Privacy & Cybersecurity Law Blog

On September 26, 2025, the California Privacy Protection Agency (“CPPA”) issued a $1.35 million fine against Tractor Supply Company (“Tractor Supply”), the largest rural lifestyle retailer in the United States, for CCPA violations.

The CPPA’s investigation was prompted by a consumer complaint, with the CPPA demanding information about Tractor Supply’s privacy practices dating back to 2020. Tractor Supply challenged the CPPA’s authority to investigate past conduct predating implementation of the 2023 CCPA Regulations, but the CPPA maintained its broad investigation powers. See Hunton’s previous post here.

The CPPA determined that Tractor Supply failed to maintain a privacy policy that notified consumers of their rights, did not inform California job applicants of their privacy rights and how to exercise them, lacked effective mechanisms for consumers to opt out of the sale and sharing of their personal information, and disclosed personal information to other companies without entering into contracts that contained privacy protections.

In addition to paying the fine, Tractor Supply is required to implement significant changes to its privacy policies, including quarterly scans of its digital properties to inventory tracking technologies, improvements to its mechanisms for honoring opt-out requests, annual certification of compliance by a corporate officer or director for the next four years, and annual reviews and updates to contracts with third parties. The company must also review its privacy policies to ensure CCPA compliance, update its employee training, and publicly post privacy metrics for the next five years.