The Growing Power of the California Consumer Privacy Act
Editor’s Note: Regulators and litigants are treating the California Consumer Privacy Act (CCPA) less like a compliance guideline and more like a governance regime. In this insightful article, Phil Favro details how the CCPA’s authority has grown beyond its statutory roots—now enforced not only through state agencies but also through a rising tide of private litigation. From significant settlements like the $1.35 million Tractor Supply case to quietly burdensome ongoing compliance obligations, organizations are discovering that CCPA compliance is not a one-time checklist but a living, evolving program. For professionals in cybersecurity, eDiscovery, and information governance, this piece underscores the need to revisit privacy policies, data-sharing contracts, and opt-out mechanisms to ensure they are not only compliant but also resilient.
By Phil Favro, Contributing Author for HaystackID
The California Consumer Privacy Act has gotten the attention of regulated companies. To be sure, the law, when it was first conceived, seemed destined to become a regulatory challenge for organizations doing business with the state. But the CCPA’s authority has increased since its conception and subsequent enactment. This expansion of power is evident from a recent settlement against Tractor Supply Company, which includes a modest fine of $1.35 million issued by the law’s new enforcement arm (the California Privacy Protection Agency). It’s also apparent from enforcement actions the California attorney general has brought and continues to pursue against regulated companies, along with the proliferation of private lawsuits targeting alleged CCPA violations.
The CCPA’s power has not been manifested by issuing massive fines against violators. Instead, it lies in the continuing oversight the state exercises once it identifies a violation and reaches a settlement with a regulated entity. Settlements with Tractor Supply Company and other entities suggest ongoing reporting obligations that could last for several years. All of this highlights the importance of regulated companies reviewing their CCPA compliance programs to better ensure proactive compliance with its provisions.
A Brief History of the CCPA
California enacted the CCPA on June 28, 2018. Passed by the state legislature after only a week of consideration, the CCPA went into effect on January 1, 2020, with the state attorney general beginning enforcement six months later on July 1, 2020.
As initially implemented, the CCPA provided California consumers with various rights, including the right to know what personal information a regulated company collects and how that information is shared. In addition, consumers generally have rights to delete personal information, opt out of the sale or sharing of their personal information, and be free from discrimination if they exercise their CCPA rights.[1] To ostensibly secure those rights, the CCPA imposed several obligations on regulated companies, including (among several others) notice and disclosure requirements to consumers and employees regarding collection, sharing, and sale of their personal information.
Later that same year, in November 2020, California voters approved a ballot proposition referred to as the CPRA (California Privacy Rights Act). Effective January 1, 2023, the CPRA amended the CCPA by providing consumers with additional rights. These included rights both to correct inaccurate personal information and to limit the use and disclosure of sensitive personal information.[2] In addition, the CPRA ushered in a corresponding set of additional requirements for regulated companies. Among these are further restrictions on sharing personal information, annual cybersecurity audits, periodic risk assessments regarding the processing of personal information, and a directive to minimize stores of personal information.
Beyond the CCPA’s statutory provisions, the government has implemented regulations designed to clarify certain requirements. Those regulations have, in certain instances, augmented compliance obligations for regulated companies.
The CPRA also established the California Privacy Protection Agency (Agency) as the body tasked with enforcing the CCPA’s provisions. Nevertheless, the state attorney general, who previously had exclusive power to address CCPA violations, continues to enjoy enforcement powers. That both agencies are authorized to enforce the CCPA is apparent from recent settlements with Tractor Supply Company (Agency) and Sling TV (attorney general).
The Tractor Supply Company Settlement
The Tractor Supply Company (“Tractor Supply” or “company”) settlement is particularly noteworthy because it marked the largest fine which the Agency has so far imposed on a regulated company. To be certain, the Agency’s $1.35 million fine is not exactly troubling for a company whose 2024 fiscal year gross profit exceeded $5 billion. Nevertheless, the obligations the settlement imposed to address Tractor Supply’s violations are not trivial in nature.
The settlement—termed as a “Stipulated Final Order” that the Agency then issued as an “Order of Decision”—reviewed in detail the company’s alleged violations. Among the violations was Tractor Supply’s use of a misleading opt-out form that left “consumers with the false impression that Tractor Supply had stopped selling and sharing their personal information.” According to the settlement, the contrary was true: “Tractor Supply . . . continued to sell or share [consumers’] personal information through third party tracking technologies used for advertising purposes.” Additional violations included deficient notices to consumers and job applicants of their privacy rights under the CCPA or an explanation of how to exercise those rights.
