Small Businesses: Pay Attention to the $1.35M California Privacy Complaint

In a major privacy enforcement milestone, the California Privacy Protection Agency (CPPA) has announced its largest fine to date: $1.35 million against Tractor Supply Company for violating the California Consumer Privacy Act (CCPA). While it’s the most expensive penalty yet, what truly matters for small businesses is why it happened and what it signals moving forward.

If your small business operates a website, collects data through online forms, runs digital advertising, or accepts job applications from California residents, even if you’re based elsewhere, this case should be a wake-up call.

California's Privacy Fine Sends a Clear Message to Small Businesses Everywhere

It’s easy to assume California’s privacy laws only apply to tech companies or businesses with physical locations in the state. But the CPPA’s enforcement posture makes it clear: any business collecting personal data from Californians is within scope, even if you’re a small company based outside the state. The CPPA has the authority to enforce privacy laws against any business that collects personal data from Californians, including by investigating violations and issuing fines.

In this case, Tractor Supply was penalized for violating consumer privacy rights by:

• Failing to maintain a privacy policy that properly informed consumers of their CCPA rights
• Failing to provide an effective opt-out mechanism for consumers to stop the sale or sharing of their personal data
• Ignoring browser-based opt-out preference signals (like Global Privacy Control)
• Sharing personal data with other companies without proper contracts in place

This fine isn’t just about employment practices; it’s about how businesses treat all types of personal data, regardless of it being from customers, site visitors, or applicants.

How a Privacy Complaint Happens: Filing, Investigation, and What Triggers Enforcement

Understanding how a privacy complaint unfolds under the California Consumer Privacy Act (CCPA) is essential for any business that handles the personal information of California consumers or job applicants. The California Privacy Protection Agency (CPPA) is the state’s dedicated watchdog, tasked with enforcing California privacy laws and ensuring that companies respect the privacy rights of California residents.

The process begins when a California resident believes their privacy rights have been violated. Perhaps their opt out requests were ignored, their sensitive personal information was shared with third party tracking technologies, or they weren’t properly informed through privacy notices.

Filing Complaints

Filing a complaint is straightforward: the CPPA provides an online complaint form that anyone can use to report suspected violations. This form asks for details about the business or company involved, the type of personal information at issue, and the nature of the alleged violation.

Complainants can choose to submit either a sworn complaint, which requires their contact information and a declaration under penalty of perjury, or an unsworn complaint, which can be submitted anonymously. While both types of complaints can trigger an investigation, sworn complaints often carry more weight and may allow the CPPA to follow up for additional details.

Investigating Complaints

Once a complaint is filed, the CPPA reviews the information to determine if there’s enough evidence to warrant an investigation. The agency has broad authority to investigate potential violations of the CCPA, including failures to honor opt out preference signals, inadequate privacy practices, or improper sharing of personal information with other third parties. If the agency decides to move forward, it may contact the business in question, request documentation, and review privacy policies, contracts, and compliance procedures.

The investigation process is thorough. The CPPA examines if the business has provided clear opt out mechanisms, maintained compliant privacy notices, and established proper agreements with service providers and vendors. The agency also checks if the business is honoring requests from California consumers and job applicants to access, delete, or opt out of the sale or sharing of their data.

Enforcing Action

If the CPPA finds that a business has violated the CCPA, it can take enforcement action. This may include imposing fines, requiring changes to privacy practices, or mandating ongoing compliance audits. The recent $1.35 million settlement with Tractor Supply Company is a prime example of how a single complaint can lead to significant penalties and long-term oversight.

For businesses, this process underscores the importance of proactive CCPA compliance. These enforcement actions are not limited to large corporations; any company that collects or processes the personal information of California residents is within the agency’s reach.

The Big Takeaways: Why This Enforcement Action Is a Game-Changer

Here are the key reasons this case matters, especially for small businesses.

1. Job Applicants and Consumers Share Equal Protection

Since 2023, California law has extended full privacy protections to employees, independent contractors, and job seekers; not just consumers. That means you must provide job applicants with privacy notices that include clear information about their privacy rights, just like you would for online shoppers or site users.

This dual focus means you’re responsible for how you handle everyone’s data, from applying for a job and browsing your website, to signing up for emails or making a purchase. 

2. Even One Complaint Can Lead to Massive Consequences

The CPPA opened this investigation after receiving a single complaint from a consumer in Placerville, California. That’s all it took to launch an in-depth investigation resulting in over a million dollars in penalties, mandatory audits, and long-term compliance requirements.

During an investigation, businesses are often contacted by the CPPA to provide information or respond to the complaint. For small businesses, this means customer service touch points, job portals, contact forms, and even cookie banners must be legally sound or risk becoming the next target.

