CCPA Radar tracks publicly announced enforcement actions, settlements, and penalty decisions under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). Its purpose is to provide a clear, practical view of how California regulators interpret and enforce privacy obligations in real cases.
The radar brings together key information on enforcement trends, including the regulator, the organization involved, the amount of the penalty, the legal basis of the violation, and the core compliance issues identified in each matter. By presenting these cases in one place, CCPA Radar helps privacy, legal, compliance, and security teams better understand which failures most often lead to regulatory action.
More than a list of fines, CCPA Radar is designed as a working compliance resource. It shows how regulators approach topics such as opt-out mechanisms, dark patterns, children’s data, privacy notices, vendor contracts, and the technical implementation of consumer rights. This makes it easier to translate enforcement activity into concrete lessons for internal privacy governance and risk management.
Tractor Supply Company
Penalty: USD 1.35 million
Date: September 30, 2025
Core issue: Privacy notice failures; job-applicant privacy rights; GPC/opt-out failures; missing contract safeguards
Main public findings: CPPA announced that Tractor Supply failed to maintain a compliant privacy policy, failed to notify California job applicants of their privacy rights, failed to provide an effective opt-out including for Global Privacy Control, and disclosed personal information without contracts containing required privacy protections.
Cause of the violation: The company had gaps across several core CCPA compliance areas at once: notices, consumer rights handling, GPC processing, applicant privacy compliance, and third-party contract governance.
Recommendations: Keep website and workforce-related privacy notices up to date; honor GPC and other opt-out signals; validate webforms and request-handling systems; maintain required service-provider and contractor clauses; conduct regular privacy training and vendor reviews.
Source: