October 20, 2025
On September 30, 2025, following an investigation triggered by a consumer complaint, the California Privacy Protection Agency (CPPA) issued a final order against Tractor Supply Company (“Tractor Supply”), a farm, ranch and rural lifestyle retailer, for violations of the California Consumer Privacy Act (CCPA).
The enforcement action imposes a $1.35 million administrative fine — the largest from the CPPA to date — and requires the company to take significant corrective steps. The CPPA’s investigation focused on Tractor Supply’s consumer and job applicant privacy notice disclosures, opt-out mechanisms, opt-out preference signal processing and contracting practices related to online tracking technologies and advertising partners.
The order requires Tractor Supply to implement broad compliance measures spanning opt-out processing and preference signal recognition, symmetry of choice in cookie banners and consent tools, annual privacy notice updates, workforce training, contract remediation across service providers, contractors, and third parties, annual metrics and certifications, and multi-year audits of tracking technologies and counterparties. These themes echo other recent CCPA cases and show that such enforcement actions are becoming more common and can lead to significant statutory penalties.
The case centered on four key violations of the CCPA:
1. Failure to honor opt-out requests. Tractor Supply’s “Do Not Sell My Personal Information” link routed to a privacy request web form. However, submitting a “do not sell” request via the form did not stop the selling/sharing of data through third-party tracking technologies used for advertising, leaving consumers with a misleading impression that their opt-outs were effective.
2. Failure to process opt-out preference signals (including the Global Privacy Control (GPC)) during the relevant period. The company failed to recognize or apply opt-out signals on its website until July 2024. In addition, its privacy notice did not explain how such signals would be processed or how consumers can use an opt-out preference signal.
3. Inadequate privacy notice disclosures and failure to update them annually. The company’s public-facing privacy notice and job applicant privacy notice lacked the disclosures required under the CCPA. In addition, the company did not make annual updates to its public-facing privacy notice during the period under review (January 2023 through July 2024).
4. Deficient contracts with service providers, contractors, and third parties engaged in cross-context behavioral advertising. Certain agreements lacked terms mandatory under the CCPA.
1. The CPPA continues to focus on non-compliance with opt-out requests. Companies must stop all downstream selling/sharing whenever a consumer opts out, whether by a dedicated link, a webform, or an opt-out preference signal. A webform that does not implement opt-out across tracking technologies may be viewed as noncompliant and misleading. The CPPA also emphasized symmetry of choice in pop-up banners and consent management platforms. In addition to honoring opt-out preference signals, it’s important that the relevant privacy notices explain how the consumer can use an opt-out preference signal and how signals are processed (i.e., whether the signal applies to the device, browser, consumer account, and/or offline sales, and in what circumstances).
2. Privacy notices must be complete, accurate, and updated annually. Required disclosures include categories of personal information collected, sources, purposes, selling/sharing/disclosure practices, recipient categories, and clear instructions on how to exercise CCPA rights, including the use and effect of opt-out preference signals.
3. Workforce and job applicant data are squarely within the scope of the CCPA. Since January 1, 2023, there is no CCPA exemption for employee and job applicant data. Employee- and applicant-facing disclosures and processes must describe CCPA rights and how to exercise them.
4. Contracts with relevant vendors must meet prescriptive regulatory terms. Agreements must include specific contractual terms, including purpose limitations, bans on the selling/sharing of data by service providers, CCPA compliance commitments, downstream honoring of opt-outs, audit/monitoring and remediation rights, and notification duties. Clickwrap or platform terms are not exempt – companies are responsible for ensuring these terms meet statutory requirements.
5. Enforcement activity and penalties are rising. This matter, alongside other recent settlements, signals that opt-out execution, tracking technology governance, and contract hygiene remain top CPPA priorities and will carry meaningful financial, reputational and operational consequences. In addition, remediation credit helps but does not eliminate liability. The CPPA credited post-investigation remediation in this case but still imposed a seven-figure penalty and extensive future obligations.
1. Ensure that opt-out mechanisms, including any webforms or cookie banners, are properly configured and allow consumers to exercise their privacy rights. Consider separating the opt-out request mechanism from other consumer rights mechanisms.
2. Configure websites and mobile apps to detect and effectuate the GPC and other opt-out preference signals in a frictionless manner, applying them to known consumers.
3. Incorporate symmetry of choice in your cookie banners and consent management platforms by ensuring “Reject” options match “Accept” in size and design.
4. Update and maintain comprehensive privacy notices annually. Incorporate all required disclosures, including all consumer rights, how to exercise them, and how opt-out preference signals will be processed and can be used by consumers.
5. Extend disclosures and rights mechanisms to job applicants and employees. Provide clear, accessible applicant and employee privacy notices describing CCPA rights and exercise pathways. All company careers pages should contain a relevant privacy notice. Notify the workforce of updates and provide points of contact for questions and rights requests.
6. Ensure all agreements with service providers, contractors, and third parties contain the required terms. Review and, where necessary, renegotiate clickwrap/platform terms. Regularly audit these entities to confirm CCPA and contract compliance.
7. Continually monitor third-party consent management tools and consumer request webforms. Ensure they are configured properly and comply with all consumer requests.
8. Train personnel who handle CCPA requests and AdTech operations.
9. Businesses that collect large amounts of personal information (as defined under CCPA Regulations Section 7102) should ensure they disclose metrics related to CCPA consumer rights requests. This disclosure should be found within the privacy notice or posted on the website, and accessible from a link in the privacy notice.
Early, proactive compliance remains the most cost-effective strategy. Our team helps companies build out and maintain robust, tailored compliance programs. We recommend companies continue to monitor these recent enforcement trends and to engage with counsel to review their opt-out, privacy notice and third-party vendor practices. Please reach out to your Orrick contact or one of the authors (Shannon Yavorsky or Tori Downey) for more information.