Skip to Main Content
Menu Button
CBIA

Take Action

Join Now

California Hits Employer with $1.35M Fine in First-Ever Job Applicant Enforcement Action

10.03.2025
Featured
HR & Safety

The following article first appeared on Robinson+Cole’s Data Privacy+Cybersecurity blog. It is reposted here with permission.

This week, the California Privacy Protection Agency issued its largest fine yet: $1.35 million against Tractor Supply.

This settlement is significant because it is the first-ever enforcement action involving job applicants under the California Consumer Privacy Act.

Based on an individual consumer’s complaint, the CPPA found that Tractor Supply failed to:

  • Provide a compliant privacy notice to job applicants;
  • Inform job applicants of their rights under the CCPA;
  • Maintain a sufficient privacy policy;
  • Honor opt-outs and browser preference signals (like global privacy controls); and
  • Execute appropriate, compliant vendor and advertising contracts.

Enforcement Action

This enforcement action and settlement agreement is significant for several reasons:

  • It reminds companies that job applicant and employee data is fully covered by the CCPA—California is the only state with comprehensive HR privacy obligations;
  • It is the largest CPPA fine to date (and it most certainly won’t be the last one for this type of violation);
  • It reiterates the point that the CCPA applies to ALL industries—not just tech and data brokers;
  • One consumer complaint can snowball; small issues can lead to big investigations (and fines); and
  • Fixing problems later won’t erase liability; proactive compliance is essential.

In addition to the fine, Tractor Supply must now conduct five years of strict audits of its website and third-party vendors, submit public reports of annual privacy metrics, monitor opt-out compliance, and perform staff retraining.

This five-year compliance program is a strong signal of how the CCPA expects organizations to handle personal data going forward.

Proactive Steps

Companies can take proactive steps now such as:

  • Update privacy notices for job applicants and employees;
  • Audit job portals and platforms for compliance gaps;
  • Review vendor and ad tech contracts;
  • Scan for tracking technologies on your website such as cookies and pixels;
  • Maintain a data-sharing inventory; and
  • Train HR, marketing, and IT teams on privacy workflows.

California is enforcing applicant and employee privacy with real teeth.

Employers and businesses operating in California need to treat applicant and employee data as a top-tier compliance priority.

Ignoring these obligations, or waiting until you’re under investigation, can now carry seven-figure consequences.

About the author: Kathryn Rattigan is a partner with Robinson+Cole and advises clients on data privacy and security, cybersecurity, and compliance with related state and federal laws.

Tags:

Leave a Reply

Your email address will not be published. Required fields are marked *

RELATED

EXPLORE BY CATEGORY

COMING EVENTS

Wed  |  Dec 03  |  10:00 am EST

TikTok Sparks Opportunity for Connecticut  

Thu  |  Dec 04  |  4:00 pm EST

CBIA E2: Energy & Environment Council Happy Hour 

Thu  |  Dec 11  |  1:00 pm EST
hr hotline logo

HR Hotline Live: Common Wage & Hour Issues

Stay Connected with CBIA News Digests

The latest news and information delivered directly to your inbox.

CBIA IS FIGHTING TO MAKE CONNECTICUT A TOP STATE FOR BUSINESS, JOBS, AND ECONOMIC GROWTH. A BETTER BUSINESS CLIMATE MEANS A BRIGHTER FUTURE FOR EVERYONE.

Join CBIA Today