When a North Carolina employer’s job postings attract California applicants, the company may get caught in California’s web of privacy laws. Accordingly, businesses with California connections, including out-of-state employers who recruit and hire California-residents, need to take note of the California Privacy Protection Agency Board’s (the “Board”) most recent decision. On September 30, 2025, the Board announced its largest penalty to date: a $1.35 million fine against Tractor Supply Company to resolve a series of alleged California Consumer Privacy Act (“CCPA”) violations. In addition to this sizable fine, Tractor Supply must implement numerous remedial measures and is subject to an annual certification requirement.
What is the CCPA and Who Does it Cover?
Enacted in 2018, the CCPA was the first comprehensive state privacy law in the United States. The CCPA requires that covered businesses[1] provide privacy disclosures, accept and honor data subject requests, implement safeguards in vendor agreements, and take other measures to protect the privacy of Californians. Notably, unlike other recently enacted comprehensive state privacy laws, the CCPA also applies to personal information collected in employment and business-to-business contexts.
A Snapshot of the Alleged Violations
The Board alleges that Tractor Supply failed to honor consumer requests to not sell or share their personal information, including mishandling requests submitted through its website and those communicated via browser-enabled privacy settings.[2] Additionally, the Board alleged that Tractor Supply failed to include all required data protection terms in its contracts with vendors handling personal information.[3]
The Board also alleged that Tractor Supply’s applicant-facing privacy notice did not include CCPA-required disclosures, including information about available data subject rights and the types of information that the company had processed in the prior 12 months. Additionally, the Board noted that the pre-investigation version of Tractor Supply’s Privacy Policy (dated November 2021) had not been updated annually as required under the CCPA.
Notably, the Board also alleged issues in the privacy disclosures provided to job applicants. Though Tractor Supply did provide a “California Consumer Privacy Act Disclosure,” displayed as a pop-up on their Careers Page, its disclosures failed to include information about available CCPA rights or a description of how to exercise those rights.
Far-Reaching Impact
This decision has a far-reaching impact, as the CCPA's broad scoping thresholds encompass many businesses with little or no physical presence in California. In the employment context, the CCPA covers personal information collected by a covered business from California-resident applicants, regardless of whether the business has a physical office and/or current employees in the state. Additionally, the decision acknowledged the Board’s broad authority to investigate violations, including those occurring before January 2023. Furthermore, the detailed nature of the Board’s allegations signals that covered businesses must carefully examine whether their privacy disclosures and practices fully align with the CCPA and its regulations.
What You Should Do
While consumer-facing disclosures and data subject rights have been longstanding priorities for most businesses, the Board’s decision clarifies that employment-related disclosures and data subject rights require equal attention. Employers should act now to determine if they are subject to the CCPA, and, if so, take proactive steps to ensure compliance and mitigate risk.
Brooks Pierce employment and privacy attorneys regularly assist businesses with matters related to the CCPA and other data privacy laws. For assistance on any of these issues, please contact members of our Labor & Employment Team or Privacy Team.
[1] Generally, the CCPA applies to for-profit employers doing business in California that meet one or more of the following criteria: (a) have gross annual revenue in excess of $25 million in the previous calendar year; (b) buy, sell, or share the personal information of 100,000 or more California residents, households, or devices; or (c) derive 50 percent or more of annual revenue from selling consumers’ personal information. Under these broad scoping thresholds, this law technically covers many out-of-state businesses.
[2] Specifically, with regard to opt-out requests, the Board alleged that: (i) “Tractor Supply’s ‘Do Not Sell My Personal Information’ Link and webform did not effectuate consumers’ opt-out requests” and (ii) “Tractor Supply did not process opt-out preference signals.” In this context, the term “preference signals” refers to a user-enabled browser setting that is automatically transmitted to all websites (as part of the HTTP request). The “Global Privacy Control” is the leading example of such a signal.
[3] The Final Order states that “Tractor Supply did not properly contract with its service providers, contractors, and third parties to protect consumers’ privacy.” The Board references the contracts Tractor Supply had with “advertising technology companies that used consumers’ personal information for cross-context behavioral advertising purposes” and lists nine specific examples of missing provisions that the CCPA requires.