The CPPA Means Business -- YOUR Business

October 23, 2025


Privacy Plus+


Privacy, Technology and Perspective

 

On the last day of September, in a decision likely to have a dramatic impact across the entire retail industry, the California Privacy Protection Agency (“CPPA”) imposed a $1.35 million penalty against nationwide retailer Tractor Supply Co. and is requiring a complete overhaul of Tractor Supply’s entire personal-data handling process.

 Ruling:  Like many companies, Tractor Supply Co. operates across California and many other states, selling directly to individual consumers as well as to businesses.  Acting on a consumer complaint, the CPPA found serious California privacy violations in four major categories:

  1. Failing to notify its consumers of their privacy rights;

  2. Failing to advise its job applicants of their privacy rights or how to exercise them;

  3. Failing to provide an effective opt-out of selling/sharing personal data, including through signals such as the Global Privacy Control; and

  4. Failing to require privacy protection by its vendors.

In addition to the $1.35 million fine, Tractor Supply must implement broad remedial measures and require a corporate officer or director to certify compliance annually for the next four years.

You can read more about the Tractor Supply decision by clicking on the following link:

https://cppa.ca.gov/announcements/2025/20250930.html

Significance:  Each of Tractor Supply’s four areas of violation carries a corresponding warning for all other businesses, including yours: 

  1. Privacy notices must be prominent, complete, and correct;

  2. Don’t forget your own employees and job applicants;

  3. You can no longer blandly declare that you “don’t accept (opt-out) signals.”  You must accept them – the Global Privacy Control appears to be the standard – and they must work inside your system; and

  4. Vendor controls are now critical. Your vendor contracts must contain proper privacy restrictions for personal information. 

For more information and analysis on the implications of the Tractor Supply decision, you can read this excellent article in CPO Magazine by clicking the following link:

https://www.cpomagazine.com/data-protection/broken-opt-outs-big-fines-tractor-supply-shows-privacy-enforcement-has-arrived-for-retail/

Additionally, you may read the following press release by the CPPA:

https://cppa.ca.gov/announcements/2025/20250930.html

Our Thoughts: 

1.     The Balance Has Shifted in Favor of Consumers.  The message from California is that, like it or not, a business can no longer vacuum up and integrate at will the personal data of its consumers, employees, or even job applicants – even if that forms the very foundation of its whole marketing and development strategy. The era of "collect first, ask questions later" is over.

2.     California Can't Be Ignored. California represents 14% of U.S. GDP and would be the world's 5th largest economy if it were a country. More importantly, California leads a multistate "Consortium of Privacy Regulators" that includes conservative states. This isn't just California anymore—it's a coordinated enforcement network that crosses political boundaries.

3.     Vendor Control Requires Contractual Overhaul. The Tractor Supply case makes clear that every contract involving personal data must include specific data protection controls. Anyone with signature authority must be required to attach privacy provisions to every contract they sign. Tractor Supply has until March 2026 to fix all vendor contracts—and must then conduct annual audits to prove compliance. This can't be optional or situational.

4.     Technical Systems Must Be Rebuilt.  Manual compliance is dead. Tractor Supply's "Do Not Sell My Personal Information" link led to a webform that did nothing—it didn't actually stop tracking technologies from sharing data with advertisers. Because data spreads automatically across multiple systems, it must be controlled automatically. Privacy notices must be accurate and followed. Opt-out signals (like Global Privacy Control) must be technically honored, not just acknowledged. This will strain IT departments and AI systems—but it's no longer negotiable.

5.     A Clear Enforcement Playbook Is Emerging. Regulators are systematically testing: broken opt-out mechanisms, Global Privacy Control compliance, privacy notices (including for job applicants), and third-party contracts. These aren't random audits—they're following a checklist. Tractor Supply failed on all four fronts.

6.     Leadership Will Need Courage. Oliver Wendell Holmes, Jr. once wrote about a fellow judge he admired: "If a contract struck [the judge] as gambling, he wouldn't hesitate to strike it down, even if doing so would encounter the daily practice of a whole horde of brokers."

Many General Counsels, Marketing Officers, and Directors may soon need that same courage—to say "no" to practices their companies have relied on for years, even when those practices drive revenue.

-- 

Hosch & Morris, PLLC is a boutique law firm dedicated to data privacy and protection, cybersecurity, the Internet and technology. Open the Future℠.

 

 

 
