A record fine levied by the California Privacy Protection Agency against the nation's largest rural lifestyle retailer in September, say cybersecurity and data privacy attorneys, signals a trend of "escalating" digital privacy law enforcement in the state—as well as heightened scrutiny of retailers and their management of employee and job applicant data.
On September 30, the CPPA announced it had issued a decision ordering Tractor Supply Company, a provider of home improvement goods and farm supplies, to pay a $1,350,000 fine to resolve claims it violated the California Consumer Privacy Act. Tractor Supply, based in Brentwood, Tennessee, operates more than 2,500 stores in 49 states, with 97 locations in California, per its website.

According to the CPPA, the fine is the steepest in the agency's history—and, say experts, puts all companies that do business in California on notice. The decision is also "the first to address the importance of CCPA privacy notices and privacy rights of job applicants," the CPPA said in a news release.

Tractor Supply's CCPA violations, the agency said, were four-pronged, including failure to notify consumers of their rights in its online privacy policy; failure to notify California job candidates of their rights and "how to exercise them"; failure to provide an effective mechanism for consumers to opt out of or express a preference on the sale of their data; and the disclosure of consumers' personal information to third parties without adequate privacy protections.

This enforcement action by the CPPA, said Matthew Richardson, a partner at Brown Rudnick in Washington, D.C., who specializes in data privacy and cybersecurity, highlights an "escalating trend" in California's privacy space: Instead of an attorney general reacting to large data breaches or consumer-focused problems, the state is taking a "proactive" approach to the enforcement of citizens' privacy rights.

Though California is leading the charge because it has the "legislative framework" in place to enforce privacy regulations, personal and class privacy litigation is sweeping states throughout the nation as plaintiff's firms "realize that this is a cash cow because so few businesses ... are prepared to fulfill all of the minutiae of these privacy laws," Richardson said.

"This should concern every business that has any footprint at all in California. Failure to have even the simplest privacy policy will result in a fine—potentially not of the size of this, but a relatively large fine. And that's a massive departure from where we've been before."

The Tractor Supply decision's implications for businesses at the regulatory level could be staggering, he added, as the agency asserts an "almost unassailable power of fining."

"And we’re seeing an attorney general and—and, in fact, attorneys general across the United States—realizing that this is a good way for them to get easy runs on the board because they know that most companies aren't complying with this and that they'll either settle or, if it goes to trial … the attorney general is probably going to win," he said.

'People, Process and Technology'

The landmark fine, which arises from a complaint filed with the agency by a consumer in Placerville, California, follows on the heels of a wave of similar digital privacy enforcement actions in the state, including decisions ordering American Honda Motor Co. and clothing retailer Todd Snyder to pay six-figure fines and revamp their privacy protection practices in the spring of 2025 over alleged violations of the CCPA.

But what distinguishes this most recent settlement from the actions that preceded it is not just the size of the fine, said Justine Phillips, co-chair of the data & cyber practice group for North America at Baker McKenzie in Los Angeles, but its emphasis on the protection of employee, HR and applicant data—which, she said, is "unique" to California.

"This signals that there will be a priority to ensuring that consumers in California—whether they're retail consumers, employees, applicants—that they will be looking at those issues and ensuring that companies really look closely at their disclosures, what's posted on their websites, making it easy on consumers, having very customized and specific notices," she said.
Tailoring online privacy disclosures to different website users and discarding a "one-size-fits-all" approach to the CCPA will be the way forward for businesses operating in California, she added.

"And I think that the CPPA is going to continue to be active," she said. "They’re going to continue to use technology to audit companies, and that good governance will require harmonized people, process and technology across the enterprise."

The CPPA's trend of targeting retailers and focusing on employee data, said Sadia Mirza, leader of the incidents and investigations group at Troutman Pepper Locke in Orange County, will only continue to ramp up after the CCPA expanded its scope in Jan. 2023 to afford the same privacy protections for workers as it does for consumers.

"All the other states that have proxy laws have carved out employee or applicant data for the most part. But California has maintained that position," said Mirza. "I feel like this is California saying, 'Look, we know that the other states aren't looking at employee data,' but it demonstrates their commitment to this issue, signaling that they're aware of their unique position and they are determined to ensure compliance."

Impact on Compliance and Privacy Litigation

To avoid digital privacy enforcement actions in California, said Mirza, companies need to give consumers two mechanisms to opt out of the sale or sharing of their personal information to third parties. Tractor Supply, she said, included a link at the bottom of its website stating "Do not sell my personal information," which led to a web form allowing visitors to opt out of the selling and sharing of their data—but did not provide disclosures about or the choice to opt out of cookies and online data collection technology.

"That's where I think ... businesses are falling short, is they're setting up these web forms and … it looks right, everything looks correct on the website, but then you have to think about: Is the mechanism that I've set up actually going to stop the selling and sharing of consumer's information, or do I need to do something more?" she said. "There's got to be something that says, ‘Hey, by the way, we also sell your information through cookies and online collection technologies in order to stop that. Here are the steps you can take. You can broadcast a signal, you can change your cookie preferences, you can use our cookie consent tool to manage the tracker on your page.’ You’ve got to address both."

Companies that are inundated with consumer complaints, handle sensitive information such as medical data or interact with vulnerable populations will be more at risk of enforcement actions, she added.

Phillips said that though CCPA enforcement actions are strictly within the purview of the state attorney general and the CPPA, the fine may still embolden the plaintiff's bar.

"The settlement makes clear that there was a disconnect between what was represented in the web form … and what the law requires," she said. "So I think that there is a likelihood that plaintiff's firms will read that and see arguments they could make under various private right of actions under Business and Professions Code § 17200 and [Unfair Competition Law] claims."