Source: site
On Sept. 30, 2025, the California Privacy Protection Agency (CPPA) issued its largest enforcement fine to date, $1.35 million, in the first CPPA decision addressing privacy protections for job applicants. The settlement, which resolved Case No. ENF24-M-TR-04, followed an investigation triggered by a single consumer complaint and establishes important precedents for employment data privacy, opt-out mechanism implementation, and the CPPA’s investigative authority.
Investigation Background
The CPPA initiated an investigation into Tractor Supply Company in early 2024 following a consumer complaint in Placerville, Calif. The national farm and home improvement retailer — which operates 2,500 stores nationwide with 85 in California — initially resisted the scope of the agency’s investigative authority. Tractor Supply argued the agency’s enforcement powers began in 2023 when the CPPA finalized its first batch of regulations. The dispute escalated in August 2025 when the CPPA filed a petition in the Superior Court of California – Sacramento County to enforce its investigative subpoena.
However, as part of the settlement agreement, the company acknowledged “that the agency possesses broad authority to investigate potential violations of the privacy law, including those that occurred before Jan. 1, 2023.” This acknowledgment, made independent of the settlement terms, represents a significant precedent for the CPPA’s investigative reach. While the final settlement covers violations occurring between Jan. 1, 2023, and July 1, 2024, the retailer’s concession on investigative authority extends the CPPA’s enforcement reach to the law’s original 2020 effective date.
Violations
The CPPA alleged violations of California’s privacy laws in three critical areas:
1. Privacy Policy Failures
The CPPA held that Tractor Supply Company failed to maintain a current privacy policy, as required by law: its consumer-facing privacy policy had not been updated since 2021, a three-year gap in the legally required annual updates. More significantly for employers, the CPPA alleged the company failed to provide adequate privacy notices to job applicants and employees. This violation highlights California’s unique position as the only state whose comprehensive privacy law fully protects employee and job applicant data without an exemption, a requirement that became enforceable on Jan. 1, 2023.
2. Opt-Out Mechanism Deficiencies
The CPPA found that Tractor Supply failed to provide consumers with effective methods to opt out of the sale and sharing of their personal information. Critically, the company failed to honor Global Privacy Control (GPC) signals, a browser setting that transmits the consumer’s opt-out preference to every website visited. Under California law, businesses must treat a GPC signal as a valid opt-out request and process it without further action by the consumer.
3. Service Provider Contract Gaps
The retailer lacked proper contractual safeguards with service providers and other third parties handling personal information. The missing contract provisions included requirements limiting third-party use to specified business purposes, prohibiting retention of personal information for other purposes, and mandating CCPA compliance certification from service providers.
Settlement Terms
Tractor Supply is to pay the $1.35 million fine within 30 days of approval by the CPPA’s five-member board. The CPPA has acknowledged that the company has “substantially revised” its privacy practices since learning of the investigation in 2024 and has “remediated many of the issues” identified by the regulator.
However, the settlement requires comprehensive ongoing remedial measures:
- Scan digital properties at least quarterly to maintain a full and current inventory of tracking technologies deployed on websites and mobile applications
- Make opt-out request processes more “frictionless” for consumers by eliminating unnecessary verification steps and streamlining request forms
- Modify contract management processes to ensure all required contractual terms are in place with all external recipients of personal information by March 31, 2026
- Provide updated CCPA training to all personnel handling consumer data requests
- Have a corporate officer or director certify to the privacy agency its compliance with the settlement terms annually for the next four years
This officer-level certification requirement signals the CPPA’s expectation that privacy compliance is a board-level governance matter, not merely an operational function.
Broader Enforcement Context
This enforcement action continues the CPPA’s pattern of accelerating enforcement activity since the agency opened in December 2020. Previous notable fines included $632,500 against American Honda Motor Company and $345,178 against clothing retailer Todd Snyder. The agency has demonstrated particular focus on opt-out mechanism failures, service provider contract deficiencies, and “dark patterns” that impair consumer privacy choices.
The enforcement landscape is expanding beyond individual actions. In September 2025, the CPPA announced coordination with the attorneys general of California, Colorado and Connecticut on an investigative sweep focused on whether companies are honoring consumers’ opt-out requests. This shift toward multi-state collaborative enforcement signals that privacy violations could carry expanded geographic reach and impact, with potential coordinated penalties across multiple jurisdictions.
The agency recently finalized new regulations on Sept. 23, 2025, covering risk assessments, cybersecurity audits, and technologies using artificial intelligence, indicating continued regulatory expansion.
What This Means for Business
This enforcement action confirms that privacy compliance has moved beyond theoretical policy implementation to practical functionality scrutiny. Regulators are examining whether privacy mechanisms actually work as intended and protect consumer rights in real-world scenarios. The CPPA’s willingness to pursue a $1.35 million penalty demonstrates that privacy violations carry substantial financial risk, particularly when they affect multiple compliance areas simultaneously.
The inclusion of employment data violations carries particular significance for California employers and businesses hiring California residents. The CPPA has made clear it will actively police employer compliance with job applicant and employee privacy requirements, an area many businesses have not fully addressed despite the Jan. 1, 2023, effective date.
Recommended Actions
1. Review and Update Privacy Policies
Businesses subject to the CCPA should immediately audit their privacy policies to confirm annual updates as required by law. Employers must review their job applicant and employee privacy notices to ensure compliance with California’s employment data protection requirements. These notices must detail what personal information is collected during recruitment and employment, how it will be used, with whom it will be shared, and how individuals can exercise their rights to access, correct, and delete their information. Implement quarterly scanning of digital properties to maintain a current inventory of tracking technologies.
2. Audit Service Provider Contracts
Conduct a comprehensive audit of all service provider relationships to ensure contracts contain required CCPA provisions. These must include language limiting third-party use of personal information to specified business purposes, prohibiting retention or use for other purposes, and requiring certification of CCPA compliance understanding.
3. Strengthen Opt-Out Mechanisms
Test opt-out processes from the consumer’s perspective to identify friction points. Ensure Global Privacy Control signals are honored: systems must recognize the browser-based signal and treat it as a valid opt-out request, without requiring the consumer to log in, complete a form, or verify their identity. Eliminate unnecessary verification requirements that create barriers for consumers exercising privacy rights. The CPPA’s emphasis on “frictionless” processes means opt-out mechanisms should work with minimal steps and maximum clarity.
4. Enhance Training and Governance
Provide updated CCPA training for all personnel handling consumer privacy requests, with particular attention to the nuances of employment data protections. Establish clear escalation procedures for privacy-related issues and designate a corporate officer or director to oversee privacy compliance. Consider implementing annual officer-level certification of compliance, as the CPPA increasingly requires this governance structure in settlement agreements.
5. Monitor Multi-State Developments
Monitor enforcement developments beyond California, particularly coordination between state regulators. The September 2025 announcement of collaborative enforcement between California, Colorado and Connecticut indicates that privacy violations may trigger investigations across multiple jurisdictions simultaneously, multiplying both compliance burdens and potential financial exposure.
Conclusion
This case demonstrates that the CPPA is actively monitoring compliance across industries and will not hesitate to pursue substantial penalties for systematic privacy failures. Individual consumer complaints can trigger extensive investigations, and businesses that haven’t updated their privacy practices since 2023 face significant enforcement risk. Companies should act now to ensure their privacy programs meet not just the letter of the law, but the CPPA’s expectations for practical, effective consumer protection.