Retail on the Radar: Understanding Data Privacy Management for the Retail Industry

The recent spate of enforcement actions against retailers, including Tractor Supply, Todd Snyder, Healthline, and more, highlights a troubling pattern of repeated privacy failures in the retail industry. From mishandling opt-outs to sharing personal data with third parties, multiple issues have come up, putting consumer rights in jeopardy.

The lawsuits underscore that superficial compliance is no longer sufficient. Regulators now expect privacy to be embedded into technology, processes, and governance across the entire data ecosystem. In this blog, we will discuss the pitfalls and challenges that are putting retail businesses on the radar for privacy lawsuits and what they can do to avoid them.

The Cost of Privacy Compliance Gaps

The rise in lawsuits can be attributed to several factors, ranging from heightened public awareness and public scrutiny to the natural challenges of maintaining privacy compliance on the website itself. While we will discuss these points later, let us look at a few recent examples of such lawsuits.

  • Tractor Supply: On September 26, 2025, the CPPA imposed a record $1.35 million fine on Tractor Supply Co., alleging multiple CCPA violations tied to consumer consent and data sharing. The complaint charged that Tractor Supply’s opt-out webform failed to stop the sale or sharing of personal information, and that the company ignored Global Privacy Control signals submitted by consumers.
  • Healthline: In September 2025, California Attorney General Rob Bonta announced a $1.55 million settlement, marking the largest CCPA enforcement action to date, against Healthline Media LLC[1]. The investigation found that Healthline failed to allow consumers to opt out of targeted advertising and shared personally identifiable data with third parties.
  • Todd Snyder: On May 6, 2025, the California Privacy Protection Agency (CPPA) announced a $345,178 settlement with Todd Snyder, Inc., marking the agency’s first enforcement action against a retailer. The CPPA alleged that Todd Snyder’s website failed to process opt-out requests for over 40 days due to a misconfigured consent tool.
  • Honda: On March 12, 2025, the CPPA announced a $632,500 fine against American Honda Motor Co., Inc. for alleged violations of the CCPA. The complaint charged Honda with requiring excessive personal information in its data rights request forms, unlawfully forcing consumers to verify their identity for opt-out requests, and deploying cookie management tools that made opting out more burdensome than opting back in.

Retailer’s Guide to Embedding Privacy

A proactive approach to data privacy requires practices that give complete visibility and control over how a user’s personal data is collected, used, and shared. Here are some practical steps to achieve that.

  • Embedding Opt-Outs: Retailers must ensure that opt-out requests are not just collected but actively enforced across all tracking systems, including websites, mobile apps, loyalty programs, and in-store platforms. Opt-out links or forms that fail to block data sharing, or misconfigured consent tools, are a common source of enforcement actions.
  • Global Privacy Control (GPC) Signals: Regulators now treat GPC signals as legally binding expressions of consumer intent. Retailers should integrate systems that detect and honor these signals automatically. This will ensure that third-party trackers, advertising pixels, and cookies respect user preferences.
  • Simplifying Verification Processes: Excessive or legally unnecessary verification steps, such as mandatory government-issued IDs for opt-out requests, create friction for consumers and violate CCPA requirements. Retailers should apply verification only where strictly required by law, keeping the process straightforward and consumer-friendly to avoid unnecessary exposure.
  • Strengthening Vendor and Partner Contracts: Many violations stem from third-party misuse of consumer data. Retailers must include explicit contractual clauses that restrict secondary use, mandate compliance with privacy laws, require enforcement of opt-outs, and allow for audits. Weak or absent vendor agreements are a recurring factor in enforcement actions.
  • Comprehensive Privacy Notices: Generic or buried disclosures are insufficient. Retailers should ensure that privacy notices clearly describe what data is collected, how it is used, which third parties have access, and how consumer rights are implemented, including GPC signal processing. Notices should cover all touchpoints, including shoppers, prospects, employees, and job applicants, and be version-controlled and regularly updated.
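
The opt-out and GPC points above can be enforced and checked in code. The following is an added example, not code from this article or from any retailer or vendor it names: a server-side gate that treats either the `Sec-GPC: 1` request header (defined by the GPC specification) or a stored webform opt-out as sufficient to withhold third-party sharing tags, plus an audit function for rendered pages. The tag names, the `sharesWithThirdParty` flag, and the `"opted_out"` preference value are hypothetical.

```javascript
// Constructed tag inventory: names and the sharesWithThirdParty flag are hypothetical.
const TAGS = [
  { name: "first-party-analytics", sharesWithThirdParty: false },
  { name: "ad-pixel", sharesWithThirdParty: true },
  { name: "retargeting-cookie-sync", sharesWithThirdParty: true },
];

// The GPC specification sends the request header "Sec-GPC: 1" when the signal is on.
function hasGpcSignal(headers) {
  for (const [key, value] of Object.entries(headers)) {
    if (key.toLowerCase() === "sec-gpc") return String(value).trim() === "1";
  }
  return false;
}

// Either source is enough to opt the visitor out; a missing stored record never
// overrides a GPC signal. storedPreference values are assumed: "opted_out" or null.
function resolveOptOut(headers, storedPreference) {
  const gpc = hasGpcSignal(headers);
  const webform = storedPreference === "opted_out";
  const source = gpc ? "gpc" : webform ? "webform" : "none";
  return { optedOut: gpc || webform, source };
}

// Enforcement: decide server-side which tags are written into the page at all.
function tagsToRender(headers, storedPreference) {
  const { optedOut } = resolveOptOut(headers, storedPreference);
  return TAGS.filter((t) => !(optedOut && t.sharesWithThirdParty)).map((t) => t.name);
}

// Audit: given the tags observed on a rendered page, list any that should have
// been blocked. A non-empty result means the opt-out was collected but not enforced.
function auditRenderedTags(headers, storedPreference, renderedNames) {
  if (!resolveOptOut(headers, storedPreference).optedOut) return [];
  const sharing = new Set(TAGS.filter((t) => t.sharesWithThirdParty).map((t) => t.name));
  return renderedNames.filter((name) => sharing.has(name));
}

// Constructed requests: one with GPC on, one with a stored webform opt-out only.
console.log(tagsToRender({ "Sec-GPC": "1" }, null));
console.log(tagsToRender({}, "opted_out"));
console.log(auditRenderedTags({ "sec-gpc": "1" }, null, ["first-party-analytics", "ad-pixel"]));
```

Running the audit function on a schedule against each site template is one way to catch a consent tool that has silently stopped enforcing opt-outs.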

Privacy Roadmap for Retailers

The recent enforcement actions show that data privacy failures carry real financial and reputational risks. To stay ahead, retailers must embed privacy into their technology, operational processes, and governance frameworks. By being proactive in handling these risks, retailers can reduce their exposure to lawsuits and build trust with customers in an era where data accountability is no longer optional.


Author

Dan Clarke
President, Truyo
October 9, 2025
