This year, state lawmakers have introduced over a dozen bills to regulate “surveillance,” “personalized,” or “dynamic” pricing.  Although many of these proposals have failed as 2025 state legislative sessions come to a close, lawmakers in New York, California, and a handful of other states are moving forward with a range of different approaches.  These proposals include disclosure requirements, data use limitations, general prohibitions, and specific restrictions in the food retail and food service sectors.

While definitions vary, these proposals generally define “surveillance,” “personalized,” or “dynamic” pricing (hereinafter “covered activity”) as the setting or adjusting of prices by analyzing consumer data that may result in the offering of different, or “customized,” prices to different consumers for the same good or service.  Some of these proposals define covered activities to specifically encompass the setting of prices using “algorithms,” “surveillance technology,” or other technical systems that process consumer data.

Disclosure Requirements.  State lawmakers have introduced or passed legislation that would establish disclosure requirements for businesses that engage in the covered activity.  On May 9, for example, New York Governor Kathy Hochul (D) signed A3008 into law, making it a deceptive act or practice under the state’s UDAP law to knowingly offer “personalized algorithmic pricing using consumer data specific to a particular individual” unless the personalized algorithmic price contains a disclosure stating: “This price was set by an algorithm using your personal data.”  Two bills currently under consideration in the Ohio Senate, SB 79 and SB 328, would similarly require businesses with over $5 million in revenue to disclose to consumers if a “price or a commercial term is set or recommended by a pricing algorithm,” including whether the pricing algorithm sets or recommends different prices for identical products and whether the business developed or distributed the pricing algorithm.

Data Use Limitations.  By contrast, states are also pursuing legislation that would prohibit businesses from engaging in the covered activity based on specific protected categories of data about consumers.  On May 28, for example, the California Senate passed the Fair Online Pricing Act (SB 259), which would prohibit businesses from offering prices “to a consumer through the consumer’s online device” if the prices are generated “in whole or in part” based on (1) information about the consumer’s device, (2) the presence or absence of software on such device, or (3) geolocation data of the device. 

General Prohibitions.  Other state proposals would generally prohibit businesses from engaging in the covered activity, with certain exceptions.  On May 12, for example, the California Assembly passed AB 446, which would prohibit any person from engaging in surveillance pricing, i.e., the offering or setting of a “customized price” to a specific consumer or group of consumers based on personally identifiable or aggregate consumer information “collected through electronic surveillance technology.”  The bill would provide exemptions for differences in prices based solely on the costs of providing a good or service to different consumers, or for discounted prices offered based on publicly disclosed eligibility criteria, to members of a broadly defined group, or through a loyalty, membership, or rewards program. 

Legislation introduced in Colorado (HB 1264), Georgia (SB 164), Illinois (SB 2255), and Minnesota (HF 2452 / SF 3098) would have imposed general prohibitions on the use of “surveillance data” as part of an “automated decision system to inform” individualized prices or individualized wages.  Although these proposals failed to pass by the close of their states’ legislative sessions, we expect similar legislation to be introduced in future sessions. 

Prohibitions in Food Retail and Food Service Sectors.  Finally, state lawmakers are also considering restrictions on the use of “dynamic pricing” by grocery stores, restaurants, and other food service establishments.  In New York, for example, A3437 would prohibit “food service establishments” from using “dynamic pricing models” to determine the prices on their menus, and would require food service establishments to ensure that menu prices are fixed and posted.  Meanwhile, Maine lawmakers are considering HP 1055, which would prohibit any “eating establishment or grocery store” from using “dynamic pricing” to set the price for a good or product, and would require prices to be fixed for at least one business day. 

Tags: Personalized Pricing
Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Lindsey Tonsager Lindsey Tonsager

Lindsey Tonsager co-chairs the firm’s global Data Privacy and Cybersecurity practice. She advises clients in their strategic and proactive engagement with the Federal Trade Commission, the U.S. Congress, the California Privacy Protection Agency, and state attorneys general on proposed changes to data protection…

Lindsey Tonsager co-chairs the firm’s global Data Privacy and Cybersecurity practice. She advises clients in their strategic and proactive engagement with the Federal Trade Commission, the U.S. Congress, the California Privacy Protection Agency, and state attorneys general on proposed changes to data protection laws, and regularly represents clients in responding to investigations and enforcement actions involving their privacy and information security practices.

Lindsey’s practice focuses on helping clients launch new products and services that implicate the laws governing the use of artificial intelligence, data processing for connected devices, biometrics, online advertising, endorsements and testimonials in advertising and social media, the collection of personal information from children and students online, e-mail marketing, disclosures of video viewing information, and new technologies.

Lindsey also assesses privacy and data security risks in complex corporate transactions where personal data is a critical asset or data processing risks are otherwise material. In light of a dynamic regulatory environment where new state, federal, and international data protection laws are always on the horizon and enforcement priorities are shifting, she focuses on designing risk-based, global privacy programs for clients that can keep pace with evolving legal requirements and efficiently leverage the clients’ existing privacy policies and practices. She conducts data protection assessments to benchmark against legal requirements and industry trends and proposes practical risk mitigation measures.

Read more about Lindsey TonsagerEmail
Show more Show less
Photo of Nicholas Shepherd Nicholas Shepherd

Nick Shepherd is an associate in Covington’s Washington, DC office, where he is a member of the Data Privacy and Cybersecurity Practice Group, advising clients on compliance with all aspects of the EU/UK General Data Protection Regulation (GDPR), ePrivacy Directive and its national…

Nick Shepherd is an associate in Covington’s Washington, DC office, where he is a member of the Data Privacy and Cybersecurity Practice Group, advising clients on compliance with all aspects of the EU/UK General Data Protection Regulation (GDPR), ePrivacy Directive and its national implementing laws, EU/UK direct marketing laws, emerging state privacy laws in the United States, and other privacy and cybersecurity laws worldwide. Nick counsels on topics that include adtech, anonymization, children’s privacy, cross-border data transfers, data breach response, artificial intelligence, and much more, providing advice tailored to product- and service-specific contexts to help clients apply a risk-based approach in addressing requirements on transparency, consent, lawful processing, data sharing, and related issues.

A U.S.-trained and qualified lawyer with 7 years of working experience in Europe, Nick now leverages his multi-faceted legal background and international experience from the U.S. to provide clear and pragmatic advice to help organizations address their privacy compliance obligations across jurisdictions.

Read more about Nicholas ShepherdEmail
Show more Show less
Photo of August Gweon August Gweon

August Gweon counsels national and multinational companies on data privacy, cybersecurity, antitrust, and technology policy issues, including issues related to artificial intelligence and other emerging technologies. August leverages his experiences in AI and technology policy to help clients understand complex technology developments, risks…

August Gweon counsels national and multinational companies on data privacy, cybersecurity, antitrust, and technology policy issues, including issues related to artificial intelligence and other emerging technologies. August leverages his experiences in AI and technology policy to help clients understand complex technology developments, risks, and policy trends.

August regularly provides advice to clients on privacy and competition frameworks and AI regulations, with an increasing focus on U.S. state AI legislative developments and trends related to synthetic content, automated decision-making, and generative AI. He also assists clients in assessing federal and state privacy regulations like the California Privacy Rights Act, responding to government inquiries and investigations, and engaging in public policy discussions and rulemaking processes.

Read more about August GweonEmailAugust's Linkedin Profile
Show more Show less