Tractor Supply Paid $1.35M Because Their Opt-Out Button Didn't Actually Do Anything
CalPrivacy's largest fine at the time. Tractor Supply had a "Do Not Sell My Personal Information" link. It opened a webform. Consumers submitted requests. The form accepted them. But it didn't stop a single tracking pixel from firing.
What CalPrivacy found
Three distinct infrastructure failures:
- The opt-out webform was disconnected from tracking enforcement. Consumers submitted opt-out requests through a "Do Not Sell My Personal Information" webform. The requests were recorded. But the ad tech tracking technologies on the site continued to collect and share consumer data as if nothing happened. The form was a dead end.
- Global Privacy Control signals were completely ignored. Tractor Supply did not configure its website to detect or honor GPC headers — the browser-level opt-out signal that's been a CCPA requirement since 2020. They didn't add GPC recognition until July 2024, years after it was required.
- Vendor contracts were missing CCPA provisions. Contracts with advertising technology companies lacked the required data processing limitations. Even if Tractor Supply had fixed the technical enforcement, there was no contractual basis to require vendors to stop processing on opt-out.
Additionally, Tractor Supply failed to provide adequate privacy notices to job applicants — a separate but related violation showing systemic gaps in their privacy infrastructure.
The technical failure
This is the most common consent enforcement failure pattern: client-side consent collection with no server-side enforcement.
The webform collected the consumer's preference. But the tracking pixels were loaded client-side — injected by tag managers, loaded before consent state was checked, or simply not connected to the consent system at all. The form wrote to one system; the tracking tags read from another (or from nothing).
GPC is even simpler. The browser sends Sec-GPC: 1 in the HTTP request header. If your server doesn't read that header and act on it, you're ignoring a legally valid opt-out signal on every single page load from that consumer.
What should have been deployed
1. Server-side consent enforcement
Not a client-side banner that fires tags before the user responds. A middleware layer that reads consent state and blocks downstream requests at the server before any tracking pixel loads. If the consent store says "opted out," no tag fires. Period.
```javascript
// Express-style middleware: reads the consent decision at the server, before any
// tracking tag is rendered into the response. Assumes a consentStore with
// isOptedOut(id) and recordOptOut(id, source), and an auth layer that sets req.user
// for known consumers (anonymous visitors have no stored record to check).
function consentMiddleware(req, res, next) {
  const gpcSignal = req.headers['sec-gpc'] === '1';
  const userId = req.user ? req.user.id : null;          // guard: anonymous request
  const optedOut = userId !== null && consentStore.isOptedOut(userId);
  res.locals.consent = { tracking: true, sharing: true }; // default read by tag rendering
  if (gpcSignal || optedOut) {
    res.locals.consent = { tracking: false, sharing: false };
    if (gpcSignal && userId !== null && !optedOut) {
      consentStore.recordOptOut(userId, 'gpc');          // persist the browser signal
    }
  }
  next();
}
```
2. GPC detection at the edge
This is ~50 lines of middleware. The header arrives with every request. Read it, record the opt-out, suppress downstream tracking. The fact that Tractor Supply went years without implementing this suggests nobody on their engineering team was even aware of the requirement.
3. Tag management connected to consent state
If you use a tag manager (Google Tag Manager, Segment, etc.), it needs to check consent state before loading any tracking script. Server-side tag management is better — the tags never reach the browser if consent is denied. Client-side tag management with consent gating is acceptable, but only if the gating actually works and is connected to your consent store.
4. A consent propagation pipeline
When a consumer opts out via the webform, that decision must propagate to every ad tech vendor. Not via email to your account manager. Via API calls to each vendor's opt-out endpoint. Automated, auditable, immediate.
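The four pieces above, wired together in one in-process model, as an added example rather than Tractor Supply's or any vendor's code; the consent store, tag catalogue and vendor objects are constructed stand-ins for a real database, tag manager and vendor opt-out APIs.

```javascript
// Constructed sample tag catalogue: each tag is gated by one consent category.
const TRACKING_TAGS = [
  { id: 'site-analytics', category: 'tracking' },
  { id: 'ad-pixel',       category: 'sharing'  },
];

// Stand-in for a persistent consent record with an append-only audit trail.
class ConsentStore {
  constructor() { this.optOuts = new Map(); this.audit = []; }
  isOptedOut(subject) { return this.optOuts.has(subject); }
  recordOptOut(subject, source) {
    if (this.optOuts.has(subject)) return false;  // already opted out: nothing to record
    this.optOuts.set(subject, source);
    this.audit.push({ subject, source });
    return true;
  }
}

// Steps 1 and 2: decide consent for a request at the server. `req` carries only what
// the decision needs: lower-cased headers and a subject id (null for anonymous visitors).
function resolveConsent(req, store) {
  const gpc = String(req.headers['sec-gpc'] || '').trim() === '1';
  const subject = req.subject || null;
  if (gpc && subject) store.recordOptOut(subject, 'gpc');  // persist the browser signal
  const optedOut = gpc || (subject !== null && store.isOptedOut(subject));
  return { tracking: !optedOut, sharing: !optedOut };
}

// Step 3: tags are filtered before the response is built, so an opted-out browser
// never receives the script at all (server-side tag gating).
function allowedTags(consent, tags = TRACKING_TAGS) {
  return tags.filter(t => consent[t.category]).map(t => t.id);
}

// Step 4: the webform handler records the opt-out and pushes it to every vendor's
// opt-out endpoint, keeping one receipt per vendor for audit. Each vendor's optOut()
// stands in for the HTTP call to that vendor's API; a failure is recorded, not dropped.
function handleWebformOptOut(subject, store, vendors) {
  store.recordOptOut(subject, 'webform');
  return vendors.map(v => {
    try { return { vendor: v.name, status: v.optOut(subject) }; }
    catch (err) { return { vendor: v.name, status: 'failed', error: err.message }; }
  });
}
```

A receipt with status 'failed' is the signal to retry and the evidence an auditor will ask for; the original webform produced neither.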
The fine math
$1.35M was a settlement — CalPrivacy's largest at the time, surpassed months later by the $2.75M Disney settlement. The statutory maximum is $7,988 per consumer, per violation, with no cap. Tractor Supply operates 2,200+ stores and processes data on millions of customers. If every page load from an opted-out consumer loaded tracking pixels anyway, each page load is potentially a separate violation.
Does this apply to you?
If your website has a "Do Not Sell" link or opt-out mechanism, ask your engineering team one question: does submitting that form actually stop third-party tracking scripts from loading?
If the answer is "I think so" or "I'm not sure" — you have the same exposure Tractor Supply had.
// Free CCPA gap assessment — we'll audit your consent enforcement from the server layer to the tag manager. 60 minutes, 48-hour gap report.