California Privacy Enforcement Expands to Job Applicants: Why Every Employer Should Act Now

California’s privacy regulators just crossed a historic line — and employers should take note.

In In the Matter of Tractor Supply Company (Sept. 2025), the California Privacy Protection Agency (CPPA) issued its first full enforcement order under the CCPA, imposing $1.35 million in penalties and broad compliance obligations. Beyond fines, the agency ordered quarterly technology scans, contract audits, written certification of compliance, and email notification to all employees and job applicants that the company has updated its Privacy Policy.

What makes this case different? It’s the first CCPA action to cover job applicants, signaling that privacy enforcement now extends well beyond consumers into the employment relationship.

The New Enforcement Message: Privacy Law Meets Employment Law

For California employers, the message from the CPPA’s enforcement could not be clearer: applicant and employee privacy notices must meet the same disclosure standards as consumer notices. Vendor contracts must include enforceable safeguards, and any use of AI or algorithmic systems in HR must be supported by documented bias testing and privacy-risk assessments.

We are at the dawn of a new era of enforcement — one that merges privacy law and employment law. This convergence is taking shape as California’s two key regulatory bodies — the California Privacy Protection Agency (CPPA) and the California Civil Rights Council (CRC) — finalize overlapping rulemakings that together reshape how employers must manage HR data and prepare for heightened scrutiny.

The CRC’s Automated-Decision Systems (ADS) regulations, effective October 2025, require employers using AI or algorithmic tools for hiring, promotion, or pay decisions to conduct anti-bias testing and maintain records for several years. As noted by Squire Patton Boggs in California Employers Face New Challenges for HR Data Processing (Aug. 2025), these rules “subject employers utilizing ADS to far stricter scrutiny” and establish that “the absence of such testing will be considered to support a claim of discrimination.”

At the same time, the CPPA’s new privacy-risk assessment and cybersecurity audit requirements under the CCPA extend directly to HR data. Employers must identify and evaluate any automated decision-making technologies (ADMT) used in employment, conduct and document risk assessments, and file annual compliance attestations with the agency. These assessments must clearly define the purpose of processing, document the logic of ADMT tools, evaluate potential harms (including discrimination), and outline safeguards to mitigate those risks.

In short, the CPPA and CRC have converged on a shared governance model that is centered on fairness, transparency, and accountability in the workplace. Coordinating compliance efforts under both frameworks is essential to meeting California’s evolving standards for workforce data protection.

The Broader Compliance Landscape: Contracts and Tracking in the Spotlight

While the expansion to HR data is new, the Tractor Supply decision builds on two long-standing enforcement priorities in California and other jurisdictions: contractual compliance and opt-out of online tracking. For years, regulators have scrutinized companies that share data with adtech or analytics providers without service-provider contracts containing all required privacy safeguards. They have also consistently enforced the obligation to honor “Do Not Sell or Share” links and Global Privacy Control (GPC) signals, ensuring consumers — and now job applicants — can meaningfully opt out of cross-context behavioral advertising.

These obligations are not new, and they remain an active area of regulatory attention. The CPPA and other authorities continue to prioritize enforcement around vendor contracts, online tracking, and opt-out mechanisms. Regulated entities should be aware that these issues will remain a central focus of privacy oversight and enforcement well into 2026.

Takeaways

The Tractor Supply order makes it clear that, in California, privacy compliance is no longer just a consumer issue — it is also an employment law obligation.

Contractual compliance and online tracking remain top enforcement priorities. Regulators continue to monitor how companies manage vendor relationships, adtech integrations, and opt-out mechanisms across both consumer and employment data.

If your recruiting portal lacks California-specific notices — or if your vendor contracts and cookie practices still predate the CPRA — now is the time to act.
