October 15, 2025|Client Alerts

CPPA Expands Enforcement With Record $1.35 Million Fine Against Tractor Supply

By Catherine Warren, Michael Kilgarriff

State Attorneys General continue to expand their reach into areas once dominated by federal agencies—from data privacy and cybersecurity to healthcare, financial services, and emerging technologies such as AI. Buchalter’s State Attorneys General Practice brings together leading subject-matter experts across these sectors to help companies anticipate and respond to evolving state and multistate enforcement priorities. Our interdisciplinary team tracks regulatory trends nationwide and guides clients through the full life cycle of investigations and enforcement actions, combining practical insight with a defense-first approach.

Recent State Enforcement Spotlight: California Privacy Protection Agency (CPPA)

On September 30, 2025, the CPPA announced a record $1.35 million fine against Tractor Supply, marking its largest penalty to date and its first to address job-applicant privacy rights under the CCPA.

The CPPA alleged that Tractor Supply:

  1. Failed to maintain an adequate privacy policy notifying consumers of their rights;
  2. Failed to provide adequate privacy notices to consumers and job applicants;
  3. Did not implement effective opt-out mechanisms, including browser-based global privacy control signals; and
  4. Lacked CCPA-compliant agreements with other companies.

As part of the deal, Tractor Supply must overhaul its privacy practices, including quarterly scanning of digital properties, updating opt-out requests, amending third-party contracts by March 31, 2026, and having a senior officer or director certify compliance annually for the next four years.

What Is the CPPA?

The California Consumer Privacy Act, enacted in 2018 and expanded by the California Privacy Rights Act ballot initiative in 2020, is one of the most comprehensive state privacy laws in the U.S., if not the most comprehensive. Unlike most state laws, the Act applies not only to consumers, but also to employees, job applicants, and independent contractors.

Key rights under the Act include:

  • The right to access, correct, and delete personal information.
  • The right to opt out of the sale or sharing of data, including through browser-based global privacy controls.
  • The right to receive clear privacy notices explaining how personal data will be used.

The Act is enforced by the CPPA, the nation’s first and only standalone data privacy regulator, established in 2020. The CPPA has broad investigative powers and continues to issue regulations covering notice requirements, consumer request processes, risk assessments, cybersecurity audits, and emerging technologies such as artificial intelligence.

Why This Matters

The action against Tractor Supply follows other recent CPPA enforcement activity, including:

  • American Honda Motor Co. (March 2025): Fined $632,500 for failing to comply with data access and opt-out processes.
  • Todd Snyder Inc. (May 2025): Paid over $345,000 to resolve claims of mishandling opt-out requests.
  • Background Alert, Inc. (February 2025): Targeted for failing to meet registration and consumer rights obligations under California’s Delete Act.

Together, these cases highlight a growing enforcement trend across industries, with penalties increasing in size and scope. Earlier this year, the CPPA announced a joint investigative privacy sweep with Colorado and Connecticut aimed at businesses' handling of opt-out preferences. The CPPA has also made clear that it will not be slowing down: “We will continue to look broadly across industries to identify violations of California’s privacy law,” said Michael Macko, the agency’s head of enforcement.

The Tractor Supply settlement underscores the CPPA’s expectation of strict compliance and its willingness to impose significant fines. Businesses operating in California—or collecting data from California residents—should take note of the following compliance priorities:

  • Privacy Notices Must Be Comprehensive: Ensure notices cover not only customers, but also job applicants, employees, and contractors.
  • Opt-Out Must Be Frictionless: Businesses must honor global opt-out signals and make opt-out requests easy to submit and process.
  • Vendor Contracts Require Updates: Review and update agreements with service providers to include CCPA-required terms.
  • Training and Oversight Are Critical: Provide staff with ongoing training and designate a responsible officer to oversee compliance.
  • Audits and Monitoring: Implement regular privacy audits and maintain detailed records demonstrating compliance.

The Tractor Supply settlement reflects the maturation of California’s privacy regime and the rise of a new enforcement model in which dedicated state privacy regulators operate alongside and sometimes ahead of Attorneys General. As agencies like the CPPA continue to define the boundaries of compliance through high-impact actions, companies should view privacy obligations as part of a broader, ongoing governance framework that extends across business units and vendor relationships. Buchalter’s Privacy and State Regulatory teams are working with clients across industries to align their programs with these evolving state-level expectations.


This communication is not intended to create or constitute, nor does it create or constitute, an attorney-client or any other legal relationship. No statement in this communication constitutes legal advice nor should any communication herein be construed, relied upon, or interpreted as legal advice. This communication is for general information purposes only regarding recent legal developments of interest, and is not a substitute for legal counsel on any subject matter. No reader should act or refrain from acting on the basis of any information included herein without seeking appropriate legal advice on the particular facts and circumstances affecting that reader. For more information, visit www.buchalter.com.