailer Todd Snyder was fined $345,178 by the CPPA for not honoring opt-out requests for 40 days and requiring consumers to verify their identity to opt out of the sale or sharing of their data.
- In March, the CPPA fined Honda $632,500 for requiring excessive personal information to exercise privacy rights, having a longer process for opting out than opting in, and other violations.
These penalties highlight the importance of having website privacy and preference tools that function in a manner compliant with the CCPA. CompliancePoint offers Cookie Management Services to help businesses with privacy and consent functionality. We can also help with all aspects of CCPA compliance. Reach out to us at connect@compliancepoint.com to learn more.