
The California Privacy Protection Agency (CPPA) Board has issued a decision based upon the Stipulation of the employer requiring Tractor Supply Company, the nation’s largest rural lifestyle retailer with more than 2,500 stores in 49 states, to change its business practices and pay a $1,350,000 fine to resolve claims that the company violated the California Consumer Privacy Act (CCPA). The fine is the largest in the CPPA’s history, and the decision is the first to address the importance of CCPA privacy notices and privacy rights of job applicants.

Tractor Supply Company is a Delaware corporation with its principal place of business at 5401 Virginia Way, Brentwood, TN 37027. It is a for-profit corporation that describes itself as the nation’s largest rural lifestyle retailer. Tractor Supply has a large presence in California as farmers, ranchers, and agricultural workers form an important component of the state’s fabric and economy. Tractor Supply operates more than 85 brick-and-mortar stores across California, as well as a website and mobile application for online purchases.

In 2018, the Legislature took action to protect Californians’ privacy in the digital age by enacting the California Consumer Privacy Act (“CCPA”), Civ. Code §§ 1798.100–1798.199.100. The CCPA gives consumers certain rights with regard to their personal information, such as the right to know what personal information businesses collect from them, the right to stop businesses from selling their personal information, and the right to have it deleted.

In November 2020, California voters approved Proposition 24 with the aim of giving consumers more control over how businesses collect, use, share, and profit from their personal information. Prop. 24 strengthened the CCPA and established the Agency as an “independent watchdog” to “vigorously enforce the law,” recognizing that the unauthorized use and sharing of personal information creates a “heightened risk of harm” for consumers. Prop. 24, § 3(L) (2020).

The CPPA opened an investigation into Tractor Supply’s privacy practices after receiving a complaint from a consumer in Placerville, California. Tractor Supply produced thousands of pages of documents, answered the Agency’s questions, met with the Agency numerous times, and has remediated most of the issues described in the Stipulation. According to the Board’s decision, Tractor Supply violated Californians’ privacy rights by:

– Failing to maintain a privacy policy that notified consumers of their rights;
– Failing to notify California job applicants of their privacy rights and how to exercise them;
– Failing to provide consumers with an effective mechanism to opt out of the selling and sharing of their personal information, including through opt-out preference signals such as Global Privacy Control; and
– Disclosing personal information to other companies without entering into contracts that contain privacy protections.

To resolve the allegations, Tractor Supply agreed to pay $1,350,000, implement broad remedial measures, such as scanning its digital properties to inventory tracking technologies, and require a corporate officer or director to certify compliance annually for the next four years.

The Board’s decision underscores the need for businesses to review their privacy notices and opt-out mechanisms, as well as the need for businesses to protect the privacy of their job applicants, not just their customers. Since 2023, job applicants, employees, and independent contractors have been afforded greater privacy protections.

The Board’s decision follows on the heels of a separate court case brought against Tractor Supply last month to enforce an investigative subpoena. With today’s resolution, the CPPA’s Enforcement Division will be discontinuing that litigation.

The CPPA’s Recent Enforcement Actions to Protect Californians

The CPPA continues to actively enforce California’s cutting-edge privacy laws. Recent actions include:

– Issuing a decision requiring clothing retailer Todd Snyder to change its business practices and pay a $345,178 fine for CCPA violations.
– Issuing a decision requiring American Honda Motor Co. to change its business practices and pay a $632,500 fine for CCPA violations.
– Securing a settlement agreement requiring data broker Background Alert — which promoted its ability to dig up “scary” amounts of information about people — to shut down or pay a steep fine.
– Launching the bipartisan Consortium of Privacy Regulators to collaborate with states across the country to implement and enforce privacy laws nationwide.
– Partnering with the data protection authorities in Korea, France, and the United Kingdom to share information and advance privacy protections for Californians.

In addition, the agency has secured more than half a dozen successful enforcement actions against unregistered data brokers following an investigative sweep launched late last year to assess compliance with the Delete Act.

The California Delete Act (SB 362) is a state law designed to enhance data privacy for California residents. It establishes a one-click mechanism for consumers to request that registered data brokers delete their personal information. The Act requires data brokers to register with the California Privacy Protection Agency, which will enforce compliance. This legislation builds upon previous privacy laws, such as the California Consumer Privacy Act, and aims to create a centralized deletion platform for easier consumer access to their data rights.