Editor's note: The IAPP is policy neutral. We publish contributed opinion and analysis pieces to enable our members to hear a broad spectrum of views in our domains.
California's privacy regime has entered a new phase.
With the California Privacy Protection Agency's USD1.35 million fine against Tractor Supply, the state's regulator has made it unmistakably clear that superficial compliance — cookie banners, boilerplate notices or broken opt-out links — is no longer sufficient. Retailers must now reckon with enforcement expectations around signal recognition, notice completeness, applicant data, and vendor accountability and governance.
What makes the Tractor Supply case so illuminating is not only the gravity of the penalty, the largest to come from the CPPA, but also the pattern of alleged violations it embodies: failing to honor opt-out requests, routing "Do Not Sell" to a webform that doesn't block tracking, ignoring Global Privacy Control signals, using weak vendor agreements without restrictive data-use clauses and omitting key disclosures in privacy notices — especially for job applicants.
But Tractor Supply is not alone. 2025 has already brought several other noteworthy California Consumer Privacy Act and CPPA actions that highlight how regulators are widening their lens. These examples reinforce that no sector — and especially no data-intensive retailer — can take privacy compliance lightly.
Enforcement highlights from 2025
Several recent cases show how the CPPA board's priorities are evolving. Earlier in the year, the CPPA fined Honda for requiring excessive verification for opt-out and sensitive-personal-information requests, failing to offer symmetrical choices for cookies and trackers (opting out must be no harder than opting in), and lacking proper third-party contract terms. The Honda case shows that enterprises outside pure retail, such as connected-vehicle makers, are on the regulator's radar whenever they sit in a consumer data flow.
In May, the CPPA ordered the menswear brand Todd Snyder to overhaul its practices and pay a six-figure penalty. The violations included a 40-day period during which the opt-out mechanism failed, demands for excessive personal information before privacy requests, even simple opt-outs, would be processed, and identity verification the law does not require. Notably, the CPPA flagged improper oversight of the privacy portal and the third-party tools behind it. Retailers can't delegate compliance and then lose visibility.
In July 2025, California Attorney General Rob Bonta went after Healthline's misuse of online tracking tools, sharing sensitive health-related data via pixels and cookies, and employing ineffective opt-out mechanisms. Bonta also cited violations of the CCPA's purpose limitation principle and weak contractual safeguards.
In short, it's not just retail; every vertical and industry is squarely within the scope of enforcement. These cases share common threads: ineffective opt-out implementations, excessive verification requirements, failure to act on signal-based opt-outs and weak or missing contractual guardrails.
What retailers must do: A roadmap
The new wave of enforcement makes one thing clear: retail and privacy executives can no longer rely on surface-level compliance measures. Opt-outs and signal recognition need to be embedded directly into the tracking infrastructure itself. A "Do Not Sell/Share" link is meaningless if pixels, cookies or tags keep transmitting data after it is clicked; regulators now expect the consumer's choice to be enforced at the technology layer, at the point where a tag is loaded or a request is sent.
Likewise, the GPC must be honored as a valid opt-out of sale and sharing, not treated as optional. The browser sends it with every request as the Sec-GPC: 1 header and exposes it to page scripts as navigator.globalPrivacyControl, so both server-side and client-side code can see it without any webform submission.
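The following is an added example, not code from the article or from BigID, of what "enforced at the technology layer" looks like in practice: a tag loader that reads the opt-out state from GPC (navigator.globalPrivacyControl in the browser, or the Sec-GPC header on the server) and from a stored opt-out, and then loads only the tags permitted by that state, recording why each blocked tag was blocked. The tag catalogue, the cookie name us_privacy_optout and the injection callback are hypothetical; the GPC surfaces are the real ones.

```javascript
// Added example (not from the article, not BigID or CPPA code): enforce a
// "Do Not Sell/Share" opt-out and the Global Privacy Control signal where
// third-party tags are actually loaded, instead of only on a webform.
// Assumptions: TAG_CATALOG, the cookie name and inject() are hypothetical;
// navigator.globalPrivacyControl and the Sec-GPC request header are real.

// Constructed sample of the tags a site would normally load, labelled by
// purpose. "necessary" tags may run regardless of opt-out state; tags that
// sell or share personal information with a vendor must be gated.
const TAG_CATALOG = [
  { id: "session-analytics", purpose: "necessary", src: "/js/first-party-analytics.js" },
  { id: "ads-pixel", purpose: "sale_share", src: "https://ads.example-vendor.test/pixel.js" },
  { id: "retarget-tag", purpose: "sale_share", src: "https://retarget.example-vendor.test/tag.js" },
];

const OPT_OUT_COOKIE = "us_privacy_optout"; // hypothetical name for the stored choice

// Parse a document.cookie or Cookie-header string into a name -> value map.
function parseCookies(cookieString) {
  const out = {};
  for (const part of String(cookieString || "").split(";")) {
    const idx = part.indexOf("=");
    if (idx === -1) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// Combine every opt-out signal we can see. GPC is a binding opt-out of sale
// and sharing under the CCPA regulations, so it counts even with no cookie
// present; a stored explicit opt-out counts even when GPC is off.
function isOptedOut({ navigatorGpc, secGpcHeader, cookieString } = {}) {
  if (navigatorGpc === true) return true;                            // browser: navigator.globalPrivacyControl
  if (secGpcHeader != null && String(secGpcHeader).trim() === "1") return true; // server: Sec-GPC: 1
  return parseCookies(cookieString)[OPT_OUT_COOKIE] === "1";         // stored "Do Not Sell/Share" choice
}

// Build the load plan: which tags run, which are blocked, and why. Returning
// the reason alongside the decision gives an audit record of how the
// consumer's choice was applied on this page load.
function planTagLoads(signals, catalog = TAG_CATALOG) {
  const optedOut = isOptedOut(signals);
  const plan = { optedOut, load: [], blocked: [] };
  for (const tag of catalog) {
    if (tag.purpose === "necessary" || !optedOut) {
      plan.load.push(tag.id);
    } else {
      plan.blocked.push({ id: tag.id, reason: "opt-out of sale/sharing in effect" });
    }
  }
  return plan;
}

// Browser entry point: read the live signals and inject only permitted
// scripts. Guarded so the file also loads outside a browser (returns null).
function applyPlanInBrowser(inject) {
  if (typeof navigator === "undefined" || typeof document === "undefined") return null;
  const plan = planTagLoads({
    navigatorGpc: navigator.globalPrivacyControl === true,
    cookieString: document.cookie,
  });
  for (const id of plan.load) {
    const tag = TAG_CATALOG.find((t) => t.id === id);
    inject(tag.src); // e.g. create and append a <script> element
  }
  return plan;
}
```

The important property is that the decision sits in front of the loader, so a vendor pixel never fires for an opted-out visitor, rather than firing and relying on the vendor to discard the data. The same isOptedOut check can run in server-side request handling against the Sec-GPC header for tracking that does not go through page scripts, such as server-to-server conversion events.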
Privacy portals also need to evolve. Too many operate as little more than webforms disconnected from the systems that actually govern data flows. Regulators are pushing for portals that act as true execution engines, automatically applying consumer choices across every touchpoint — websites, mobile apps, loyalty programs and even in-store platforms.
Notices must also expand in scope and specificity. Generic language buried in terms and conditions no longer passes muster. Disclosures should be clear, versioned, and comprehensive, covering not just shoppers but prospects, employees and job applicants. They must explicitly describe how GPC signals are processed, what categories of data are being collected, and how opt-out rights are operationalized.
Contracts with vendors are another pressure point. The CPPA has shown it will hold retailers accountable for the failings of their partners. That means service agreements can no longer be perfunctory; retailers need to restrict secondary use of consumer data, require vendors to respect opt-out states, and allow for audits that verify compliance in practice.
All of this depends on visibility. Continuous monitoring and a live inventory of cookies, tags and trackers across every digital property are foundational. Without an up-to-date map of data collection points, retailers cannot credibly prove compliance, or respond effectively when regulators come knocking.
Finally, governance must become an embedded discipline, not an afterthought. Audit logs, records of opt-out request handling, vendor assessments and ongoing reviews of regulatory signals should be part of every release cycle and compliance program. The lesson from Tractor Supply and others is that post-hoc remediation isn't enough; regulators expect compliance to be proactive, continuous, and systemic.
Given the sheer scale of data flows, vendor ecosystems and regulatory complexity, none of this is feasible manually. Automation is the only realistic path forward. Modern platforms enable organizations to automate discovery and classification, route signals like GPC, enforce opt-outs across systems, monitor vendor compliance, and generate audit-ready reporting. Automation doesn't absolve retailers from responsibility, but it enables them to meet the expectations of this new era of privacy enforcement.
Governance is the new frontier: Enter SB 53
Privacy enforcement isn't the end of California's regulatory arc: It's the beginning. With September's passage of Senate Bill 53, the Transparency in Frontier Artificial Intelligence Act, California is signaling a new era of oversight, introducing governance and transparency requirements that extend into AI development.
SB 53 requires large frontier AI developers to publish a frontier AI framework explaining how they benchmark safety, align with national and international norms, monitor misuse, and mitigate risks. It mandates reporting of critical safety incidents to state authorities and provides whistleblower protections for employees who raise concerns. Companies may redact trade secrets or sensitive security details from what they publish, but they must retain the unredacted records for five years.
The lesson? Regulators are moving from fines for visible failures to proof of governance across systems, from privacy portals to AI pipelines.
For retailers, this convergence is critical. AI already powers recommendation engines, personalization platforms, fraud detection and inventory forecasting. Under SB 53, AI oversight and privacy accountability will no longer be siloed; both are part of the same governance stack.
The line between data rights and AI responsibility is dissolving.
Looking forward
The Tractor Supply case may be this month's headline, but in reality, it's just one node in a broader regulatory shift. California is no longer content with after-the-fact penalties; the state is demanding live proof of compliance, governance and transparency.
Retailers with sprawling data and AI operations are both the most exposed and the best positioned to set the standard.
For executives, the mandate is clear: privacy and AI governance must become infrastructural, not optional. Patchwork fixes won't suffice, and delayed posture changes won't be forgiven. The time to rearchitect — for privacy, AI and governance as a whole — is now.
Sarah Hospelhorn is chief marketing officer at BigID.