The California Privacy Protection Agency has issued its largest fine to date, ordering Tractor Supply Company to pay $1.35 million for multiple violations of the state’s landmark consumer privacy law. The enforcement action, announced on September 30, 2025, targets the nation’s largest rural lifestyle retailer for failing to properly notify customers and job applicants of their privacy rights and for mishandling opt-out requests for the sale of personal data. This is yet another example of a company that should have been using Captain Compliance’s software and could have avoided a 1.35 million fine had they worked with us prior. It happens every month and we’re here to protect companies and save them millions by being compliant.

Tractor Supply, which operates more than 2,500 stores across 49 states, agreed to the penalty and sweeping remedial measures to resolve the allegations under the California Consumer Privacy Act, as amended by the California Privacy Rights Act. The case marks the first time the CPPA Board has addressed the adequacy of privacy notices and the privacy protections owed to job applicants, signaling a heightened focus on these areas in future enforcement.

The violations stemmed from an investigation launched after a consumer in Placerville, California, filed a complaint about the company’s privacy practices. Regulators found that Tractor Supply did not maintain a privacy policy informing consumers of their rights under the law, such as the ability to access, delete or opt out of the sale or sharing of their personal information.

Additionally, the company failed to notify California job applicants of their privacy rights or how to exercise them, a requirement that took effect in 2023 to extend protections to employees, contractors and applicants. Tractor Supply also lacked an effective mechanism for consumers to opt out of data sales, including through the Global Privacy Control signal, a browser-based tool designed to simplify privacy preferences. Finally, the retailer disclosed personal information to third parties without contracts ensuring those recipients would honor consumer rights.

“We will continue to look broadly across industries to identify violations of California’s privacy law,” said Michael Macko, the agency’s head of enforcement. “We made it an enforcement priority to investigate whether businesses are properly implementing privacy rights, and this action underscores our ongoing commitment to doing that for consumers and job applicants alike.”

Tom Kemp, the CPPA’s executive director, emphasized the role of public complaints in driving accountability. “California’s privacy rights protect everyone in the state, from the Central Valley to the Silicon Valley,” Kemp said. “We appreciate the members of the public who help us uphold these rights by submitting complaints to the CPPA.”

Under the settlement, Tractor Supply must overhaul its practices, including conducting scans of its digital properties to inventory tracking technologies and requiring a corporate officer or director to certify compliance annually for the next four years. The company also faces a prohibition on further violations and must train employees on privacy obligations.

The fine surpasses the CPPA’s previous record of $632,500 against American Honda Motor Co. earlier this year and comes amid a flurry of enforcement actions. Just last month, the agency sued Tractor Supply in a separate case to enforce an investigative subpoena, a dispute that will now be dropped as part of this resolution. Other recent penalties include $345,178 against clothing retailer Todd Snyder and a settlement with background check firm Background Alert that could force it to shut down or pay up.

Legal experts view the Tractor Supply case as a warning shot for retailers and other businesses handling consumer data. “This settlement signals that the CPPA is doubling down on privacy disclosures and opt-out mechanisms,” said a analysis from Polsinelli law firm. The violations highlight common pitfalls, such as ignoring the Global Privacy Control, which has gained traction as a user-friendly opt-out tool since its integration into major browsers.

Tractor Supply did not immediately respond to requests for comment on the settlement. The company, known for selling farm supplies, pet products and outdoor gear, has faced other scrutiny in recent years, including a 2024 backlash over its diversity, equity and inclusion policies that led to a reversal of some commitments.

The CPPA’s aggressive posture reflects California’s role as a pacesetter in U.S. privacy regulation. The CCPA, enacted in 2018 and strengthened by voter-approved amendments in 2020, gives consumers rights over their data and empowers regulators to impose fines up to $7,500 per intentional violation. Since the agency’s full enforcement powers kicked in last year, it has ramped up investigations, including sweeps targeting unregistered data brokers under the Delete Act.

Privacy advocates praised the action but called for even stronger measures. “This is a step forward, but we need to see the CPPA go after bigger tech players too,” said a post from privacy platform Osano on X, formerly Twitter. On social media, compliance experts shared takeaways, urging companies to audit vendor contracts and privacy notices to avoid similar fates.

The settlement also underscores growing protections for job seekers. Since 2023, California law treats applicants’ data with the same safeguards as customer information, covering details like resumes and contact info collected during hiring. “Businesses must now protect the privacy of their job applicants, not just their customers,” the CPPA noted in its announcement.

As enforcement heats up, the CPPA is expanding internationally through partnerships with regulators in Korea, France and the United Kingdom, and co-founding the Consortium of Privacy Regulators. For consumers, the agency directs those concerned about their data to visit privacy.ca.gov to learn how to exercise rights like opting out or requesting deletions.

With this fine, California continues to flex its privacy muscle, reminding companies nationwide that ignoring consumer rights can come at a steep cost. As one legal observer put it on X: “The CCPA strikes back.”

Book a demo today and get ahead of the privacy protection authorities with our software that fully satisfies and automates the CPPA’s requirements. Avoid litigation and regulatory fines with a compliance superhero team protecting you.