Privacy Daily is a service of Warren Communications News.
Employers' 'Wake-Up Call'

Tractor Supply Enforcement Moves Privacy Beyond Consumers

The $1.35 million California enforcement action against Tractor Supply Co. this week raised the bar for privacy compliance, emphasizing that privacy laws and rights extend beyond consumers, privacy lawyers and advocates said in interviews with Privacy Daily. The California Privacy Protection Agency (CPPA) found that the country's largest rural lifestyle retailer violated the California Consumer Privacy Act (CCPA) in several instances, including how it handled candidates for employment (see 2509300010).


“The focus on notices to job applicants … is the newsworthy item here,” said Usama Kahf, a Fisher Phillips privacy attorney: It was the first publicly announced enforcement action "in which the agency is finding violation for not having all the information required in the notice to job applicants." A Fortune 500 company, Tractor Supply has 50,000 employees serving more than 2,300 outlets in 49 states. 2024 revenue was $15 billion.

This “should be a wake-up call" for California employers, the lawyer added. Some non-consumer-facing businesses have not prioritized privacy compliance, even five years after the CCPA went into effect, because they believe they are low risk, he said.

“Just because you're in that zone doesn't mean that you have the luxury of sitting back and not worrying about" or "spending money on privacy compliance and compliance with the CCPA,” Kahf said. California is the only state with a comprehensive privacy law that covers employees and B2B personal information.

Susan Duarte, a privacy lawyer at Marashlian & Donahue, agreed. “It's sending the message that no one is immune; everyone should be in compliance, and that they're going to be checking every industry and looking under every rock,” she said.

In a sense, job applicants are like consumers in that “they're individuals ... and even if they're applying for a job, they should still be protected” and “able to exercise their privacy rights,” Duarte added.

The Electronic Privacy Information Center also welcomed “the CPPA’s attention to the privacy rights of Californians as workers as well as consumers,” EPIC said Thursday. “Over-collection of worker data, inappropriate downstream uses of such data, and the uses of automated decisionmaking systems impact workers’ ability to get hired, fairly assessed for performance, receive fair compensation, and protect job security.”

Alfred Brunetti, data privacy and security lawyer at Porzio Bromberg, in an email, said that “companies in scope of the CCPA need to expand their gaze (and compliance resources) to wider than the traditional marketplace ‘consumer’ and make sure the job applicants and employee rights are fully administered.”

ZwillGen Law's Alexei Klestoff agreed the action is "a clear signal that the CPPA is now focusing on HR practices and employment-related privacy rights."

Kahf emphasized employers shouldn't respond by simply providing notices to applicants. Instead, they must understand “the entire process from beginning to end ... When do you interact with people who are job applicants? How do you interact with them? What data is collected?” and “Where does the data go? Who uses it? How is it stored [and] disclosed? How long is it retained? What do you do with it after that?”

He noted that even for just a handful of positions, companies can get hundreds or thousands of applicants. “The exposure is very, very significant even for smaller businesses," he said. “This is why the penalties could be very, very significant.” Even if an individual didn't submit an application, the person still could be “an applicant if they went to the careers page to look for and to see if there's information about jobs."

An 'Interesting' Target

The fact that Tractor Supply was subject to a privacy settlement surprised several privacy lawyers and consumer advocates.

The CPPA’s choice to target a retailer is “really interesting,” underscoring that it's not limiting enforcement to tech companies, Hayley Tsukayama, associate director of legislative activism for the Electronic Frontier Foundation (EFF), said in an interview. “It's a good choice because it highlights how every company is collecting information and using it and really should be giving people these privacy rights that they're guaranteed under the law.”

It’s also significant that the investigation and subsequent large penalty began with a single customer’s complaint, said Tsukayama: EFF is excited to see the CPPA Enforcement Division starting to deliver big enforcement actions.

Laura Riposo VanDruff, consumer privacy, data security, and consumer protection lawyer at Kelley Drye, said this focus shows the additive nature of each enforcement action. “Thinking about companies with sensitive consumer information that might be an obvious regulator target,” Tractor Supply Co. likely wouldn’t make the list, she said. Yet a consumer complaint “opened this investigation and [it] resulted in this settlement.”

Before a company can think it's “flying under the radar," it must have done "the basics," she added. This includes making sure “that opt-outs are actually working, having a privacy policy that details consumers' privacy rights and is updated annually, and having appropriate contracts with service providers and with third parties.”

Other Takeaways

Duarte also weighed in on opt-outs, noting that “the ability to receive opt-out signals … seems to be a real big trend that's coming out of the CPPA.”

VanDruff added that even if a company has a Do Not Sell link, "that the consequence on the back end is to opt consumers out of behavioral advertising.”

“It's helpful that the agency underscored the importance of service provider and third-party contracts,” she added. “This is an aspect of the statute that requires legal attention but is also really fundamental to the law working in practice.”

Brunetti agreed: Tractor Supply “appeared to have the requisite forms, but they were not backed up by properly functioning mechanisms, so consumer rights were not honored in the actual practice.”

The settlement means there are “no more free passes or participation trophies for a company merely appearing to be compliant from its [user-experience] and policy language, the functionalities must actually work as intended,” Brunetti added. “Similarly, the CPPA will give little leeway, even if a lack of functionality could be attributed to your technology solutions vendors. [So,] ultimately if compliance is your obligation, the lack of compliance will be your problem.”

But Kahf said, “We've already known for quite a while that this is what the regulators are focusing on,” as “those are high-figure items.” In addition to looking at cookie-consent processes, “don't forget HR. Don't forget employment-related data. Don't forget employee data."

Klestoff agreed, noting those aspects of the settlement "shouldn’t surprise anyone."

The settlement “also tells you ... how easy it is to find these violations,” Kahf said. “All it takes is for somebody who has the checklist of” everything necessary for compliance, and after a couple of minutes on your website you “would know very quickly, do you have it, or do you not?”

But Duarte said that “a lot of companies are still struggling to catch up with all the state laws and have a privacy policy that's tailored for all of them.” It's a "challenge," she admitted.

The historic monetary penalty signals “the days of grace periods are over,” VanDruff said. Though both the CPPA and the state attorney general's office are “very happy to engage with companies,” the privacy law has been in effect for a while now, “and so the expectations for companies with respect to compliance … is getting higher.”

Another unique aspect of this situation was that the CPPA’s investigation into Tractor Supply was revealed in early August, after the agency filed a court petition alleging the retailer failed to comply with an investigative subpoena about its compliance with the CCPA (see 2508060070). At that time, several privacy professionals celebrated the agency for raising the regulatory stakes with the petition (see 2508070043).

The CPPA filed the court petition due to Tractor Supply challenging the agency's jurisdiction in the time period before the agency was established, noted Klestoff. He said the settlement addressed that by specifying that the covered period was limited to Jan. 1, 2023 through July 2024, "so the question of whether the CPPA has jurisdiction over acts pre-dating the agency’s creation remains open."

Brunetti also said “it’s important to cooperate early and often in investigations."

“It seems that [Tractor] Supply may have been less [than] accommodating in the early stages of the investigation (and the legal jousting over the investigative subpoena doesn’t seem to have done Supply any favors). So, it doesn’t feel like Supply received any grace by [entering] into a settlement only after the actual complaint was filed."

Duarte agreed. “It's better to cooperate than to not cooperate, especially if you don't want this getting out.”