3. The CPPA Is Expanding Enforcement Across All Industries

This fine follows similar recent penalties issued to:

• Honda ($632,500)
• Todd Snyder, a fashion retailer ($345,178)
• Background Alert, a data broker forced to shut down
• Over half a dozen unregistered data brokers penalized under the Delete Act

The CPPA's position is that it can investigate privacy violations across all industries, not just tech or large companies. Clearly, no industry is exempt, and small businesses cannot fly under the radar. If you handle Californians’ data in any way, you are a potential target.

4. Fixing It After the Fact Doesn’t Protect You

Tractor Supply reportedly began correcting privacy issues during the investigation, but the California Privacy Protection Agency still levied the full fine. This makes one thing clear: you can’t wait until after people file complaints to become compliant. Taking a proactive approach is your best defense.

5. Poor Vendor Contracts Are a Hidden Risk

Another major violation was Tractor Supply’s failure to use proper contracts with third-party vendors, especially those receiving or processing sensitive personal information from customers and applicants. These contracts must include:

• Specific privacy protections
• Clear data usage limitations
• Requirements to honor opt-out signals and rights

These contracts must also comply with CCPA regulations regarding data sharing and privacy protections.

Many small businesses use platforms like CRMs, job boards, marketing tools, and payment processors, often without realizing they need updated, CCPA-compliant contracts.

Six Steps to Protect Your Small Business From a CCPA Violation

If you’re selling products online, collecting leads, or hiring remote talent, here are six immediate steps to align your business with CCPA requirements and avoid becoming a cautionary tale.

1. Update Your Privacy Notices for Both Consumers and Applicants

You need separate, clearly written privacy notices for:

• Consumers (on your website or e-commerce platform)
• Job applicants (linked on career pages or application forms)
• Employees/contractors (delivered directly or through HR platforms)

When you write privacy notices, use clear and accessible language to ensure everyone can understand the information provided. These notices must explain what data you collect, why you collect it, how it’s shared, and how people can exercise their rights (access, delete, correct, or opt out).

2. Review Your Website’s Opt-Out Mechanisms

Your website must:

• Include a “Do Not Sell or Share My Personal Information” link
• Detect and respect browser-based opt-out signals (like Global Privacy Control)
• Avoid using dark patterns or confusing language in cookie banners

Consider using a reputable consent management platform to manage cookies and track user preferences. 

3. Audit Third-Party Contracts and Data Sharing

Identify all vendors handling your consumer or applicant data, including:

• Job platforms and HR systems
• Ad tech and analytics partners
• Email marketing or CRM tools

Ensure contracts include CCPA-required privacy terms, especially for data sharing, retention, and opt-out signal recognition. It's also important to keep supporting documentation for all third-party contracts and data sharing agreements.

4. Scan for Tracking Technologies

Inventory all cookies, scripts, pixels, and other tracking tools used on your site. Confirm:

• Their purpose and data collection scope
• Whether they share information with third parties
• That you’re honoring all applicable opt-outs

Assign someone internally (or a consultant) to monitor and update your site regularly.

5. Maintain a Data Inventory and Retention Policy

Map out:

• What personal data you collect
• Where it’s stored
• Who has access to the data
• How long it’s kept
• How deletion or correction requests are handled
• When and how personal information is disclosed to third parties or regulators

This inventory helps you respond to requests and demonstrates accountability if investigated.

6. Train Your Team

Your team, especially those in HR, IT, marketing, and customer support, must understand your privacy obligations. Provide regular training on:

• Identifying and processing privacy requests
• Avoiding unnecessary data collection
• Complying with CCPA when using new tools or platforms

Additionally, designate a specific person to oversee privacy compliance and handle privacy-related requests to ensure accountability and clarity in your processes.

What Happens If You Don’t Comply?

If you end up like Tractor Supply, you will face quarterly tracking audits, annual reports on privacy metrics, public certification of compliance by a company officer, ongoing vendor contract reviews, and $1.35 million in fines. Keep in mind this was all because of one consumer complaint.

In some cases, the CPPA may seek court orders to enforce compliance or collect penalties. For a small business, that level of oversight (or even a fraction of it) could be devastating.

The Bottom Line: California Privacy Laws Apply to You, Too

If you operate online, collect consumer data, or accept job applications from California residents, the CCPA likely applies to you - even if you’re based in Texas, Utah, Florida, or anywhere else in the U.S.

The CPPA is no longer just enforcing consumer protections; it is actively monitoring how businesses, both large and small, handle data across the board. This includes consumers, applicants, and contractors. 

This enforcement action has set a precedent for future privacy investigations and penalties. Don’t wait for a complaint. Start preparing now.

For more information on where to get started, contact your certified HR expert. Not a current Stratus HR client? Book a free consultation and our team will contact you shortly.

Sources:
https://cppa.ca.gov/pdf/20250930_tractor_supply_bd_sfo.pdf
https://cppa.ca.gov/announcements/2025/20250930.html