GPC Enforcement 2026: What Sephora, Honda, and Tractor Supply Fines Tell WordPress Store Owners

January 1, 2026
by Cherry Rose

California fined Tractor Supply $1.35 million in September 2025—the largest CPPA fine in history—for failing to honor GPC signals and other opt-out violations. That same year, Healthline paid $1.55 million, Honda paid $632,500, and Todd Snyder paid $345,178. All for the same basic failure: their opt-out mechanisms didn’t actually work.

These aren’t theoretical risks. They’re happening now to real retailers. And the enforcement playbook is clear: regulators test your opt-out mechanisms, check for GPC compliance, audit your vendor contracts. If any piece fails, you pay.

The 2025 Enforcement Wave

Privacy enforcement accelerated dramatically in 2025. California, Colorado, and Connecticut launched a joint investigative sweep in September 2025 specifically targeting GPC compliance. Three states, coordinated enforcement, focused on one thing: whether businesses actually honor opt-out signals.

The fines tell the story:

  • Tractor Supply: $1.35 million (September 2025) — Largest CPPA fine ever
  • Healthline Media: $1.55 million (July 2025) — Continued sharing after opt-out
  • Honda: $632,500 (March 2025) — Excessive verification for opt-outs
  • Todd Snyder: $345,178 (May 2025) — Opt-out mechanism failed for 40 days

The pattern is clear. Regulators aren’t issuing warnings anymore. They’re issuing fines.

What Tractor Supply Did Wrong

Tractor Supply’s violations read like a checklist of what not to do.

Their “Do Not Sell My Personal Information” link led to a webform. Filling out that form did not actually stop tracking. The link existed. The mechanism behind it was broken. As the White & Case legal analysis put it: “Simply having an opt-out link or form is insufficient; businesses must ensure these mechanisms prevent the sale or sharing of personal information across all technologies including third-party tracking.”

That quote explains why Tractor Supply’s fine was so large.

The specific violations included:

  • Ignored GPC signals entirely — Browser signals were not processed
  • Opt-out form didn’t work — Tracking continued after submission
  • Inadequate job applicant notices — HR portal privacy was also non-compliant
  • Weak vendor contracts — Third-party tracking partners lacked proper agreements

The $1.35 million fine reflected multiple failures across multiple systems. But the GPC violation was the headline.


What Healthline Did Wrong

Healthline Media’s $1.55 million fine—technically the largest of 2025—came from a different failure mode.

Users opted out via GPC. Healthline continued sharing their data anyway. The opt-out signal was received. The data sharing continued. That’s not a technical bug. That’s ignoring the signal entirely.

Making it worse: Healthline transmitted sensitive health inferences to third parties. When you’re sharing health-related data after someone explicitly opted out, regulators notice.

The additional violations:

  • Continued data sharing after GPC opt-out — The core violation
  • Transmitted sensitive health inferences — Category of data made it worse
  • Misleading consent banner — UI didn’t reflect actual behavior

What Honda Did Wrong

Honda’s $632,500 fine introduced a new concept: symmetrical opt-out tools.

“Symmetrical” means opting out must be as easy as opting in. If it takes one click to accept cookies, it must take one click to reject them. Honda failed this test.

When users tried to opt out, Honda required excessive verification. Extra steps. Additional friction. Meanwhile, opting in was simple. That asymmetry violated California’s requirement for frictionless GPC compliance.

Honda also:

  • Required excessive verification for opt-out requests — More friction than opt-in
  • Ignored GPC signals — Signals weren’t processed automatically
  • Lacked proper third-party contracts — Vendor agreements were inadequate

What Todd Snyder Did Wrong

Todd Snyder’s $345,178 fine came from a simpler failure: their opt-out mechanism was broken for 40 consecutive days.

A misconfigured cookie banner. Users clicking “reject” but tracking continuing anyway. For over a month.

This is the nightmare scenario for any WordPress store. A configuration change. A plugin update. Suddenly your consent mechanism doesn’t work. And you don’t notice for 40 days.

By the time regulators tested it, the evidence was clear. The fine followed.


The Regulator Playbook

These cases reveal exactly how regulators test for compliance. Regulators are building a playbook: test the opt-out mechanisms, check for GPC compliance, review all privacy notices including HR portals, and audit third-party contracts. If any piece fails, expect enforcement.

The testing process:

  1. Send GPC signal — Does tracking stop?
  2. Click opt-out link — Does it actually work?
  3. Verify tracking behavior — Is data still being shared?
  4. Review privacy notices — Are disclosures accurate?
  5. Audit vendor contracts — Do third parties have proper agreements?

If any step fails, you’re in the enforcement queue.
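As an added example (not from the original post), here is a small Python checker that mirrors steps 1 to 3 of the playbook: it fetches a store page with and without the Sec-GPC: 1 request header and reports which third-party trackers still load after the signal, plus whether a “Do Not Sell” link is present. The tracker host list and the sample pages are constructed for illustration.

```python
"""Offline checker mirroring steps 1-3 of the playbook: compare the page served
with Sec-GPC: 1 against the page served without it; report surviving trackers."""
import re
import urllib.request
from html.parser import HTMLParser
from urllib.parse import urlparse

# Illustrative tracker hosts (an assumption, not from the post); add your vendors.
TRACKER_HOSTS = {"connect.facebook.net", "www.googletagmanager.com",
                 "analytics.tiktok.com", "static.hotjar.com"}
OPT_OUT_LINK = re.compile(r"do not sell|your privacy choices", re.I)

def fetch(url, gpc):
    """Step 1: fetch the page, sending the Sec-GPC: 1 header when gpc is True."""
    req = urllib.request.Request(url, headers={"Sec-GPC": "1"} if gpc else {})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read().decode("utf-8", "replace")

class _PageScan(HTMLParser):
    """Collects hosts of script/img/iframe src and looks for the opt-out link."""
    def __init__(self):
        super().__init__()
        self.hosts, self.has_opt_out_link, self._in_a = set(), False, False
    def handle_starttag(self, tag, attrs):
        if tag in ("script", "img", "iframe"):
            host = urlparse(dict(attrs).get("src") or "").netloc.lower()
            if host:
                self.hosts.add(host)
        if tag == "a":
            self._in_a = True
    def handle_endtag(self, tag):
        self._in_a = self._in_a and tag != "a"
    def handle_data(self, data):
        if self._in_a and OPT_OUT_LINK.search(data):
            self.has_opt_out_link = True

def audit_gpc(html_without_gpc, html_with_gpc):
    """Steps 2-3: which trackers survive the signal? An empty set means honored."""
    before, after = _PageScan(), _PageScan()
    before.feed(html_without_gpc)
    after.feed(html_with_gpc)
    return {"trackers_without_gpc": before.hosts & TRACKER_HOSTS,
            "trackers_still_loaded_under_gpc": after.hosts & TRACKER_HOSTS,
            "has_opt_out_link": before.has_opt_out_link}

# Constructed sample pages: the broken store serves the same pixel under GPC.
PIXEL = '<script src="https://connect.facebook.net/en_US/fbevents.js"></script>'
PAGE_NO_GPC = ('<html><body>' + PIXEL + '<a href="/privacy-choices">'
               'Do Not Sell or Share My Personal Information</a></body></html>')
PAGE_GPC_BROKEN = PAGE_NO_GPC  # signal ignored, like Tractor Supply's webform
PAGE_GPC_FIXED = PAGE_NO_GPC.replace(PIXEL, "")
```

A static HTML diff only catches tags the server itself emits; trackers injected at runtime by a GTM container need a browser-driven check of the actual network requests. Running a check like this on a schedule is what would have surfaced a 40-day outage like Todd Snyder's.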

What This Means for WordPress Store Owners

These enforcement actions targeted major retailers. But the same rules apply to WordPress stores selling to California residents.

The question isn’t whether regulators will eventually test smaller businesses. The question is whether your opt-out mechanisms actually work when they do.

Common WordPress tracking setups create risk:

  • Third-party tracking pixels — You’re sharing data with advertising platforms
  • Cookie consent plugins — Do they actually block tracking when users opt out?
  • GTM implementations — Does your container respect consent signals?
  • Vendor contracts — Do your tracking partners have proper agreements?

Every piece in the chain can fail. And if it fails, you’re responsible.

The First-Party Alternative

There’s a simpler path: don’t share data with third parties for advertising in the first place.

First-party data collection changes the compliance equation. When events are captured on your server and sent to your own data warehouse, you’re not “selling” or “sharing” personal information with advertising platforms. GPC obligations around data sales don’t apply the same way.

Transmute Engine™ routes WooCommerce events server-side to destinations you control. Your data goes to your GA4, your BigQuery, your analytics stack. Not to third-party advertising networks that trigger GPC obligations.

The difference matters. Tractor Supply got fined because tracking continued after opt-out. With first-party server-side tracking, the data never leaves your infrastructure in ways that trigger these obligations.

Key Takeaways

  • Tractor Supply fined $1.35 million for ignoring GPC signals and having a non-functional opt-out mechanism
  • Healthline fined $1.55 million for continuing data sharing after GPC opt-out
  • Honda fined $632,500 for requiring excessive verification—opting out must be as easy as opting in
  • Todd Snyder fined $345,178 for a misconfigured consent banner that failed for 40 days
  • Three states launched joint GPC enforcement in September 2025—this is coordinated and accelerating
  • First-party data collection avoids the core problem by not sharing data with third parties

How do regulators test for GPC compliance?

Regulators follow a playbook: they send GPC signals to your site, verify whether tracking actually stops, check if your “Do Not Sell” link works correctly, review privacy notices including HR portals, and audit your third-party vendor contracts. If any piece fails the test, enforcement follows.

What did Tractor Supply do wrong with GPC?

Tractor Supply’s “Do Not Sell My Personal Information” link led to a webform that did not actually block tracking. The company also ignored GPC signals, had inadequate job applicant privacy notices, and had weak vendor contracts. The result: a $1.35 million fine, the largest CPPA fine in history.

Can I be fined for GPC violations in states outside California?

Yes. California, Colorado, and Connecticut launched a joint investigative sweep in September 2025 specifically targeting GPC compliance. Other states with privacy laws are watching these enforcement actions closely and building similar playbooks.

What is frictionless GPC compliance?

California requires businesses to honor GPC signals automatically without requiring consumers to take additional steps. The opt-out must apply immediately upon signal detection. No confirmation emails, no additional clicks, no verification—the signal itself is the opt-out.

Concerned about GPC compliance for your WordPress store? Learn how first-party tracking eliminates these risks.
