Open office with workers at computer workstations

Last reviewed: June 29, 2026. Facts verified against the CPPA Stipulated Final Order and current legal commentary. What changed: the $1.35M Tractor Supply settlement has since been overtaken as California's largest CCPA penalty by the May 8, 2026 General Motors / OnStar $12.75M action; the CPPA's Delete Request and Opt-Out Platform (DROP) surpassed 300,000 signups on June 2, 2026; CalPrivacy formally opposed federal preemption of state privacy laws on June 3, 2026. Details and citations appended below.

TL;DR: On September 30, 2025, California's Privacy Protection Agency issued its largest-ever fine ($1.35 million) against Tractor Supply Company for multiple privacy violations. This landmark case is the first CPPA enforcement action addressing job applicant data rights, signaling that HR data is now a seven-figure compliance risk. The company failed to inform job applicants of their CCPA rights, did not honor universal opt-out signals like Global Privacy Control (GPC), and maintained an ineffective "Do Not Sell" webform that failed to prevent data sharing through third-party trackers.

A Watershed Enforcement Action

On September 30, 2025, the California Privacy Protection Agency (CPPA) announced a landmark $1.35 million settlement with Tractor Supply Company, the largest fine in the agency's history.[1, 2] What began as a single consumer complaint has evolved into a watershed moment in California privacy enforcement, marking the first time the CPPA has explicitly addressed violations related to job applicant data under the California Consumer Privacy Act (CCPA).[3, 4]

This case sends an unambiguous message to employers across California: workforce data, including job applicant information, is no longer a low-priority compliance matter. It is now a seven-figure risk that demands the same rigorous privacy protections as customer data.

Three Critical Violations

The CPPA identified three major categories of violations by Tractor Supply Company:

1. Failure to Inform Job Applicants of CCPA Rights

Tractor Supply's privacy notice for job applicants did not adequately inform them of their rights under the CCPA. This is a compliance blind spot for many businesses that have historically focused privacy efforts on customer-facing data while neglecting employee and applicant data.[5] The CPPA's enforcement makes clear that applicant data is not exempt from California's privacy law.

2. Ineffective "Do Not Sell My Personal Information" Webform

The company's "Do Not Sell My Personal Information" webform was fundamentally ineffective. While it may have appeared compliant on the surface, it failed to actually prevent the sale or sharing of personal data collected via third-party tracking technologies embedded on Tractor Supply's website and career pages.[6, 7] This gap between stated policy and actual practice is precisely what CCPA enforcement targets: companies cannot claim compliance while continuing to share data with third parties.

3. Failure to Honor Universal Opt-Out Signals (GPC)

Until mid-2024, Tractor Supply failed to honor universal opt-out signals such as the Global Privacy Control (GPC). GPC is a browser-based signal that allows users to automatically communicate their opt-out preference to websites, eliminating the need to manually fill out forms on every site.[6, 8] California law requires businesses to recognize and honor these signals, yet Tractor Supply ignored them for years.

What This Means for Employers and Job Seekers

For Employers: HR Data is No Longer a Secondary Concern

This settlement forces every company with employees or applicants in California to fundamentally reassess their approach to HR data. For years, privacy compliance programs have been customer-centric, with dedicated teams focused on consumer data while HR systems operated under legacy assumptions about employee data. The CPPA has now demolished that distinction.

Employers must now ensure that:

  • Privacy notices for job applicants clearly explain CCPA rights, including rights to know, delete, and opt out of data sales.
  • "Do Not Sell" mechanisms actually function, not just in theory but in practice. This means auditing all third-party trackers, analytics tools, and advertising pixels on career pages.
  • Universal opt-out signals like GPC are recognized and honored across all web properties, including applicant portals.
  • Data sharing agreements with recruiting firms, background check providers, and HR tech vendors are reviewed to ensure CCPA compliance.

For Job Seekers: Your Application Data Has Value, and Rights

Job applicants often assume that once they submit a résumé, their data disappears into an HR black hole. This case confirms that applicant data is being actively monetized through data brokers, advertising networks, and analytics firms. Applicants have the same rights under CCPA as consumers:

  • The right to know what personal information is collected and how it is used.
  • The right to delete that information (subject to certain exceptions).
  • The right to opt out of the sale or sharing of that data.

