By: Linda L. Goodman

The $1.35M warning shot for hybrid businesses.
On September 30, 2025, the California Privacy Protection Agency (“AGENCY”) announced a record $1.35 million settlement with Tractor Supply Company, a nationwide retailer, for multiple violations of the California Consumer Privacy Act (“CCPA”). In addition to the fine, the AGENCY imposed a sweeping set of remedial obligations that will govern the company’s tracking technologies, contracts, and privacy program for years.
The Board’s decision and stipulated final order identify five main violations: failure to effectuate “Do Not Sell My Personal Information” opt-outs for tracking technologies; failure to honor Global Privacy Control (GPC) opt-out signals; lack of CCPA-compliant data processing agreements with service providers and third parties; a deficient website privacy notice; and a deficient job-applicant notice that omitted CCPA rights and instructions. Importantly for counsel, Tractor Supply also agreed that the AGENCY “possesses broad authority to investigate potential violations of the CCPA, including those that occurred before January 1, 2023,” effectively conceding a jurisdictional question the agency had tested via subpoena enforcement.
What “data broker” means in 2026 (and why hybrid models are exposed).
California’s Data Broker Registration Law, now layered with the Delete Act, defines a data broker as a business that knowingly collects and sells to third parties the personal information of consumers with whom the business does not have a direct relationship. “Sell” is interpreted broadly under the CCPA to include making personal information available to a third party for valuable consideration, and “sharing” covers cross-context behavioral advertising, even where the company insists it is “just running ads.”
Critically for hybrid models, the AGENCY has clarified that a business can be a data broker even if it has a direct relationship with a consumer, when it sells personal information about that consumer that the business did not collect directly from the consumer. That means a retailer, SaaS provider, or marketplace can be pulled into data-broker status for particular lines of business, such as a retail media network or audience products, while the rest of the enterprise remains a “normal” CCPA business.
How ordinary companies slide into data-broker territory.
Founders rarely describe their companies as data brokers, yet their revenue experiments often look exactly like data-broker behavior when viewed through a regulator’s lens.
Common patterns include:
- Retailers with media networks. You sell physical goods, but you also run a retail media network that lets brands target your customers on-site and off-site using your first-party data and third-party enrichment, often under contracts that let AdTech partners reuse data for their own purposes.
- SaaS and platforms monetizing “insights.” You provide a SaaS platform or marketplace but also sell “aggregated” or “anonymized” insights, look-alike audiences, or propensity scores that rely on individual-level activity and are delivered to third parties who have no direct relationship with the underlying consumers.
- Lead-gen and affiliates. You think of yourself as a marketing or lead-gen shop, but your core business is collecting and passing personal information to multiple buyers, sometimes bundled with other services; regulators have underscored in recent enforcement that “a sale is a sale,” even when it is packaged with advertising or marketing services.
For in-house counsel, the through-line is that the company is monetizing identity- or behavior-level data about individuals for the benefit of third parties who use that data for their own purposes, not solely as processors or service providers. At that point, your “hybrid” model looks like a data-broker line of business, whether or not anyone inside the company uses that label.
What the Tractor Supply order tells you about your risk.
While the Tractor Supply order does not label the company a “data broker,” it reads like a blueprint for how the AGENCY expects data-intensive, ad-supported businesses to behave, and what happens when they do not.
Key lessons:
- Opt-outs must actually cut off sales and shares. The retailer provided a “Do Not Sell My Personal Information” link and a webform, but the form did not effectuate opt-outs for cookies and similar tracking technologies and did not clearly explain how consumers could opt out of those technologies. Any business that depends on pixels, SDKs, and server-to-server ad integrations should assume that “broken” or incomplete opt-out flows are now an enforcement magnet.
- GPC is no longer optional. The AGENCY found a violation where Tractor Supply failed to recognize GPC signals and did not explain in its privacy policy how opt-out preference signals are treated. This sits against the backdrop of a joint investigative sweep by the AGENCY and the Attorneys General of California, Colorado, and Connecticut focused specifically on GPC compliance, and broader multi-state collaboration on honoring web browser–based opt-outs.
- Contracts define whether your partners are processors or co-brokers. The order faulted Tractor Supply for not having CCPA-compliant contracts with service providers and third parties, including advertising technology companies engaged in cross-context behavioral advertising. Where agreements allow partners to build or enrich their own datasets or sell the data onward, regulators can fairly view those relationships as data-broker style sales, not tightly constrained processing.
- Static or legacy notices are themselves a violation. Tractor Supply’s website contained only a California “Shine the Light” disclosure and omitted required CCPA disclosures; its privacy policy had not been updated since November 2021, despite the statute’s expectation of annual review and updates. Its job-applicant notice failed to inform applicants of their CCPA rights or how to exercise them, making this the AGENCY’s first enforcement touching privacy in the employment context.
- Remedies are operational and long-term. Beyond the fine, Tractor Supply must conduct quarterly scans of its digital properties, maintain a full and current inventory of tracking technologies, flag which are used for selling or sharing and whether supported by compliant contracts, and ensure symmetry of choice in consent interfaces. It must also train personnel, overhaul contract management, send notice of updated policies to employees and applicants, post large-data-holder metrics, and for four years operate a monitoring program and provide annual reports to the AGENCY.
For a hybrid company, this package looks very much like a forced data-broker compliance program built on top of an ad-tech-heavy stack.
Checklist for Team Actions.
To make this actionable for your teams:
- Map your data-monetization lines. Identify every product or initiative that uses customer or visitor data for anything beyond delivering your core service: retail media, audience products, co-branded analytics, “insights” sales, and data-sharing programs. Ask explicitly: “Are we selling or sharing personal information about people who never directly interacted with us?”
- Inventory tracking technologies and flows. Build and maintain a live inventory of pixels, tags, SDKs, and server-to-server integrations, and for each, determine whether it is used for selling or sharing and whether it is backed by a CCPA-compliant contract. This is now an explicit expectation in AGENCY settlements, not a nice-to-have.
- Fix opt-outs and GPC before regulators do. Ensure your “Do Not Sell or Share” mechanisms actually propagate through your stack and cut off sales and shares for a given consumer within statutory timelines. Implement and document handling of GPC and similar signals; in light of the joint multi-state sweep, treating GPC as optional is no longer a defensible position.
- Re-paper relationships that look like broker deals. Have counsel segment contracts into true service-provider/processor arrangements versus relationships where partners gain independent use rights. Tighten service-provider terms, prohibit secondary use, and ensure that any residual “sale” or “share” is deliberate, disclosed, and, if you qualify, covered by data-broker registration and Delete Act obligations.
- Update notices and train the humans. Refresh privacy and job-applicant notices at least annually so they accurately describe your sale/share practices, opt-out methods, and treatment of preference signals. Train marketing, product, ad-ops, and recruiting teams on these obligations, since they are the ones who will launch the campaigns and tools that either keep you compliant or pull you deeper into data-broker territory.
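One way to connect the inventory and opt-out items of this checklist in code, as an added example that is not from the article or the order: each request is checked for a GPC signal (browsers send it as the `Sec-GPC: 1` request header) or a stored opt-out, and every inventoried technology flagged as selling or sharing is suppressed. The inventory entries, field names, and function names are constructed for illustration.

```javascript
// Added example: constructed inventory and hypothetical field names.
// Browsers transmit Global Privacy Control as the request header "Sec-GPC: 1".
function hasGpcSignal(headers) {
  // Header names are case-insensitive; only the exact value "1" is a signal.
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === 'sec-gpc') return String(value).trim() === '1';
  }
  return false;
}

// Decide which inventoried technologies may fire for one request.
// A consumer is opted out if the request carries GPC OR a stored
// "Do Not Sell or Share" choice exists for them.
function planTags(inventory, headers, storedOptOut) {
  const optedOut = hasGpcSignal(headers) || storedOptOut === true;
  const plan = { optedOut, load: [], suppressed: [], gaps: [] };
  for (const tag of inventory) {
    // Unreviewed entries are treated as sell/share until classified.
    const sellsOrShares = tag.sellsOrShares !== false;
    if (tag.sellsOrShares === undefined) {
      plan.gaps.push(`${tag.name}: purpose not classified`);
    } else if (sellsOrShares && !tag.compliantContract) {
      plan.gaps.push(`${tag.name}: sells/shares without compliant contract`);
    }
    (optedOut && sellsOrShares ? plan.suppressed : plan.load).push(tag.name);
  }
  return plan;
}

// Constructed sample inventory covering tags, pixels, SDKs and
// server-to-server integrations.
const INVENTORY = [
  { name: 'site-analytics', kind: 'tag', sellsOrShares: false, compliantContract: true },
  { name: 'ad-pixel', kind: 'pixel', sellsOrShares: true, compliantContract: true },
  { name: 'retargeting-s2s', kind: 'server-to-server', sellsOrShares: true, compliantContract: false },
  { name: 'chat-sdk', kind: 'sdk' }, // never reviewed
];

console.log(planTags(INVENTORY, { 'Sec-GPC': '1' }, false));
```

The `gaps` list is independent of any single consumer's choice, so the same function can feed a periodic scan report as well as the per-request decision.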
The strategic takeaway is simple: if part of your valuation story is that “your data is an asset,” you need a clear answer, grounded in statute, contracts, and systems design, on whether that asset makes you a data broker. For in-house counsel and compliance, the Tractor Supply opinion offers a concrete checklist for how the AGENCY will evaluate that answer in the next investigative sweep, which it promises is coming.
© 2026 CLIClaw.com
This article is for information purposes only. It is not intended to be and should not be relied on as legal advice for any particular matter.