September 30, 2025
Tractor Supply Co. to Pay $1.35M in CCPA Fines
The California Privacy Protection Agency imposed its largest privacy fine to date. National retailer Tractor Supply Company has been ordered to pay $1.35 million for a range of CCPA violations.

California continues vigorous enforcement of the California Consumer Privacy Act (CCPA), this time racking up a $1,325,000 fine against Tractor Supply Company, a nationwide retailer with over 2,500 stores.

The stipulated order, published by the California Privacy Protection Agency (CPPA), alleges that Tractor Supply violated the CCPA in a number of ways over a period covering July 2023 to July 2024. Here’s what we learned.

Opt-Outs That Don’t Opt-Out

Though we don’t get a lot of details, Tractor Supply was apparently using tracking technologies in ways that were considered either “selling” personal information or “sharing” personal information (i.e., using it for targeted advertising), or both. This triggered the requirement to give consumers a way to opt out.

While Tractor Supply did have a privacy request form on its site, the CPPA nonetheless found that the company fell short in a couple of ways.

  1. Opt-Outs Via the Privacy Form Did Nothing for Browser-Based Tracking
    If consumers submitted a Do Not Sell request on the request form, third-party trackers continued to operate. Tractor Supply did not offer any alternative opt-out method.
  2. No Response to Opt-Out Preference Signals
    Businesses are required to honor opt-outs via opt-out preference signals such as Global Privacy Control. Tractor Supply failed to do so.

Outdated Privacy Notices

Under the CCPA, businesses are required to review their privacy notices at least once a year, a requirement that Tractor Supply failed to meet. The company had not updated its privacy policy since 2021, and it showed.

The only statement regarding Californians’ privacy rights in the entire notice was a brief statement meant to satisfy California’s Shine the Light law, passed in 2003. 

Insufficient Notice for Employees and Applicants

The CCPA is the only data privacy law in the U.S. that applies to employees and job applicants as well as regular consumers. Businesses must provide full privacy disclosures in the employment context, including a description of the person’s privacy rights.

Tractor Supply did have a brief disclosure for employees and job applicants that described the categories of personal information to be collected and the purposes for processing that data, but this was not enough. Businesses must provide more information, such as categories of third parties that will receive the personal information, data retention periods, and most importantly, a description of the employee/applicant’s privacy rights and how to make a privacy request.

Missing Vendor Contracts

The CCPA requires businesses to meet certain contractual requirements for disclosing personal information to outside parties.

For service providers, this means a contract that:

  • Prohibits the selling or sharing of personal information;
  • Prohibits the use of the personal information outside of the direct business relationship between the two parties or using it for any other purpose; and
  • Prohibits combining the personal information with personal information from other sources.

On top of that, businesses must have a contract with all service providers, contractors, and third parties that meets the following requirements:

  • Specifies that personal information is being disclosed for limited and specified purposes;
  • Obligates the recipient to comply with all applicable obligations under the CCPA;
  • Grants the business the right to take reasonable steps to ensure that the data is being used in a compliant manner;
  • Requires the recipient to notify the business if it can no longer meet its CCPA obligations;
  • Grants the business the right to remediate any unauthorized use of the personal information.

Tractor Supply was missing such contracts for a number of its vendors. The CPPA has indicated it is paying special attention to these requirements when it comes to adtech vendors.

Don’t Be the Next Business to Get Fined

Privacy compliance is complicated, and even large retailers like Tractor Supply can underestimate what it takes to be compliant. They can also underestimate the risk involved in continuing to operate in a non-compliant or semi-compliant way. Enforcement has picked up dramatically, and businesses shouldn’t put off compliance any longer.

TrueVault helps businesses of all sizes get privacy compliant in as little as a few days, and stay that way for years to come. Using our guided workflows and automated integrations, you can quickly create a data map, publish privacy notices, be prepared to handle consumer requests, and more. Anyone can do it—no legal background required. Best of all, as new state laws are passed or old laws are amended, those changes are incorporated into your privacy dashboard at no extra cost!

Contact our team today to learn how TrueVault can help your business get compliant.

Disclaimer: This content is provided for general informational purposes only and does not constitute legal or other professional advice. Without limiting the foregoing, the content may not reflect recent developments in the law, may not be complete, and may not be accurate or relevant in an applicable jurisdiction. This content is not a substitute for obtaining legal advice from a qualified licensed attorney in the applicable jurisdiction. The content is general in nature and may not pertain to specific circumstances, so it should not be used to act or refrain from acting based on it without first obtaining advice from professional counsel qualified in the applicable subject matter and jurisdictions.
