CPPA Tills New Ground with Subpoena Enforcement in Tractor Supply Settlement

Published: Nov. 25, 2025

On September 30, 2025, the California Privacy Protection Agency (“CPPA”) and Tractor Supply Company announced a $1.35 million settlement to resolve claims that the company violated the California Consumer Privacy Act (CCPA).

Initially prompted by a consumer complaint, the CPPA’s investigation into Tractor Supply’s privacy practices resulted in allegations of several privacy violations, including failing to: (1) maintain a privacy policy that sufficiently informed consumers of their rights; (2) notify California job applicants of their privacy rights and how to exercise them; (3) maintain contracts that protect personal information prior to disclosing that information to third parties; and (4) provide consumers with effective mechanisms to opt out of the selling and sharing of their personal information, including via Global Privacy Control (GPC).

In addition to the monetary penalty, Tractor Supply agreed to implement various remedial measures to address the allegations. The settlement offers key insights into the CPPA’s evolving priorities and enforcement tactics. 

Judicial Enforcement of Investigative Subpoenas

The settlement side-stepped a significant jurisdictional question that precipitated the CPPA’s first-ever court petition to enforce an investigative subpoena under the CCPA. In its petition to the California Superior Court, the CPPA alleged that Tractor Supply had failed to comply with a subpoena requesting records covering the period from January 1, 2020—the effective date of the CCPA—through the present. In re Investigation of Tractor Supply Co., No. 25CV018464 (Cal. Super. Ct. Aug. 6, 2025).

Tractor Supply objected to providing information prior to January 1, 2023, arguing that its practices before 2023 fell outside the scope of the CPPA’s enforcement authority because the agency had not yet issued its 2023 regulations and, thus, Tractor Supply lacked actual knowledge of what was prohibited under the CCPA.  

While the Court ultimately did not have the opportunity to rule on the issue given the parties’ agreement to resolve the underlying allegations—and another company could make the same argument in the future—Tractor Supply conceded the argument as part of the settlement, acknowledging that “the Agency possesses broad authority to investigate potential violations of the CCPA, including those that occurred before January 1, 2023.” 

Jurisdictional issues aside, Tractor Supply demonstrates that the CPPA will litigate the scope and enforceability of its administrative subpoenas if needed.

The CPPA Takes on Applicant and Employment Data Privacy 

This investigation marks the first instance in which the CPPA has taken enforcement action regarding job applicant and employee privacy rights under the CCPA, alleging that Tractor Supply provided inadequate privacy notice of applicants’ consumer privacy rights. While Tractor Supply provided California applicants with a CCPA pop-up disclosure that detailed the types of information collected and the business purpose for which the information was being used, the disclosure did not inform applicants of their rights under the CCPA and how to exercise them.  

Since January 1, 2023, job applicants and employees in California have had the same rights as “consumers” under the CCPA, and Tractor Supply suggests that employee and applicant privacy is now an enforcement priority for the CPPA.

Global Privacy Control: A Continuing Enforcement Theme

The Tractor Supply dispute also unfolded against the backdrop of renewed state focus on compliance with the Global Privacy Control (GPC) signal—a browser-based opt-out mechanism that communicates a consumer’s request that their personal information not be sold or otherwise shared.

In September, the CPPA joined the Attorneys General of California, Colorado, and Connecticut in announcing a coordinated investigative sweep targeting potential noncompliance with GPC signals. Prior to the announcement, the California Attorney General emphasized opt-out request compliance in privacy settlements involving Sephora and Healthline Media LLC, while the CPPA highlighted the issue in settlements with Todd Snyder and American Honda Motor Co.

Soon after, on October 8, 2025, California Governor Gavin Newsom signed the California Opt Me Out Act into law, which amends the CCPA to require browser developers to offer functionality, configurable by a consumer, that enables the browser to send an opt-out preference signal (e.g., the GPC) to businesses with which the consumer interacts through the browser.

Key Takeaways

For companies collecting the personal information of Californians online, the Tractor Supply settlement and associated enforcement actions may offer helpful insights into what’s to come.  

  • GPC compliance should be a top priority. Investigative sweeps on other issues have precipitated numerous enforcement actions, so companies should confirm that their opt-out mechanisms are functional and that their systems recognize and honor GPC signals.
  • Ensure that clear and comprehensive privacy notices are provided to applicants and employees and that contracts with third-party vendors that handle employee or applicant data include the required privacy provisions.
  • In the event your organization receives a subpoena or other investigatory request, consult legal counsel on how to best respond. As the CPPA’s enforcement program matures, regulators are likely to continue to leverage judicial enforcement of investigative subpoenas and litigate the scope of their authority. 
  • Ensure privacy policies adequately inform consumers of their rights.