Tractor Supply’s $1.35M CCPA Fine: Key Lessons for 2025
The California Privacy Protection Agency just issued its largest fine ever to a rural lifestyle retailer. Combined with recent enforcement patterns, it reveals where regulators are heading next.
The Enforcement Landscape Just Changed
A major retailer with 2,500 stores paid California's biggest privacy fine to date: $1.35M plus a written certification of compliance with the stipulated final order, signed by an officer or director of the company.
What caught our eye was the detail in the Factual Findings noting that “In 2024, the Agency opened an investigation into the retailer's privacy practices after receiving a complaint from a consumer in Placerville, California”. This appears to have been initiated by a single complaint from a California consumer. Not a class action. Not a data breach. One frustrated person who couldn't opt out.
The specific violations in this case:
“Do Not Sell My Personal Information” link and webform did not opt requesters out of third-party tracking technologies used for advertising purposes
Opt-Out Preference Signals were not honored, and the Privacy Policy did not reference the opt-out preference signal provisions
Improper contracting with Service Providers, Contractors and Third Parties
Deficient notices to consumers about the rights they have regarding their personal information under the CCPA
Deficient notice to job applicants
The trained eye will quickly notice some commonalities with prior enforcement actions, but this appears to be the first enforcement action to publish details specific to job applicants.
With California currently taking the lead in consumer privacy enforcement, the April 2025 announcement of the multi-state privacy enforcement consortium expands the frontlines beyond the Golden State. The enforcement consortium has intentionally been designed to share resources and expertise and to coordinate efforts to investigate potential violations of applicable laws.
Quick Data Point: Michael Macko, the CPPA's Deputy Director of Enforcement, shared at the September 26, 2025 CPPA Board Meeting that the Agency is currently handling over 150 consumer complaints per week. Additionally, the CPPA is pursuing hundreds of open investigations, mixed between small and large companies, with most businesses unaware they are currently being investigated.
The Breadcrumb Trail of 2025 Enforcement
It should be no surprise that the majority of complaints stem from the consumer-facing components of the business. Connect the dots across recent actions (Honda's $632K, Todd Snyder's $345K, Healthline's settlement, and now this $1.35M fine) and the patterns are clear:
The consistent violations across these actions:
Web/digital governance practices are unintentionally falling short, pointing to a lack of governance ownership between privacy, legal, and web/marketing
Upkeep of policies and notices is falling behind - provisions are being missed, and web property sprawl remains challenging to audit
Consumer request processes are present, but they struggle with data minimization, verification, and validated fulfillment audits
Third-party contractual provisions and data-sharing limitation clauses are inadvertently overlooked
Opt-out signals are taking center stage
The new enforcement frontier: This is the first time CPPA has explicitly addressed violations of job applicant privacy rights in an enforcement action. Companies should note this expansion of focus beyond consumer data.
These aren't random selections. It’s safe to assume that regulators are systematically checking the same fundamental requirements across every investigation. And that playbook is evolving.
The Organizational Disconnect Driving Violations
Privacy Teams Aren't Technologists
The majority of privacy professionals come from legal or compliance backgrounds, not technology. When GPC signals need implementation or opt-out mechanisms require API integration, the technical translation often fails.
What we're seeing: Privacy teams set requirements. IT thinks they've implemented them. Marketing operates independently. Nobody validates that the end-to-end flow actually works.
AI Governance Stealing Focus
While organizations chase AI governance frameworks and LLM usage controls and updated Acceptable Use Policies for the proliferation of AI, their foundational digital privacy infrastructure crumbles. Board presentations feature AI ethics while basic consent management fails daily audits (if audited at all).
The Four-Department Failure Pattern
This settlement, like Honda and others before it, exposed the same organizational gap: privacy, marketing, legal, and vendor/contract management continue to operate in silos.
The breakdown: When departments don't communicate effectively, privacy requirements get lost in translation. Marketing teams have consent tools but may not fully understand their configuration or limitations. Legal and vendor management teams operate on parallel tracks without coordinating on privacy requirements. Each department assumes the others have their pieces covered.
Result: Failures that span all four departments, with no single team aware of the complete picture.
The Technical Gaps Costing Millions
Global Privacy Control Remains Invisible
Despite being legally binding in California since 2021, most organizations still don't recognize GPC signals. This retailer's systems ignored them completely.
Test this yourself: Enable GPC in your browser. Visit your website. Does your consent banner recognize it? If not, you're vulnerable. On the other hand, perhaps you’re recognizing the opt out signal but when was the last time you completed an audit across your web properties to identify what’s changed since your prior deployment?
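The check described above can be made concrete. The following is an added example, not code from the article and not FLLR's own tooling: a consent layer detects Global Privacy Control on both the client (the browser exposes navigator.globalPrivacyControl) and the server (supporting browsers send the Sec-GPC request header), treats a detected signal as an opt-out of sale/sharing that overrides any stored banner choice, and an audit helper flags pages where advertising requests were still observed despite the signal. The page samples and the shape of the audit records are constructed for illustration.

```javascript
// Added example: GPC detection plus an end-to-end audit of whether the
// opt-out was actually applied. Not from the article or from FLLR.

// Client side: supporting browsers expose a boolean on navigator.
function gpcFromNavigator(nav) {
  return nav != null && nav.globalPrivacyControl === true;
}

// Server side: supporting browsers send "Sec-GPC: 1" on each request.
// HTTP header names are case-insensitive, so normalize before comparing.
function gpcFromHeaders(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === "sec-gpc") {
      return String(value).trim() === "1";
    }
  }
  return false;
}

// Resolve the consent state the site must apply. A GPC signal counts as a
// valid opt-out regardless of what the banner previously stored, because the
// signal is the consumer's current instruction.
function resolveConsent({ nav, headers, storedChoice }) {
  const gpc = gpcFromNavigator(nav) || gpcFromHeaders(headers);
  const optedOut = gpc || storedChoice === "opt-out";
  return {
    gpcDetected: gpc,
    saleOrSharingAllowed: !optedOut,
    // Tags that send data to advertising third parties must not load.
    loadAdvertisingTags: !optedOut,
    reason: gpc ? "gpc-signal" : optedOut ? "user-opt-out" : "no-opt-out",
  };
}

// Audit helper: each record is a constructed observation from crawling one
// page with GPC enabled, listing which advertising hosts were contacted.
// Returns the pages where the opt-out was not honored end-to-end.
function auditPages(records) {
  return records
    .filter((r) => r.gpcSent && r.adRequestsObserved.length > 0)
    .map((r) => ({ url: r.url, leakedTo: r.adRequestsObserved }));
}

// Constructed sample inputs (no real traffic or real hosts).
const sampleRequests = [
  { nav: { globalPrivacyControl: true }, headers: {}, storedChoice: null },
  { nav: {}, headers: { "Sec-GPC": "1" }, storedChoice: "accept-all" },
  { nav: {}, headers: {}, storedChoice: "accept-all" },
];

const sampleCrawl = [
  { url: "https://example.test/", gpcSent: true, adRequestsObserved: [] },
  { url: "https://example.test/careers", gpcSent: true, adRequestsObserved: ["ads.example-vendor.test"] },
  { url: "https://example.test/store", gpcSent: false, adRequestsObserved: ["ads.example-vendor.test"] },
];

if (typeof require !== "undefined" && require.main === module) {
  for (const req of sampleRequests) console.log(resolveConsent(req));
  console.log("Pages failing the GPC audit:", auditPages(sampleCrawl));
}
```

Running the block prints the resolved consent state for each constructed request and lists the one crawled page where advertising requests went out even though GPC was sent. The audit half is the part most organizations skip: recognizing the signal in the banner is necessary, but the evidence regulators ask for is that no third-party advertising request fires afterwards.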
Job Applicant Privacy: The Overlooked Requirement
Since 2023, CCPA fully covers employment data. Yet HR systems operate like it's 2019. No privacy notices. No deletion rights. No retention policies.
Quick check: Can a rejected job applicant from 2023 request their data be deleted from your ATS? If you don't know, we’d suggest this question be surfaced.
Third-Party Contracts: The Universal Failure
Every 2025 enforcement action has flagged missing vendor privacy amendments. Organizations share data with dozens of partners but continue to fail to include (and audit for) the appropriate privacy provisions.
Your Risk Assessment Framework
Immediate indicators you're vulnerable:
Your privacy team can't explain how GPC technically works
HR and Privacy rarely communicate about applicant data
Vendor contracts are managed without privacy involvement
Your opt-out process has never been tested end-to-end
Marketing owns your consent platform with minimal oversight
The coordination test: Can privacy, marketing, legal, and vendor management jointly explain your consent architecture? If they can't present a unified view, regulators will find the gaps.
The Bottom Line
This isn't about one retailer's failure. It's about systematic enforcement of requirements most organizations still haven't properly implemented. With multi-state coordination accelerating and hundreds of investigations underway, the enforcement risk has multiplied.
The breadcrumbs are clear: regulators are checking job applicant privacy, GPC signals, vendor contracts, and opt-out mechanisms. In that order. At every company they investigate.
Organizations focused on tomorrow's AI governance while ignoring today's privacy foundations are building on sand. The question isn't whether you'll be investigated, but whether you'll be ready when it happens.
How FLLR Bridges the Gap
We've implemented privacy programs at over 200 organizations. We know exactly where these failures happen, why they cost millions, and how fixing them actually improves business performance.
The hidden business value in privacy compliance:
Unlock Marketing Reach: When GPC signals and opt-out mechanisms actually work, you maintain 15-20% more addressable audience. That's millions of additional touchpoints for marketing. We configure your consent platforms to maximize compliant data collection while respecting user choice.
Accelerate Vendor Velocity: Proper privacy amendments don't slow deals - they accelerate them. We've seen clients reduce vendor onboarding from 12 weeks to 2 weeks with the right contract frameworks. New partnerships launch faster, capturing opportunities competitors miss.
Convert Compliance into Competitive Advantage: While others scramble during investigations, our clients use privacy certifications to win enterprise deals. We position your privacy program as a business enabler, not a cost center.
Protect Revenue Streams: Each enforcement action triggers customer questions, partner reviews, and potential contract losses. We implement monitoring that catches issues before they become headlines, protecting both reputation and revenue.
The operational reality we fix:
We don't just document requirements - we implement working solutions. Our team validates opt-out flows end-to-end. We align Privacy, IT, Marketing, and Legal into unified operations. We audit your HR tech stack for the job applicant requirements others haven't even noticed. We ensure vendor contracts match actual data flows.
The difference? We're former OneTrust employees who've seen what drives ROI and what drives investigations. We bridge the gap between privacy investment and business value, keeping you compliant and competitive.
Need help connecting privacy, marketing, legal, and vendor management into a functioning program? FLLR specializes in bridging organizational silos and implementing the technical requirements that regulators actually check.