Field Notes from FLLR: What the latest CPPA enforcement means for you

A newsletter on the latest in privacy tech from FLLR Consulting

California's $1.35M Privacy Fine: What Your Program Needs to Know

What did the enforcement action call out, what does it mean for your organization, and how can you respond effectively?

The State of Enforcement Just Shifted (no pun intended)

California just issued its largest privacy fine to date: $1.35M to Tractor Supply Company, stemming from a single consumer complaint about an inability to opt out. This wasn't a breach. This wasn't systematic data misuse. One person couldn't exercise their privacy rights, and it triggered the state's most significant enforcement action yet.

The timing couldn't be more critical. Governor Newsom signed AB-566 this week, mandating that all web browsers support Global Privacy Control (GPC) signals by January 2027. Once Chrome, Safari, Edge, and Firefox implement this requirement, every California resident will have one-click opt-out capability for every website they visit.

Here's what privacy and compliance leaders need to understand about this enforcement evolution and its practical implications for enterprise privacy programs.

4 Strategic Considerations for Your Privacy Program

1. The Enforcement Pattern Is Now Clear

What is it: California's enforcement actions follow a consistent checklist that regulators are using to identify violations.

What This Means for You:

  • Four major enforcements (Honda $632K, Todd Snyder $345K, Healthline, Tractor Supply $1.35M) all cited the same failures

  • CPPA is processing 150+ complaints weekly; any one could trigger investigation

  • The multi-state privacy consortium expanded to 10 states this week with Minnesota and New Hampshire joining

  • Job applicant privacy violations are now actively enforced, expanding your risk surface

Implementation Approach: Conduct immediate assessments against the enforcement checklist: GPC signal recognition, vendor privacy provisions, functional opt-out mechanisms, and job applicant privacy rights. Organizations that proactively address these four areas significantly reduce enforcement exposure.

Strategic Question: When was the last time your organization tested end-to-end opt-out functionality across all integrated technologies, not just your consent management platform?

2. Browser-Mandated Privacy Signals Change Everything

What is it: AB-566 transforms opt-out signals from edge case to universal capability by 2027.

What This Means for You:

  • Every major browser will have built-in GPC support within 24 months

  • California, Colorado, Connecticut, and New Jersey already require businesses to honor these signals

  • When consumers enable GPC, it applies to every website they visit automatically

  • Marketing analytics and personalization strategies need fundamental rearchitecting

Implementation Approach: Begin technical preparations now by mapping all third-party scripts, tags, and pixels across your web properties. Successful programs are establishing governance frameworks that connect marketing technology decisions with privacy compliance requirements before the mandate takes effect.

Strategic Question: How will your marketing and analytics strategies adapt when 30-50% of traffic arrives with automated opt-out signals enabled?

3. Job Applicant Privacy Creates New Compliance Surface

What is it: Tractor Supply marks the first publicized enforcement on California job applicant privacy. Every company with an ATS just became a potential target.

What This Means for You:

  • Companies reject 100+ applicants per hire, creating thousands of potential complainants

  • ATS systems must support privacy rights including access, deletion, and opt-out

  • Dedicated privacy notices for job applicants are now enforcement triggers

  • HR teams need privacy training on par with marketing departments

Implementation Approach: Establish dedicated workflows for employment data that include retention schedules, deletion processes, and applicant-specific privacy notices. Leading organizations are embedding privacy rights management directly into their ATS platforms rather than managing requests separately.

Strategic Question: Does your HR team understand their privacy compliance obligations as clearly as your marketing team does?

4. Web Governance Gaps Create Enforcement Exposure

What is it: Every major enforcement revealed the same organizational disconnect: Marketing owns consent tools but doesn't understand privacy requirements, while Privacy sets rules but can't validate technical implementation.

What This Means for You:

  • Less than 30% of organizations have defined web governance practices

  • Consent management platforms can be configured correctly yet still fail compliance

  • Third-party scripts often bypass consent controls entirely

  • Nobody validates end-to-end compliance across all technologies

Implementation Approach: Establish cross-functional web governance that brings together Privacy, Marketing, Legal, and IT. Implement regular scanning and validation processes that verify consent choices are honored across all integrated technologies, not just within your consent platform.

Strategic Question: Who in your organization has both the technical knowledge and privacy expertise to validate that opt-out requests actually stop data collection across all platforms?

Key Takeaways

Enforcement Has a Playbook: Regulators follow a consistent pattern: GPC signals, vendor contracts, opt-out mechanisms, and now job applicant privacy. Organizations addressing these four areas proactively avoid the enforcement spotlight.

Browser Mandates Accelerate Change: AB-566 isn't just another regulation; it fundamentally changes how privacy preferences propagate across the web. Smart organizations are preparing now rather than scrambling in 2026.

Cross-Functional Governance Is Non-Negotiable: The gap between marketing technology and privacy compliance creates enforcement exposure. Successful programs bridge this divide through structured web governance.

Job Applicants Are the New Frontier: With the first enforcement action on employment data, every ATS becomes a compliance risk. HR departments need the same privacy capabilities as marketing teams.

Next Steps

The enforcement landscape has shifted from theoretical risk to active prosecution. Organizations that implement comprehensive privacy programs, not just compliant configurations, position themselves for success.

Start by testing your GPC signal recognition today. Enable GPC in your browser, visit your website, and verify that targeting and analytics cookies are no longer set. If they still are, you're already behind.
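The "GPC signal recognition" item in the enforcement checklist above and the browser test described here both come down to one check: does a request carrying the opt-out signal still get non-essential cookies back? The following Python is an added example, not code from FLLR Consulting or from any consent platform. It assumes the W3C GPC convention that an opted-out browser sends the request header `Sec-GPC: 1` (the value is exactly the character "1"). The cookie inventory, category names and the sample request/response headers are constructed for illustration; in practice the inventory would come from your own cookie scan or consent-platform configuration.

```python
"""Server-side GPC signal detection plus a response audit (added example)."""

from dataclasses import dataclass, field

# Constructed cookie inventory: name -> category. A real program would load
# this from the organisation's cookie scan / consent platform configuration.
COOKIE_CATEGORIES = {
    "session_id": "essential",
    "csrf_token": "essential",
    "_ga": "analytics",
    "_fbp": "targeting",
    "ads_id": "targeting",
}

# Categories that must not be set once the user has signalled opt-out.
OPT_OUT_CATEGORIES = {"analytics", "targeting"}


def gpc_opted_out(headers):
    """Return True if the request carries a valid GPC opt-out signal.

    Header names are case-insensitive. The GPC specification defines only the
    value "1" as a valid signal, so "0", "true" or an empty value count as no
    signal rather than being guessed at.
    """
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False


def cookie_name(set_cookie_value):
    """Extract the cookie name from a raw Set-Cookie header value."""
    return set_cookie_value.split("=", 1)[0].strip()


@dataclass
class AuditResult:
    opted_out: bool
    violations: list = field(default_factory=list)  # (cookie name, category)

    @property
    def compliant(self):
        return not self.violations


def audit_response(request_headers, set_cookie_headers, categories=COOKIE_CATEGORIES):
    """Flag every non-essential cookie the response sets while GPC is on.

    Cookies missing from the inventory are reported as "unknown" so that an
    unmapped third-party script surfaces in the audit instead of passing
    silently, which is exactly the gap the newsletter warns about.
    """
    result = AuditResult(opted_out=gpc_opted_out(request_headers))
    if not result.opted_out:
        return result  # no signal: nothing to enforce here
    for raw in set_cookie_headers:
        name = cookie_name(raw)
        category = categories.get(name, "unknown")
        if category in OPT_OUT_CATEGORIES or category == "unknown":
            result.violations.append((name, category))
    return result


# Constructed sample: a GPC-enabled browser requests a page.
SAMPLE_REQUEST = {"Host": "shop.example", "Sec-GPC": "1", "Accept": "text/html"}

# Constructed response that ignores the signal and still drops tracking cookies.
IGNORING_RESPONSE = [
    "session_id=abc123; Path=/; HttpOnly; Secure",
    "_ga=GA1.2.111; Path=/; Max-Age=63072000",
    "_fbp=fb.1.222; Path=/",
]

# Constructed response that honors the signal: only the essential cookie is set.
HONORING_RESPONSE = ["session_id=abc123; Path=/; HttpOnly; Secure"]


if __name__ == "__main__":
    for label, resp in (("ignoring", IGNORING_RESPONSE), ("honoring", HONORING_RESPONSE)):
        r = audit_response(SAMPLE_REQUEST, resp)
        print(label, "compliant" if r.compliant else f"violations: {r.violations}")
```

Run the audit against captured request/response pairs from every page template, not just the home page: the enforcement actions cited above turned on whether the signal was honored end to end, and a cookie set by a tag that loads only on checkout or a careers page is the kind of gap a consent-platform dashboard will not show you.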
