A PYMNTS Company

California Regulators Are Turning Consumer Privacy Act Into Broad TechReg Regime

November 26, 2025

California regulators are transforming the California Consumer Privacy Act (CCPA) from a narrow privacy statute into the foundation of a broad regulatory program. They’re using it to keep companies under multi-year supervision rather than simply issuing a fine in response to violations, and leveraging it to target artificial intelligence systems that make important decisions about consumers. For businesses that touch California residents, the question is no longer whether the CCPA applies, but how deep its reach now goes.

    The Tractor Supply settlement offers a case in point, according to an analysis by HaystackID. The California Privacy Protection Agency (CPPA) imposed a $1.35 million penalty on the company, but also added obligations that run through 2030. Tractor Supply must monitor and test its opt out tools, have a senior officer certify compliance every year and submit detailed annual reports on how tracking technologies and third-party partners handle consumer data.

    According to the settlement, Tractor Supply’s online opt out form suggested that data sales and sharing had stopped even as advertising trackers continued to send personal information to marketing partners. Regulators also flagged weak privacy notices for consumers and job applicants. The lesson for other companies is straightforward: it is not enough to place a “do not sell or share” link on a website. The form must work, and it must align with the underlying data flows.

    The settlement is not an outlier, per HaystackID. The privacy agency and the state attorney general now share enforcement authority and are announcing more settlements, including with Sling TV over opt out mechanics. At the same time, plaintiffs are adding CCPA claims to data breach and tracking suits across the country. With subsequent amendments to the law layering in new rights and risk assessment duties, CCPA compliance now looks like an ongoing program, not a one-off project.

    A companion analysis from Jackson Lewis shows that automated decision making is the next major front. New CCPA regulations define automated decision-making technologies, or ADMT, as tools that process personal information and use computation to replace or largely replace human decisions. To count as real human involvement, a person must understand how to interpret the system, review its output alongside other relevant information and have authority to change the outcome.

    The rules further tighten when ADMT is used to make “significant decisions” about a consumer. The regulations treat as significant any decision that controls whether a person receives or is denied essential services such as credit, housing, education, employment, pay or health care. In practice, this reaches scoring engines for loans and insurance, algorithmic hiring and promotion tools and many eligibility models used by digital platforms and financial institutions.

    For significant decision uses, businesses must give clear notice before deploying ADMT, provide a way to opt out in many situations and respond when consumers ask how the system was used in their case. Companies already using ADMT must meet these duties by January 1, 2027, while new users must comply from day one. Limited carve outs apply if a human appeal process exists or if the tool only allocates work and does not create unlawful discrimination.

    For companies subject to the CCPA, these developments point to three priorities:

    Fix the basics. Test opt out flows and cookie controls with real users, refresh plain language notices and tighten vendor contracts around permitted data uses.

    The emerging picture is clear. California is using the CCPA to police both long standing privacy risks and the next wave of AI driven decision making. Companies that treat the law as a static disclosure exercise are likely to find themselves in complex, multi-year oversight orders. Those that invest now in pragmatic governance, cross functional privacy and AI teams and realistic testing of what consumers actually experience will be better positioned to navigate what is fast becoming the country’s most influential privacy regime.