On September 30, the California Privacy Protection Agency (CPPA) announced its latest enforcement action against Tractor Supply Company, imposing a $1.35 million penalty for alleged CCPA violations tied to its websites and mobile apps. This follows litigation the CPPA initiated against Tractor Supply to enforce an investigative subpoena. Here is the CPPA's press release. Below are our key takeaways.

• Record-setting fine. At $1.35 million, this is the largest penalty the CPPA has issued to date (slightly below the California AG’s $1.55 million Healthline settlement). It underscores that the CPPA is willing to impose meaningful fines to deter noncompliance.
• Why the fine is this high. Although the allegations are fairly standard (with some exceptions noted below), the penalty is larger than average. One reason is that the CCPA has now been in effect for several years and regulators expect compliance. The days of “grace periods” are over, a point both the CPPA and the California AG’s office have emphasized. We expect penalties to continue climbing as enforcement becomes more aggressive.
• Noncooperation likely impacted the settlement. The penalty size may also reflect Tractor Supply’s posture during the investigation: specifically, its alleged resistance to cooperating, followed by settlement only after litigation was filed. This underscores a theme we’ve emphasized: working constructively with regulators, and building a working relationship rather than taking an adversarial stance, can help mitigate the scope and severity of enforcement.
• Job applicant rights in focus. This is the first public CPPA action that expressly discusses job applicant data. The CPPA emphasized that Tractor Supply failed to provide proper disclosures and rights to job applicants. This is an area many companies overlook and should carefully review.
• Tracking technologies and vendor opt-outs. Once again, we see allegations tied to tracking technologies. In this case, Tractor Supply offered an opt-out form (through a vendor) but allegedly failed to provide a mechanism, such as honoring the required opt-out preference signal, that effectively applied to tracking technologies. We see this type of issue frequently because vendor tools often separate opt-outs for CRM data from those for tracking technologies. While not explicitly addressed in this decision, regulators are increasingly focused on the need for a unified mechanism to cover both CRM and tracking data. If your vendor doesn’t support this, you may need to reassess vendors. There is no safe harbor if a vendor says its tool is “CCPA compliant” but fails to meet regulatory expectations.
• Contract deficiencies. The CPPA once again flagged inadequate CCPA provisions in contracts, particularly in advertising technology agreements. Companies should confirm that all their contracts contain the statutory language required by law.
• Privacy policy issues. The CPPA also alleged insufficient privacy policy disclosures and pointed out that the CCPA requires companies to update their privacy policies annually. Regulators continue to target this “low-hanging fruit,” and by now companies should have an ongoing process to review and update their policies at least annually.
• Any company can be targeted. Tractor Supply is headquartered outside California and operates in a sector not typically seen as high-risk for privacy enforcement. The takeaway: regulators are casting a wide net, and no company should assume it’s outside the CPPA’s focus.