The California Privacy Protection Agency (CPPA) shows no signs of slowing its California Consumer Privacy Act (CCPA) enforcement. Its latest action against Tractor Supply Company once again targets CCPA opt-out compliance, among other alleged violations of the law. This time, the CPPA imposed a hefty $1.35 million fine, the largest in the CPPA’s history, and the second largest fine issued under the CCPA. (The fine amount is second only to the California attorney general’s recent $1.55 million fine against Healthline).
CCPA Privacy Enforcement Trends Continue
Building on the agency’s recent enforcement actions, the CPPA’s order reflects continued scrutiny across industries into CCPA compliance, particularly related to the effectiveness of opt-out mechanisms and advertising contracts. The agency reiterated its attention on the following areas:
- Ineffective webforms
The CPPA alleged that Tractor Supply’s privacy rights webform did not opt consumers out of third-party tracking technologies, such as cookies, used for advertising purposes, despite the webform claiming to allow consumers to opt out of all sales of personal data. The interaction (or lack thereof) between webforms and cookies is a challenge many companies are seeking to address given the technical difficulties related to implementing cookie-based and non-cookie-based sale opt-outs.
- Processing of opt-out preference signals
The CPPA also claimed that Tractor Supply failed to configure its website to honor consumers’ opt-out requests using an opt-out preference signal. (Opt-out preference signals must be configured in addition to enabling opt-outs through another method.) This point will continue to be front and center in 2026 when businesses must, under the newly updated CCPA regulations, provide a notice to California consumers about whether a preference signal has been honored.
- Deficient (and outdated) privacy policy disclosures
According to the CPPA, Tractor Supply’s privacy notice lacked certain provisions required under the CCPA, including those related to consumer rights and opt-out preference signals. The agency added that privacy policies must be updated at least annually. Notably, the CPPA also alleged that Tractor Supply’s notice to job applicants failed to inform applicants of their CCPA privacy rights and how to exercise them, an issue unique to the CCPA with its broad application to employees and applicants.
- Contracts with service providers and third parties
The CPPA scrutinized the sufficiency of Tractor Supply’s contracts with service providers and third parties, alleging that such contracts did not contain provisions required under the CCPA.
Novel Settlement Terms Signal Expanded CPPA Enforcement
As part of the settlement, the CPPA ordered Tractor Supply to comply with a variety of remedial requirements, including to conduct quarterly scans of its digital properties and maintain a “full and current inventory of tracking technologies.” The inventory must identify, for each such tracking technology, whether Tractor Supply believes it is “used for a selling or sharing purpose and is supported by a CCPA-compliant contract.” It remains to be seen whether the CPPA will begin to expect companies to maintain similar recordkeeping as a means of demonstrating CCPA compliance.
Furthermore, for a period of four years, Tractor Supply will need to document and share with the agency audit results confirming that all contracts with service providers and third parties who collect personal data from Tractor Supply through tracking technologies meet CCPA requirements. The introduction of time-limited certifications and reports to the CPPA in this decision may signal that the agency is seeking greater ongoing monitoring power over companies that settle with the agency.
What Should You Do to Maintain CCPA Compliance?
The CPPA’s action underscores the importance of buttoning up privacy compliance on an ongoing basis, not as a one-time exercise. Regulators in California and other states have recently ramped up privacy enforcement and are working together with a specific focus on mechanisms in place to enable and honor consumer opt-out requests.
Companies should regularly review their practices related to advertising and third-party tracking technologies, assess their opt-out obligations and tools, ensure that all privacy rights mechanisms correctly effectuate consumer requests, and review their privacy policies—including privacy notices for job applicants and employees in California—at least annually.
For assistance with state law compliance, including how to configure opt-outs, contact the authors or visit Venable’s Privacy and Data Security web page.