It wasn’t a big tech firm, but the biggest rural retailer in America that got the largest wallop ever from California’s toughest privacy watchdog.

Do you sometimes find yourself getting jealous because European Union nations seem to take action to protect the online privacy of their citizens by passing — and actually enforcing — privacy laws with teeth, while here in the States our politicians only pay lip service to privacy and allow corporations to do what they want without consequence?
Me too.
That’s why I was pleased to see that the State of California — which has had strong privacy legislation on the books for five years — has been taking companies to task for privacy violations in a way that would make the European Commission proud.
About a week ago, the California Privacy Protection Agency — which is tasked with enforcing California’s stringent privacy laws — levied a $1,350,000 fine against Tractor Supply Company and ordered it to change its business practices, in order to remedy violations of the California Consumer Privacy Act. Not only is the fine the largest in the CPPA’s history, but the decision is also the first to address the importance of CCPA privacy notices and the privacy rights of job applicants.
“We will continue to look broadly across industries to identify violations of California’s privacy law,” said Michael Macko, the Agency’s head of enforcement. “We made it an enforcement priority to investigate whether businesses are properly implementing privacy rights, and this action underscores our ongoing commitment to doing that for consumers and job applicants alike.”
An Unusual Target
This action is unusual, not just because it took place in the US, but because it’s not against a tech giant, data broker, or advertising company — the industries that privacy regulators typically go after.
Tractor Supply is hardly one of those. It’s a “rural lifestyle retailer” — the largest in the country with 2,500 stores in 49 states — that specializes in products for farming, ranching, pet care, gardening, and home maintenance. If you live in a large urban area, you’ve probably never heard of it, but if you live in one of the far suburbs, a small city, or a rural area, you’re likely well acquainted with it.
Hayley Tsukayama, Electronic Frontier Foundation’s associate director of legislative activism, noted in a blog published on EFF’s website on Tuesday:
“This case merely highlights what anyone who uses the internet knows: practically every company is tracking your online behavior,” she said. “The agency may be trying to make exactly this point by zeroing in on Tractor Supply.”
That assessment seemed to be expressed in a statement from Tom Kemp, the CPPA’s executive director, that was included in the organization’s press release:
“California’s privacy rights protect everyone in the state, from the Central Valley to the Silicon Valley. We appreciate the members of the public who help us uphold these rights by submitting complaints to the CPPA.”
Where Tractor Supply Went Wrong
According to the CPPA, Tractor Supply violated Californians’ privacy rights by:
- Failing to maintain a privacy policy that notified consumers of their rights;
- Failing to notify California job applicants of their privacy rights and how to exercise them;
- Failing to provide consumers with an effective mechanism to opt out of the selling and sharing of their personal information, including through opt-out preference signals such as Global Privacy Control; and
- Disclosing personal information to other companies without entering into contracts that contain privacy protections.
The CPPA Board’s decision followed a separate court case brought against Tractor Supply last month to enforce an investigative subpoena.
“With today’s resolution,” the agency said, “the CPPA’s Enforcement Division will be discontinuing that litigation.”
Other CPPA Actions
The action against Tractor Supply is far from the only action the agency has taken to support California’s privacy laws. Other recent actions include:
- Issuing a decision requiring clothing retailer Todd Snyder to change its business practices and pay a $345,178 fine for CCPA violations.
- Issuing a decision requiring American Honda Motor Co. to change its business practices and pay a $632,500 fine for CCPA violations.
- Securing a settlement agreement requiring data broker Background Alert — which promoted its ability to dig up “scary” amounts of information about people — to shut down or pay a steep fine.
- Launching the bipartisan Consortium of Privacy Regulators to collaborate with states across the country to implement and enforce privacy laws nationwide.
- Partnering with the data protection authorities in Korea, France, and the United Kingdom to share information and advance privacy protections for Californians.
In addition, the agency has successfully taken enforcement actions against unregistered data brokers following an investigative sweep launched late last year to assess compliance with the Delete Act, a California law that, among other things, requires data brokers to process deletion requests that consumers submit through an online system known as the Delete Request and Opt-out Platform.
Christine Hall has been a journalist since 1971. In 2001, she began writing a weekly consumer computer column and started covering Linux and FOSS in 2002 after making the switch to GNU/Linux. Follow her on Twitter: @BrideOfLinux