In addition to the imposition of the above-referenced fine, Tractor Supply agreed to several remedial measures. While many of those provisions included requirements that the company comply with basic CCPA provisions, others were more onerous. For example, the company must develop and maintain a program through 2030 “to assess and monitor whether it is effectively processing consumers’ requests to opt-out of sale/sharing” of personal information. In addition, a company officer or board member must annually certify to the Agency through 2030 that Tractor Supply is in compliance with the settlement provisions. Perhaps the most significant measure requires Tractor Supply to submit an annual report to the Agency through 2030 memorializing key compliance details relating to “third parties and service provider or contractors with whom [the company] makes available personal information collected through tracking technologies.” These measures—and particularly the final condition—provide the Agency with the opportunity to both oversee and ensure Tractor Supply’s continued compliance with the settlement.
While significant, the Tractor Supply settlement is not unique, as the Agency and attorney general have collectively obtained several settlements with companies over CCPA violations. For example, the attorney general announced on October 30, 2025, that Sling TV agreed to “implement changes to ensure the CCPA opt-out is easy for consumers to execute, requires minimal steps, and considers the way the business interacts with consumers.” Sling TV also agreed to pay a $530,000 fine. The pace of enforcement shows no signs of slowing.
CCPA Litigation by Private Parties
Beyond the regulatory realm of CCPA compliance lies private party litigation. Lawsuits typically seek to address enterprises’ alleged CCPA violations, particularly for data breach violations, often through proposed class actions. Those actions have significantly multiplied since the CCPA went into effect, with legal search engines reporting dozens of federal court decisions this year alone addressing CCPA-related issues, most frequently ruling on motions to dismiss CCPA claims. Significantly, CCPA claims are not limited to California federal and state courts. A brief review of 2025 cases reveals CCPA claims in pending lawsuits throughout the country, including federal courts based in the following U.S. cities beyond California: Atlanta, Baltimore, Boston, Dallas, Detroit, Jacksonville, Las Vegas, New York, Orlando, Philadelphia, and Salt Lake City. Both the growth of CCPA-related litigation and its widespread proliferation suggest the number of private CCPA lawsuits will not decrease any time soon.
Ensure Compliance Measures Are Suitable
The current trends in both regulatory enforcement and private litigation indicate the CCPA is turning into a legal juggernaut. Given this reality, regulated companies should carefully examine their CCPA compliance program and determine whether any measures they previously adopted are suitable for the present. In particular, companies could learn from Tractor Supply’s shortcomings to shore up compliance measures that may have lapsed.
Companies could evaluate whether their opt-out forms are actually operational and allow consumers to stop companies from selling or sharing their personal information. Indeed, companies may consider a periodic review of this feature to confirm that it remains functional.
Another area where enterprises may consider a recurring audit includes contracts with service providers. Those contracts—which should align with CCPA requirements that mandate disclosing “the limited and specified purposes for which the personal information can be used”—could end up having the required language modified or removed. Periodically ensuring service provider contracts meet CCPA conditions could help organizations avoid violations that tripped up Tractor Supply.
Companies might also consider a periodic review of privacy policies to ensure they offer proper notice to consumers and employees of their CCPA rights and how to exercise those rights. Reexamining this information on a regular basis could spotlight vulnerabilities and lead to improvements.
Finally, entities should stay abreast of developments with the law. Updated regulations are a reality that companies must deal with. Indeed, the Agency just published a revised set of regulations that will take effect on January 1, 2026. Determining the nature and extent of the regulatory updates should help enterprises better tailor their compliance measures accordingly.
About Phil Favro
Phil Favro is the founder of Favro Law PLLC, where he counsels clients on ESI, AI, and discovery issues and serves as a special master, mediator, and expert witness. Phil is nationally recognized for his expertise on ESI, discovery, and information governance, with courts acknowledging his credentials. See, e.g., Oakley v. MSG Networks, Inc., No. 17-CV-6903 (RJS), 2025 WL 2061665 (S.D.N.Y. July 23, 2025). This background makes Phil particularly well-suited to counsel clients and advise courts on information-related issues. As a special master, Phil is acclaimed for his collaborative approach, working with parties to find stipulated solutions to complex issues. For disputes that require adjudication, he is renowned for the clarity and vigor of his written dispositions, which are available on legal search engines.
Assisted by GAI and LLM technologies.
SOURCE: HaystackID
[1] California Consumer Privacy Act (CCPA), State of California Department of Justice (Mar. 13, 2024), https://oag.ca.gov/privacy/ccpa.
[2] The California attorney general collectively refers to the CCPA and CPRA as the CCPA. See id.