The California Privacy Protection Agency, the state’s main data privacy regulator, just announced its largest fine yet – a record-setting $1.35 million – against an employer that it found to have violated job applicant and consumer privacy rights. Today’s announcement marks the first-ever enforcement action involving job applicants, kicking off a new chapter when it comes to the way employers need to think about the California Consumer Privacy Act (CCPA). If you collect information from California job applicants, employees, or consumers, you will want to review our summary of this groundbreaking news and follow our six-step action plan.

What Happened?

The California Privacy Protection Agency (CPPA) launched its investigation against Tractor Supply, the nation’s largest rural lifestyle retailer, after it received a solitary complaint from a consumer in Placerville, CA. It is not publicly known whether this consumer was a job applicant, employee, website user, retail customer, or other consumer. But the reality is that a CPPA investigation can be triggered by any complaint, including from disgruntled former employees or from a current employee seeking to shield themselves from retaliation, or from a job applicant who was turned away or not considered for the job.

According to the September 30 agreement, the agency found that the employer failed to:

  • Provide a compliant privacy notice to job applicants
  • Inform job applicants of their rights and how to exercise them
  • Maintain a legally sufficient privacy policy
  • Honor opt-out requests submitted through its website
  • Recognize browser-based opt-out preference signals (like Global Privacy Control) that consumers can use to automatically indicate that they don’t want their data sold or shared for targeted advertising purposes
  • Enter into appropriate contracts that limit how third-party vendorscould use shared personal data and ensure they recognize opt-out signals
  • Use proper contracts with advertising and analytics providers

5 Reasons Why This Development is Big News for Employers

Read The Full Article at Fisher Phillips

Consumer Protection Enforcement EU Surveillance
October 21, 2025
0 12

Pay or ok? Why Europe’s data watchdogs must reject “forced consent”

Data Security
October 17, 2025
0 17

IPC updates its de-identification guidelines, setting a new standard for responsible data use

Consumer Protection Data Breaches
October 16, 2025
0 25

Canadian Tire says under 150,000 customers affected by data breach

Consumer Protection Data Breaches
October 16, 2025
0 25

Canadian Tire says under 150,000 customers affected by data breach

Data Breaches Enforcement
October 2, 2025
0 56

California Breaks New Ground With Record $1.35M Fine for Job Applicant Mistakes: 6-Step Action Plan for Employers

Canada Cybersecurity Data Breaches
July 30, 2025
0 179

Bill C-8 revives Canadian cyber security reform: What critical infrastructure sectors need to know

Check Also

Pay or ok? Why Europe’s data watchdogs must reject “forced consent”

Europe’s data watchdogs already have all the evidence they need to reject Pay or OK …