Beyond the Fine: Mandatory Remediation

The $1.35 million fine is only part of the penalty. Tractor Supply must implement sweeping remedial measures that will reshape its privacy program for years:[9]

Quarterly Audits

Tractor Supply must conduct quarterly audits of all tracking technologies on its websites to ensure they comply with user opt-out preferences.

Annual Compliance Certifications

For the next four years, a corporate officer must personally certify annual compliance with the settlement terms. This creates executive-level accountability.

Comprehensive Privacy Notice Updates

The company must revise all privacy notices to clearly inform applicants and employees of their CCPA rights, including providing specific, accessible mechanisms to exercise those rights.

GPC Recognition

The company must recognize and honor all universal opt-out signals, including Global Privacy Control, across its entire digital footprint.

These requirements are designed to prevent future violations and to serve as a model for other California businesses. The CPPA is sending a signal: superficial compliance is not enough.

Recommendations

For Job Seekers:

Use GPC-Enabled Browsers

Enable Global Privacy Control in your browser before visiting career sites. Browsers like Brave, Firefox (with extensions), and DuckDuckGo support GPC. This automatically signals your opt-out preference without requiring you to fill out forms on every site.

Request Information

If you've applied for jobs in California, exercise your CCPA rights. Send a "Right to Know" request to companies where you've applied to learn what data they collected, how it was used, and with whom it was shared.

Minimize Data Shared

When applying for jobs, only provide information that is strictly required. Avoid uploading full résumés to third-party application portals unless absolutely necessary. Consider creating a minimal "application version" of your résumé that excludes home address, personal phone number, or other sensitive details.

For Employers:

Audit Your Career Pages

Conduct an immediate audit of all third-party trackers, analytics tools, and advertising pixels on career pages and applicant portals. Ensure that "Do Not Sell" mechanisms genuinely prevent data sharing.

Implement GPC Recognition

Work with your web development and IT teams to ensure your sites recognize and honor Global Privacy Control signals. This is not optional in California; it is a legal requirement.

Update Privacy Notices

Revise applicant-facing privacy notices to clearly explain CCPA rights in plain language. Include conspicuous links to opt-out mechanisms and instructions for submitting data requests.

Train HR and Recruiting Teams

Ensure that HR professionals, recruiters, and hiring managers understand CCPA compliance obligations. Privacy is not just a legal issue; it's an operational requirement that touches every stage of the applicant lifecycle.

References

  1. Holland & Knight. "California Privacy Protection Agency Fines Tractor Supply $1.35M for Privacy Law Violations."
  2. Klein Moynihan Turco LLP. "California Privacy Violations Result in $1.35 Million Fine!"
  3. Fisher Phillips. "California Breaks New Ground With Record $1.35M Fine for Job Applicant Mistakes."
  4. The National Law Review. "California Hits Employer with $1.35M Fine in First-Ever Job Applicant Enforcement Action."
  5. JDSupra. "$1.35M CPPA Fine Signals New Focus on Privacy Disclosures."
  6. Holland & Knight. "California Privacy Protection Agency Fines Tractor Supply $1.35M for Privacy Law Violations."
  7. California Privacy Protection Agency. "Stipulated Final Order, In the Matter of Tractor Supply Company."
  8. The Record. "CPPA fines Tractor Supply Company $1.4 million for privacy violations."
  9. California Privacy Protection Agency. "Stipulated Final Order, In the Matter of Tractor Supply Company."
  10. California Attorney General Rob Bonta, CalPrivacy, SF DA Brooke Jenkins, LA DA Nathan J. Hochman, Napa DA Allison Haley, Sonoma DA Carla Rodriguez. "When It Comes to Data Privacy, Consumers Must Be in the Driver's Seat: Attorney General Bonta, Partners Secure $12.75 Million General Motors Privacy Settlement." May 8, 2026.
  11. California Privacy Protection Agency. "When It Comes to Data Privacy, Consumers Must Be in the Driver's Seat: Attorney General Bonta, Partners Secure $12.75 Million General Motors Privacy Settlement." May 8, 2026.
  12. California Privacy Protection Agency. "Privacy Momentum Builds: 300,000+ Californians Sign Up for DROP as Registered Data Brokers Hit a Record High." June 2, 2026.
  13. California Privacy Protection Agency. "The California Privacy Protection Agency Opposes Federal Legislation That Would Weaken State Privacy Protections." June 3, 2026.