The California Privacy Protection Agency (“CPPA”) just fined Tractor Supply $1.35 million under the CCPA, its largest retail enforcement action to date this year. With enforcement now reaching familiar retail brands, privacy is no longer an issue retail executives can treat as background noise.
Most shoppers won’t read the CPPA’s ruling, but they will see the headlines. They will hear about it on social media. And they will take note if loyalty programs or apps feel murky in how they use data. Privacy failures don’t just cost money; they invite public scrutiny that can erode a brand’s reputation, sometimes faster than a poor service experience or clumsy promotion.
What’s Actually Triggering These Fines
Tractor Supply’s violations reveal exactly what regulators are hunting for. Broken opt-out links that route to dead webforms. Global Privacy Control signals ignored entirely. Privacy notices that skip job applicant data disclosures. Vendor agreements without data restriction clauses.
This isn’t an isolated case. Sephora (AG, 2022), Honda and Todd Snyder (CPPA, 2025), and Healthline (AG, 2025) have all faced CCPA enforcement, which has been accelerating over the last two years. Regulators are building a playbook: test the opt-out mechanisms, check for GPC compliance, review all privacy notices (including HR portals) and audit third-party contracts. If any piece fails, expect enforcement.
For retailers, this pattern matters. Every loyalty app, ecommerce platform and delivery partner touches customer data. Unlike banks or insurers, most retailers weren’t built with compliance at their core. Privacy controls are bolted on after the fact, leaving gaps regulators can now easily identify. When those gaps become headlines, customers notice.
California Wants Your AI Too
Privacy enforcement is just the opening act. California’s SB 53, passed in September 2025, extends the same governance expectations to ‘frontier’ AI systems. The law requires developers to document their safety frameworks, report incidents and protect whistleblowers who flag concerns.
Why does this matter for retailers? Because retailers are already using AI everywhere — pricing algorithms, recommendation engines, chatbots, inventory forecasting. Each one touches customer data.
SB 53 signals that California won’t treat privacy and AI as separate issues. They’re watching both through the same lens. Even though SB 53 doesn’t directly regulate most retailers today (it targets frontier-model developers), it signals California’s expectation of documented controls, incident reporting and whistleblower protection in AI, pressure that will influence buyers and vendors across the stack.
The message is clear: prove you have control. Not just over the data you collect, but over the algorithms that process it. The same broken opt-out that triggers a privacy fine could signal to regulators that your AI systems lack oversight too.
The Operational Reality Retailers Face
The hardest challenge is visibility. Data sits across point-of-sale systems, loyalty apps, ecommerce platforms and vendor portals. Without a full view, retailers can’t know which records are exposed, who has access or whether privacy requests are being honored. Tractor Supply’s blind spots show how quickly these become enforcement actions.
The fix requires systematic changes: automated opt-out enforcement across all tracking infrastructure; privacy notices that actually reflect your data practices, including applicant and employee data; vendor contracts with teeth that restrict secondary use; continuous monitoring that proves these controls work. Without automation, the volume and complexity make compliance impossible at retail scale.
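As an added illustration (not code from the article or from any company it names) of the two controls the regulators’ playbook tests, GPC compliance and opt-out enforcement at the tracking layer: a server-side decision function that treats the Global Privacy Control request header `Sec-GPC: 1` as a valid opt-out of sale/sharing, records why the decision was made for the audit trail, and gates which third-party tags may load. The header shapes, tag names and preference store are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ConsentDecision:
    sell_or_share_allowed: bool
    reason: str  # logged so monitoring can prove the control fired


def gpc_signal_present(headers: Dict[str, str]) -> bool:
    """The GPC signal is the request header `Sec-GPC` with the exact value "1".
    Header names are case-insensitive; any other value is not a signal."""
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False


def resolve_consent(headers: Dict[str, str],
                    stored_opt_out: Optional[bool]) -> ConsentDecision:
    """Decide whether sale/sharing (e.g. advertising pixels) may occur for this request.

    Under the CCPA regulations an opt-out preference signal such as GPC is itself
    a valid opt-out request, so it is checked first and wins over a missing or
    permissive stored preference (stored_opt_out is None when no choice is on file).
    """
    if gpc_signal_present(headers):
        return ConsentDecision(False, "gpc-signal")
    if stored_opt_out is True:
        return ConsentDecision(False, "stored-opt-out")
    return ConsentDecision(True, "no-opt-out-on-record")


def gate_tags(decision: ConsentDecision, tags: Dict[str, bool]) -> List[str]:
    """Return the tags that may load. `tags` maps a tag name to whether loading it
    constitutes a sale or sharing of personal data; those are dropped on opt-out."""
    return [name for name, sells in tags.items()
            if decision.sell_or_share_allowed or not sells]


# Constructed sample request and tag inventory (not real products or vendors).
SAMPLE_TAGS = {"analytics-first-party": False, "ad-pixel-vendor-a": True}
SAMPLE_DECISION = resolve_consent({"Sec-GPC": "1", "User-Agent": "x"}, None)
```

Run as a pre-release check with both GPC and non-GPC requests; a mismatch between the logged reason and the tags that actually loaded is exactly the kind of broken opt-out the article describes.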
Governance must become embedded, not bolted on. Audit logs, opt-out request handling, vendor assessments and regulatory compliance should be part of every release cycle. The lesson from Tractor Supply and others is clear: post-hoc remediation isn’t enough. Regulators expect compliance to be proactive and systemic.
Privacy by Design is Brand by Design
Too often, new loyalty apps or in-store kiosks launch fast, with privacy bolted on afterward. That model is collapsing under regulatory and customer pressure. Tractor Supply’s fine shows what happens when core data rights aren’t handled properly: regulators step in, and customers get the message that their data isn’t valued.
Enforcement is expanding beyond the tech sector into every business that handles sensitive consumer data. For retail leaders, the takeaway is straightforward. Privacy risk isn’t a niche legal matter. It’s a business risk with direct reputational and operational consequences.
For shoppers, a privacy stumble feels no different than a missed delivery or a broken app feature. It’s one more signal that the retailer isn’t in control. By contrast, making transparency visible with clear opt-ins at signup, concise policies and easy-to-find data choices turns privacy into part of the brand experience. It tells customers: we respect your data as much as your business.
The Bottom Line
California regulators are building momentum. They’re no longer policing only superficial gaps. They’re policing entire systems: opt-out enforcement at the signal layer, honest notices, applicant data and vendor accountability.
Retailers that wait for enforcement will pay twice: once in fines, once in customer trust. Privacy and AI governance must become infrastructural, not optional. Patchwork fixes won’t suffice.
In retail, brand reputation is currency. Privacy is now one of the fastest ways to gain or lose it.
Heather Kuhn is Senior Privacy Counsel at Big ID. She is a privacy, cybersecurity, and technology counsel recognized for guiding organizations through complex regulatory and security challenges. She combines deep legal expertise with technical insight, holding three IAPP certifications (FIP, CIPP/US, CIPT). An active leader in the privacy community, Kuhn serves in bar association and IAPP leadership roles and co-teaches Privacy and Cybersecurity Law at Georgia State University College of Law. Her career spans law, business and public service, with a track record of enabling innovation while protecting people and data.