CPPA Dings Tractor Supply for Opt-Out Failures, 'Deficient' Privacy Notices
The California Privacy Protection Agency assessed its largest-ever penalty, ordering Tractor Supply Co. to pay a $1.35 million fine and change its business practices, the CPPA said Tuesday. The company told Privacy Daily that it’s committed to compliance and addressed the privacy issues raised.
Sign up for a free preview to unlock the rest of this article
Privacy Daily provides accurate coverage of newsworthy developments in data protection legislation, regulation, litigation, and enforcement for privacy professionals responsible for ensuring effective organizational data privacy compliance.
The CPPA Board’s decision said that the rural lifestyle retailer failed to: maintain a privacy policy notifying consumers of their rights; notify California job applicants of their privacy rights and how to exercise them; and provide consumers with an effective opt-out mechanism, including through universal opt-out preference signals.
Also, the retailer disclosed personal information to other companies without entering into contracts that sufficiently protect privacy, the agency said.
Tractor Supply agreed to pay the fine and “implement broad remedial measures, such as scanning its digital properties to inventory tracking technologies, and require a corporate officer or director to certify compliance annually for the next four years,” the agency said.
"Tractor Supply takes our responsibilities to our Team Members, customers and applicants seriously," a company spokesperson said in an emailed statement. "We are committed to complying with all privacy laws and protecting the trust placed in us. The Company has already addressed the issues raised by the state of California."
The enforcement action came about two months after the CPPA filed a court petition (see 2508060070) alleging that the company, which has more than 2,500 outlets in 49 states, refused to be fully responsive to an investigative subpoena seeking information about its compliance with the California Consumer Privacy Act (CCPA). The agency said it will end that litigation given Tuesday’s resolution.
“We made it an enforcement priority to investigate whether businesses are properly implementing privacy rights, and this action underscores our ongoing commitment to doing that for consumers and job applicants alike,” said Michael Macko, the CPPA’s enforcement head. At a CPPA Board meeting Friday, Macko revealed that the agency has “hundreds” of investigations open, and in most cases the targeted businesses don’t know about them yet (see 2509260039).
The CPPA opened its investigation in 2024 in response to a consumer complaint, the agency’s order said. While based in Tennessee, Tractor Supply has more than 85 brick-and-mortar stores in California and also sells to Californians online, the order noted. The CCPA applies to the company because its annual gross revenue is $26.6 million, and it sells or shares personal information of 100,000 or more consumers or households, the agency said.
Tractor Supply’s do-not-sell link and webform didn’t effectuate consumers’ opt-out requests, the CPPA found. “Tractor Supply failed to align its process for accepting consumer requests to opt-out of sales/shares to CCPA requirements, and thus failed to honor these opt-out requests,” the order said. “Although Tractor Supply’s webform purported to allow consumers to opt-out of the sale of their personal information, completion of the webform did not opt-out consumers from the third-party tracking technologies that Tractor Supply used for advertising purposes. The webform also did not inform consumers where or how they could opt-out of Tractor Supply’s selling or sharing of their personal information through those technologies.” Consumers were left with a “false impression” that the company had stopped selling or sharing their information, the CPPA added.
Also, the company failed to process opt-out preference signals, such as from the Global Privacy Control, said the agency, which earlier this month announced a multistate sweep of GPC compliance (see 2509090045). Tractor Supply’s privacy policy didn’t explain how it processes such signals or how users can take advantage of them, and the company didn’t configure its website to honor universal opt-outs until July 2024, the order said.
The California agency also condemned the company’s privacy policy for failing to inform consumers about their rights under the CCPA or how to exercise them, and for not updating it annually. “Tractor Supply posted its privacy policy in September 2018, updated it in November 2021, and did not update it again until years later, after the company learned of the Agency’s investigation.” Also, it “failed to provide job applicants with any notice of their CCPA rights,” the order said of the Fortune 500 company that employs 50,000 people.
In addition, Tractor Supply failed to meet the CCPA’s requirement that “businesses that collect and disclose personal information to a third party, service provider, or a contractor … enter into a contract with the recipient containing certain terms,” the CPPA said. “Contracts with service providers or contractors must identify the limited and specified purposes for which the personal information can be used and must limit the recipient’s use of the personal information for only those purposes. The contracts must also require the recipient to comply with the CCPA and provide the same level of privacy protection that the CCPA requires of businesses.”