CPPA issues record $1.35 million fine for data privacy failures

The California Privacy Protection Agency has issued the largest fine in its history, levied against Tractor Supply Company for multiple violations of the California Consumer Privacy Act.

10 October 2025 6 mins read
By Jay Hampshire
Written by humans


In brief:

  • The CPPA has issued a $1.35 million fine against Tractor Supply Company for multiple violations of the California Consumer Privacy Act
  • Multiple failures included not notifying consumers of their privacy rights, failing to update privacy policies, and mishandling consumer opt-out preferences
  • Alongside the fine, Tractor Supply Company will need to undertake broad remedial and compliance measures over the coming years

The California Privacy Protection Agency (CPPA) has issued a record fine of $1.35 million to Tractor Supply Company (Tractor Supply), America’s “largest rural lifestyle retailer,” for multiple violations of the California Consumer Privacy Act (CCPA) in a case that underscores the importance of firms being fully aware of all of their data compliance responsibilities.

Data harvesting

The CPPA’s investigation into Tractor Supply’s privacy practices found that the company had breached CCPA requirements around data privacy and protection related to the privacy rights of consumers and of job applicants. The investigation, which began after the CPPA received a complaint from a consumer in Placerville, California, found that, between January 1, 2023, and July 1, 2024, Tractor Supply had:

  • Failed to maintain a privacy policy that notified consumers of their rights
  • Failed to notify California job applicants of their privacy rights and how to exercise them
  • Not provided consumers with a means to opt out of the selling or sharing of their personal information
  • Disclosed personal information to other companies without entering into contracts requiring privacy protections

The CPPA’s order also summarizes other findings from the investigation, including that although Tractor Supply’s webform “purported to allow consumers to opt-out of the sale of their personal information,” completing the form did not opt those consumers out of the third-party tracking and cookie technologies that the company used for advertising purposes. Consumers were also not informed of how they could opt out of having their data sold or shared via third-party technologies.

It was also found that Tractor Supply first planted its privacy policy on its website in September, only subsequently updating the policy in November 2021 and then again after the company learned of the CPPA investigation – a failure to meet the CCPA requirement for privacy policies to be reviewed and updated annually.

———————————————————————————————————————————————————–

What is the California Consumer Privacy Act (CCPA)?

The CCPA, first implemented in 2018, grants residents of California rights to access and delete personal information and to opt out of data sales to protect their privacy. These rights include:

  • The Right to Know what personal information a business collects about them, how it is used, and how it is shared
  • The Right to Delete personal information collected through making deletion requests
  • The Right to Opt-out of the sale or sharing of personal information
  • The Right to Non-discrimination in exercising their CCPA rights

Although the CCPA is a state-based regulation, businesses based geographically outside of California may also be subject to it if they meet certain criteria, including deriving 50% or more annual revenue from selling California residents’ personal information, or if they buy, sell, or share the information of 100,000 or more California residents or households.

———————————————————————————————————————————————————–

You reap what you sow

Tractor Supply’s multiple failures to support consumers in exercising their rights, and its lack of transparency in making consumers aware of those rights, resulted in the company receiving a historic fine from the CPPA, replacing Google’s $93 million fine from 2023. The CPPA also expects Tractor Supply to implement a “broad range” of remedial compliance measures going forward, including:

  • Reviewing its privacy policies to ensure they comply with the CCPA.
  • Conducting a quarterly scan of digital properties and inventory tracking technologies.
  • Updating opt-out methodologies to ensure greater transparency for consumers and meet CCPA requirements.
  • For a period of four years, providing the CPPA’s enforcement division with a written certification of compliance signed by an officer or director.

To its credit, Tractor Supply seemed ready to field the CPPA’s difficult questions. The regulator “recognizes and credits” the firm’s remediation efforts, with Tractor Supply having “produced thousands of pages of documents, answered the Agency’s questions, [and] met with the agency numerous times.” The company has “substantially revised” its practices and remediated many of the issues by “committing substantial financial and other resources” to compliance.

While this did not result in a mitigated penalty, the CPPA is yet another regulator that appreciates firms proactively cooperating with investigations and undertaking early remediation actions.

Plowing on

The CPPA summarized that this case “underscores the need for businesses to review their privacy notices and opt-out mechanisms.” Michael Macko, head of enforcement at the CPPA, said:

“We will continue to look broadly across industries to identify violations of California’s privacy law. We made it an enforcement priority to investigate whether businesses are properly implementing privacy rights, and this action underscores our ongoing commitment to doing that.”

While financial services regulators like the Securities and Exchange Commission (SEC) may be consciously scaling back the pace of their enforcement actions, regulators like the CPPA are clearly not cowed and are standing ready to fill the regulatory gap and issue hefty fines. Firms need to ensure that their data governance and capture practices adhere to all relevant regulations.

Clearly, the CPPA is ready to act “across industries,” and organizations must take note. Whether it’s putting old opt-in approaches out to pasture, or reviewing which third parties you farm data out to, an (agri)cultural change is needed to ensure data privacy regulations are prioritized – and that the “John Does” (or in this case, John Deeres) that want to remain anonymous have the power to do so.


The bedrock of effective data governance is a reliable, secure, and scalable compliant archiving solution. From quickly searching and sourcing required data to meet regulatory investigation or legal demands to leveraging powerful eDiscovery tools, the right solution can make the difference between spotting a risk in time or facing a fine.
