On September 30, 2025, the California Privacy Protection Agency (CPPA) announced a $1.35 million settlement with the Tractor Supply Company for allegedly violating the privacy rights of residents of California. The CPPA claimed that Tractor Supply violated California privacy requirements by failing to provide an effective mechanism to opt out of the selling or sharing of personal information, failing to have the required disclosures in its Privacy Policy, and failing to have the appropriate contractual protections when disclosing personal information to third parties. In this article, we will discuss the important aspects of this settlement to provide lessons learned and hopefully help your business avoid similar enforcement actions.
Jurisdiction
The investigation by the CPPA was brought under the California Privacy Rights Act (formerly known as the California Consumer Privacy Act). The CPRA applies to businesses that collect the personal information of residents of California, do business in California and meet one or more of the following factors:
- Have annual gross revenue of more than $25,000,000;
- Derive 50% or more of their annual revenue from selling or sharing the personal information of California consumers or households; or
- Annually buy, sell, or share the personal information of 100,000 or more California consumers or households.
Even though Tractor Supply is headquartered in Brentwood, TN, the Agency found that it is subject to the CPRA as it:
- Operates a website and a mobile app where California consumers can make purchases;
- Operates more than 85 store locations in California;
- Has annual gross revenue in excess of $25,000,000; and
- Annually shares or sells the personal information of 100,000 or more California consumers or households.
Failure to comply with “do not sell personal information” requirements
Under the CPRA, California consumers have the right to opt out of sales of their personal information. Since the CPRA defines “sale” very broadly, exchanging personal information for improved advertising can be considered the sale of personal information under the CPRA. The CPPA found that, since Tractor Supply’s website uses cookies and similar tracking technologies that make consumers’ cookie identifiers, IP addresses and other identifiers available to third parties for advertising purposes, it was subject to the do not sell requirements.
In an attempt to comply with the do not sell requirements, Tractor Supply provided consumers with a link in the footer of its website titled “Do Not Sell My Personal Information.” Upon clicking the link, consumers were brought to a form that allowed them to exercise their privacy rights, including the right to opt out of sales of personal information. However, the CPPA found that submitting this form had no effect on how the company shared the consumers’ personal information for advertising purposes. In fact, if a consumer submitted that form, Tractor Supply would continue to sell or share their personal information for advertising purposes. As such, the CPPA found that Tractor Supply failed to comply with the CPRA’s requirement to allow consumers to opt out of the sale or sharing of their personal information.
Failure to process opt-out preference signals
The CPRA also allows consumers to submit requests to opt out of sales and sharing of personal information by configuring their browsers to transmit an opt-out preference signal. Businesses must explain in their Privacy Policy how an opt-out preference signal will be processed and how consumers can use the opt-out preference signal. In this case, the CPPA found that Tractor Supply violated the CPRA as:
- Its Privacy Policy did not include the required disclosures regarding the opt-out preference signal; and
- It did not configure its website to honor consumers’ requests to opt out of the sharing or sale of their personal information.
Failure to properly contract with service providers, contractors and third parties
The CPRA requires businesses that disclose, share or sell personal information to third parties to enter into contracts with those third parties that contain certain terms. These terms include identifying the purposes for which personal information may be used, requiring the third parties to comply with the CPRA, and requiring them to provide the same level of privacy protections that the CPRA requires of the disclosing business. Tractor Supply failed to ensure that its contracts with the receiving entities contained the required provisions listed above, thereby violating the requirements of the CPRA.
Failure to provide the required Privacy Policy disclosures
The CPRA requires businesses to provide a comprehensive Privacy Policy that includes the disclosures required by the law. These disclosures include a list of privacy rights provided to consumers, the categories of personal information collected, the sources from which the information was collected, the purpose for which personal information will be used, and whether personal information has been sold, shared or disclosed, including the categories of third parties to whom it was sold, shared or disclosed.
The CPPA found that Tractor Supply violated California privacy requirements as its Privacy Policy did not include any of the disclosures required by the CPRA. In addition, the CPRA requires businesses to review and update their Privacy Policies annually, which Tractor Supply also failed to do. Lastly, Tractor Supply failed to notify job applicants of their CPRA rights, as well as how to exercise those rights.
As shown above, the CPRA imposes quite a few requirements on businesses that are subject to it. As Tractor Supply failed to meet those requirements, it was subject to the $1.35 million settlement. As CPRA enforcement ramps up, businesses that need to comply with the CPRA should review these requirements and ensure that they are fully met to reduce the chance of similar enforcement actions.