
Small Businesses: Pay Attention to the $1.35M California Privacy Complaint

Written by Kristen Neilson, SHRM-SCP, Communication Manager | Dec 5, 2025 8:41:23 PM

In a major privacy enforcement milestone, the California Privacy Protection Agency (CPPA) has announced its largest fine to date: $1.35 million against Tractor Supply Company for violating the California Consumer Privacy Act (CCPA). While it’s the most expensive penalty yet, what truly matters for small businesses is why it happened and what it signals moving forward.

If your small business operates a website, collects data through online forms, runs digital advertising, or accepts job applications from California residents, even if you’re based elsewhere, this case should be a wake-up call.

California's Privacy Fine Sends a Clear Message to Small Businesses Everywhere

It’s easy to assume California’s privacy laws only apply to tech companies or businesses with physical locations in the state. But the CPPA’s enforcement posture makes it clear: any business collecting personal data from Californians is within scope, even if you’re a small company based outside the state. The CPPA has the authority to enforce privacy laws against any business that collects personal data from Californians, including by investigating violations and issuing fines.

In this case, Tractor Supply was penalized for violating consumer privacy rights by:

  • Failing to maintain a privacy policy that properly informed consumers of their CCPA rights
  • Failing to provide an effective opt-out mechanism for consumers to stop the sale or sharing of their personal data
  • Ignoring browser-based opt-out preference signals (like Global Privacy Control)
  • Sharing personal data with other companies without proper contracts in place

This fine isn’t just about employment practices; it’s about how businesses treat all types of personal data, whether it comes from customers, site visitors, or applicants.

How a Privacy Complaint Happens: Filing, Investigation, and What Triggers Enforcement

Understanding how a privacy complaint unfolds under the California Consumer Privacy Act (CCPA) is essential for any business that handles the personal information of California consumers or job applicants. The California Privacy Protection Agency (CPPA) is the state’s dedicated watchdog, tasked with enforcing California privacy laws and ensuring that companies respect the privacy rights of California residents.

The process begins when a California resident believes their privacy rights have been violated. Perhaps their opt-out requests were ignored, their sensitive personal information was shared with third-party tracking technologies, or they weren’t properly informed through privacy notices.

Filing Complaints

Filing a complaint is straightforward: the CPPA provides an online complaint form that anyone can use to report suspected violations. This form asks for details about the business or company involved, the type of personal information at issue, and the nature of the alleged violation.

Complainants can choose to submit either a sworn complaint, which requires their contact information and a declaration under penalty of perjury, or an unsworn complaint, which can be submitted anonymously. While both types of complaints can trigger an investigation, sworn complaints often carry more weight and may allow the CPPA to follow up for additional details.

Investigating Complaints

Once a complaint is filed, the CPPA reviews the information to determine if there’s enough evidence to warrant an investigation. The agency has broad authority to investigate potential violations of the CCPA, including failures to honor opt-out preference signals, inadequate privacy practices, or improper sharing of personal information with other third parties. If the agency decides to move forward, it may contact the business in question, request documentation, and review privacy policies, contracts, and compliance procedures.

The investigation process is thorough. The CPPA examines whether the business has provided clear opt-out mechanisms, maintained compliant privacy notices, and established proper agreements with service providers and vendors. The agency also checks whether the business is honoring requests from California consumers and job applicants to access, delete, or opt out of the sale or sharing of their data.

Enforcing Action

If the CPPA finds that a business has violated the CCPA, it can take enforcement action. This may include imposing fines, requiring changes to privacy practices, or mandating ongoing compliance audits. The recent $1.35 million settlement with Tractor Supply Company is a prime example of how a single complaint can lead to significant penalties and long-term oversight.

For businesses, this process underscores the importance of proactive CCPA compliance. These enforcement actions are not limited to large corporations; any company that collects or processes the personal information of California residents is within the agency’s reach.

The Big Takeaways: Why This Enforcement Action Is a Game-Changer

Here are the key reasons this case matters, especially for small businesses.

1. Job Applicants and Consumers Share Equal Protection

Since 2023, California law has extended full privacy protections to employees, independent contractors, and job seekers, not just consumers. That means you must provide job applicants with privacy notices that include clear information about their privacy rights, just like you would for online shoppers or site users.

This dual focus means you’re responsible for how you handle everyone’s data, whether they are applying for a job, browsing your website, signing up for emails, or making a purchase.

2. Even One Complaint Can Lead to Massive Consequences

The CPPA opened this investigation after receiving a single complaint from a consumer in Placerville, California. That’s all it took to launch an in-depth investigation resulting in over a million dollars in penalties, mandatory audits, and long-term compliance requirements.

During an investigation, businesses are often contacted by the CPPA to provide information or respond to the complaint. For small businesses, this means customer service touch points, job portals, contact forms, and even cookie banners must be legally sound or risk becoming the next target.

