When we last covered the CPPA’s first ever filing to compel Tractor Supply to comply with its investigative subpoena, a lot of folks thought it was the agency testing the waters and questioned whether the state could reach back and ask for documentation from companies predating July 1, 2023 – when the CCPA assumed full enforcement authority.

Well the CCPA acted fast. It hit Tractor Supply with a $1.35 million settlement – reportedly the largest fine to date – over the alleged violations of the California Consumer Privacy Act and acknowledged the CCPA’s authority to investigate violations even before January 1, 2023. According to the CCPA, Tractor Supply did not inform job applicants and customers of their privacy rights, failed to have service providers protect their personal data, and failed to offer consumers an easy opt out from data sales or sharing.

Along with the fine, Tractor has to tighten up its privacy practices, appoint a compliance office and certify compliance to the CCPA for the next four years, conduct an annual review of tracking technologies, third parties and contracts, provide quarterly inventories of tracking technologies and updates to how opt-out requests must be honored.

The Order also credits Tractor Supply’s remediation efforts – it says the company “substantially revised” its practices after becoming aware of the investigation and committed significant resources to fixing deficiencies.

The CPPA’s own framing underscores how central this Order is – it is not just another enforcement action, but a public statement of enforcement posture. By publishing this settlement the agency signals that it wants this case and its implications to be widely visible. The Order clarifies that the failure to pay the fine or comply with the terms could lead to enforcement in the California Superior Court and also gives the CCPA the right to seek attorney’s fees if it has to enforce any part of the Order.

“This action underscores our ongoing commitment to ensuring consumers and job applicants alike can exercise their privacy rights,” said Michael Macko, the agency’s head of enforcement.

The Order makes clear that the CPPA expects companies of all sizes to be proactive, not reactive, when it comes to privacy compliance. Even though Tractor Supply is a national retailer, the obligations outlined in the Order translate into practical lessons for small & mid-sized businesses. Annual certifications and audits show that the CPPA is looking for ongoing governance, not just one-time fixes. The required updates to job applicant notices remind companies that employee and applicant data are firmly within CCPA’s scope – an area that mid-sized businesses often overlook. The mandated reviews of tracking technologies and third-party contracts highlight the CPPA’s focus on vendor management – meaning smaller players cannot simply rely on “off-the-shelf” practices without verifying compliance.

Perhaps most importantly, the agency’s insistence on retroactive documentation shows that businesses should maintain records stretching back to January 1, 2020 when the CCPA became effective.

You can read the stipulated final order here.