On September 30, the California Privacy Protection Agency (“CPPA” or “Agency”) announced a $1.35 million settlement – the largest in the agency’s brief history – with Tractor Supply Company (“Tractor Supply”), a rural lifestyle retailer. The settlement follows an investigation by the CPPA, which was prompted by a complaint from a California consumer.

According to the CPPA, Tractor Supply violated Californian’s privacy rights by failing to provide consumers with an effective mechanism to opt-out of the selling or sharing of their personal information. Furthermore, Tractor Supply allegedly failed to notify California consumers, including job applicants, of their privacy rights in its privacy policy and disclosures. Finally, the CPPA alleged that Tractor Supply disclosed personal information to service providers, contractors, and third parties without certain contractual privacy protections required under the California Consumer Privacy Act (CCPA).

This settlement follows a series of enforcement actions by the CPPA, including against Todd Snyder, and Background Alert. Additionally, the CPPA brought nearly a half-dozen enforcement actions against unregistered data brokers following an investigative sweep of data broker registration compliance under the Delete Act. Collectively, these actions, along with the CPPA’s recent automated decision-making technology (ADMT) regulations, signal that the CPPA is an increasingly active regulator and that compliance with the CCPA (and other laws that fall within the agency’s jurisdiction) should continue to be an area of priority for companies.

In this post, we summarize the CPPA’s allegations against Tractor Supply and identify key takeaways from the Agency’s settlement. To stay up to date on the latest California privacy law developments, please subscribe to the WilmerHale Privacy and Cybersecurity Law Blog.

Summary of the Final Order

The CPPA’s Final Order asserts the following actions by Tractor Supply to be violations of the CCPA and its corresponding regulations (the CCPA regulations).

Failure to Provide Consumers an Effective Mechanism to Submit Opt-Out Requests

According to the CPPA, Tractor Supply failed to honor consumers’ opt-out requests submitted via Tractor Supply’s webform and did not configure its website to recognize opt-out preference signals. While Tractor Supply provided consumers with a webform in which consumers could submit CCPA requests, the Agency alleged that “the completion of the webform did not opt-out consumers from the third-party tracking technologies that Tractor Supply used for advertising purposes.” In fact, the Agency concluded that Tractor Supply’s webform “had no effect upon how the company shared consumers’ personal information” and left consumers “with the false impression that Tractor Supply had stopped selling and sharing their personal information.”

Additionally, the CPPA alleged that Tractor Supply failed to process opt-out preference signals. Under the CCPA regulations, companies are required to explain in their privacy policies “how an opt-out preference signal will be processed for the consumer (i.e., whether the signal applies to the device, browser, consumer account, and/or offline sales, and in what circumstances) and how the consumer can use an opt-out preference signal.” According to the Agency, Tractor Supply neither included such an explanation in its privacy policy nor configured its website to honor consumers’ opt-out preference signals.

Failure to Notify Consumers, Including Job Applicants, of Their Privacy Rights

Under the CCPA regulations, companies’ privacy policies must “inform consumers about the rights they have regarding their personal information and provide any information necessary for them to exercise those rights.” Additionally, the CCPA requires companies to include certain disclosures in their privacy policies, including a list of the categories of personal information the company has collected about consumers in the past 12 months, the categories of sources from which consumers’ personal information is collected, and the specific purpose for which the personal information was collected. Furthermore, the CCPA requires companies to review their privacy policies on an annual basis.

According to the CPPA, Tractor Supply failed to inform California consumers of their privacy rights, as well as the CCPA’s required disclosures. Instead, Tractor Supply’s privacy policy stated: “residents of California have the right to request from a business…certain information with respect to types of personal information the business shares with third parties for direct marketing by such third parties and the identities of the third parties with whom the business has shared such information during the immediately preceding calendar year.” Furthermore, the CPPA alleged Tractor Supply failed to update its privacy policy on an annual basis, only updating its 2021 privacy policy “years later, after the company learn of the Agency’s investigation.”

Additionally, the CPPA alleged that Tractor Supply failed to notify job applicants about their CCPA rights and how to exercise those rights. Under the CCPA, the definition of consumer means “a natural person who is a California resident” and is not limited to exclude individuals acting in an employment context. As such, companies are required to provide employees and job applicants with notice of their rights under the CCPA, similar to other notices afforded to California consumers. While Tractor Supply had a pop-up disclosure on its careers webpage that included information on the CCPA, the Agency concluded that “the disclosure at the time failed to provide job applicants with any notice of their CCPA rights, nor any description of how to exercise those rights.”

Disclosure of Personal Information to Third Parties Without Contractual Privacy Protections

Under the CCPA, companies that collect and disclose consumers’ personal information to a third party, contractor, or service provider must enter into a contract with the recipient that contains certain privacy protections. More specifically, the contract must (1) specify that the company is disclosing the personal information for “limited and specific purposes;” (2) obligate the recipient to comply with the CCPA and provide the same level of privacy protections required under the CCPA; (3) grant the company the right to take “reasonable and appropriate steps” to ensure the recipient uses the disclosed personal information in a matter that is consistent with the company’s obligations under the CCPA; (4) require the recipient to notify the company if the recipient determines it is no longer able to meet its obligations under the CCPA; and (5) grant the company the right to take “reasonable and appropriate steps” stop and remediate any unauthorized use of the disclosed personal information. According to the Agency, Tractor Supply failed to ensure that its contracts, including those with “advertising technology companies that use consumers’ personal information for cross-context behavioral advertising purposes,” included the provisions required under the CCPA.

Key Takeaways

• Settlement is Part of Broader Focus on Opt-Out Preference Signals. The Agency’s settlement with Tractor Supply is just the latest CPPA action focused on opt-out preference signals. On September 9, 2025, the CPPA, along with the Attorneys General (AGs) of California, Colorado, and Connecticut, announced an investigative sweep involving companies’ noncompliance with the opt-out preference signal, Global Privacy Control (GPC). According to the announcement, the coalition is contacting companies that may not be processing consumers’ opt-out requests, similar to the alleged actions of Tractor Supply.

• Companies Should Ensure Employees and Applicants Have Notice of Their Rights Under the CCPA. The Agency’s settlement with Tractor Supply marks the CPPA’s first enforcement action for a violation of a consumer’s privacy in the employment context. Notably, most state comprehensive privacy laws narrowly define the term “consumer” to exclude individuals acting in an employment context. However, the CCPA’s definition of consumer is broader and includes employees and job applicants. As such, companies should ensure that employees and applicants are provided with appropriate notices that inform them of their rights under the CCPA.

• Contractual Oversight with Third Parties Remains Critical. The Agency’s settlement with Tractor Supply is the just the latest enforcement action under the CCPA focused on contracts with third parties, contractors, and service providers. On July 1, 2025, the California AG announced a $1.55 settlement with Healthline, which included allegations that the online health and wellness knowledge platform failed to include CCPA-compliant language in its third-party contracts. Notably, the CCPA is the only state comprehensive privacy law that requires companies to include specific provisions in relation to disclosures of personal information in its contracts with third parties, contractors, and service providers.

• Settlement Represents the Largest CPPA Penalty to Date. At $1.35 million, the Agency’s settlement with Tractor Supply represents the largest penalty in the CPPA’s history. While the California AG’s recent settlement with Healthline remains the largest publicly reported penalty secured under the CCPA to date, the Tractor Supply settlement is notable given the CPPA’s first enforcement action was only just last year.