Table of Contents
- What happened, in plain English
- Why the first court filing matters more than the headline
- The plot twist: it didn’t end with the court filing
- What this means for businesses (yes, even the ones outside California)
- Why the CPPA’s subpoena move is a forecast, not a one-off
- How to reduce your risk without turning your company into a law firm
- 1) Stress-test your opt-out mechanisms like a grumpy consumer would
- 2) Inventory tracking tech across websites and apps
- 3) Fix privacy notices so they match reality
- 4) Bring HR and recruiting into the privacy program
- 5) Clean up vendor contracts, starting with high-risk data flows
- 6) Treat investigative requests like the beginning of a story, not a standalone event
- Conclusion: a subpoena is not a suggestion
- Real-World Experiences: What “A Privacy Investigation” Feels Like in Practice
California’s privacy regulator just did something that tends to make corporate inboxes sweat: it went to court.
When the California Privacy Protection Agency (CPPA) filed its first-ever judicial action to enforce an investigative request,
it wasn’t just flexing legal muscle; it was sending a message to every business that treats privacy compliance like a “nice-to-have.”
(Source Note A)
This story has everything: a Fortune 500 retailer, a subpoena that didn’t get the warm welcome it expected, and a regulator saying,
in polite government language, “We weren’t asking.” And if you’re thinking, “That’s California; what does it have to do with me?”
remember that privacy enforcement trends in California have a habit of spreading faster than a tracking pixel on a coupon site.
Note: This article is for informational purposes and is not legal advice.
What happened, in plain English
On August 6, 2025, the CPPA announced it had filed a petition in California Superior Court to enforce an investigative subpoena
against Tractor Supply Company, a Fortune 500 retailer. The agency said the company failed to comply with a subpoena seeking information
about its compliance with the California Consumer Privacy Act (CCPA). This filing was notable for two reasons: it was the CPPA’s first public
disclosure of an ongoing investigation into a specific company, and the CPPA’s first court action to compel cooperation with an investigation.
(Source Note A)
The CPPA also described what it was investigating at a high level, especially whether the company honored Californians’ right to opt out of the
“sale” or “sharing” of personal information online. That “opt out” right is one of the hallmarks of the CCPA/CPRA framework, and the agency signaled
it sees noncompliance as more than a paperwork oopsie. (Source Note A)
Here’s the key takeaway: a subpoena isn’t a customer survey. It’s a formal investigative demand. When an agency believes a company isn’t answering
adequately, especially to questions that must be answered “under oath”, it can ask a court to order compliance. And the CPPA made clear it’s willing to do exactly that.
(Source Note A)
Why the first court filing matters more than the headline
Privacy enforcement often looks “soft” from the outside. You don’t see flashing lights or a perp walk of someone’s cookie banner.
But behind the scenes, regulators rely on investigative tools (complaints, audits, interrogatories, and subpoenas) to figure out what’s happening
inside a business. If a company can slow-walk or stonewall those tools, enforcement becomes a game of “catch me if you can.”
The CPPA’s move into court changes the incentives. It signals that refusing to cooperate is not a strategy; it’s a second problem layered on top of
the first one. If the agency is willing to spend time and political capital in court, companies should assume it has a strong appetite to pursue the
underlying privacy issues, too. (Source Note A)
It also puts “scope fights” under a brighter spotlight
A common corporate instinct is to argue about scope: “That’s too broad,” “That’s not relevant,” or “You can’t ask about that time period.”
In this saga, legal analysis around the dispute highlighted arguments about how far back the CPPA could look and what conduct fell within its
investigative authority, especially involving practices before certain regulations took effect. Those debates matter because they can define how aggressive
investigations can be, not just for one company but for an entire enforcement program. (Source Note C)
The plot twist: it didn’t end with the court filing
The story didn’t stop at “regulator sues, company responds.” About seven weeks later, on September 30, 2025, the CPPA announced a major resolution:
its Board issued a decision requiring Tractor Supply to change practices and pay a $1.35 million fine to resolve claims it violated the CCPA. The CPPA
described the fine as the largest in its history and said the decision was the first to address the importance of privacy notices and the privacy rights of
job applicants. (Source Note B)
According to the CPPA, the investigation began after a complaint from a consumer in Placerville, California, an important reminder that enforcement sometimes
starts with one frustrated person and a form submission. (Source Note B)
What the CPPA said the company did wrong
The agency’s announcement summarized the alleged violations in a way that reads like a compliance checklist, except the kind you do after you’ve already been graded:
(Source Note B)
- Not maintaining a privacy policy that properly notified consumers of their rights.
- Not notifying California job applicants of their privacy rights and how to exercise them.
- Not providing an effective opt-out mechanism for the sale/sharing of personal information, explicitly including opt-out preference signals like Global Privacy Control (GPC).
- Disclosing personal information to other companies without contracts containing required privacy protections.
The resolution also mattered procedurally: the CPPA said that, with the settlement, its Enforcement Division would discontinue the earlier subpoena-enforcement litigation.
In other words, the “first-ever judicial action” worked as leverage in the broader enforcement arc: pressure that helped bring the matter to a conclusion. (Source Note B)
What this means for businesses (yes, even the ones outside California)
If you do business with Californians, or you collect data that involves them, California privacy enforcement is part of your reality. And even if you’re convinced
you have zero California footprint, privacy compliance lessons from CPPA actions still apply because other states watch what California does, then borrow the playbook.
(That’s not paranoia; that’s policy diffusion.)
Lesson 1: Your opt-out flow has to work in real life, not just in theory
“We have a ‘Do Not Sell or Share’ link” is not the finish line. Regulators care whether a consumer’s request actually changes what happens behind the curtain,
including with tracking technologies and ad tech partners. The CPPA’s summary explicitly called out effective opt-out mechanisms and honoring opt-out preference signals
like GPC. If your site respects GPC only on Tuesdays, or only on one subdomain, or only when Mercury is in retrograde, that’s not “partial compliance”; it’s a broken
promise to users. (Source Note B)
Lesson 2: Privacy notices are not “set it and forget it” content
The CPPA highlighted failures around maintaining a privacy policy that notifies consumers of rights. That sounds simple until you realize how many teams touch data:
marketing adds new tags, product launches a feature, analytics changes vendors, HR adopts a recruiting platform, and suddenly your privacy policy is basically a museum
exhibit: beautifully preserved… from 2022. (Source Note B)
Lesson 3: Job applicant privacy is no longer a side quest
Many organizations obsess over customer-facing privacy rights and treat job applicant and employee data as “HR’s thing.”
The CPPA made a point of job applicant notices and rights, an area that can be overlooked because recruiting stacks are complicated and distributed.
If applicants can’t understand what data you collect, why you collect it, how long you keep it, and how to exercise their rights, you’ve created a compliance gap in a
place regulators are clearly willing to inspect. (Source Note B)
Lesson 4: Vendor contracts are where good intentions go to die
The CPPA’s summary emphasized disclosures of personal information to other companies without contracts that contain privacy protections. This is one of the most common
pain points because it’s operationally annoying: you have to inventory vendors, categorize relationships, negotiate terms, and sometimes have the awkward conversation
where you ask an advertising partner to stop doing the thing it’s famous for doing.
But the logic is straightforward: if you’re sending personal information to another entity, regulators want to see enforceable limits on what that entity can do with it.
If your contract says “Vendor will comply with all applicable laws” and nothing else, that’s the legal equivalent of writing “Be good” on a sticky note and calling it
a security program. (Source Note B)
Why the CPPA’s subpoena move is a forecast, not a one-off
Enforcement agencies mature. Early on, they educate. Later, they deter. The CPPA’s first court action, together with the high-profile resolution that followed, fits a broader
narrative that California privacy enforcement is getting more operational, more technical, and less patient with “we’re working on it” responses. (Source Note D)
Around the same time, reports and commentary about CPPA enforcement suggested the agency is pursuing “hundreds” of open investigations, many of which are not public
and not yet known to the targeted businesses. That’s the part that should make compliance teams put down the novelty stress ball and pick up a real data map.
(Source Note E)
Meanwhile, the CPPA has also signaled upcoming infrastructure that could make opting out easier at scale, like California’s Delete Request and Opt-out Platform (DROP),
scheduled to launch on January 1, 2026. If that system increases consumer opt-out activity, companies should expect more complaints, more testing of opt-out flows,
and more scrutiny of whether “opt out” means “opt out,” not “opt out-ish.” (Source Note F)
How to reduce your risk without turning your company into a law firm
1) Stress-test your opt-out mechanisms like a grumpy consumer would
Do a practical test: submit an opt-out request, enable Global Privacy Control in a browser, and then verify what actually happens.
Are third-party trackers still firing? Are you still “sharing” data for cross-context behavioral advertising? Does the preference apply across devices,
brands, and subdomains? Check at the network layer, not just the cookie banner: GPC reaches your server as the Sec-GPC: 1 request header and reaches
your page scripts as navigator.globalPrivacyControl, so both server-side and tag-manager logic have to read it, and the proof is which third-party
requests leave the browser afterward. The CPPA’s focus suggests it will look past the presence of a link and toward the effectiveness of the mechanism. (Source Note B)
2) Inventory tracking tech across websites and apps
If you can’t list your tracking technologies, you can’t control them. Create (and maintain) an inventory of SDKs, tags, pixels, cookies, and partners,
along with what data they receive and for what purpose. In the Tractor Supply resolution, the CPPA emphasized remedial measures like scanning digital properties
to inventory tracking technologies, an approach that’s becoming a baseline expectation. (Source Note B)
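The following script is an added example, not code from the article, the CPPA, or Tractor Supply, and it serves both step 1 (the GPC stress test) and step 2 (the tracking-technology inventory). It parses a page’s HTML for every tag that loads a remote resource, lists the distinct third-party hosts with a category, and then diffs the page as served normally against the page as served with the GPC request header. The first-party host, the tracker classification table, and the two sample pages are all constructed assumptions for illustration; a real scanner would use a maintained tracker list and the Public Suffix List instead of the naive suffix match shown here.

```python
"""Tracker inventory and GPC regression check for one page (added example)."""
from html.parser import HTMLParser
from urllib.parse import urlparse
import urllib.request

# ASSUMPTIONS for this example: a hypothetical first-party host and a tiny
# hand-made classification list. Neither comes from the CPPA decision.
FIRST_PARTY = "shop.example.com"
KNOWN_TRACKERS = {
    "doubleclick.net": "advertising",
    "facebook.net": "advertising",
    "google-analytics.com": "analytics",
}


class ResourceCollector(HTMLParser):
    """Collect every tag that makes the browser load a remote resource."""
    LOADERS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}

    def __init__(self):
        super().__init__()
        self.resources = []  # (tag, url) in document order

    def handle_starttag(self, tag, attrs):
        attr = self.LOADERS.get(tag)
        url = dict(attrs).get(attr) if attr else None
        if url:
            self.resources.append((tag, url))


def hostname(url, page_host=FIRST_PARTY):
    """Map absolute, protocol-relative and path-only URLs to a lowercase host."""
    if not (url.startswith("//") or "://" in url):
        url = "//" + page_host + "/" + url.lstrip("/")  # relative -> first party
    return (urlparse(url).hostname or page_host).lower()


def category(host):
    """Classify a host by suffix match against KNOWN_TRACKERS."""
    for domain, cat in KNOWN_TRACKERS.items():
        if host == domain or host.endswith("." + domain):
            return cat
    return "uncategorized"


def inventory(html, page_host=FIRST_PARTY):
    """One record per distinct third-party host referenced by the page."""
    collector = ResourceCollector()
    collector.feed(html)
    records, seen = [], set()
    for tag, url in collector.resources:
        host = hostname(url, page_host)
        if host == page_host or host in seen:
            continue
        seen.add(host)
        records.append({"host": host, "tag": tag, "category": category(host)})
    return records


def gpc_check(html_plain, html_gpc, page_host=FIRST_PARTY):
    """Diff the page served normally against the page served with Sec-GPC: 1.

    Known advertising/analytics hosts that still load under GPC are the
    findings to review; anything that appears only under GPC is also flagged.
    """
    plain = {r["host"] for r in inventory(html_plain, page_host)}
    gpc = {r["host"] for r in inventory(html_gpc, page_host)}
    tracked = {h for h in plain if category(h) != "uncategorized"}
    return {
        "suppressed": sorted(tracked - gpc),
        "still_firing": sorted(tracked & gpc),
        "new_under_gpc": sorted(gpc - plain),
    }


def fetch_pair(url):
    """Live helper (not exercised by the sample below): fetch the page twice,
    the second time with the Sec-GPC request header defined by the GPC spec."""
    def get(extra):
        req = urllib.request.Request(url, headers={"User-Agent": "gpc-check", **extra})
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.read().decode("utf-8", "replace")
    return get({}), get({"Sec-GPC": "1"})


# Constructed sample pages (not captured from any real site). The GPC version
# drops analytics but still loads two advertising resources: a finding.
PAGE_PLAIN = """<html><head>
<script src="/static/app.js"></script>
<script src="https://www.google-analytics.com/analytics.js"></script>
<script async src="//connect.facebook.net/en_US/fbevents.js"></script>
<link rel="stylesheet" href="https://cdn.example-static.com/site.css">
</head><body>
<img src="https://ad.doubleclick.net/pixel?id=123" width="1" height="1">
</body></html>"""

PAGE_GPC = """<html><head>
<script src="/static/app.js"></script>
<script async src="//connect.facebook.net/en_US/fbevents.js"></script>
<link rel="stylesheet" href="https://cdn.example-static.com/site.css">
</head><body>
<img src="https://ad.doubleclick.net/pixel?id=123" width="1" height="1">
</body></html>"""

if __name__ == "__main__":
    for rec in inventory(PAGE_PLAIN):
        print(f"{rec['tag']:6} {rec['category']:13} {rec['host']}")
    print(gpc_check(PAGE_PLAIN, PAGE_GPC))
```

Two caveats on using this for real. First, it only sees resources present in the initial HTML; tags injected by a tag manager or loaded after consent appear only in network traffic, so run the same inventory and diff over the request hosts from a HAR captured in a real browser with GPC enabled. Second, a suppressed or still-firing host is evidence to investigate, not a legal conclusion: what matters under the CCPA is whether the data flow to that host is a “sale” or “share”, which the contract and the purpose decide, not the hostname alone.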
3) Fix privacy notices so they match reality
Your privacy policy and your internal practices need to agree. If you say you don’t share data, but your ad stack shares it, that’s not a “gap”; that’s a contradiction.
If you say consumers can opt out, but your opt-out process doesn’t work reliably, that’s a broken commitment.
4) Bring HR and recruiting into the privacy program
Applicant tracking systems, background checks, assessments, and recruiting analytics all involve personal information.
Build a job applicant notice that explains rights in clear language and provides real instructions for exercising them. Don’t bury it in a link that only appears after
someone uploads their résumé. (Source Note B)
5) Clean up vendor contracts, starting with high-risk data flows
Prioritize contracts connected to advertising tech, analytics, identity, and large-scale processors. Then move to the long tail.
You don’t need perfection overnight, but you do need a credible plan with owners, deadlines, and documented progress, because if the CPPA asks,
“How do you ensure downstream privacy protections?” “We sent an email once” is not the answer you want to give.
6) Treat investigative requests like the beginning of a story, not a standalone event
The headline was about a court filing, but the outcome was a larger enforcement action with a major fine.
That’s the pattern to watch: investigations can start quietly, become visible through procedural moves (like subpoena enforcement),
and then end with operational requirements that affect multiple business units. (Source Note A) (Source Note B)
Conclusion: a subpoena is not a suggestion
The CPPA’s first-ever judicial action to enforce an investigative request wasn’t just a legal milestone; it was a cultural one.
It told the market: California’s privacy regulator is willing to use the courts to keep investigations moving, and it’s willing to pursue outcomes that touch the
messy, real parts of compliance: opt-outs that actually work, notices that reflect reality, contracts that restrain downstream use, and privacy rights that apply to
job applicants as much as customers. (Source Note A) (Source Note B)
If your privacy program is strong, this moment is reassuring: the rules are being taken seriously. If your privacy program is held together by hope, a banner,
and a spreadsheet named “FINAL_FINAL_v7.xlsx,” consider this your friendly nudge. The CPPA just showed it’s comfortable in court.
You should be comfortable in compliance.
Real-World Experiences: What “A Privacy Investigation” Feels Like in Practice
Companies love to say, “We take privacy seriously,” right up until the day a regulator asks them to prove it with documents, timelines, and technical details.
In the real world, a privacy investigation is rarely one dramatic meeting. It’s a slow-motion stress test of how your organization actually works: how fast teams can
coordinate, how clearly you can explain data flows, and whether your systems do what your policies promise. (Source Note E)
One common experience: the opt-out mechanism looks perfect on a slide deck… and then someone tests it. The “Do Not Sell or Share” link sends users to a form,
but the form triggers a ticket, and the ticket goes to a queue, and the queue is processed weekly, and the tracking tags keep firing the whole time.
From a consumer’s perspective, that’s not an opt-out; that’s a polite suggestion box. When regulators focus on effectiveness (not just existence), teams often discover
they’ve been measuring the wrong thing: clicks, not outcomes. (Source Note B)
Another classic: the “vendor contract scramble.” Most organizations don’t have one clean, centralized list of every vendor receiving personal information.
Marketing has ad partners, product has analytics, IT has monitoring tools, HR has recruiting vendors, and procurement has a folder full of agreements named
“Signed_ReallyFinal_UseThisOne.pdf.” When an investigation asks, “What protections exist downstream?” the first challenge is simply finding the downstream.
The lesson teams learn (sometimes the hard way) is that contract hygiene is not paperwork; it’s governance. If you can’t identify who gets data, you can’t enforce
how it’s used. (Source Note B)
Job applicant privacy is where many companies get surprised. They’ll have a polished consumer privacy policy, a functioning cookie banner, and a DSR workflow
and then realize the careers site is running different tracking scripts, owned by a different vendor, with a different set of disclosures.
Recruiting teams are usually moving fast, optimizing for conversion, and adopting tools that “just work.” A privacy investigation forces a reset: applicants are people,
their data is personal information, and “it’s only HR” is not a compliance exemption. The experience here is often organizational, not technical:
you have to bring HR into the same privacy operating rhythm as marketing and product. (Source Note B)
Finally, there’s the “timeline reality check.” Investigations often ask about how things worked over specific periods.
That’s when teams discover they don’t have clean change logs for tags, scripts, or preference signals across properties.
The practical fix isn’t glamorous: governance over deployments, documentation of configuration changes, and routine audits that verify what’s live.
The good news is that once companies build these muscles, investigations become less chaotic. Instead of panic-building narratives from memory,
teams can show evidence: inventories, test results, contracts, and remediation plans. The overall experience shifts from “We hope we’re compliant”
to “We can demonstrate compliance,” which is a much calmer way to live. (Source Note A) (Source Note B)