California’s Privacy Protection Agency (CPPA) has issued a record fine of $1.35 million to Tractor Supply, a national retail chain with 2,500 stores across 49 states, for violating the California Consumer Privacy Act (CCPA). The agency alleges that the company failed to provide consumers and job applicants with clear notice of their privacy rights, neglected to offer effective opt-out mechanisms, and disclosed personal information without adequate contractual protections. This penalty marks the first time the CPPA has enforced the CCPA to protect job applicants, signaling its growing focus on data privacy compliance across industries.
The fine is the largest the CPPA has ever issued, underscoring the agency’s commitment to enforcing the CCPA’s stringent data privacy standards. The agency’s investigation revealed that Tractor Supply failed to maintain a privacy policy that informed customers of their rights, did not notify California job applicants of their privacy rights and how to exercise them, and did not provide an effective mechanism for opting out of the sharing and selling of personal information. The company also disclosed personal information to other companies without entering into contracts that contained privacy protections.
As part of the settlement, the company must conduct an inventory of its digital properties and tracking technologies and will have to certify its compliance with the CCPA for the next four years. The CPPA’s website states that it continues to actively enforce California’s cutting-edge privacy laws, emphasizing its role as a leader in data protection. This enforcement action aligns with the agency’s recent decisions against companies such as American Honda Motor Company and clothing retailer Todd Snyder, where similar violations were identified and addressed through financial penalties and compliance measures.
Additionally, the CPPA has secured a settlement agreement requiring data broker Background Alert to either shut down or pay a steep fine for promoting its ability to gather extensive personal information about individuals. The agency has also launched the bipartisan Consortium of Privacy Regulators to collaborate with states across the country to implement and enforce privacy laws nationwide. Furthermore, the CPPA is working with data protection authorities in Korea, France, and the United Kingdom to share information and strengthen privacy protections for Californians.
The agency has also taken action against more than half a dozen unregistered data brokers following an investigative sweep launched late last year. These enforcement actions collectively demonstrate the CPPA’s increasing vigilance in safeguarding consumer privacy and holding companies accountable for their data practices. As California continues to set a precedent in data privacy regulation, the CPPA’s efforts are likely to influence the broader national and international landscape of data protection policies.