The California Privacy Protection Agency (“CPPA”) just fined Tractor Supply $1.35 million under the CCPA, its largest retail enforcement action to date this year. With enforcement now reaching familiar retail brands, privacy is no longer an issue retail executives can treat as background noise. Most shoppers won’t read the CPPA’s ruling, but they will see the headlines. They will hear about it on social media. And they will take note if loyalty programs or apps feel murky in how they use data. Privacy failures don’t just cost money; they invite public scrutiny that can erode a brand’s reputation, sometimes faster than a poor service experience or clumsy promotion. What’s Actually Triggering these Fines Tractor Supply’s violations reveal exactly what regulators are hunting for. Broken opt-out links that route to dead webforms. Global Privacy Control signals ignored entirely. Privacy notices that skip job applicant data disclosures. Vendor agreements without data restriction clauses. This isn’t an isolated case. Sephora (AG, 2022), Honda and Todd Snyder (CPPA, 2025), and Healthline (AG, 2025) have all faced CCPA enforcement, which has been accelerating over the last two years. Regulators are building a playbook: test the opt-out mechanisms, check for GPC compliance, review all privacy notices including HR portals and audit third-party contracts. If any piece fails, expect enforcement. googletag.cmd.push(function() { googletag.display(‘RTP_300Article’); }); Advertisement For retailers, this pattern matters. Every loyalty app, ecommerce platform and delivery partner touches customer data. Unlike banks or insurers, most retailers weren’t built with compliance at their core. Privacy controls are…
Want more insights? Join Grow With Caliber - our career elevating newsletter and get our take on the future of work delivered weekly.
