California Nails Tractor Supply on Privacy
Tractor Supply Co. has agreed to pay $1.35 million to settle charges with California regulators that the company violated the state’s tough data privacy law — the largest privacy fine in state history, and the state’s first enforcement action that extends to privacy rights for job applicants. Let’s take a look.
The California Privacy Protection Agency (CPPA) announced the settlement Tuesday morning. In addition to the fine, Tractor Supply also agreed to overhaul numerous privacy practices, such as the tracking technologies it uses to observe users on its website and the opt-out methods consumers can use to exclude themselves from data collection. The company must also submit an annual compliance certification to the CPPA signed by a senior officer for the next five years.
The fine alone makes this case newsworthy for compliance and privacy officers, since it’s more than twice as large as any fine we’ve seen in previous CCPA enforcement. Plus, the CPPA had previously sued Tractor Supply to enforce a subpoena the regulator had issued as part of its investigation. (That litigation is now moot as part of this settlement.)
In other words, if you want a case that demonstrates the CPPA’s enforcement appetite and the types of remediation it’s likely to impose, Tractor Supply is that example.
“We will continue to look broadly across industries to identify violations of California’s privacy law,” Michael Macko, the agency’s head of enforcement, said in a statement. “We made it an enforcement priority to investigate whether businesses are properly implementing privacy rights, and this action underscores our ongoing commitment to doing that for consumers and job applicants alike.”
‘False Impression’ of Opt-Outs
As described in the settlement order, one big issue was how Tractor Supply supposedly allowed website visitors to opt out of the sale or sharing of any personal data that Tractor Supply collected about them while they were on the company’s website. Under California’s privacy law, consumers have the right to opt out of such data sharing, and businesses must build a mechanism that allows them to exercise that opt-out right.
In theory, Tractor Supply met that obligation by including a “Do Not Sell My Personal Information” link at the bottom of each website page. When a user clicked on that link, he or she was whisked to a form that included a button expressly stating, “Do not sell my information.”
Except, even when a user clicked on that button, that didn’t switch off the third-party tracking technologies that Tractor Supply used on its website for advertising purposes. Those technologies kept collecting personal data and sharing it with other advertisers, even if the data wasn’t “sold.”
“Tractor Supply’s webform had no effect upon how the company shared consumers’ personal information through third party tracking technologies used for advertising purposes,” the CPPA order said, “leaving consumers with the false impression that Tractor Supply had stopped selling and sharing their personal information.”
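The failure the order describes is a preference that gets recorded but changes no data flow. One way to avoid it, as an added illustration (not Tractor Supply's code, and not a quotation from the order), is to gate every advertising tag behind the consumer's opt-out state and to have the "Do not sell" handler both persist that state and remove the sell/share tags already on the page. The cookie name, the vendor list and the purpose labels below are constructed for the example; the Global Privacy Control check reflects California's treatment of that browser signal as an opt-out preference.

```javascript
// Added example: consent-gated loading of third-party advertising tags.
// Cookie name and vendor registry are constructed for illustration.

const OPT_OUT_COOKIE = 'ccpa_opt_out'; // hypothetical cookie set by the "Do not sell" webform

// Constructed vendor registry: every tag the site loads, and why it is loaded.
// Only tags whose purpose is selling/sharing must be suppressed on opt-out;
// strictly necessary tags (e.g. fraud prevention) may remain.
const VENDORS = [
  { id: 'ads-pixel',   src: 'https://ads.example-vendor.net/pixel.js',    purpose: 'sell_share' },
  { id: 'retarget',    src: 'https://retarget.example-adtech.com/tag.js', purpose: 'sell_share' },
  { id: 'fraud-check', src: 'https://fraud.example-security.io/fp.js',    purpose: 'security' },
];

// Parse a document.cookie-style string into a map (pure function, so it runs in Node too).
function parseCookies(cookieHeader) {
  const out = {};
  for (const part of cookieHeader.split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const k = part.slice(0, idx).trim();
    if (k) out[k] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// Opt-out state comes from the webform cookie OR the browser's Global Privacy Control signal.
function isOptedOut({ cookieHeader = '', gpc = false } = {}) {
  if (gpc === true) return true;
  return parseCookies(cookieHeader)[OPT_OUT_COOKIE] === '1';
}

// Which vendor tags may load for this visitor.
function permittedVendors(optedOut, vendors = VENDORS) {
  return vendors.filter(v => !(optedOut && v.purpose === 'sell_share'));
}

// Browser entry point: inject only permitted tags. `doc` and `nav` are passed in
// so the logic can be exercised outside a browser.
function loadTags(doc, nav) {
  const optedOut = isOptedOut({ cookieHeader: doc.cookie, gpc: nav.globalPrivacyControl === true });
  const loaded = [];
  for (const v of permittedVendors(optedOut)) {
    const s = doc.createElement('script');
    s.src = v.src;
    s.async = true;
    s.dataset.vendor = v.id;
    doc.head.appendChild(s);
    loaded.push(v.id);
  }
  return loaded;
}

// Handler for the "Do not sell my information" button. Persisting the choice alone is the
// defect described above; the handler must also stop the sell/share tags. Removing a script
// element does not unwind code that already ran, so a reload (or the vendor's own opt-out
// API, where one exists) completes the job on the current page.
function handleOptOutClick(doc) {
  doc.cookie = `${OPT_OUT_COOKIE}=1; Max-Age=31536000; Path=/; Secure; SameSite=Lax`;
  const removed = [];
  for (const v of VENDORS) {
    if (v.purpose !== 'sell_share') continue;
    for (const el of doc.querySelectorAll(`script[data-vendor="${v.id}"]`)) {
      el.remove();
      removed.push(v.id);
    }
  }
  return removed;
}
```

In a real deployment the same `isOptedOut` decision should also drive server-side sharing (e.g. conversion uploads to ad platforms), since the CPPA's complaint was precisely that the form's effect stopped at the form.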
Second, the CPPA dinged Tractor Supply for the related failure to govern how its third parties used personal data that Tractor Supply had provided to them.
Businesses that collect personal data are allowed to share that data with others (assuming the customer’s consent), but California privacy law requires that business to enter into contracts with those third-party recipients. The contracts must identify the limited scope and purpose of the data, and the recipient must promise to use the data only for those stated purposes.
According to the CPPA, Tractor Supply didn’t comply with that part of the law too well. Some of its contracts did meet all the criteria; but too many others didn’t. Either they failed to define the scope and purpose, or didn’t require the third party to honor consumer opt-out requests, or didn’t bar the third party from reselling collected data yet again; or they flubbed some other requirement.
Bottom line: poor contract management was a big part of Tractor Supply’s errors here. Other privacy officers would do well to ponder whether their own contracts for data collection, sharing, and resale can hit all the requirements of California law.
A third misstep was Tractor Supply’s poor disclosure of privacy rights to job applicants. That’s new because California only started extending privacy protections to job applicants at the start of 2023, and I suspect we’ll see mishandling of job applicants more often in the future.
The offense itself was rather straightforward: an insufficient privacy disclosure statement included on the Careers section of Tractor Supply’s website. The statement did accurately say how Tractor Supply would collect and use personal data from applicants, but the statement “failed to provide job applicants with any notice of their privacy rights, nor any description of how to exercise those rights.”
That sounds like a boilerplate failure to me, one that other companies can easily correct.
Remediation Steps
As we mentioned earlier, Tractor Supply agreed to numerous reforms to its privacy practices. Among them…
Third-party tracking technologies. Tractor Supply will scan all its websites and other digital properties at least quarterly to inventory any tracking technologies that might be lurking there. That inventory must identify whether Tractor Supply believes that each tracking technology “is used for a selling or sharing purpose” and is supported by a compliant contract.
Opt-out methods. Tractor Supply must ensure “symmetry of choice” for consumers, meaning that its buttons to opt out of data sharing or collection must be of equal size and prominence to its buttons to opt in to data sharing. That holds whether the actual opt in/out process is a banner ad, a web form, or whatever else.
Job applicants. The company must email all employees and outside applicants to inform them that its privacy policies have been updated; and include a link to the new policies and a point of contact for follow-up questions.
Contract management. The company needs to upgrade its contract management and tracking systems so that for any external recipient of personal information, there’s a contract in place that includes all provisions required under California privacy law. (This part of the settlement must be completed by March 31, 2026.)
Annual certifications. An officer or director of the company must certify in writing that Tractor Supply remains in compliance with this settlement, every year from 2026 through 2030.
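The quarterly tracker inventory and the contract-management upgrade fit together: each third-party host observed on the site needs a declared purpose and a contract on file. As an added illustration (not the settlement's language or Tractor Supply's tooling), the following takes a list of resource URLs observed during a page load (as a crawler or `performance.getEntriesByType('resource')` would produce), drops first-party and non-HTTP entries, and joins the remaining hosts against a contract registry so that unknown hosts and sell/share vendors without a compliant contract surface as action items. All hostnames, the registry and the sample resource list are constructed for the example.

```javascript
// Added example: quarterly inventory of third-party tracking hosts, annotated with the
// compliance team's contract records. All domains and records below are constructed.

const FIRST_PARTY_SUFFIXES = ['example-retailer.com']; // constructed: the site's own domains

// Constructed contract registry keyed by vendor host.
const CONTRACT_REGISTRY = {
  'ads.example-vendor.net':      { purpose: 'sell_share', contractCompliant: true },
  'retarget.example-adtech.com': { purpose: 'sell_share', contractCompliant: false }, // e.g. no opt-out clause
  'fraud.example-security.io':   { purpose: 'security',   contractCompliant: true },
};

function isFirstParty(hostname) {
  return FIRST_PARTY_SUFFIXES.some(d => hostname === d || hostname.endsWith('.' + d));
}

// Group observed URLs by third-party host and annotate each host from the registry.
function buildInventory(resourceUrls) {
  const byHost = new Map();
  for (const raw of resourceUrls) {
    let u;
    try { u = new URL(raw); } catch { continue; }          // skip malformed entries
    if (!/^https?:$/.test(u.protocol) || isFirstParty(u.hostname)) continue; // skip data:/blob: and own hosts
    if (!byHost.has(u.hostname)) byHost.set(u.hostname, []);
    byHost.get(u.hostname).push(u.pathname);
  }
  const rows = [];
  for (const [host, paths] of byHost) {
    const rec = CONTRACT_REGISTRY[host];
    rows.push({
      host,
      requests: paths.length,
      purpose: rec ? rec.purpose : 'unknown',
      contractCompliant: rec ? rec.contractCompliant : false,
      // Unclassified hosts, and sell/share vendors without a compliant contract,
      // need to be resolved before the next certification.
      actionRequired: !rec || (rec.purpose === 'sell_share' && !rec.contractCompliant),
    });
  }
  return rows.sort((a, b) => a.host.localeCompare(b.host));
}

// Constructed sample of what a crawler might observe on one page load.
const SAMPLE_RESOURCES = [
  'https://www.example-retailer.com/app.js',
  'https://cdn.example-retailer.com/styles.css',
  'https://ads.example-vendor.net/pixel.js',
  'https://ads.example-vendor.net/collect?ev=pageview',
  'https://retarget.example-adtech.com/tag.js',
  'https://fraud.example-security.io/fp.js',
  'https://metrics.unknown-party.example/beacon.gif',
  'data:image/gif;base64,R0lGODlh',
];

// Hosts that the privacy team must act on, in sorted order.
function findingsNeedingAction(resourceUrls = SAMPLE_RESOURCES) {
  return buildInventory(resourceUrls).filter(r => r.actionRequired).map(r => r.host);
}
```

Running the scan from a clean browser profile matters: a personalized session can load a different set of tags than an anonymous visitor sees, so the inventory should cover both, and the opted-out state as well, to confirm that sell/share hosts actually disappear after opt-out.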
So in total, this case reminds us that privacy compliance is a formidable undertaking, where privacy officers need to work closely with IT and legal teams to build all the technical and contract management capabilities they’re going to need.
You also need to work closely with the marketing or sales teams, since a big risk here is the complicated nature of online advertising. It can involve lots of third parties moving on and off your website with those tracking technologies, and you’ll need some way to keep track of what those third parties and their technologies are doing with personal data generated by people on your website.
And until the U.S. government enacts a nationwide data privacy law (which will be never), the California Consumer Privacy Act is the toughest privacy law we have. Study this example and plan your privacy program accordingly.