What happened. On September 30, the California Privacy Protection Agency (CPPA) Board announced a $1.35M settlement with Tractor Supply and a mandate to overhaul its privacy program. The CPPA’s decision highlights failures in: (1) consumer- and applicant-facing privacy notices, (2) honoring opt-outs (including Global Privacy Control), and (3) having proper contracts in place when disclosing data to other companies. It also requires a 4-year officer certification and scanning digital properties for tracking tech.
Why this matters beyond retail. This is the CPPA’s largest penalty to date and its first decision squarely addressing job-applicant data—a signal that HR and recruiting practices are now in scope, not just consumer-facing sites.
Key Findings and Enforcement Themes
- The concept of “reasonable security” is gaining sharper definition. The CPPA itemized specific gaps (notice, GPC, service-provider contracts) and prescribed specific remedies (tracking scans, executive attestations). That looks and feels like an operational control list that counsel can audit against—less debate, more evidence.
- HR and recruiting data are part of the evolving privacy compliance framework. With the CPRA’s 2023 expansion of individual rights to employees and job applicants, the CPPA’s recent action illustrates how regulators are now reviewing workforce data practices as part of overall privacy compliance. Ensuring that HR and recruiting systems are integrated into privacy governance programs is becoming an essential element of readiness.
- Opt-out signals and vendor contracts are now focal points for compliance alignment. Regulators continue to emphasize the importance of honoring Global Privacy Control (GPC) signals and maintaining clear, compliant agreements with analytics and advertising partners. Ensuring these obligations are coordinated across legal, marketing, and technology teams is becoming a hallmark of mature privacy governance.
Strategic Takeaways for Counsel and Leadership
- Build structured executive visibility into privacy and security operations. Schedule briefings that connect legal, compliance, IT, and business leadership. Use these sessions to review key risks, emerging regulatory expectations, and the effectiveness of existing controls. Visibility and coordination remain the strongest indicators of program maturity.
- Strengthen cross-functional accountability mechanisms. Operate privacy, marketing, security, and vendor-management teams from a shared governance framework — one that aligns notice obligations, opt-out mechanisms, and contractual controls. Clear ownership of each compliance function reduces operational blind spots and regulatory exposure.
- Elevate documentation and follow-through. Maintain records of decisions, updates, and internal audits related to privacy and cybersecurity. Meeting notes, risk-register updates, and vendor reviews help demonstrate diligence and continuous improvement when regulators or stakeholders ask how your program operates in practice.
- Treat governance as part of risk management, not an afterthought. Integrate privacy and cybersecurity metrics into enterprise risk reports, so leadership can see trends — not just incidents. This framing positions compliance as a contributor to business resilience, not a reactive exercise.
Taken together, these steps embed privacy and cybersecurity into a broader risk framework. They demonstrate visible ownership, documented coordination, and continuous improvement across the organization.
Closing Reflection
California’s $1.35 million fine previews where enforcement is likely heading. The CPPA is linking technical safeguards, vendor governance, and leadership engagement into one integrated standard of care.
For organizations subject to the CCPA/CPRA, the path forward is about building a program that is coordinated, transparent, and demonstrably managed.
Thompson Coburn’s Cybersecurity and Data Privacy practice group will continue to monitor how California and other states refine this model of governance-driven cybersecurity enforcement in the months ahead.