3. The CPPA Is Expanding Enforcement Across All Industries

This fine follows similar recent penalties issued to:

  • Honda ($632,500)
  • Todd Snyder, a fashion retailer ($345,178)
  • Background Alert, a data broker forced to shut down
  • Over half a dozen unregistered data brokers penalized under the Delete Act

The CPPA's position is that it can investigate privacy violations across all industries, not just tech or large companies. Clearly, no industry is exempt, and small businesses cannot fly under the radar. If you handle Californians’ data in any way, you are a potential target.

4. Fixing It After the Fact Doesn’t Protect You

Tractor Supply reportedly began correcting privacy issues during the investigation, but the California Privacy Protection Agency still levied the full fine. This makes one thing clear: you can’t wait until after people file complaints to become compliant. Taking a proactive approach is your best defense.

5. Poor Vendor Contracts Are a Hidden Risk

Another major violation was Tractor Supply’s failure to use proper contracts with third-party vendors, especially those receiving or processing sensitive personal information from customers and applicants. These contracts must include:

  • Specific privacy protections
  • Clear data usage limitations
  • Requirements to honor opt-out signals and rights

These contracts must also comply with CCPA regulations regarding data sharing and privacy protections.

Many small businesses use platforms like CRMs, job boards, marketing tools, and payment processors, often without realizing they need updated, CCPA-compliant contracts.

Six Steps to Protect Your Small Business From a CCPA Violation

If you’re selling products online, collecting leads, or hiring remote talent, here are six immediate steps to align your business with CCPA requirements and avoid becoming a cautionary tale.

1. Update Your Privacy Notices for Both Consumers and Applicants

You need separate, clearly written privacy notices for:

  • Consumers (on your website or e-commerce platform)
  • Job applicants (linked on career pages or application forms)
  • Employees/contractors (delivered directly or through HR platforms)

When you write privacy notices, use clear and accessible language to ensure everyone can understand the information provided. These notices must explain what data you collect, why you collect it, how it’s shared, and how people can exercise their rights (access, delete, correct, or opt out).

2. Review Your Website’s Opt-Out Mechanisms

Your website must:

  • Include a “Do Not Sell or Share My Personal Information” link
  • Detect and respect browser-based opt-out signals (like Global Privacy Control)
  • Avoid using dark patterns or confusing language in cookie banners

Consider using a reputable consent management platform to manage cookies and track user preferences. 

3. Audit Third-Party Contracts and Data Sharing

Identify all vendors handling your consumer or applicant data, including:

  • Job platforms and HR systems
  • Ad tech and analytics partners
  • Email marketing or CRM tools

Ensure contracts include CCPA-required privacy terms, especially for data sharing, retention, and opt-out signal recognition. It's also important to keep supporting documentation for all third-party contracts and data sharing agreements.

4. Scan for Tracking Technologies

Inventory all cookies, scripts, pixels, and other tracking tools used on your site. Confirm:

  • Their purpose and data collection scope
  • Whether they share information with third parties
  • That you’re honoring all applicable opt-outs

Assign someone internally (or a consultant) to monitor and update your site regularly.

5. Maintain a Data Inventory and Retention Policy

Map out:

  • What personal data you collect
  • Where it’s stored
  • Who has access to the data
  • How long it’s kept
  • How deletion or correction requests are handled
  • When and how personal information is disclosed to third parties or regulators

This inventory helps you respond to requests and demonstrates accountability if investigated.

6. Train Your Team

Your team, especially those in HR, IT, marketing, and customer support, must understand your privacy obligations. Provide regular training on:

  • Identifying and processing privacy requests
  • Avoiding unnecessary data collection
  • Complying with CCPA when using new tools or platforms

Additionally, designate a specific person to oversee privacy compliance and handle privacy-related requests to ensure accountability and clarity in your processes.

What Happens If You Don’t Comply?

If you end up like Tractor Supply, you will face quarterly tracking audits, annual reports on privacy metrics, public certification of compliance by a company officer, ongoing vendor contract reviews, and $1.35 million in fines. Keep in mind this was all because of one consumer complaint.

In some cases, the CPPA may seek court orders to enforce compliance or collect penalties. For a small business, that level of oversight (or even a fraction of it) could be devastating.

The Bottom Line: California Privacy Laws Apply to You, Too

If you operate online, collect consumer data, or accept job applications from California residents, the CCPA likely applies to you, even if you’re based in Texas, Utah, Florida, or anywhere else in the U.S.

The CPPA is no longer just enforcing consumer protections; it is actively monitoring how businesses, both large and small, handle data across the board. This includes consumers, applicants, and contractors. 

This enforcement action has set a precedent for future privacy investigations and penalties. Don’t wait for a complaint. Start preparing now.

For more information on where to get started, contact your certified HR expert. Not a current Stratus HR client? Book a free consultation and our team will contact you shortly.

Sources:
https://cppa.ca.gov/pdf/20250930_tractor_supply_bd_sfo.pdf
https://cppa.ca.gov/announcements/2025/20250930.html